Skip to content

The Data Scientist

the data scientist logo
Menu
Menu
Forced

Forced Authorization Code (FAC)

What is Forced Authorization Code (FAC)?

Forced Authorization Code (FAC) helps control what calls users can make. Users must enter a valid code before their call goes through. This security feature adds an extra layer of authentication for specific call types, especially where call security needs tight control.

Cisco Unified Communications Manager (CUCM) lets administrators track call usage and limit outgoing calls to specific numbers. The system plays a tone asking for an authorization code when users dial numbers through FAC-enabled route patterns. Calls only go through when users enter a valid code that matches or exceeds the route pattern’s authorization level.

Authorization levels in FAC systems range from 0 to 255, which lets organizations create detailed access control hierarchies. Companies can set these levels based on their needs. To name just one example, a company might set level 10 for interstate long-distance calls, level 20 for intrastate long-distance calls, and level 30 for international calls. Setting levels in steps of 10 creates an expandable structure to add more codes later.

Trending
Reclaiming space and cleaning up your Mac quickly: here are the steps!

FAC does more than just restrict calls:

  • Call Accounting: FAC tracks call activities by recording authorization codes in Call Detail Records (CDRs)
  • Billing Management: The system makes accurate billing easier by linking calls to their users
  • Security Enhancement: Blocks unauthorized access to restricted call types or services
  • User Accountability: Unique authorization codes help administrators identify who made specific calls

FAC works well in many situations. Colleges and universities use FAC to control access to certain call types. Companies with shared phones in reception areas need authorization codes for outgoing calls. Businesses can also require these codes when employees make long-distance calls from their colleagues’ offices.

FAC combines smoothly with Logical Partitioning Class of Restriction (LPCOR) groups in Cisco Unified CME environments. The system splits devices and endpoints into different LPCOR groups such as IP phones, analog phones, PSTN trunks, and IP trunks. LPCOR policy decides which incoming calls from each group need FAC restrictions.

Organizations should update their dial plan documentation to show which route patterns use FAC. This documentation helps maintain system integrity and shows users when they need authorization codes.

It’s worth mentioning that FAC differs from Client Matter Codes (CMC) in their main purpose. FAC controls call access through authorization levels, while CMC focuses on call accounting and client billing.

How Forced Authorization Code works in CUCM

Cisco Unified Communications Manager (CUCM) implements forced authorization code through a systematic workflow that enforces call restrictions and security protocols. This approach differs from other call restriction methods because users must enter a code before completing their calls.

CUCM’s FAC process follows this sequence:

  1. A user dials a number that routes through a FAC-enabled route pattern
  2. CUCM signals the phone to play a distinctive tone that prompts authorization
  3. Users enter their assigned authorization code on the keypad
  4. The system checks the code against configured authorization levels
  5. Successful validation allows the call to reach its intended destination

CUCM’s verification process compares the entered code’s authorization level with the route pattern’s configured level. Calls proceed only when a user’s authorization level matches or surpasses the route pattern’s specified threshold. The system uses the FAC timer (T302/interdigit timer) set to 15 seconds by default. Users can press the pound (#) key to process their input right away.

Each forced authorization code in CUCM needs specific settings. The code must use numeric format (0-9) and can’t exceed 16 digits. A unique name links each code to specific users or groups, along with a three-digit authorization level between 0 and 255.

CUCM moves forward with the outgoing call setup once authentication succeeds. The system marks the Call Detail Record (CDR) with the used forced authorization code, which helps track and account for calls. Commands like “show call active voice” and “show call history voice” can retrieve this information.

FAC implementation goes beyond simple call routing. The system works with Logical Partitioning Class of Restriction (LPCOR) policies in Cisco Unified CME environments. This integration determines which incoming calls from specific groups need authorization. Organizations can control call permissions based on how endpoints are classified.

Failed FAC authentication triggers CUCM’s predefined rules. Some configurations forward the call to another destination, where FAC checks might happen again if the service is active. The system disconnects blocked calls using a specific LPCOR Q.850 disconnect cause code.

Organizations can set different authorization requirements for various user groups. To name just one example, employee phones might need FAC for long-distance calls, while manager phones skip this requirement through separate partitions and calling search spaces.

Steps to configure Forced Authorization Code

Forced

Configuring forced authorization code in Cisco Unified Communications Manager (CUCM) requires several sequential steps. The process includes creating codes, setting authorization levels, and applying them to route patterns. A well-planned implementation ensures appropriate security levels that align with your organization’s requirements.

1. Add authorization codes

The first task for administrators is to create unique authorization codes in CUCM:

  1. Direct yourself to Call Routing > Forced Authorization Codes in the CUCM Administration interface.
  2. Click Add New to create a new authorization code[93].
  3. The Authorization Code Name field needs a unique name (maximum 50 characters) that links the code to specific users or groups[93].
  4. The Authorization Code field requires a unique numeric code (maximum 16 digits). Users will enter this code when making calls through FAC-enabled route patterns[93].

2. Set authorization levels

The next phase involves assigning proper authorization levels:

  1. Type a three-digit value between 0 and 255 in the Authorization Level field[93].
  2. Using incremental values (10, 20, 30) creates a structure that allows easy addition of more authorization codes.
  3. Your organization should define each level’s meaning—level 10 might handle interstate calls, level 20 for intrastate calls, and level 30 for international calls.

3. Enable FAC in route patterns

The system needs FAC functionality enabled in route patterns after codes and levels are set:

  1. Direct yourself to Call Routing > Route/Hunt > Route Pattern in CUCM Administration[93].
  2. Click Find to select an existing pattern or Add New to create one[93].
  3. Check the Require Forced Authorization Code checkbox in the Route Pattern Configuration window[93].
  4. The Authorization Level field needs a value (0-255). Users must have codes with equal or higher levels to place calls through this pattern[93].

4. Save and apply changes

The final implementation steps include:

  1. Save your changes to apply the route pattern configuration[93].
  2. Your dial plan documentation should reflect FAC-enabled route patterns and their authorization levels.
  3. Different user groups might need separate partitions and calling search spaces. To cite an instance, employee phones might need FAC for long-distance calls while manager phones don’t.
  4. The configuration needs testing through FAC-enabled route patterns to ensure proper authorization code prompts.

Note that FAC’s value extends beyond call restrictions. The system records authorization codes in Call Detail Records (CDRs), which proves valuable for billing and tracking purposes.

Call flow behavior with Forced Authorization Code

The system starts a specific authentication sequence when users place calls through a forced authorization code-enabled route pattern. This technical process will give proper call access control based on authorization levels.

Tone prompts and user input

The system plays a distinctive tone that signals users to enter their authorization code when they attempt to call a FAC-enabled number. Users hear this prompt right after dialing as an authentication step. They can wait for the FAC Timer (T302/interdigit timer) to expire in 15 seconds or press the pound (#) key to process their input immediately. The system plays sequential tones in environments that employ both FAC and Client Matter Codes (CMC). Users must enter the FAC first, then the CMC.

Successful vs failed authentication

The system confirms the authorization code against configured authorization levels after submission. A successful authentication connects the call to its intended destination. Users hear a reorder tone that blocks the call when they enter incorrect digits or have insufficient authorization levels. Some configurations forward failed authentication calls to another destination where FAC checks might run again if enabled. Blocked calls disconnect with a specific LPCOR Q.850 disconnect cause code.

Call detail record (CDR) logging

The system’s detailed records track all authentication attempts. Each successful authorization creates Call Detail Records (CDRs) marked with the specific FAC number. New AAA fac-digits and fac-status attributes in CDR STOP records store this information. The core team can access this data through commands like “show call active voice” and “show call history voice”. Organizations can then utilize CDR Analysis and Reporting (CAR) to create complete reports for accounting and billing. This helps track call activities linked to specific authorization codes.

Differences between FAC and Client Matter Codes (CMC)

Forced authorization code and Client Matter Codes (CMC) are two different but complementary features in Cisco Unified Communications Manager (CUCM). These features manage different parts of call handling. Many organizations use them together, though each serves a unique purpose in telecommunications systems.

The main difference lies in what they do. FAC controls call access through security measures, while CMC tracks calls for accounting purposes. Users must enter valid authorization codes assigned at specific access levels to complete calls through restricted route patterns with FAC. CMC works differently – it needs code entry to link calls with specific client matters for accounting and billing without restricting call completion.

Both features work by playing tones to users after they dial numbers through enabled patterns. Their authentication process is very different though. FAC checks the entered code against preset authorization limits and blocks calls if levels aren’t high enough. CMC just records valid codes in Call Detail Records and doesn’t enforce any authorization rules.

These features serve different purposes. Educational institutions, businesses, and organizations use FAC to control access to specific call types. Law offices, accounting firms, and consulting businesses use CMC to track call duration for client billing.

CUCM processes both features one after another when organizations use them together. Users hear two tones after dialing – first for FAC entry, then for CMC. This order ensures security through FAC while keeping CMC’s tracking ability intact.

Both features add valuable data to Call Detail Records, which enables detailed analysis through CDR Analysis and Reporting tools. Organizations can manage call access and financial tracking in one system by using these tools to audit security with FAC and handle client accounting with CMC.

Limitations and restrictions of Forced Authorization Code

Forced authorization code functionality helps manage call access but comes with limitations that system administrators need to think about when implementing it. These constraints affect both system performance and user experience in deployments of all types.

Unsupported call types

Forced authorization code implementation remains incompatible with several call scenarios. The system doesn’t work with Single Number Reach (SNR) calls, three-party call control (3pcc) outgoing calls, parallel hunt groups, or whisper intercom calls. H.323 analog gateways lack the ability to play tones, which makes them incompatible with FAC. Cisco IP soft phones cannot play authorization code prompt tones, but users who wait about two seconds after dialing can enter their code without a prompt. The authentication also fails with failover calls, users picking up group calls, and calls that join meetme conferences.

Call forwarding issues

Forced authorization code and call forwarding functionality face fundamental compatibility problems. Calls forwarded to FAC-enabled route patterns fail because no one is available to enter the required code. The call forwarding configuration fails completely when users press the CFwdALL softkey and enter numbers with FAC enabled on the route pattern. System administrators should test numbers by dialing the intended forwarding number to minimize disruptions. If the system asks for a code, that number shouldn’t be used for call forwarding. CUCM doesn’t store previously entered authorization codes when using redial or speed-dial buttons, so users must enter them again for each call. Users can’t preconfigure speed-dial buttons with FAC codes and must enter the code manually at the prompt.

Localization and accessibility

Forced authorization code has specific localization and usability constraints. Cisco uses the same default tone for any locale supported with Cisco Unified Communications Manager, except in Cisco Mobility implementations where FACs are localized [75, 76]. Users with hearing impairments should wait one or two seconds after dialing before entering their authorization code. The system doesn’t support overlap sending because CUCM can’t determine when to prompt users for code entry. The system automatically unchecks the “Allow Overlap Sending” option when enabling the “Require Forced Authorization Code” checkbox in route patterns configuration and vice versa.

FAQs

1. What is a Forced Authorization Code (FAC) in telecommunications? 

A Forced Authorization Code is a security feature that requires users to enter a valid code before completing certain types of calls. It helps regulate call access and enables detailed call tracking for accounting and billing purposes.

2. How does FAC work in Cisco Unified Communications Manager (CUCM)? 

When a user dials a number routed through an FAC-enabled pattern, CUCM prompts for an authorization code. The call proceeds only if the entered code meets or exceeds the required authorization level for that route pattern.

3. Can FAC be used with call forwarding? 

FAC is not compatible with call forwarding. Calls forwarded to FAC-enabled route patterns will fail because there’s no user present to enter the required code. It’s important to test numbers before configuring call forwarding to avoid issues.

4. What are the main differences between FAC and Client Matter Codes (CMC)? 

While FAC regulates call access through security controls, CMC focuses on tracking calls for accounting purposes. FAC can block calls based on authorization levels, whereas CMC simply records valid codes for billing without restricting calls.

5. Are there any limitations to using FAC? 

Yes, FAC has several limitations. It doesn’t work with certain call types like Single Number Reach calls or H.323 analog gateways. It also presents challenges for hearing-impaired users and doesn’t support overlap sending functionality in CUCM.