Contact Center Express (CCX) Authenticate Users with CRS Script

Author
William Bell
Vice President, Solutions and Products

As with most things, I am sure there are multiple ways to accomplish this task.  This just happens to be the approach I take.  The context for the following example is based on the need to manage prompts remotely.  For every CCX solution NetCraftsmen deploys, we add a “prompt changer” application. 

At a high level, our “prompt changer” application does the following:

  • Accepts the call
  • Authenticates the user
  • Allows the user to manage dynamic/”live” prompts (i.e. instantly active prompts)
  • Allows the user to pre-record prompts by a specific prompt ID (for later upload)
  • Allows the user to open/close a call center

The following example focuses on the second step:  User Authentication.

Variables

The example uses the following variables:

  • intRetryCnt:  (integer) Used to control the number of times we ask the caller to authenticate themselves
  • strUserExtension: (string) Used to store the agent extension as provided by the caller
  • usrWhoAmI: (user) Stores the user object retrieved from CUCM
  • blnSupervisor: (boolean) Flagged true if the user object is a CCX supervisor
  • strCCMUserID: (string) User ID for the CUCM user held in usrWhoAmI
  • strUserPIN: (string) User PIN as defined in CUCM (provided by the caller)

Script

Our first task is to initialize the variable intRetryCnt to 0 and then play a prompt to provide basic instructions for authenticating to the system.

Next, we show the simplistic loop control.  We have a label “AUTHENTICATE_LOOP” and then we increment the retry counter, do a quick check, and if the counter is greater than 3 we send the caller to the script termination routine.

Step 1:

First things first.  Since the user is using a telephone to call into the script, it makes sense to make it easier on the caller by asking them for their CCX agent extension.  The agent extension is programmed in CUCM as “ICD Extension” or “IPCCX Extension”.  The “Get Digit String” step basically plays a prompt with instructions and defines digit filters like length and termination string.

If we collect digits successfully, we move to step 2.

Step 2:

We use the “Get User” step to tell the CRS scripting engine to retrieve the user object associated with the agent extension that the user provided.  If the user provided an erroneous agent extension, then the “Unsuccessful” branch is engaged.  Otherwise, we have successfully grabbed the user object and wrote it to the usrWhoAmI variable.  Proceed to step 3.

Step 3:

This step is optional.  I just like to restrict contact center control to designated supervisors.  You could allow it so that anyone can manage the contact center.  I don’t advise it, but you could.  Anyway, all we are doing is checking an attribute tied to the user object stored in usrWhoAmI.  Specifically, we are asking if the user is a CCX supervisor and storing the value in blnSupervisor.

Step 4:

Again, we are extracting an attribute from the user object stored in usrWhoAmI.  In this case, we are grabbing the end user ID.  This is the user ID as configured in CUCM (e.g. bbell).  This is an attribute of type string, so we push it into a string variable: strCUCMUserID.

Step 5:

We check to see if the user object is a supervisor.  If it is then we proceed.  We are now going to prompt the caller to enter their Personal Identification Number (PIN).  This is the PIN as defined in CUCM.  Similar to the procedure in Step 1, we are using “Get Digit String” to store the PIN.  We push this into a string variable: strUserPIN.

Step 6:

OK, all previous steps are needed to reach this point.  We are going to take the user ID stored in strCUCMUserID and the PIN stored in strUserPIN and authenticate the user against CUCM.  If the PIN and User ID match up with what is stored in CUCM, then we are good to go and allow the caller to manage the prompts and/or contact center.

Unsuccessful and Timeout Steps:

Many of the steps we have provided have a branch for handling exceptions (e.g. Unsuccessful or Timeout).  Each of these has a similar structure:

  • Play a prompt to user to clue them in on what they did or didn’t do
  • Send the caller back to AUTHENTICATE_LOOP (which will increment the counter, and see if we should try this again)

That’s it, now you have a method to authenticate users before they destroy your contact center.  Thanks for reading!

5 responses to “Contact Center Express (CCX) Authenticate Users with CRS Script

  1. What would happen if the supervisor, also happened to have Admin rights, because they need to change Application parameters?

  2. The fact that a guru like Anthony Holloway is asking me this question makes me wonder if I missed something big! 😉 I have tested the script using a user that was a supervisor and an admin. I didn’t test for that reason, I was just being lazy and tested using an account I setup for both purposes!

    Prior to having this script, I would set the admin attribute for the user object so that they could edit the script parameter variables. I am actually a proponent for parameter variables (as long as you don’t get carried away). Again, that is because I am lazy and want to leave my customers with a method to control script behavior.

    Does that answer the question? Or did I miss something?

    HTH.

    Regards,
    Bill

  3. Hello William.
    I know that maybe this is not the right place to post this. But i was wondering if there is any way to lock a phone when the user is not at their desk. I know of third party software like stonelock that do this, but I was wondering whether you know write custom code to do the same thing in a simpler way..

    Best regards…
    davi

  4. Davi,

    I am not familiar with Stonelock. I did a quick read on their software offering and I imagine it may use some of the same approaches you see with EM. Meaning, it uses device profiles to do its job. But that is a guess on my part.

    In my experience, Extension Mobility can be used as an effective security measure. Though, it could be cumbersome for folks who want to "lock" their phone when they leave their desk for a short period. Stonelock may be a simple shortcut to the same mechanisms?

    Anyway, I have not looked at coding something like this but the first place I would look is the Phone SDK to see if there is an API function that could be leveraged (just in case). Then I would look at the EM API to see if I could create user shortcut functions (like I suspect Stone has done – but could be wrong).

    HTH.

    Regards,
    Bill

  5. Bill,

    Great article! I have completed my script and added the necessary steps to authenticate the user and it works great. However, my script is not uploading the prompt to the directory. No real errors that I can see either.

    Any ideas or can you point me in to another blog that maybe spells this part out?

    Regards,

    Nathan Richie

Leave a Reply

 

Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.

 

Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.

 

John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.