1) Keep all existing setup on "whitelist only"
2) Create a new web page that runs only on port 81
3) Be sure the web page is NOT "index" so it must be addressed directly (no guessing, make it an impossible to guess page name like "akjsajg816j1283ja.php"). Consider rotating it regularly and sending the dynamic agents a link every morning before work if you're really security conscious.
4) That new web page has one purpose: Check user/pass against vicidial_users table (borrow the code from any vicidial page!) and if the user authenticates, add their IP address to the iptables "good" file managed by the "Recent" module in iptables.
This module allows the creation of a file that can be checked against within the iptables system.
5) If an entry is present or absent, special action can be taken. In this case, the action would be ACCEPT, thus after logging in to this page the agent is now "whitelisted" until reboot when that file is cleaned out.
We charge $100 to install this in a standard Vicibox installation, as we've already invested the time to create it.
And you're right, it was fun to make. I'd like to make it part of Vicibox. Maybe I'll suggest that to Kumba