[asterisk-dev] chan_sip SIP Authentication

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jan 27 17:19:29 CST 2009


Hi!

I recently had the same problem.

One solution is to define everything as SIP "peer" - also the SIP clients.

This does not work out of the box if you use users.conf for user 
provisioning. For this case I have submitted a patch (which was rejected 
as users.conf must not be flexible :-)
http://bugs.digium.com/view.php?id=14188

I think changing the priority (peer before user) might be a solution as 
well. Actually if someone uses "peers" for gateways and "users" for SIP 
clients IMO the gateways should have higher priority. Another matching 
option would be the order in sip.conf.

regards
klaus

asterisk at ntplx.net wrote:
> I have the same old problem that has come up before, I know this
> has been asked before.
> 
> I use a cisco AS5300 PRI gateway to connect the PSTN to asterisk 1.4
> with SIP. When a call comes into the PRI, the cisco sends it to
> asterisk with a from of the CID which is normally a 10 digit phone
> number. The cisco gateway is configured as a peer in the sip.conf file
> and setup as insecure so asterisk can match the IP address.
> 
> I also have some SIP ATA devices where the user name/device name is
> set as just the 10 digit phone number. This causes a problem for
> asterisk when one of the users calls back into the same system.
> The cisco box sends a SIP from with the 10 digit number and asterisk
> matches the username in sip.conf and says the authentication does
> not match (I want it to match the insecure gateway IP).
> 
> If I change check_user_full in chan_sip.c to match IP peers first then
> this seems to solve the problem for the cisco/asterisk system, but seems
> it may cause future authentication issues for users. When a user connects
> it matches the username and then later requests match the IP in the peer
> list. Are authenticated users added as peers? Do they expire?
> 
> Other than not using the 10 digit number as a name for authentication
> to solve this issue, is there a real problem matching IP peers first?
> Why is this not done now? Why does asterisk not match peers by IP after
> an authentication failure?
> 
> Does any/all of this change in version 1.6/trunk?
> 
>     Andrew
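A simplified model of the two lookup orders discussed in this thread (user by From name first, versus peer by source IP first), added here as an example; it is not chan_sip code and not from either poster. The entry names, phone number, addresses and secret are constructed sample values, and `handle_invite` is a hypothetical helper.

```python
# Simplified model of the lookup order discussed above; NOT chan_sip code.
# Names, numbers, addresses and secrets are constructed sample values.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    name: str
    kind: str                      # "user": matched on From username
                                   # "peer": matched on source IP
    ip: Optional[str] = None       # peers only
    secret: Optional[str] = None   # digest secret, if any
    insecure: bool = False         # accept INVITE without digest auth

ENTRIES = [
    Entry("pstn-gw", "peer", ip="192.0.2.10", insecure=True),  # PRI gateway
    Entry("2035550100", "user", secret="ata-secret"),          # ATA named by number
]

USER_FIRST = ("user", "peer")   # order the thread describes as current
PEER_FIRST = ("peer", "user")   # order proposed in the thread

def match(from_user, src_ip, order):
    """Return the first entry that matches, trying kinds in the given order."""
    for kind in order:
        for e in ENTRIES:
            if kind == "user" and e.kind == "user" and e.name == from_user:
                return e
            if kind == "peer" and e.kind == "peer" and e.ip == src_ip:
                return e
    return None

def handle_invite(from_user, src_ip, order, offered_secret=None):
    """Classify an INVITE: accepted, failed authentication, or unmatched."""
    e = match(from_user, src_ip, order)
    if e is None:
        return "no-match"
    if e.insecure:
        return f"accept:{e.name}"          # no challenge for insecure entries
    if e.secret is not None and offered_secret == e.secret:
        return f"accept:{e.name}"
    return f"auth-failed:{e.name}"

if __name__ == "__main__":
    # Gateway relays a PSTN call whose caller ID equals an ATA's username.
    print(handle_invite("2035550100", "192.0.2.10", USER_FIRST))
    print(handle_invite("2035550100", "192.0.2.10", PEER_FIRST))
```

With peer-first ordering, every request from the gateway address is attributed to the insecure peer whatever its From user says, so the gateway's source IP becomes the only control on that path.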