[asterisk-dev] chan_sip SIP Authentication

Philipp Kempgen philipp.kempgen at amooma.de
Tue Jan 27 18:58:03 CST 2009


Klaus Darilion wrote:
> I recently had the same problem.
> 
> One solution is to define everything as sip "peer" - also the SIP clients.
> 
> This does not work out of the box if you use users.conf for user 
> provisioning. For this case I have submitted a patch (which was rejected 
> as users.conf must not be flexible :-)
> http://bugs.digium.com/view.php?id=14188
> 
> I think changing the priority (peer before user) might be a solution as 
> well. Actually if someone uses "peers" for gateways and "users" for SIP 
> clients IMO the gateways should have higher priority. Another matching 
> option would be the order in sip.conf.

Yeah, something needs to be done here.
Changing the order to match peers by IP address first seems to
work.

> asterisk at ntplx.net wrote:
>> I have the same old problem that has come up before, I know this
>> has been asked before.
>> 
>> I use a cisco AS5300 PRI gateway to connect the PSTN to asterisk 1.4
>> with SIP. When a call comes into the PRI, the cisco sends it to
>> asterisk with a from of the CID which is normally a 10 digit phone
>> number. The cisco gateway is configured as a peer in the sip.conf file
>> and set up as insecure so asterisk can match the IP address.
>> 
>> I also have some SIP ATA devices where the user name/device name is
>> set as just the 10 digit phone number. This causes a problem for
>> asterisk when one of the users calls back into the same system.
>> The cisco box sends a SIP from with the 10 digit number and asterisk
>> matches the username in sip.conf and says the authentication does
>> not match (I want it to match the insecure gateway IP).
>> 
>> If I change check_user_full in chan_sip.c to match IP peers first then
>> this seems to solve the problem for the cisco/asterisk system, but seems
>> it may cause future authentication issues for users. When a user connects
>> it matches the username and then later requests match the IP in the peer
>> list. Are authenticated users added as peers? Do they expire?
>> 
>> Other than not using the 10 digit number as a name for authentication
>> to solve this issue, is there a real problem matching IP peers first?
>> Why is this not done now? Why does asterisk not match peers by IP after
>> an authentication failure?

   Philipp Kempgen

-- 
AMOOCON 2009, May 4-5, Rostock / Germany   ->  http://www.amoocon.de
Asterisk: http://the-asterisk-book.com - http://das-asterisk-buch.de
AMOOMA GmbH - Bachstr. 126 - 56566 Neuwied  ->  http://www.amooma.de
Managing director: Stefan Wintermeyer, commercial register: Neuwied B14998
-- 
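
The matching order discussed in this thread, as an added example that is not part of the original messages and is not Asterisk's code: a simplified Python model of the lookup, assuming "user" entries match on the From username and "peer" entries match on the source IP address. The entry names, phone number and IP addresses are constructed.

```python
# Simplified model of the lookup order discussed above; not chan_sip code.
# Assumption: type=user entries match on the From username, type=peer
# entries match on the source IP address of the request.
from dataclasses import dataclass

@dataclass
class Entry:
    name: str
    kind: str               # "user" or "peer"
    host: str = ""          # peer IP address; empty for users
    insecure: bool = False  # True: INVITE is accepted without a challenge

# Constructed sample configuration (documentation-range addresses).
ENTRIES = [
    Entry("2035550100", "user"),                                 # ATA named by its number
    Entry("pstn-gw", "peer", host="192.0.2.10", insecure=True),  # PRI gateway
]

def match(entries, from_user, src_ip, peers_first=False):
    """Return (matched entry name or None, action) for an incoming INVITE."""
    def by_user():
        return next((e for e in entries
                     if e.kind == "user" and e.name == from_user), None)

    def by_ip():
        return next((e for e in entries
                     if e.kind == "peer" and e.host == src_ip), None)

    order = (by_ip, by_user) if peers_first else (by_user, by_ip)
    for lookup in order:
        hit = lookup()
        if hit:
            return hit.name, "accept" if hit.insecure else "challenge"
    return None, "reject"  # model simplification: no guest handling

if __name__ == "__main__":
    cases = [
        ("gateway relays a call whose CID equals the ATA name",
         "2035550100", "192.0.2.10"),
        ("the ATA itself places a call", "2035550100", "198.51.100.7"),
    ]
    for label, user, ip in cases:
        for peers_first in (False, True):
            print(label, "| peers_first =", peers_first, "->",
                  match(ENTRIES, user, ip, peers_first))
```

In the peers-first order the model accepts any request from the gateway's address without a challenge, whatever its From user, which is the trade-off the original poster asks about.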


