[asterisk-users] Softphone that supports central provisioning?

Salvatore Giudice Salvatore.Giudice at VoIPSecurityTraining.com
Fri Apr 20 22:46:20 MST 2007


A complete provisioning system for soft phones could impart some of the same
authentication models used for popular IM clients. Imagine a large
enterprise who wants to give out several thousand soft phones to employees
in a turnkey fashion requiring the employee's network credentials to
authenticate at the start of each session. Generally, it is not acceptable
to use employee credentials to perform SIP digest authentication. Employee
credentials are meant for employees, not devices or software that sets up a
session on behalf of an employee. 

The solution to this kind of setup is to use a soft phone that can be
downloaded on demand and presents the employee with a simple
username/password/domain login box. In one such system that I worked on, the
client would take the credentials from the employee and authenticate via
HTTPS to a simple CGI script that authenticates the credentials against an
Active Directory setup. Once the employee is authenticated, the CGI script
sets a temporary password in a database that is accessible by a radius
server and sends back all the provisioning information including the
employee's office number and the temporary session password via XML in the
HTTPS POST response. The client then logs into the SIP service using the
session credentials.

The employee is required to re-authenticate at the start of each soft phone
session or after a timed interval when the temporary session password is
expired from radius.

The advantages to this kind of setup are:
1.) you don't have employee credentials stored in soft phones
2.) you avoid locking out employee credentials when policy-based password
changes are required because of rapid authentication failures from a SIP
device with stored credentials
3.) no SIP service credentials are stored in the soft phones
4.) in the event that the temporary session password is stolen from a soft
phone installation, it is only good for a short period of time usually
limited to 12 hours
5.) HTTPS is a significantly better provisioning method than TFTP (cough
Cisco...) because it is encrypted and you have the opportunity to validate a
cert from the provisioning server to ensure that the soft phone client is
talking directly to the provisioning server. Man in the middle attacks suck.
6.) it's a lot easier to change provisioning information for all clients
without requiring employees to download a new soft phone with hardcoded
settings or trying to get employees to implement changes on their phones
manually. For the same reason, it reduces initial setup complexity and also
eliminates the bulk of setup related support calls

We have put together implementations of this kind of system before for
clients. Usually, this kind of scenario is not something we discuss outside
our training classes or at conventions. Generally, this kind of system is
commonly requested by enterprise and government customers when they seek to
extend their phone system to employees for road warrior, pandemic, disaster
recovery, or occasional work at home scenarios.



--------------------------------------------------
Salvatore Giudice
Salvatore.Giudice at VoIPSecurityTraining.com

VoIP Security Training, LLC
http://VoIPSecurityTraining.com

848 N. Rainbow Blvd. #1676
Las Vegas, NV 89107
Phone: (702) 979-2906
Fax: (212) 279-2906

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Tzafrir Cohen
Sent: Friday, April 20, 2007 9:01 PM
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] Softphone that supports central provisioning?

On Fri, Apr 20, 2007 at 11:48:20AM -0400, James FitzGibbon wrote:
> Has anyone found a softphone that supports pulling it's configuration from
a
> central server via TFTP/FTP/HTTP, much like hard desk phones use?

Why would you want to do that?

There are well-known and established tools to "provision" (centrally
configure) software running on computers in a entwork. Why should the
soft phones be configured any differently?

What OS do you use on the desktops?

-- 
               Tzafrir Cohen       
icq#16849755                    jabber:tzafrir at jabber.org
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users




More information about the asterisk-users mailing list