[asterisk-users] Softphone that supports central provisioning?
Yuan LIU
yliu11 at hotmail.com
Fri Apr 20 23:20:34 MST 2007
>From: "Salvatore Giudice" <Salvatore.Giudice at VoIPSecurityTraining.com>
>Date: Sat, 21 Apr 2007 01:46:20 -0400
>
>A complete provisioning system for soft phones could impart some of the same
>authentication models used for popular IM clients. Imagine a large
>enterprise who wants to give out several thousand soft phones to employees
>in a turnkey fashion requiring the employee's network credentials to
>authenticate at the start of each session. Generally, it is not acceptable
>to use employee credentials to perform SIP digest authentication. Employee
>credentials are meant for employees, not devices or software that sets up a
>session on behalf of an employee.
>
>The solution to this kind of setup is to use a soft phone that can be
>downloaded on demand and presents the employee with a simple
>username/password/domain login box. In one such system that I worked on, the
>client would take the credentials from the employee and authenticate via
>HTTPS to a simple CGI script that authenticates the credentials against an
>Active Directory setup. Once the employee is authenticated, the CGI script
>sets a temporary password in a database that is accessible by a radius
>server and sends back all the provisioning information including the
>employee's office number and the temporary session password via XML in the
>HTTPS POST response. The client then logs into the SIP service using the
>session credentials.

Thought the OP wanted the name of a soft phone that was capable of using CGI
or whatever mechanism to pull such provisioning info, or one that could be
reconfigured on demand (outside of itself). I'd like to know which one(s),
too. Wouldn't imagine pushing user credentials to end points.

Yuan Liu

>The employee is required to re-authenticate at the start of each soft phone
>session or after a timed interval when the temporary session password is
>expired from radius.
>
>The advantages to this kind of setup are:
>1.) you don't have employee credentials stored in soft phones
>2.) you avoid locking out employee credentials when policy-based password
>changes are required because of rapid authentication failures from a SIP
>device with stored credentials
>3.) no SIP service credentials are stored in the soft phones
>4.) in the event that the temporary session password is stolen from a soft
>phone installation, it is only good for a short period of time usually
>limited to 12 hours
>5.) HTTPS is a significantly better provisioning method than TFTP (cough
>Cisco...) because it is encrypted and you have the opportunity to validate a
>cert from the provisioning server to ensure that the soft phone client is
>talking directly to the provisioning server. Man in the middle attacks suck.
>6.) it's a lot easier to change provisioning information for all clients
>without requiring employees to download a new soft phone with hardcoded
>settings or trying to get employees to implement changes on their phones
>manually. For the same reason, it reduces initial setup complexity and also
>eliminates the bulk of setup related support calls
>
>We have put together implementations of this kind of system before for
>clients. Usually, this kind of scenario is not something we discuss outside
>our training classes or at conventions. Generally, this kind of system is
>commonly requested by enterprise and government customers when they seek to
>extend their phone system to employees for road warrior, pandemic, disaster
>recovery, or occasional work at home scenarios.
>
>
>
>--------------------------------------------------
>Salvatore Giudice
>Salvatore.Giudice at VoIPSecurityTraining.com
>
>VoIP Security Training, LLC
>http://VoIPSecurityTraining.com
>
>848 N. Rainbow Blvd. #1676
>Las Vegas, NV 89107
>Phone: (702) 979-2906
>Fax: (212) 279-2906
>
>-----Original Message-----
>From: asterisk-users-bounces at lists.digium.com
>[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Tzafrir Cohen
>Sent: Friday, April 20, 2007 9:01 PM
>To: asterisk-users at lists.digium.com
>Subject: Re: [asterisk-users] Softphone that supports central provisioning?
>
>On Fri, Apr 20, 2007 at 11:48:20AM -0400, James FitzGibbon wrote:
> > Has anyone found a softphone that supports pulling its configuration from a
> > central server via TFTP/FTP/HTTP, much like hard desk phones use?
>
>Why would you want to do that?
>
>There are well-known and established tools to "provision" (centrally
>configure) software running on computers in a network. Why should the
>soft phones be configured any differently?
>
>What OS do you use on the desktops?
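
The provisioning flow described in the quoted message above, sketched as an added example (not code from the thread or from any of its participants). The directory check is a caller-supplied stand-in for the Active Directory lookup, `session_db` stands in for the database the RADIUS server reads, and the XML element names are assumptions.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SESSION_TTL = 12 * 3600  # the post's "usually limited to 12 hours"

# Assumption: a dict keyed by SIP user stands in for the RADIUS-readable database.
session_db = {}

def provision(username, password, domain, directory_check, extensions, now=None):
    """Server side: verify employee credentials, mint a temporary SIP password,
    and return the XML provisioning document (None if the login fails)."""
    now = time.time() if now is None else now
    if not directory_check(username, password, domain):
        return None  # a failed login never creates a session secret
    ext = extensions[username]
    temp = secrets.token_urlsafe(24)  # random, unrelated to the employee password
    session_db[ext] = {"secret": temp, "expires": now + SESSION_TTL}
    root = ET.Element("provisioning")  # element names are hypothetical
    ET.SubElement(root, "sip_user").text = ext
    ET.SubElement(root, "sip_password").text = temp
    ET.SubElement(root, "expires_in").text = str(SESSION_TTL)
    return ET.tostring(root, encoding="unicode")

def parse_provisioning(xml_text):
    """Client side: pull the session credentials out of the HTTPS response body."""
    return {child.tag: child.text for child in ET.fromstring(xml_text)}

def radius_accepts(sip_user, secret, now=None):
    """Lookup the RADIUS side must enforce: the secret matches and has not expired."""
    now = time.time() if now is None else now
    entry = session_db.get(sip_user)
    if entry is None or now >= entry["expires"]:
        session_db.pop(sip_user, None)  # purge so the employee must re-authenticate
        return False
    return secrets.compare_digest(entry["secret"].encode(), secret.encode())
```

The employee password is only ever passed to `directory_check`; what reaches the soft phone and the SIP service is the short-lived secret.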