[asterisk-users] Disallow CALLS without registry

Sat Feb 11 12:27:57 CST 2017

>>> so the main question is -- how to Disallow CALLS without registering
>>> on PBX

> In fact, I'm not sure that it's actually possible to disallow [authenticated] calls from a peer that hasn't registered!
> 
> As far as I can tell, 'registration' was never intended to be part of the authentication process. It's sole purpose is to inform the PBX as to the current location of the endpoint. I suspect this means that what the OP is asking for cannot be achieved with the current code bases.
> 
> But each time I'm proven wrong I learn something, so if I'm wrong then please by all means correct me! :)

I think your understanding is largely correct... although I do believe
it _is_ possible to achieve what the original poster wants, with
a bit of dialplan trickery.

I think you're correct, in that registration of a peer (using proper
credentials) is not normally necessary in order for that peer to be
able to place a call (again, with those same valid credentials).  The
"ingoing" and "outgoing" aspects of a peer are fundamentally
separate... and that's why there's no option which requires
registration to make a call.

The way you're "supposed to" prevent unauthorized calls, is to make
sure that each peer has valid (unique, cryptographically-strong)
credentials (i.e. a proper password).  The peer has to prove that it
has these when it places a call - and, so, registration per se is
irrelevant.  As long as you don't allow anonymous calls to be placed,
you should be OK.

Now, there probably _is_ a way to force specific peers to register
prior to placing a call, if that's what you really want to do (although
I would ask "Why?" to anyone who wants to do things this way).  The
way I would do it, in Asterisk, is:

-  Turn on "qualify", so that Asterisk will check each registered
   peer periodically and confirm that it's still on-line.  Using
   a modest registration timeout (a few minutes) is probably also
   beneficial.

-  Create a new dialplan context, which will be used as the initial
   context for all of these peers when they try to place a call.
   Specify this context in the definition of each such peer.

-  In this call-placing context, have a single ruleset which matches
   all numbers being dialed.

-  In this ruleset, retrieve the name of the peer placing the call
   (I think it's CHANNEL(peername) but I could be wrong).

-  Test the peer's SIP status with SIPPEER($peername:status) and see
   if it's OK.  If so, the peer is registered - jump to another rule
   or ruleset which dials the requested number.  If not, reject the
   call, or play a polite (or rude) message which explains that
   unregistered phones may not place calls.