[Asterisk-Dev] SIP Authentication problem between Cisco router and Asterisk when calls are forwarded

John Lange john.lange at open-it.ca
Fri Jun 10 10:58:18 MST 2005


I posted a similar message to the general list but this is not a repost
or cross-post.

I am thinking of modifying the Asterisk source code to solve a specific
problem we are having to which there appears to be no solution. Before I
do that I'd like some feedback from developers as to whether my solution
seems reasonable and if it would make sense to incorporate it into the
main Asterisk source code.

Here is the description of the problem and below that is my proposed
solution.

-------
We are using a Cisco router with a T1 card plugged into a PRI provided
by a local telco (Allstream).

This Cisco accepts calls and sends them to a couple of servers running
Asterisk depending on which number was dialled.

But there is a problem.

When a call comes in to the Cisco from the PSTN it sends it to the
Asterisk server something like this:

FROM: 204XXXXXXX@<CISCO IP>
TO: 204NNNNNNN@<Asterisk IP>

Normally, this is no problem. The user 204XXXXXXX does not exist on the
Asterisk server because it is the callerid of someone on the PSTN.

However, if a number on the PSTN is forwarded to a number on the
Asterisk server, and then someone else on the Asterisk server calls the
PSTN number, the call appears at the Asterisk server as being from a
local caller and it is rejected because it has no username/password.

I know, it's confusing. So let me try and simplify.

Let's say 204 791 2345 is my cell phone.

And 204 885 0872 is my office phone.

When I get into the office, I forward my cell to my office phone to save
airtime. So 204 791 2345 is forwarded to 204 885 0872.

A random outside caller (204 123 4567) phones my cell (204 791 2345),
which is forwarded to 204 885 0872. No problem, the call appears at the
Asterisk server as "FROM: 2041234567@<CISCO IP>". Since 2041234567 is
not a user on the Asterisk system it falls through to the default
context and no username/password is required.

However, if someone on a VoIP phone (let's say 204 444 5555) connected to
the Asterisk server calls my cell, the Asterisk server rightly believes
the call is destined for the PSTN and routes it to the Cisco which sends
it out to the PSTN where it promptly comes back in the PRI (because of
the forwarding) and is returned back to the Asterisk box.

The problem is, the from is now "FROM: 2044445555@<CISCO IP>", and
2044445555 *IS* a valid user on the Asterisk box as defined in sip.conf
so Asterisk tries to authenticate the user. The Cisco of course knows
nothing about the username/password for that user and the call gets
rejected.

e.g. sip.conf looks like this 

; Internal
[2044445555]
accountcode=318
type=friend
context=openit
username=sandra
callerid=Sandra <2044445555>
secret=password
host=dynamic
mailbox=2044445555

-------

Proposed solutions:

#1 Modify Asterisk so that it prefers static IP addresses over
usernames. In other words, if a call is received from a host that
matches, use that host's definition to authenticate, ignoring any
usernames that might match from dynamic hosts.

#2 Modify Asterisk so that sip.conf has a new option to force it to
never use callerid information for authentication and instead only use
supplied usernames.

Please keep in mind I have not even cracked open the source code yet so
these proposed solutions may not even make sense but that's why I'm
asking.

In reality I don't really have time to hack Asterisk source code so
please let me know if the above sounds like a waste of time.

Also, if there are any developers out there that would accept a small
bounty for this work please contact me as I might go that route instead.

Thanks,

-- 
John Lange
President OpenIT ltd. www.Open-IT.ca (204) 885 0872
VoIP, Web services, Linux Consulting, Server Co-Location
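
An added illustration, not part of the original message and not Asterisk source code: a small C model of the lookup order the post describes (From user matched first) beside proposed solution #1 (static host matched first). The `cisco-gw` entry, its address 192.0.2.10 and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the lookup order described in the post; not Asterisk source. */
struct entry {
    const char *name;    /* sip.conf section name, compared with the From user */
    const char *host;    /* static address, or "dynamic" */
    int has_secret;      /* 1 when secret= is set, so a digest challenge is sent */
    const char *context;
};

/* Constructed table: the post's user plus an assumed static gateway entry. */
static const struct entry conf[] = {
    { "2044445555", "dynamic",    1, "openit"  },
    { "cisco-gw",   "192.0.2.10", 0, "default" },
};
#define NCONF (sizeof conf / sizeof conf[0])

enum order { USER_FIRST, STATIC_HOST_FIRST };

static const struct entry *find(const char *key, int by_host)
{
    for (size_t i = 0; i < NCONF; i++)
        if (strcmp(by_host ? conf[i].host : conf[i].name, key) == 0)
            return &conf[i];
    return NULL;
}

/* Returns the context the INVITE lands in, or NULL when it is challenged
 * for credentials (which the gateway in the post cannot supply). */
const char *route_invite(const char *from_user, const char *src_ip, enum order o)
{
    /* Proposal #1: a matching static host wins before any From-user lookup. */
    const struct entry *e = (o == STATIC_HOST_FIRST) ? find(src_ip, 1) : NULL;
    if (!e)
        e = find(from_user, 0);   /* From user equals a sip.conf section name */
    if (!e)
        e = find(src_ip, 1);
    if (!e)
        return "default";
    return e->has_secret ? NULL : e->context;
}

int main(void)
{
    const char *r = route_invite("2044445555", "192.0.2.10", STATIC_HOST_FIRST);
    printf("forwarded call lands in: %s\n", r ? r : "(challenged)");
    return 0;
}
```

In this model the static-host-first order trusts the gateway entry by source address alone, while a phone registering from any other address with the same From user is still challenged for its secret.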