[OpenSIPS-Users] Registered trunks
Bogdan-Andrei Iancu
bogdan at opensips.org
Tue Jul 25 08:59:32 EDT 2017
Hi Pat,

I see 2 scenarios here (in both cases, the calledID and the auth user
are completely different, they cannot be calculated one from the other):

* if the caller sends in FROM the auth username and in PAI/RPID the CLI,
  you should be fine.
* if the caller sends in FROM the CLI, then it should send in the auth
  answer (as "username" attribute) the right auth username. The
  authentication should be successful, but you should check if the
  advertised CLI (in FROM) is allowed to use the authentication username.

So, bottom line (I think you are on the second scenario), you have to
keep the db_check_from(), re-configure the URI module to perform the
check against a predefined set of mappings (auth username as per
subscriber and SIP username as per FROM hdr) via DB table "uri" - see the
"db_table" and "use_uri_table" parameters:
http://www.opensips.org/html/docs/modules/2.3.x/uri.html#use-uri-table

Or using avp_db_query() you can make your own SQL query for checking
(via custom table) if the auth username is allowed with a certain CLI
(FROM username).

Best regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
OpenSIPS Bootcamp 2017, Houston, US
http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
On 07/25/2017 03:32 AM, Pat Burke wrote:
> Hello,
>
> As a SIP Provider, we are implementing the ability to provide SIP
> trunks to customers with a PBX or Dialer that require Registration.
> With this in mind, the customer wants to be able to set the CallerID
> at least on the basis of the devices connected to them, but
> potentially on a per call basis.
>
> For the challenge-response to the non-Register methods, we have
> implemented the script as follows (seems to be a very standard way).
> My question is for the case of the CallerID not being the same as the
> username/authorization name, how do we do this? Because the "FROM"
> user is different from the authorized user, the db_check_from fails.
> I don't believe all phone systems support P-Asserted-ID, so we can't
> really go that route. So can we just remove the "db_check_from"? What
> risk does that expose us to?
>
> if ( !(is_method("REGISTER")) ) {
>     if (is_from_local("$var(reg_domain_attr)")) { # from Registered device
>         $avp(callee_number_type) := "Registered";
>
>         # authenticate if from local subscriber
>         # authenticate all initial non-REGISTER request that pretend to be
>         # generated by local subscriber (domain from FROM URI is local)
>         if (!proxy_authorize("", "subscriber")) {
>             proxy_challenge("", "0");
>             exit;
>         }
>
>         if (!db_check_from()) {
>             sl_send_reply("403","Forbidden auth ID");
>             exit;
>         }
>
>         consume_credentials();
>         # caller authenticated
>     }
> }
>
> Regards,
> *Pat Burke*
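
The two checks suggested in the reply above, sketched as an opensips.cfg fragment. This is an added example, not code from the thread or from the OpenSIPS project; the DB URL, the route names, the `trunk_cli` table with its columns and the sample rows are assumptions, and the auth modules from the quoted script are taken as already loaded.

```opensips
# Added example: opensips.cfg fragment for OpenSIPS 2.3.x. DB URL, route names,
# the trunk_cli table and all sample rows are assumptions, not from the thread.

loadmodule "uri.so"
modparam("uri", "db_url", "mysql://opensips:CHANGE_ME@localhost/opensips")
modparam("uri", "db_table", "uri")      # mapping table
modparam("uri", "use_uri_table", 1)     # db_check_from() reads "uri", not "subscriber"

loadmodule "avpops.so"
modparam("avpops", "db_url", "mysql://opensips:CHANGE_ME@localhost/opensips")

# Constructed mapping: auth user "trunk1001" may present two CLIs in FROM.
#   INSERT INTO uri (username, domain, uri_user) VALUES
#     ('trunk1001', 'sip.example.com', '12125550100'),
#     ('trunk1001', 'sip.example.com', '12125550101');

# Option 1: URI module mapping table
route[AUTH_TRUNK_URI] {
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    }
    # True only when (digest username, FROM username) is a row in "uri"
    if (!db_check_from()) {
        xlog("L_WARN", "CLI $fU refused for auth user $au from $si\n");
        sl_send_reply("403", "Forbidden auth ID");
        exit;
    }
    consume_credentials();
}

# Option 2: own query on a hypothetical table trunk_cli(auth_user, cli)
route[AUTH_TRUNK_SQL] {
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    }
    # $fU is caller-controlled: escape it before it reaches the SQL string.
    # No row or a DB error both return false here, so the check fails closed.
    if (!avp_db_query("SELECT 1 FROM trunk_cli WHERE auth_user='$(au{s.escape.common})' AND cli='$(fU{s.escape.common})'", "$avp(cli_ok)")) {
        sl_send_reply("403", "Forbidden auth ID");
        exit;
    }
    consume_credentials();
}
```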