[OpenSIPS-Users] IP Based Authentication on Asterisk with OpenSIP (Bogdan-Andrei Iancu)

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Dec 14 10:24:24 CET 2009


Hi Muhammad,

Never did it by myself (as I do not put to much "intelligence" o 
Asterisk in my platforms), but AFAIK there are other people who manage 
to configure Asterisk to do IP based auth based on the header info.
About other switches , I do not know :(...

But another option is to simple move the IP-based auh on opensips - it 
can do  it via DB table - see the permission module, the "address" 
functionality (check_source_address () function).

Regards,
Bogdan


Muhammad Zulqarnain wrote:
> Hello!
>
> Thanks Bodgan!
>
> I have added following to sip header which add source IP in sip packet 
> before sending to asterisk.
>         append_hf("X-customer-ip: $si\r\n");
> Sip trace got following packet which add X-customer-ip: x.x.x.x to sip 
> header but I am wondering how to told/setup asterisk to read source IP 
> from additional sip header instead of network level. Also I have 
> another switch named Voipswitch on which I would not be able to 
> customize any thing to honor incoming sip header for source ip 
> validation so solution should work for all GW/Server other then 
> asterisk only.
>
> U 2009/12/12 18:58:32.829652 y.y.y.y:5060 -> z.z.z.z:5060
> INVITE sip:123456789 at y.y.y.y SIP/2.0.
> Record-Route: <sip:y.y.y.y;lr;ftag=a16f2b41;did=882.11d0f5f>.
> To: <sip:123456789 at y.y.y.y>.
> From: hello<sip:hello at y.y.y.y>;tag=a16f2b41.
> Via: SIP/2.0/UDP y.y.y.y;branch=z9hG4bKfb2e.a79595a4.0.
> Via: SIP/2.0/UDP 
> x.x.x.x:7266;received=x.x.x.x;branch=z9hG4bK-d87543-197592634-1--d87543-;rport=7266.
> Call-ID: 9867b13bdc3a4f30.
> CSeq: 1 INVITE.
> Contact: <sip:hello at x.x.x.x:7266>.
> Max-Forwards: 69.
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, 
> SUBSCRIBE, INFO.
> Content-Type: application/sdp.
> User-Agent: eyeBeam release 3007n stamp 17816.
> Content-Length: 237.
> X-customer-ip: x.x.x.x.
>
> Please suggest solution with sample configs.
>
> Thanks
> Regards
> Muhammad Zulqarnain
>
>
> >Hi Muhammad,
> >
> >What you can do (and I know for sure it works with Asterisk), is to 
> configure opensips (LB) to add the real src IP (IP of the client) 
> >into a SIP header (in the request) and send it to Asterisk - asterisk 
> will do IP based auth but will take IP from that header (custom >name) 
> instead of taking it from network level.
>
> >Regards,
> >Bogdan
>
> Muhammad Zulqarnain wrote:
> > Hello!
> >
> > This is Zulqarnain and my first post to this mailing list. I just 
> start using OpenSIP and trying to get myself familiar with OpenSIP and 
> it's config files, method etc.
> >
> > Well, I am trying to achieve following:
> > Client IP: x.x.x.x
> > OpenSIP: y.y.y.y
> > Asterisk: z.z.z.z
> >
> > 1) Client -> OpenSIP (Load_balancer) -> Asterisk1, Asterisk2....
> >    a) If Client Request is Register -> Relay to Asterisk (It is 
> working fine as peer is defined with user/passwd auth, host=dynamic)
> >    b) If Client Request is INVITE -> Relay to Asterisk (Asterisk 
> Reject as peer is defined as IP Auth, type=peer, host=x.x.x.x)
> >
> > "b" scenario failed as Asterisk read OpenSIP IP y.y.y.y and reject 
> the call as Asterisk is expecting Source IP x.x.x.x instead of y.y.y.y
> >
> > I tried following to fix but no success:
> >
> > 1) 302 Redirect for GW Clients, who can only authenticate by IP and 
> don't support registration with user/passwd. But my DID Provider don't 
> support 302 redirect although i have tested with Eyebeam Client in 
> peer to peer mode and it works. But as it didn't work with my provider 
> so I tried another way:
> >
> > 2) uac_replace_from & uac_replace_to function of uac.so module, I 
> tried to replace from/to field with client IP but still Invite is from 
> OpenSIP IP y.y.y.y and again Asterisk/Voipswitch (another switch) 
> reject call.
> >
> > If required I can post my config file as well here or pastebin for 
> your expert reviews. I would like to know if it is possible to achive 
> above scenario with OpenSIP, if Yes then how, any example would 
> appreciated.
> >
> > Another small problem is that while setting up 302 redirect I wanted 
> to pass $du value to rewritehost("") as $du have the address return by 
> load_balancer of destination IP and rewritehost() only accept string. 
> Looking for suggestion on this as well.
> >
> > Hopefully to receive positive reply by community.
> >
> > Thanks
> > Regards,
> > Muhammad Zulqarnain
> > MSN: zulqarnain at globalitvision.com 
> <mailto:zulqarnain at globalitvision.com>
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> > 
>
>
> -- Bogdan-Andrei Iancu
> www.voice-system.ro
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>   


-- 
Bogdan-Andrei Iancu
www.voice-system.ro




More information about the Users mailing list