Hello,

has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server? You use http or https?

Is there a danger that one uses a different MAC-address in the provisioning link to obtain SIP username / password settings?

Kind regards,
Jonas.

I haven't had much auto provisioning experience, however, what about just using IPTables to create an access list essentially for known IPs to connect via HTTP/HTTPS and block all other addresses. This would only work if the phones are coming from a Static IP, but I figured I'd give my 2 cents to try and help.

On Tue, Oct 26, 2010 at 11:31 AM, Jonas Kellens <jonas.kellens at telenet.be> wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different
> locations through a central public provisioning server? You use http or
> https?
>
> Is there a danger that one uses a different MAC-address in the provisioning
> link to obtain SIP username / password settings?
>
> Kind regards,
> Jonas.

--
Matt

You can provision over a WAN and access-lists or iptables can limit the networks allowed. Define what level of security you need first. For further security you can use an inbound proxy and check the http headers for agent identification. This can also be faked. Practice layers of security...

~
Andrew "lathama" Latham lathama at gmail.com

* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux

On Tue, Oct 26, 2010 at 12:31 PM, Jonas Kellens <jonas.kellens at telenet.be> wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different
> locations through a central public provisioning server? You use http or
> https?
>
> Is there a danger that one uses a different MAC-address in the provisioning
> link to obtain SIP username / password settings?
>
> Kind regards,
> Jonas.

Hello,

many SIP phones offer you the possibility of provisioning them over an FTP connection (with username and password).

Regards

- Bakko

On 10/26/2010 05:52 PM, bakko wrote:
> Hello,
>
> many SIP phones offer you the possibility of provisioning them over an FTP
> connection (with username and password).
>
> Regards
>
> - Bakko

In this case I will want to use Snom phones. TFTP is available, but no FTP (with indeed then a username and password). FTP would be great...

Jonas.

snom phones can do http digest authentication...

> In this case I will want to use Snom phones. TFTP is available, but no
> FTP (with indeed then a username and password). FTP would be great...
>
> Jonas.

On 26 Oct 2010, at 16:31, Jonas Kellens wrote:
> has anyone experience with auto provisioning IP-phones on different locations through a central public provisioning server? You use http or https?

What handset? That's rather what controls your options. Some support HTTPS with client certificate authentication. Some support passwords. Some don't.

S

On Tue, 2010-10-26 at 17:31 +0200, Jonas Kellens wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different
> locations through a central public provisioning server? You use http
> or https?
>
> Is there a danger that one uses a different MAC-address in the
> provisioning link to obtain SIP username / password settings?
>
> Kind regards,
> Jonas.

The company we use for provisioning snom phones delete the un pass info from the server once it has been picked up for the first time. That way no one else can access it by spoofing the MAC address

--
Ishfaq Malik
Software Developer
PackNet Ltd

Office: 0161 660 3062

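
The one-time pickup scheme described in the message above, sketched as an added example that is not part of the thread and not any vendor's or provisioning company's code. The class and function names are hypothetical, and the MAC and IP values are constructed from documentation ranges.

```python
import re
import secrets

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    mac = re.sub(r"[:.\-]", "", raw.strip().lower())
    return mac if re.fullmatch(r"[0-9a-f]{12}", mac) else None

class OneTimeProvisioner:
    """Hypothetical server-side store: credentials exist only until first pickup."""

    def __init__(self):
        self._pending = {}  # mac -> credentials still waiting for pickup
        self._served = {}   # mac -> source IP of the first (successful) pickup
        self.alerts = []    # (mac, source_ip, reason) for an operator to review

    def enroll(self, raw_mac, sip_user):
        mac = normalize_mac(raw_mac)
        if mac is None:
            raise ValueError("not a MAC address: %r" % (raw_mac,))
        self._pending[mac] = {"user": sip_user,
                              "password": secrets.token_urlsafe(16)}
        self._served.pop(mac, None)  # re-enrolling re-opens exactly one pickup
        return mac

    def fetch(self, raw_mac, source_ip):
        """Return (status, body) the way an HTTP handler would."""
        mac = normalize_mac(raw_mac)
        creds = self._pending.pop(mac, None) if mac else None
        if creds is not None:
            self._served[mac] = source_ip  # credentials are gone from the store now
            return 200, creds
        if mac in self._served:
            self.alerts.append((mac, source_ip, "repeat fetch after pickup"))
        elif mac is not None:
            self.alerts.append((mac, source_ip, "unknown MAC requested"))
        # Same answer for unknown and already-served MACs, so the response
        # does not reveal which MAC addresses are enrolled.
        return 404, None

def demo():
    # Constructed sample values: documentation MAC and IP ranges.
    p = OneTimeProvisioner()
    p.enroll("00:00:5E:00:53:01", "1001")
    first = p.fetch("00-00-5e-00-53-01", "192.0.2.10")[0]
    second = p.fetch("00005e005301", "198.51.100.7")[0]
    return first, second, p.alerts

if __name__ == "__main__":
    print(demo())
```

One-time pickup leaves the window before the first fetch open, so a phone that fails to provision while its entry is already marked served is the case to investigate and re-enroll with a fresh password.
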
On Tue, Oct 26, 2010 at 11:31 AM, Jonas Kellens <jonas.kellens at telenet.be> wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different
> locations through a central public provisioning server? You use http or
> https?
>
> Is there a danger that one uses a different MAC-address in the provisioning
> link to obtain SIP username / password settings?
>
> Kind regards,
> Jonas.

Yes, there is a danger, especially with TFTP, but also with FTP to a lesser degree.

If someone guessed correctly, they could download the config file for another phone.

Thanks,
Steve T

On Wed, Oct 27, 2010 at 4:04 AM, Ishfaq Malik <ish at pack-net.co.uk> wrote:
> On Tue, 2010-10-26 at 17:31 +0200, Jonas Kellens wrote:
> > Hello,
> >
> > has anyone experience with auto provisioning IP-phones on different
> > locations through a central public provisioning server? You use http
> > or https?
> >
> > Is there a danger that one uses a different MAC-address in the
> > provisioning link to obtain SIP username / password settings?
> >
> > Kind regards,
> > Jonas.
>
> The company we use for provisioning snom phones delete the un pass info
> from the server once it has been picked up for the first time. That way
> no one else can access it by spoofing the MAC address
>
> --
> Ishfaq Malik
> Software Developer
> PackNet Ltd
>
> Office: 0161 660 3062

What company is that? I have seen companies that do this but have never felt very secure handing the keys to the castle over to a 3rd party service.

It seems like a good idea, but I have trust issues, especially when you top off your prepaid service with $15k a week.

Thanks,
Steve T

On 10/27/2010 10:06 AM, Steve Totaro wrote:
> On Tue, Oct 26, 2010 at 11:31 AM, Jonas Kellens
> <jonas.kellens at telenet.be> wrote:
>
> > Hello,
> >
> > has anyone experience with auto provisioning IP-phones on
> > different locations through a central public provisioning server?
> > You use http or https?
> >
> > Is there a danger that one uses a different MAC-address in the
> > provisioning link to obtain SIP username / password settings?
> >
> > Kind regards,
> > Jonas.
>
> Yes, there is a danger, especially with TFTP, but also with FTP to a
> lesser degree.
>
> If someone guessed correctly, they could download the config file for
> another phone.
>
> Thanks,
> Steve T

If I find a way to implement it... https would be safer?

Or is the only safe way to work with certificates that are loaded on the IP-phone?!

Jonas.

Hi,

On Tue, Oct 26, 2010 at 05:31:00PM +0200, Jonas Kellens wrote:
> Hello,
>
> has anyone experience with auto provisioning IP-phones on different
> locations through a central public provisioning server? You use http or
> https?

What is it exactly that you want to guarantee? Authenticating the client? The server? Avoiding any leak of data to some eavesdropper?

> Is there a danger that one uses a different MAC-address in the
> provisioning link to obtain SIP username / password settings?

On a LAN it would be quite difficult to forge the MAC without it getting detected. But in your case, the MAC is merely an arbitrary ID of the client. It can probably serve as a useful unique ID. See the above question regarding authentication.

I also guess you should not use TFTP. Unless you have some spare time at boot.

--
Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir