>>> so the main question is -- how to Disallow CALLS without
registering
>>> on PBX
> In fact, I'm not sure that it's actually possible to disallow
[authenticated] calls from a peer that hasn't registered!
>
> As far as I can tell, 'registration' was never intended to be part
of the authentication process. It's sole purpose is to inform the PBX as to
the current location of the endpoint. I suspect this means that what the OP is
asking for cannot be achieved with the current code bases.
>
> But each time I'm proven wrong I learn something, so if I'm wrong
then please by all means correct me! :)
I think your understanding is largely correct... although I do believe
it _is_ possible to achieve what the original poster wants, with
a bit of dialplan trickery.
I think you're correct, in that registration of a peer (using proper
credentials) is not normally necessary in order for that peer to be
able to place a call (again, with those same valid credentials). The
"ingoing" and "outgoing" aspects of a peer are fundamentally
separate... and that's why there's no option which requires
registration to make a call.
The way you're "supposed to" prevent unauthorized calls, is to
make
sure that each peer has valid (unique, cryptographically-strong)
credentials (i.e. a proper password). The peer has to prove that it
has these when it places a call - and, so, registration per se is
irrelevant. As long as you don't allow anonymous calls to be placed,
you should be OK.
Now, there probably _is_ a way to force specific peers to register
prior to placing a call, if that's what you really want to do (although
I would ask "Why?" to anyone who wants to do things this way). The
way I would do it, in Asterisk, is:
- Turn on "qualify", so that Asterisk will check each registered
peer periodically and confirm that it's still on-line. Using
a modest registration timeout (a few minutes) is probably also
beneficial.
- Create a new dialplan context, which will be used as the initial
context for all of these peers when they try to place a call.
Specify this context in the definition of each such peer.
- In this call-placing context, have a single ruleset which matches
all numbers being dialed.
- In this ruleset, retrieve the name of the peer placing the call
(I think it's CHANNEL(peername) but I could be wrong).
- Test the peer's SIP status with SIPPEER($peername:status) and see
if it's OK. If so, the peer is registered - jump to another rule
or ruleset which dials the requested number. If not, reject the
call, or play a polite (or rude) message which explains that
unregistered phones may not place calls.