Brian J. Murrell
2019-Mar-01 18:48 UTC
[asterisk-users] pjsip: don't require authentication from remote i register to
I'm being told by my ITSP that my Asterisk shouldn't be challenging their system to authenticate (i.e. a 401 response) when they send me a SIP MESSAGE (or I suppose a SIP INVITE for that matter). But I'm not sure what a pjsip.conf configuration for that looks like. How does one associate an incoming call/message with an existing authenticated outgoing registration so that Asterisk doesn't return a 401 requiring authentication? Cheers, b. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: This is a digitally signed message part URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20190301/933aa2eb/attachment.sig>
Joshua C. Colp
2019-Mar-01 19:15 UTC
[asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, Mar 1, 2019, at 3:05 PM, Brian J. Murrell wrote:> I'm being told by my ITSP that my Asterisk shouldn't be challenging > their system to authenticate (i.e. a 401 response) when they send me a > SIP MESSAGE (or I suppose a SIP INVITE for that matter). > > But I'm not sure what a pjsip.conf configuration for that looks like. > > How does one associate an incoming call/message with an existing > authenticated outgoing registration so that Asterisk doesn't return a > 401 requiring authentication?You either configure IP based matching using an identify section[1] or you can try line functionality on the outbound registration which may or may not work[2] (requires the upstream to adhere to the RFC, which not all do). [1] https://wiki.asterisk.org/wiki/display/AST/res_pjsip+Configuration+Examples [2] https://blogs.asterisk.org/2016/01/27/the-pjsip-outbound-registration-line-option/ -- Joshua C. Colp Digium - A Sangoma Company | Senior Software Developer 445 Jan Davis Drive NW - Huntsville, AL 35806 - US Check us out at: www.digium.com & www.asterisk.org
Brian J. Murrell
2019-Mar-01 19:55 UTC
[asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, 2019-03-01 at 14:15 -0500, Joshua C. Colp wrote:> > You either configure IP based matching using an identify section[1]That's what I did: [itsp] type=registration transport=transport-udp outbound_auth=itsp-auth server_uri=sip:pop1.itsp.example.com client_uri=sip:XXX at pop1.itsp.example.com [itsp-auth] type=auth auth_type=userpass password=XXX username=XXX [itsp-endpoint](!) type=endpoint transport=transport-udp context=from-itsp message_context=messages disallow=all allow=ulaw from_user=XXX outbound_auth=itsp-auth auth=itsp-auth send_pai=yes [itsp-aor](!) type=aor qualify_frequency=15 [itsp-pop1](itsp-endpoint) aors=itsp-pop1 [itsp-pop1](itsp-aor) contact=sip:XXX at pop1.itsp.example.com:5060 [itsp-pop1] type=identify endpoint=itsp-pop1 ;match=pop1.itsp.example.com match=192.168.5.6 but SIP INVITE and SIP MESSAGE packets coming from 192.168.5.6 are still being challenged with 401 and not even printing any errors/warnings in the console about not being able to find an endpoint.> or you can try line functionality on the outbound registration which > may or may not work[2] (requires the upstream to adhere to the RFC, > which not all do).I'll read up on that and try in the meanwhile. Cheers, b. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: This is a digitally signed message part URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20190301/b09b6e35/attachment.sig>
Brian J. Murrell
2019-Mar-01 20:33 UTC
[asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, 2019-03-01 at 14:15 -0500, Joshua C. Colp wrote:> you can try line functionality on the outbound registration which > may or may not work[2] (requires the upstream to adhere to the RFC, > which not all do).My provider seems to implement this. However even with the line=... in the: SIP to address: sip:5555551212@<my_IP_address>:5060;line=dpnlyiu res_pjsip is still sending a 401 challenge. Removing the: auth=itsp-auth from my endpoint [template]: [itsp-endpoint](!) Has stopped pjsip from sending a 401 when my ITSP sends a SIP MESSAGE, but do I really want to have that endpoint without authentication? Cheers, b. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: This is a digitally signed message part URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20190301/0b7cc526/attachment.sig>