asterisk users - Mar 2019 - pjsip: don't require authentication from remote i register to

I'm being told by my ITSP that my Asterisk shouldn't be challenging
their system to authenticate (i.e. a 401 response) when they send me a
SIP MESSAGE (or I suppose a SIP INVITE for that matter).

But I'm not sure what a pjsip.conf configuration for that looks like.

How does one associate an incoming call/message with an existing
authenticated outgoing registration so that Asterisk doesn't return a
401 requiring authentication?

Cheers,
b.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20190301/933aa2eb/attachment.sig>

On Fri, Mar 1, 2019, at 3:05 PM, Brian J. Murrell wrote:
> I'm being told by my ITSP that my Asterisk shouldn't be challenging
> their system to authenticate (i.e. a 401 response) when they send me a
> SIP MESSAGE (or I suppose a SIP INVITE for that matter).
> 
> But I'm not sure what a pjsip.conf configuration for that looks like.
> 
> How does one associate an incoming call/message with an existing
> authenticated outgoing registration so that Asterisk doesn't return a
> 401 requiring authentication?
You either configure IP based matching using an identify section[1] or you can
try line functionality on the outbound registration which may or may not work[2]
(requires the upstream to adhere to the RFC, which not all do).

[1] https://wiki.asterisk.org/wiki/display/AST/res_pjsip+Configuration+Examples
[2]
https://blogs.asterisk.org/2016/01/27/the-pjsip-outbound-registration-line-option/

-- 
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org

On Fri, 2019-03-01 at 14:15 -0500, Joshua C. Colp wrote:
> 
> You either configure IP based matching using an identify section[1] 
That's what I did:

[itsp]
type=registration
transport=transport-udp
outbound_auth=itsp-auth
server_uri=sip:pop1.itsp.example.com
client_uri=sip:XXX at pop1.itsp.example.com

[itsp-auth]
type=auth
auth_type=userpass
password=XXX
username=XXX

[itsp-endpoint](!)
type=endpoint
transport=transport-udp
context=from-itsp
message_context=messages
disallow=all
allow=ulaw
from_user=XXX
outbound_auth=itsp-auth
auth=itsp-auth
send_pai=yes

[itsp-aor](!)
type=aor
qualify_frequency=15

[itsp-pop1](itsp-endpoint)
aors=itsp-pop1
[itsp-pop1](itsp-aor)
contact=sip:XXX at pop1.itsp.example.com:5060

[itsp-pop1]
type=identify
endpoint=itsp-pop1
;match=pop1.itsp.example.com
match=192.168.5.6

but SIP INVITE and SIP MESSAGE packets coming from 192.168.5.6 are
still being challenged with 401 and not even printing any
errors/warnings in the console about not being able to find an
endpoint.
> or you can try line functionality on the outbound registration which
> may or may not work[2] (requires the upstream to adhere to the RFC,
> which not all do).
I'll read up on that and try in the meanwhile.

Cheers,
b.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20190301/b09b6e35/attachment.sig>

On Fri, 2019-03-01 at 14:15 -0500, Joshua C. Colp wrote:
> you can try line functionality on the outbound registration which
> may or may not work[2] (requires the upstream to adhere to the RFC,
> which not all do).
My provider seems to implement this.

However even with the line=... in the:

SIP to address: sip:5555551212@<my_IP_address>:5060;line=dpnlyiu

res_pjsip is still sending a 401 challenge.

Removing the:

auth=itsp-auth

from my endpoint [template]:

[itsp-endpoint](!)

Has stopped pjsip from sending a 401 when my ITSP sends a SIP MESSAGE,
but do I really want to have that endpoint without authentication?

Cheers,
b.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20190301/0b7cc526/attachment.sig>