Authentication restrictions

AB
Posts: 39
Member Since:
2007-09-10

Hi all!

I want to make extension registrations by Auth (username+password) AND by IP, so if some user wants to register to extension 200, the user needs to enter user+pass and he can register just from 10.0.0.30 for this extension. If the user has IP 10.0.0.31 or something else, the user needs to be denied...

Now on my 2.6.1 trixbox I set auth (user+pass) with host=dynamic. But when I enter an IP address instead of dynamic the user agent can't register (403 - Forbidden).

So, is there any possibility to make a double check of the user agent, by auth and by IP?

Tnx in advance...



AB
Posts: 39
Member Since:
2007-09-10
So, nobody knows?
I need to know whether to continue searching for a solution or not...
This is needed because I have some users who change their IP and I want to restrict their access to the PBX in case they do that.



bubbapcguy
Posts: 3774
Member Since:
2006-06-02
ip

Your best bet would be to use your firewall to do this; your way would be a lot of hassle when it would be easier with a firewall or even using iptables.



AB
Posts: 39
Member Since:
2007-09-10
Hi bubbapcguy!
You're right, but that's not enough for my situation.

Let me give you an example:
user1 (ip:10.0.0.51) extension 201
user2 (ip:10.0.0.52) extension 202

I want to exclude the kind of situation where user1 sets himself IP 10.0.0.52 and logs in to his extension, because in this case I get big chaos on my network (in my case almost 200 users). I want all things to be ordered, and in case of trouble to know where to look...

Such stuff I can't do in iptables...



IcelandDreams
Posts: 415
Member Since:
2007-09-11
Can you lock down the phone with an admin password so they can't change the IP? Do you use DHCP and tie a specific IP to each MAC address? After that you can work on restricting it at the PBX. As far as I know you should be able to use a static IP in the extension/host value but as you've seen that is not working correctly. Ideally you would use a host name so that you can control things at the DHCP/DNS server.



AB
Posts: 39
Member Since:
2007-09-10
The softphones installed on PCs and laptops make my life harder.... All this is about them... The worst thing is that I can't have access to them at any time. So I need to restrict them by IP and by auth.



IcelandDreams
Posts: 415
Member Since:
2007-09-11
Ah, softphone. Then you want to lock down the PC itself. Same idea: lock their MAC address to a static IP at the DHCP server. And if possible (windoze, oh well) make their PC user account non-admin and they can't change the IP.

You can get a lot more detailed and complicated depending on what hardware and software you have on the network. But if the users are admins on their desktops and they are playing games with the configs then you have more issues than just softphones.



AB
Posts: 39
Member Since:
2007-09-10
Hi IcelandDreams!

This network is some kind of home LAN, and there is no AD or other stuff... There is no DHCP server (yes, I can set one up, but like I said, I don't have access to all PCs & laptops to configure them). From this point of view, I think, the optimal way is to lock IP to extension, and every extension needs to use authentication to exclude the situation where someone sets a foreign IP and makes calls from the extension that trusts this IP. But extension restrictions can be made only in the PBX, at the authentication level. This is why I'm asking if there is any possibility to restrict by auth and by IP.



AB
Posts: 39
Member Since:
2007-09-10
Hi ppl,

No one knows? Does this mean that it is impossible to get registration by auth and by trusted IP?

I think this needs to be implemented, for those who need advanced security...

Tnx anyway.



SkykingOH
Posts: 9538
Member Since:
2007-12-17
SIP peer ACL's

deny= and allow= in the SIP peer.

For instance:

deny=0.0.0.0/0.0.0.0
permit=192.168.1.55/255.255.255.255

Will only allow registrations from 192.168.1.55 for that peer.

Surely an advanced user such as yourself has read the Asterisk documentation before claiming that the package does not have the capability you need?

--

Scott

aka "Skyking"



AB
Posts: 39
Member Since:
2007-09-10
Hi SkykingOH,

Hm, I always thought that allow/disallow is for enabling or disabling codecs...

In the "Extensions" section we have host (with 'dynamic' set by default), and type (by default set as 'friend').
If I set the type as 'peer', then Asterisk doesn't check the username and password; the registration is denied with the error:
[Sep 5 10:02:22] ERROR[6725] chan_sip.c: Peer '3350' is trying to register, but not configured as host=dynamic
[Sep 5 10:02:22] NOTICE[6725] chan_sip.c: Registration from '"3350" ' failed for '192.168.6.23' - Peer is not supposed to register

It only works if I set the host to dynamic, but then there is no check by IP...



SkykingOH
Posts: 9538
Member Since:
2007-12-17
Sorry it's deny= and permit=

Sorry, it's deny= and permit=, I mistyped.

--

Scott

aka "Skyking"



AB
Posts: 39
Member Since:
2007-09-10
Hi SkykingOH,

In the "Extensions" section I didn't see any field for deny/permit... Only in the "Trunk" section.



SkykingOH
Posts: 9538
Member Since:
2007-12-17
ACL's

You can't access the feature from FreePBX, you have to use sip_custom.conf

--

Scott

aka "Skyking"
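The deny=/permit= peer ACL Scott describes, and his note that on FreePBX it has to go into sip_custom.conf, as an added example that is not from this thread, from Asterisk or from FreePBX: a Python script that parses a constructed sip_custom.conf fragment (peer name, secret and addresses are made up) and evaluates a registration source address against the peer's ACL the way Asterisk's ast_apply_ha() does, i.e. rules in the order written, the last matching rule wins, and a peer with no rules accepts any address. Because order matters, a permit line written before a deny-all line locks everyone out, which the example also checks.

```python
# Added example (not from the thread, Asterisk or FreePBX): parse a
# sip_custom.conf-style peer section and evaluate its deny=/permit= ACL
# in Asterisk order (rules top to bottom, last match wins).
import ipaddress
import re

# Constructed sip_custom.conf fragment: password auth is kept
# (secret + host=dynamic) and registration is pinned to one source address.
SIP_CUSTOM_CONF = """
[3350]
type=friend
host=dynamic
secret=CHANGE-ME          ; constructed placeholder secret
deny=0.0.0.0/0.0.0.0
permit=192.168.1.55/255.255.255.255
"""

def parse_peers(text):
    """Return {peer: [(key, value), ...]}, keeping option order (it matters for ACLs)."""
    peers, current = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in Asterisk configs
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            peers[current] = []
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            peers[current].append((key, value))
    return peers

def to_network(spec):
    """Accept 'addr/dotted-mask' or 'addr/prefixlen', both valid in Asterisk."""
    addr, _, mask = spec.partition("/")
    return ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)

def acl_allows(options, source_ip):
    """Start permissive; every deny/permit rule that matches overrides the verdict."""
    allowed = True
    src = ipaddress.ip_address(source_ip)
    for key, value in options:
        if key in ("deny", "permit") and src in to_network(value):
            allowed = key == "permit"
    return allowed

def registration_allowed(conf_text, peer, source_ip):
    """True if a REGISTER from source_ip would pass the peer's ACL (auth still applies)."""
    return acl_allows(parse_peers(conf_text)[peer], source_ip)
```

The ACL only decides which source addresses may reach the peer; the secret on the same host=dynamic peer still has to be matched, which is the "auth AND IP" combination asked for in the thread.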


