allowguest = yes? no?


Hello

I don’t understand how I should use the “allowguest” item: If set to
“yes”, callers from the Net should authenticate, but then, how can I
allow strangers to call extensions in my system?

“allowguest

If set to no, this disallows guest SIP connections. The default is to
allow guest connections. SIP normally requires authentication, but you
can accept calls from users who do not support authentication (i.e.,
do not have a secret field defined). Certain SIP appliances (such as
the Cisco Call Manager v4.1) do not support authentication, so they
will not be able to connect if you set allowguest=no:
allowguest=no|yes”

(from “Asterisk – The future of Telephony”)

Thank you.

4 thoughts on - allowguest = yes? no?

  • What they are talking about is SIP URI dialling. Let's say you have
    extension 1000 that rings a phone on your system. With allowguest=yes I
    would be allowed to dial SIP:/1000@yourdomain.com and assuming the
    context defined in your [General] section had access to exten 1000 I
    would connect to that phone. With allowguest=no my call would be rejected.

    That does not mean that strangers can not call an IVR and get to your
    1000 extension or even a DID that points right to it.

    If you are going to allowguest=yes you need to take careful note of your
    contexts so as not to allow strangers access to parts of your dial plan
    that have, let's say, long distance routes.

    Does that help?

    Thanks!!

    Jim

  • On Tue, 24 Jan 2012 09:55:12 -0500, Jim DeVito
    wrote:

    Thanks for the clarification.

    Provided I do want strangers to call extensions through an SIP URI
    instead of using the PSTN, how can I raise security by requiring that
    they authenticate?

    Or do you mean that the choice is between
    – don’t allow SIP URI at all (allowguest=no), so strangers can reach
    extensions only through the PSTN (but it’s a waste of money)
    – allow SIP URI (allowguest=yes) and make sure the context doesn’t
    allow making calls to the PSTN?

  • By definition this is impossible. If the caller is a ‘stranger’, that
    means you have no knowledge of them prior to their INVITE request
    arriving at your server. If you have no knowledge of them, then you
    don’t have any ‘shared secret’, and thus they cannot authenticate to
    your server.

  • On Tue, 24 Jan 2012 09:26:26 -0600, “Kevin P. Fleming”
    wrote:

    Mmm, so if I want to allow strangers to call us over the Net, I must
    1. allowguest=yes
    2. make sure the context they enter will not allow them to make calls
    through the PSTN, either directly (through our plug in the wall) or
    indirectly (through an ITSP).

    Thank you.
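
The check the thread converges on (guests allowed, but the context they land in must not reach a PSTN route) can be automated. The following is an added example, not part of the original thread or of Asterisk itself; the context names `from-internet` and `outbound`, the trunk peer name `itsp`, and the sample configs are constructed assumptions.

```python
import re

# Constructed sample configs, not from the thread. The context names and the
# trunk peer name "itsp" are assumptions made for this example.
SIP_CONF = "[general]\nallowguest=yes\ncontext=from-internet\n"
LOCAL = "[from-internet]\nexten => 1000,1,Dial(SIP/1000,20)\n"
OUTBOUND = "[outbound]\nexten => _9.,1,Dial(SIP/itsp/${EXTEN:1})\n"
WEAK_DIALPLAN = LOCAL + "include => outbound\n" + OUTBOUND  # guests inherit the PSTN route
SAFE_DIALPLAN = LOCAL + OUTBOUND  # guests can reach extension 1000 only

def sections(text):
    """Split Asterisk-style config text into {section name: [lines]}."""
    out, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        head = re.match(r"\[([^\]]+)\]", line)
        if head:
            cur = out.setdefault(head.group(1), [])
        elif line and cur is not None:
            cur.append(line)
    return out

def guest_context(sip_conf):
    """Context unauthenticated callers land in, or None if guests are rejected."""
    general = {}
    for name, lines in sections(sip_conf).items():
        if name.lower() == "general":
            general = {k.strip().lower(): v.strip()
                       for k, _, v in (entry.partition("=") for entry in lines)}
    if general.get("allowguest", "yes").lower() == "no":  # guests allowed by default
        return None
    return general.get("context", "default")

def exposed_trunk_dials(sip_conf, dialplan, trunks):
    """Return (context, line) pairs reachable by guests that Dial() a trunk peer."""
    plan, start = sections(dialplan), guest_context(sip_conf)
    todo, seen, hits = ([start] if start else []), set(), []
    while todo:
        ctx = todo.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        for line in plan.get(ctx, []):
            inc = re.match(r"include\s*=>\s*(\S+)", line)
            if inc:
                todo.append(inc.group(1))  # included contexts are reachable too
            elif any(re.search(r"Dial\(\s*SIP/%s/" % re.escape(t), line) for t in trunks):
                hits.append((ctx, line))
    return hits
```

Only `include =>` chains are followed; a `Goto()` or Local channel that jumps from the guest context into an outbound one is not detected and still needs a manual read of the dialplan.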