Multi Step Auth?


Hi,

We have been using Voxbone for some time for origination, and they now offer E911 services.  We are trying to set this up and having trouble meeting their authentication requirements.

I set up a peer as I normally would, with user/pass as they supplied (“lacoursj”, “pass”), but my calls are rejected.  Their support is asking that I follow this auth mechanism:

1st step – You send an INVITE message.
2nd step – We respond with a 407.
3rd step – You send a RE INVITE message including your credentials.

 The tricky bit seems to be that they want the original INVITE to look like:

From: ;tag=as00771983. To: . Contact: .

The “1786…” above is meant to be the DID number that is placing the
911 call. Our DID numbers don’t have peer or user entries in sip.conf. My peer isn’t sending that, though, it is sending:

From: ;tag=as00771983. To: . Contact: .

They claim that ‘lacoursj’ shouldn’t be sent until step 3.

I have never been asked to authenticate this way… can Asterisk chan_sip do it?

Cheers,

j

6 thoughts on - Multi Step Auth?

  • try setting the callerid with

    same => n,Set(CALLERID(all)=864089672 <17864089672>)

    Of course, for each customer you will need to provide his own DID.

  • I *am* doing that, as I assumed it would be required just for the 911
    mapping we have provided, but that doesn’t change the SIP header.

    Cheers,

    j

  • try adding a + sign for the number

    same => n,Set(CALLERID(all)=864089672 <+17864089672>)

  • That still doesn’t change the SIP header.  Basically they want to send a RE INVITE and authenticate my DID number.  But my DID number does not have a peer or user entry in sip.conf.  Perhaps I am answering my own question, but is that the only way this is going to work?

    Thanks,

    j

  • Try to set fromuser=number in your sip provider peer configuration

  • Maybe you should post their requirements (instead of your rephrasing of them). Do they actually want to have different from/to and contact(!) in one SIP dialog? But AFAIK you don’t have such control in Asterisk, you can only influence the original INVITE and then have Asterisk respond to an auth challenge, which you can influence with defaultuser according to sip.conf.

    So experiment with something like
    [user]
    fromuser=thenumber
    defaultuser=theusername
    remotesecret=thepassword

    and see what the fromuser in request is and what the authentication user in the Authorization header is in step 3, according to sip.conf remarks it should be:

    From:
    To:…. Authorization: Digest username=”defaultuser”….
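
The three-step exchange discussed in this thread, as an added example that is not part of any post above and is not Asterisk code: it shows that the user part of From (the DID) and the digest username in the answer to the 407 are independent, because From is not an input to the digest. Apart from the DID, "lacoursj" and "pass", every host, realm, nonce and URI is constructed, and only an MD5 challenge without qop is handled.

```python
import hashlib
import re

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(value: str) -> dict:
    """Split a 'Digest realm="...", nonce="..."' header value into its parameters."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def digest_response(user, password, method, uri, chal):
    """RFC 2617 MD5 response for a challenge that carries no qop."""
    if chal.get("algorithm", "MD5").upper() != "MD5" or "qop" in chal:
        raise ValueError("this sketch handles algorithm=MD5 without qop only")
    ha1 = md5_hex(f"{user}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{chal['nonce']}:{ha2}")

def invite_headers(from_user, host, auth=None):
    """Identity headers of the INVITE; credentials appear only when auth is given."""
    hdrs = {"From": f"<sip:{from_user}@{host}>;tag=as00771983",
            "To": f"<sip:911@{host}>",                # assumed request target
            "Contact": f"<sip:{from_user}@{PBX}>"}
    if auth:
        hdrs["Proxy-Authorization"] = auth
    return hdrs

def answer_407(from_user, host, auth_user, password, challenge_value):
    """Step 3: resend the INVITE with the same From plus digest credentials."""
    chal = parse_challenge(challenge_value)
    uri = f"sip:911@{host}"
    resp = digest_response(auth_user, password, "INVITE", uri, chal)
    auth = (f'Digest username="{auth_user}", realm="{chal["realm"]}", '
            f'nonce="{chal["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')
    return invite_headers(from_user, host, auth)

# Constructed sample values (hypothetical hosts, realm and nonce).
HOST, PBX = "sip.example.net", "pbx.example.org"
CHALLENGE = 'Digest realm="example.net", nonce="4f2a9c1be07d", algorithm=MD5'

if __name__ == "__main__":
    for step in (invite_headers("17864089672", HOST),                           # step 1
                 answer_407("17864089672", HOST, "lacoursj", "pass", CHALLENGE)):  # step 3
        print("\n".join(f"{k}: {v}" for k, v in step.items()), end="\n\n")
```
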