It looks like auth_check() will work. It seems intelligent enough to scan all instances of the same domain as long as the username is unique, so that should get things working.
The problem here is that there is a fundamental difference between Asterisk and Kamailio authentication. Asterisk authentication works with FQDN or IP. However, Kamailio is not designed to authenticate anything with FQDN unless it is also a realm and identified as such by the UA. I believe that is the main issue here. SIP trunks typically do not use or care about realm. So after the initial INVITE response from Kamailio, the SIP trunk provider typically responds with the IP address as the realm.
It does almost seem like there should be a special module to deal with this sort of thing. None of the existing modules seem to be the right fit.
On 3/18/2015 9:03 AM, Daniel Tryba wrote:
On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
I can run a cron job every hour to DNS lookup and update the ip_addr table as needed so I think this is a satisfactory solution for IP authentication.
Is there a mechanism to identify all originating servers for a hostname/domain? If the answer is no (and AFAIK it is) then this solution doesn't work.
I used this in the past: a subscriber has a userpref with an ip/port combo. But this isn't an answer for subaccounts on trunks (unless you can get the sender to actually use different ports). 3 is the whitelist for IP addresses on record. I abandoned this due to too many problems with trunks; they just have to authenticate or go elsewhere.
BTW, only for TCP, since UDP sources can be spoofed. I guess the best way is to use TLS with certificate verification (good luck getting the trunks to implement this :)
route[AUTHENTICATE] {
    # Source-IP auth only for non-REGISTER requests from a whitelisted source
    # (permissions address group 3) and only over TCP, since UDP sources can be spoofed.
    if (!is_method("REGISTER") && allow_address("3", "$si", "$sp") && $proto == "tcp") {
        # Map source ip:port (or an ip:% wildcard row) to a username. $td comes from
        # the request's To header, so escape it before interpolating it into SQL.
        if (!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$(td{s.escape.common})' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1")) {
            xlog("L_ALERT", "ACL: $rm from $fu (IP:$si:$sp)\n");
            sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
            exit;
        }
        # avp_db_query() with no destination list stores the first result column in $avp(i:1)
        $avp(au) = $avp(i:1);
    } else {
        # Everything else must present digest credentials from the subscriber table
        if (!www_authenticate("$td", "subscriber")) {
            xlog("L_ALERT", "AUTHENTICATE: $rm from $fu to $tu (IP:$si:$sp)\n");
            www_challenge("$td", "1");
            exit;
        }
        $avp(au) = $au;
        consume_credentials();
    }
}
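To see what the source-IP branch of that route actually returns for a given request, here is an added Python model of it (my example, not code from the thread, from Daniel, or from Kamailio). It replaces the Kamailio database with an in-memory sqlite table of constructed usr_preferences rows (only the four columns the query touches), models the permissions address group "3" as a set of (ip, port) pairs with port 0 meaning any port, and runs the posted SELECT unchanged next to a stricter variant. All addresses, usernames and the domain are made up. The check worth noticing: `value like 'ip:%'` also matches every other `ip:port` row for that IP, and `order by length(value)` ascending returns the shortest candidate, so with several port-specific sub-accounts on one IP the request can be attributed to the wrong one regardless of its real source port; the strict variant accepts only the exact `ip:port` row or a literal `ip:%` row and prefers the exact one. Anything not arriving over TCP is left to the digest branch.

```python
import sqlite3

# Constructed sample rows (not from the thread) in the shape the posted
# avp_db_query expects: attribute='ip_authentication', value='ip:port' for a
# specific sub-account, or 'ip:%' as a wildcard for any source port.
SAMPLE_PREFS = [
    ("trunkA",     "example.net", "ip_authentication", "203.0.113.10:%"),
    ("trunkA-sub2", "example.net", "ip_authentication", "203.0.113.10:5062"),
    ("trunkB",     "example.net", "ip_authentication", "198.51.100.7:5060"),
    ("trunkC-a",   "example.net", "ip_authentication", "192.0.2.50:5060"),
    ("trunkC-bb",  "example.net", "ip_authentication", "192.0.2.50:15060"),
]

# Stand-in for permissions address group "3" (assumed): (ip, port) pairs,
# with port 0 meaning "any port" as in the address table.
ADDRESS_GROUP_3 = {("203.0.113.10", 0), ("198.51.100.7", 5060), ("192.0.2.50", 0)}

# The SELECT exactly as posted, parameterised instead of string-interpolated.
# 'like ip:%' matches every row for that IP, and ascending length ordering
# returns the shortest of them.
POSTED_QUERY = (
    "select username from usr_preferences"
    " where attribute='ip_authentication' and domain=?"
    " and (value=? or value like ?)"
    " order by length(value) limit 1"
)

# Stricter variant: only the exact ip:port row or the literal 'ip:%' wildcard
# row qualifies, and the longer (exact) one wins.
STRICT_QUERY = (
    "select username from usr_preferences"
    " where attribute='ip_authentication' and domain=?"
    " and (value=? or value=?)"
    " order by length(value) desc limit 1"
)


def build_db():
    """In-memory usr_preferences with only the columns the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table usr_preferences"
                 " (username text, domain text, attribute text, value text)")
    conn.executemany("insert into usr_preferences values (?,?,?,?)", SAMPLE_PREFS)
    return conn


def allow_address(group, si, sp):
    """Model of allow_address(): exact ip:port, or ip with port 0 (any port)."""
    return (si, sp) in group or (si, 0) in group


def ip_auth_username(conn, si, sp, td, proto, strict=False):
    """Decision of the IP branch of route[AUTHENTICATE] for one request.

    Returns the username the request is attributed to, or None when the
    request is not eligible for source-IP auth (digest challenge / 403).
    """
    # UDP source addresses are spoofable, so the source-IP shortcut is TCP-only.
    if proto != "tcp":
        return None
    # The source must be whitelisted before usr_preferences is consulted.
    if not allow_address(ADDRESS_GROUP_3, si, sp):
        return None
    query = STRICT_QUERY if strict else POSTED_QUERY
    row = conn.execute(query, (td, f"{si}:{sp}", f"{si}:%")).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    for req in [("203.0.113.10", 5062, "example.net", "tcp"),
                ("192.0.2.50", 15060, "example.net", "tcp"),
                ("203.0.113.10", 5062, "example.net", "udp"),
                ("198.51.100.7", 5061, "example.net", "tcp")]:
        print(req, "posted:", ip_auth_username(db, *req),
              "strict:", ip_auth_username(db, *req, strict=True))
```

Running it shows the request from 192.0.2.50:15060 being attributed to trunkC-a by the posted query (the shorter `192.0.2.50:5060` row satisfies the `like`), while the strict variant returns trunkC-bb; the 203.0.113.10 case shows the wildcard row winning over the port-specific one for the same reason. Neither variant changes the TCP-only and whitelist gates, which are what keep a spoofed UDP source from reaching the lookup at all.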