[Serusers] Accept invite only for registered users

sendman sendman at gmail.com
Wed Dec 1 15:58:04 CET 2004


How can I check if caller user has valid credentials on my sip server?

I have to use www_authorize on INVITE message or in route to pstn segment ?

All calls on my server must be payed, so I have to check if the caller
is valid on my realm, if I setup my ata186 to not do SIPregon and use
a inexistent user, I can make a call.


On Wed, 01 Dec 2004 15:16:03 +0100, Andreas Granig <a.granig at inode.at> wrote:
> Bruno Lopes F. Cabral wrote:
> >> But why do you want to force users to register?
> >
> > perhaps because all calls must be payed, or to prevent non-registered
> > (i.e. blocked) users to place calls to outside...
> 
> If users have to proxy_authenticate() when calling, there's no problem
> with accounting.
> 
> Explicitely blocked users can be handled with groups, so you can differ
> between incoming-blocked and outgoing-blocked, e.a.:
> 
>    # proxy_authenticate() here, then:
> 
>    if(method == "INVITE")
>    {
>      if(!check_from())
>      {
>        # spoofed From-URI, send 403 here
>        break;
>      }
> 
>      if(is_user_in("credentials", "outblocked"))
>      {
>        # outgoing call attempt of blocked user, deflect to announcement
>        # or send 403 here
>        break;
>      }
> 
>      if(does_uri_exist() && is_user_in("Request-URI", "inblocked"))
>      {
>        # incoming call to local blocked user, see above
>        break;
>      }
>    }
> 
> and use serctl for blocking users: "serctl acl grant <user> outblocked"
> 
> So still no need to register.
> 
> > but it would also prevent outside calls to registered
> > (local) users to be placed, am I right?
> 
> Only if the caller can't proxy_authenticate(). If there are for example
> PSTN gateways which don't authenticate, you've to create some kind of
> "trusted network", e.a.:
> 
>    if(method == "INVITE")
>    {
>      if(!(src_ip==gw1.your.domain || src_ip==gw2.your.domain))
>      {
>        if(!proxy_authenticate(...))
>        {
>          # untrusted caller failed to authenticate
>          proxy_challenge(...);
>          break;
>        }
>      }
>      else
>      {
>        # trusted sources don't have to authenticate
>      }
>    }
> 
> Hope this helps,
> Andy
> 
> 
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>




More information about the sr-users mailing list