SIP config to allow passwordless connection to place calls?

Get help with installing, upgrading and running Asterisk.

Moderators: muppetmaster, Moderator, Support

SIP config to allow passwordless connection to place calls?

Postby pyromancer » Wed Dec 23, 2015 6:27 pm

I have an Asterisk 1.4 system with multiple users.

Until now, where a user required the ability to place calls, we provided them with a SIP/IAX account with a username and password, plus a custom routing setup in extensions.conf (so we can control what numbers people can call), their device then logs in with the user/pass, finds itself in the correct context, and can make calls.

We also have customers who terminate banks of numbers on our system and we then pass the calls on to their equipment via passwordless SIP accounts, where our extensions.conf config routes the calls to their named SIP paths, and sip.conf then sends them to the relevant IP address - but these connections are strictly us -> user only.

We now have a customer with a Cisco device that doesn't support user/pass login on SIP, only IP-based no-password connections, who wishes to place outbound calls to the PSTN via our system.

I have created a passwordless IP-locked SIP account, type friend, with qualify=yes set, and I can see their device in sip show peers - 290-odd ms away but always accessible. The SIP account has a context set and the matching details and outbound routing (same as all our other configs) are set up in extensions.conf. This first forces the correct CLI on the calls (we need this for billing purposes, and have it on all our accounts to prevent abuse) and then routes them out as required.

However when the customer attempts to place calls, they don't appear to be coming from the correct context - the "from" is "" and none of the various stages of CLI setting are triggered, and the calls error with "rejected because extension not found."

The sip.conf section looks like this (identifying details radacted - UserContext is a unique context for this user only):

Code: Select all
; Manual SIP trunk for <customer>
; end of Manual SIP trunk for <customer>

And this is the extensions.conf entry

Code: Select all
; <customer> (P, 2015-12-21)
exten => _X.,1,Set(CALLERID(all)="020<cli>)" <020<cli>>)
exten => _X.,2,Set(CALLERID(ANI)=020<cli>)
exten => _X.,3,NoOp(UserContext ${CALLERID(num)} ${CALLERID(ani)} to 44${EXTEN:1})
include => free_internal
include => internal_short_codes
include => user_dial_UserContext

; Outbound calling routings (just _X. means no outbound calls allowed)
exten => _01.,4,Dial(SIP/toOutBoundBT/${EXTEN:1})
... (there are lines for each allowed call code type)
; end <customer> (P, 2015-12-21)

I can see that the user is there:

Code: Select all
asterisk -rx 'sip show peers' |grep 'x.x.x.x'
UserContext   x.x.x.x      N      5060     OK (283 ms)

And here is the log entry when they try and place a call - note none of the steps show up, which tells me it's not arriving within the context it should be:

Code: Select all
[2015-12-23 02:15:26] NOTICE[2844] chan_sip.c: Call from '' to extension '012<number>' rejected because extension not found.

Am I missing something from the sip.conf that will enable the customer to come in on the correct context, or does the user need to do something specific to register? Or do we need to register to them? Although I've been administering this Asterisk server for quite a few years now, I've never taken outbound calls from an account without a secret before, so this aspect is new to me.

I've searched on voip-info and googled, but all references I can find to accepting outbound calls from users appear to suggest using a conventional user/pass login.
Posts: 1
Joined: Wed Dec 23, 2015 6:19 pm

Re: SIP config to allow passwordless connection to place calls?

Postby david55 » Thu Dec 24, 2015 6:46 am

In principle there is nothing wrong except that nat=yes is deprecated in supported versions, and generally overused, as a result of cook book construction of configuration files.

I can't see that type=friend offers any advantage over type=peer, and as it negates the security from IP matching it undesirable, but there is no reason it should stop things from working. As the peers don't seem to be sending a from user part, the type=user aspect of type=friend will never be exercised for legitimate calls.

You need to provide logging of the actual SIP request being received, including its source IP address.

Unauthenticated peers are certainly allowed, and were even in 1.4.

Asterisk 1.4 is unsupported, and there have been significant internal changes in how the peer/user/friend split is handled since then.

I would consider a 283ms round trip time as bordering on the unacceptable.
Moves Like Spencer
Posts: 12570
Joined: Fri Sep 26, 2008 5:03 am

Return to Asterisk Support

Who is online

Users browsing this forum: No registered users and 1 guest