1
votes

I'm using Asterisk to bridge SIP calls inside my company.

Only authenticated/authorized users are allowed to make calls.

We already have a service that handles authentication, so is there any way to integrate the authentication from Asterisk (sip.conf) to our service?

So, instead of typing all users and passwords in sip.conf, Asterisk could simply call some API that communicates with our authentication service.

Basically I need a way to get the username/password from the SIP device and authenticate. Since each user has a different password it would become impractical to type it all inside sip.conf when we already have all the users/passwords in our database.

Thanks

4 Answers

3
votes

There are plenty of ways to do auth in Asterisk:

  • Use the Asterisk realtime architecture; auth is via a database (MySQL/ODBC). This is the HIGHLY recommended method. For realtime SIP integration see this.
  • Use the exec include method (on reload, execute an external script which supplies the config). It will change the config only on reloads. Check this link
  • Use OpenSER (Kamailio/OpenSIPS) before Asterisk, and use avpairs with curl to get an answer from your API. Your API has to be REALLY quick and you need to be an expert in OpenSIPS/Kamailio.

Since all of these are quite common things for Asterisk, you probably need an Asterisk expert to validate/security audit/performance audit your system, or you need someone from your staff to read some books like O'Reilly's Asterisk: The Future of Telephony just to understand some possible issues.

1
votes

arheops has hit the big options dead on. He's cool like that. Alternately, if your phone supports XML browsing/java apps on-phone as some do, you can also use a custom SIP header to provide a second authentication factor. So, the phone has a non-rotating RSA key, for the first authentication factor, and then dynamically executes a CHAP-style call to your authentication server to retrieve a much shorter-lived "go key" which is included as a custom SIP header. No time-valid header, no call permissions. If you can derive a two-factor authentication scheme, with one factor being an RSA/DSA key, you're likely more than secure enough.

0
votes

You can use AGI to connect directly (or indirectly via a web service) to your database. AGI scripts can be written in PHP, Java, Python ... or other languages that Asterisk can work with. When an extension attempts to make a call, your AGI connects to the database, pulls out the username/password and then authenticates .... Hope this helps,

0
votes

I have worked on Asterisk for more than 2 years. I used to use AGI to connect with a Windows environment. I wrote a lot of Asterisk code to customize IVR ... and so on. I use PHP to write AGI. So, AGI connects to Microsoft SQL, gets data and returns data back to the Asterisk dialplan. It is not simple, but not too difficult to do this task. The thing is you have to learn how to write code in Asterisk and also learn how to use AGI.
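
An added example of the AGI approach described in the last two answers, not code from either poster: a Python AGI script that takes the caller's identity from the chan_sip channel name (the peer Asterisk already authenticated) rather than from the device-supplied caller ID, checks it against a policy source, and fails closed. The `ALLOWED_PEERS` table, the `AUTH_OK` variable and the call-class names are assumptions standing in for the real authentication service; because AGI runs from the dialplan, this authorizes calls and does not replace SIP digest authentication.

```python
#!/usr/bin/env python3
"""AGI call-authorization hook (added example, hypothetical names)."""
import re
import sys

# Constructed stand-in for the company's auth service; a real script would
# query the database or HTTP API here and treat any error as a denial.
ALLOWED_PEERS = {"1001": {"internal", "national"}, "1002": {"internal"}}

# chan_sip names channels "SIP/<peer>-<8 hex digits>".
PEER_RE = re.compile(r"SIP/([A-Za-z0-9_.-]{1,40})-[0-9a-f]{8}")


def read_agi_env(stream):
    """Parse the 'agi_key: value' block Asterisk sends when the script starts."""
    env = {}
    for line in iter(stream.readline, ""):
        line = line.strip()
        if not line:  # a blank line terminates the header block
            break
        key, sep, value = line.partition(":")
        if sep and key.startswith("agi_"):
            env[key] = value.strip()
    return env


def is_authorized(env, call_class):
    """Fail closed: non-SIP or malformed channel names are rejected."""
    match = PEER_RE.fullmatch(env.get("agi_channel", ""))
    if match is None:
        return False
    return call_class in ALLOWED_PEERS.get(match.group(1), set())


def main(argv, inp=sys.stdin, out=sys.stdout):
    env = read_agi_env(inp)
    call_class = argv[1] if len(argv) > 1 else "internal"
    verdict = "1" if is_authorized(env, call_class) else "0"
    # The dialplan branches on AUTH_OK after the AGI() call returns.
    out.write(f"SET VARIABLE AUTH_OK {verdict}\n")
    out.flush()
    inp.readline()  # consume Asterisk's "200 result=1" reply
    return verdict


if __name__ == "__main__":
    main(sys.argv)
```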