[Freeswitch-users] ACL and Digest authentication problem
Ognjen Seslija
oseslija at gmail.com
Tue Oct 12 08:15:57 PDT 2010
Hello Katarina,
I can answer your questions in (I believe) our mother tongue.
On Tue, Oct 12, 2010 at 3:12 PM, katarina djakovic <kdjakovic at hotmail.com>wrote:
> Dear FreeSwitch users,
>
> we need some help about ACL and Digest authenication.
>
> This is what we want:
>
> 1) We want certain users to be authenticated through ACL (certain IP
> addresses) including both Register and Invite messages. In other words, we
> want those users to be granted access to our FS withouth having to
> authenticate with username and password when registering or calling.
> 2) On the other hand, if users don't fall into our ACL list
> (registering/calling from other IP addresses) we want them to authenticate
> normally throught Digest authentication (username/password).
>
>
2) je FreeSWITCH-ov default konfiguracija.
> We tried to configure FS for our needs, but we didn't acomplished what we
> wanted. Namely, now, for any users that do not belong to the ACL list our FS
> will reject their registration and will NOT fall back to Digest
> authentication. In other words, our FS will let all users that fall into ACL
> list register and call without authenticating --- but all others will be
> rejected on the attempt to register (debug trace says: sofia_reg.c IP
> YY.YY.YY.YY Rejected by register acl "domains") and will not let them fall
> back to Digest authentication.
>
>
Ako se koristi register acl FS ne koristi fallback na Digest. Ovo ne vazi za
INVITE-e gde to radi.
> These are our settings:
>
> a) acl.conf.xml:
> <configuration name="acl.conf" description="Network Lists">
> <network-lists>
>
> <!--
> This will traverse the directory adding all users
> with the cidr= tag to this ACL, when this ACL matches
> the users variables and params apply as if they
> digest authenticated.
> -->
> <list name="domains" default="deny">
> <node type="allow" domain="$${domain}"/>
> <node type="allow" domain="XX.XX.XX.XX/32"/>
>
> </list>
>
> </network-lists>
> </configuration>
>
> b) sip profile:
>
> <param name="apply-inbound-acl" value="domains"/>
> <param name="apply-register-acl" value="domains"/>
> <param name="auth-calls" value="true"/>
>
> c) users that fall into ACL will have a cidr parameter set aproprietelly
> <user id="2000" mailbox="2000" cidr="XX.XX.XX.XX/32">
>
> Other users, that we want to be authenticated through Digest authentication
> will not have anything related to ACL in their user profiles in the
> Directory.
>
> 2) On the other hand, if we remove the <param name="apply-register-acl"
> value="domains"/> from the sip profile, then users that do not belong to the
> ACL list will register normally and when calling - their calls (Invite) will
> fall back to digest authentication (here is the debug: "sofia.c:5847 IP
> YY.YY.YY.YY Rejected by acl "domains". Falling back to Digest auth.).
>
> That is fine with us - but then we have a different problem, then the users
> from the ACL list will be asked to register by username/password
> credentials, i.e. their registration will have to authenticated and that is
> not what we wanted.
>
>
> We are mistaging somewhere. Hopefully what I wrote makes sense and maybe
> someone could help us configure the system to fit our needs.
>
>
Kao sto sam rekao ovo je podrazumevana opcija.
>
>
>
Many thanks in advance,
> Katarina
>
>
Regards,
Ognjen
irc #freeswitch: sekil
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20101012/bd8af943/attachment.html
More information about the FreeSWITCH-users
mailing list