[Freeswitch-users] ACL and Digest authentication problem

Nyamul Hassan mnhassan at usa.net
Thu Oct 14 01:49:43 PDT 2010


Another nice way to do that on the same profile is to not have any ACL
defined at all, instead put a "cidr=" parameter in the directory entry
for a user.

Regards
HASSAN


On 2010-10-14, katarina djakovic <kdjakovic at hotmail.com> wrote:
>
> Dear Ognjen,
>
> thanks a lot. As you are saying the FS default behaviour is such when <param
> name="apply-register-acl" value=.../> is set in a sip profile, then,
> Register doesn't fall back to Digest authentication (in case when caller
> does not belong to the acl list).
>
> So, to accomplish what we wanted we configured 2 sip profiles, one to handle
> ACL registrations/calls and another to handle Digest authentication
> registrations/calls and solved our problem.
>
> Thanks again,
> Katarina
>
>
>
>
> Date: Tue, 12 Oct 2010 17:15:57 +0200
> From: oseslija at gmail.com
> To: freeswitch-users at lists.freeswitch.org
> Subject: Re: [Freeswitch-users] ACL and Digest authentication problem
>
>
> Hello Katarina,
>
> I can answer your questions in (I believe) our mother tongue.
>
>
> On Tue, Oct 12, 2010 at 3:12 PM, katarina djakovic <kdjakovic at hotmail.com>
> wrote:
>
>
> Dear FreeSwitch users,
>
> we need some help about ACL and Digest authentication.
>
> This is what we want:
>
> 1) We want certain users to be authenticated through ACL (certain IP
> addresses) including both Register and Invite messages. In other words, we
> want those users to be granted access to our FS without having to
> authenticate with username and password when registering or calling.
> 2) On the other hand, if users don't fall into our ACL list
> (registering/calling from other IP addresses) we want them to authenticate
> normally through Digest authentication (username/password).
>
>
>
> 2) is FreeSWITCH's default configuration.
>
>
> We tried to configure FS for our needs, but we didn't accomplish what we
> wanted. Namely, now, for any users that do not belong to the ACL list our FS
> will reject their registration and will NOT fall back to Digest
> authentication. In other words, our FS will let all users that fall into ACL
> list register and call without authenticating --- but all others will be
> rejected on the attempt to register (debug trace says: sofia_reg.c IP
> YY.YY.YY.YY Rejected by register acl "domains") and will not let them fall
> back to Digest authentication.
>
>
>
> If the register acl is used, FS does not fall back to Digest. This does not
> apply to INVITEs, where the fallback does work.
>
>
>
> These are our settings:
>
>     a) acl.conf.xml:
>         <configuration name="acl.conf" description="Network Lists">
>           <network-lists>
>
>           <!--
>         This will traverse the directory adding all users
>          with the cidr= tag to this ACL, when this ACL matches
>         the users variables and params apply as if they
>         digest authenticated.
>           -->
>           <list name="domains" default="deny">
>             <node type="allow" domain="$${domain}"/>
>             <node type="allow" domain="XX.XX.XX.XX/32"/>
>
>           </list>
>
>           </network-lists>
>         </configuration>
>
> b) sip profile:
>
>    <param name="apply-inbound-acl" value="domains"/>
>    <param name="apply-register-acl" value="domains"/>
>    <param name="auth-calls" value="true"/>
>
> c) users that fall into ACL will have a cidr parameter set appropriately
> <user id="2000" mailbox="2000" cidr="XX.XX.XX.XX/32">
>
> Other users, that we want to be authenticated through Digest authentication
> will not have anything related to ACL in their user profiles in the
> Directory.
>
> 2) On the other hand, if we remove the <param name="apply-register-acl"
> value="domains"/> from the sip profile, then users that do not belong to the
> ACL list will register normally and when calling - their calls (Invite) will
> fall back to digest authentication (here is the debug: "sofia.c:5847 IP
> YY.YY.YY.YY Rejected by acl "domains". Falling back to Digest auth.).
>
> That is fine with us - but then we have a different problem, then the users
> from the ACL list will be asked to register by username/password
> credentials, i.e. their registration will have to be authenticated and that is
> not what we wanted.
>
>
> We are mistaken somewhere. Hopefully what I wrote makes sense and maybe
> someone could help us configure the system to fit our needs.
>
>
>
> As I said, this is the default option.
>
> Many thanks in advance,
> Katarina
>
>
> Regards,
> Ognjen
>
> irc #freeswitch: sekil
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org

-- 
Sent from my mobile device
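
The behaviour described in this thread, written out as a small decision model (an added example, not FreeSWITCH code and not part of the original messages). The addresses are constructed stand-ins for XX.XX.XX.XX and YY.YY.YY.YY, every profile is assumed to keep auth-calls=true as in the posted settings, and `decide`, `matrix` and the profile names are hypothetical.

```python
import ipaddress

# Constructed sample data: 192.0.2.10 stands in for XX.XX.XX.XX (on the ACL),
# 198.51.100.7 for YY.YY.YY.YY (not on the ACL).
ACLS = {"domains": ["192.0.2.10/32"]}
TRUSTED, OTHER = "192.0.2.10", "198.51.100.7"

# Profiles as posted in the thread; auth-calls=true is assumed on all of them.
SINGLE = {"apply-inbound-acl": "domains", "apply-register-acl": "domains"}
NO_REGISTER_ACL = {"apply-inbound-acl": "domains"}
DIGEST_ONLY = {}  # second profile of the two-profile fix: no ACL at all


def acl_match(source_ip, cidrs):
    """True when source_ip falls inside any CIDR of the list."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def decide(profile, method, source_ip, acls=ACLS):
    """Return 'allow' (no credentials asked), 'digest' or 'reject'."""
    if method == "REGISTER":
        name = profile.get("apply-register-acl")
        if name is None:
            return "digest"  # no register ACL: every REGISTER is challenged
        # Register ACL set: a miss is rejected, there is no Digest fallback.
        return "allow" if acl_match(source_ip, acls[name]) else "reject"
    if method == "INVITE":
        name = profile.get("apply-inbound-acl")
        if name and acl_match(source_ip, acls[name]):
            return "allow"
        return "digest"  # inbound ACL miss falls back to Digest auth
    raise ValueError(f"unmodelled method: {method}")


def matrix(profile):
    """Outcome for both methods from both source addresses."""
    return {(m, ip): decide(profile, m, ip)
            for m in ("REGISTER", "INVITE") for ip in (TRUSTED, OTHER)}


if __name__ == "__main__":
    for label, prof in (("single", SINGLE), ("no register acl", NO_REGISTER_ACL),
                        ("digest-only", DIGEST_ONLY)):
        print(label, matrix(prof))
```

Every 'allow' in the output is a request accepted on source address alone, so the ACL entry should be as narrow as the deployment permits: anything able to send from that address, including every host behind the same NAT, is treated as that user.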


