[Freeswitch-users] how to solve the error Rejected by acl "domains". Falling back to Digest auth?
Peter Olsson
peter.olsson at visionutveckling.se
Tue Jul 3 15:56:39 MSD 2012
Ok, then your manager is wrong :)
Actually, I don't know enough to move this discussion forward, maybe anyone else can help out. However, for the specific problem we're talking about here, I can't see anything else than it's the software in the phone that causes problems. But I'm not really sure that the solution you want is even possible to do - according to me I don't think it is, at least not in a 100% working way.
/Peter
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Samira Mh
Sent: 3 July 2012 07:48
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] how to solve the error Rejected by acl "domains". Falling back to Digest auth?
I have to limit the count of registrations because that feature is exactly what my manager wants! :(
So I must implement it correctly ...
________________________________
From: Peter Olsson <peter.olsson at visionutveckling.se>
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Sent: Tuesday, July 3, 2012 9:58 AM
Subject: Re: [Freeswitch-users] how to solve the error Rejected by acl "domains". Falling back to Digest auth?
Yes, I know. That code does exactly what you want. It's the feature itself that is more questionable...
Personally I don't believe this will ever work, since there are so many possibilities for timing issues for the registration. As MC said earlier on this discussion, you need to rethink if this is something you really want.
When it comes to security this will not, in any way, increase the security for you. If you're unlucky it might do the opposite, leaving the phone registered to the "thief", and leave the "real" user blocked from registering.
Keep your accounts secure, and this shouldn't be needed.
/Peter
________________________________
From: freeswitch-users-bounces at lists.freeswitch.org [freeswitch-users-bounces at lists.freeswitch.org] on behalf of Samira Mh [saami_mh at ymail.com]
Sent: 3 July 2012 05:48
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] how to solve the error Rejected by acl "domains". Falling back to Digest auth?
Hi Peter,
this feature (max-registrations-per-extension) is embedded in sofia_reg.c as follows:
............
    if (max_registrations_perext > 0 && (sip && sip->sip_contact && (sip->sip_contact->m_expires == NULL || atol(sip->sip_contact->m_expires) > 0))) {
        /* if expires is null still process */
        /* expires == 0 means the phone is going to unregiser, so don't count against max */
        uint32_t count = 0;

        call_id = sip->sip_call_id->i_id;
        switch_assert(call_id);
        sql = switch_mprintf("select count(sip_user) from sip_registrations where sip_user='%q' AND call_id <> '%q'", username, call_id);
        switch_assert(sql != NULL);
        sofia_glue_execute_sql_callback(profile, NULL, sql, sofia_reg_regcount_callback, &count);
        free(sql);

        if (count + 1 > max_registrations_perext) {
            ret = AUTH_FORBIDDEN;
            if (sofia_test_pflag(profile, PFLAG_LOG_AUTH_FAIL)) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
                                  "SIP auth failure (REGISTER) due to reaching max allowed registrations. Count: %d\n", count);
            }
            goto end;
        }
    }
.............
________________________________
From: Peter Olsson <peter.olsson at visionutveckling.se>
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Sent: Monday, July 2, 2012 9:35 PM
Subject: Re: [Freeswitch-users] how to solve the error Rejected by acl "domains". Falling back to Digest auth?
It seems the phone tries to register, even though it is already registered according to FS.
So if you really want to use this method, I think you must do further debugging on the phone...
As mentioned before on this list, I don't think this is a good approach, and since no one had even heard about this variable before, I'm guessing it's not widely used. However, in this particular example, FS is just doing exactly what it has been told to do, only to allow a registration if it doesn't exist already.
/Peter
On 2 Jul 2012, at 18:53, "Samira Mh" <saami_mh at ymail.com> wrote:
Hi guys,
please let me paste my configurations as follows:
1- vim /usr/local/freeswitch/conf/directory/default/v_212263612400.xml
<include>
  <user id="212263612400">
    <params>
      <param name="password" value="samira"/>
      <param name="vm-password" value="user-choose"/>
      <param name="vm-enabled" value="true"/>
      <param name="max-registrations-per-extension" value="1"/>
    </params>
    <variables>
      <variable name="toll_allow" value=""/>
      <variable name="accountcode" value=""/>
      <variable name="user_context" value="default"/>
      <variable name="directory-visible" value="true"/>
      <variable name="directory-exten-visible" value="true"/>
      <variable name="limit_max" value="5"/>
      <variable name="sip-force-contact" value="NDLB-connectile-dysfunction"/>
      <variable name="nibble_account" value="20014334"/>
    </variables>
  </user>
</include>
2- vim /usr/local/freeswitch/conf/autoload_configs/acl.conf.xml
<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="domains" default="deny">
      <node type="allow" domain="$${domain}"/>
    </list>
  </network-lists>
</configuration>
* max-registrations-per-extension = 1
When I issue the following command, the user is registered, so another user with the extension '2122636124' couldn't register simultaneously:
    sofia status profile internal reg
Now what is the problem?
Every time I want to dial some extensions that are configured in my dialplan, the following error occurs:
2012-07-02 21:02:12.050074 [WARNING] sofia_reg.c:1471 SIP auth challenge (REGISTER) on sofia profile 'internal_private' for [212263612400 at 192.168.10.70] from ip 192.168.18.120
2012-07-02 21:02:14.710049 [DEBUG] sofia.c:7904 IP 192.168.18.120 Rejected by acl "domains". Falling back to Digest auth.
2012-07-02 21:02:14.710049 [WARNING] sofia_reg.c:1471 SIP auth challenge (INVITE) on sofia profile 'internal_private' for [00989191949637 at 192.168.10.70] from ip 192.168.18.120
2012-07-02 21:02:14.710049 [DEBUG] sofia.c:7904 IP 192.168.18.120 Rejected by acl "domains". Falling back to Digest auth.
2012-07-02 21:02:14.710049 [WARNING] sofia_reg.c:2607 SIP auth failure (REGISTER) due to reaching max allowed registrations. Count: 1
2012-07-02 21:02:14.710049 [WARNING] sofia_reg.c:1416 SIP auth failure (INVITE) on sofia profile 'internal_private' for [00989191949637 at 192.168.10.70] from ip 192.168.18.120
So if I remove the line <param name="max-registrations-per-extension" value="1"/> from /usr/local/freeswitch/conf/directory/default/v_212263612400.xml or from within /usr/local/freeswitch/conf/sip_profiles/internal.xml (it is possible to define it in either internal.xml or /usr/local/freeswitch/conf/directory/default/v_212263612400.xml), the problem is solved -- with the same settings in /usr/local/freeswitch/conf/autoload_configs/acl.conf.xml -- but simultaneous registration per extension couldn't work properly ...
Please help,
what is the problem with my settings?
_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org
http://www.freeswitchsolutions.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com
Join Us At ClueCon - Aug 7-9, 2012
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
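Added example (not part of the original thread and not FreeSWITCH code): a small C model of the count check in the sofia_reg.c excerpt quoted above, showing the timing issue raised in the replies. A REGISTER that reuses the stored Call-ID is accepted, while the same phone arriving with a new Call-ID before the old row expires is refused. The table layout, the expiry sweep and the names try_register and expire are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ROWS 8
enum { AUTH_OK, AUTH_FORBIDDEN };

/* Constructed stand-in for one row of the sip_registrations table. */
struct reg { char user[32]; char call_id[64]; long expires_at; };
static struct reg table[MAX_ROWS];
static int nregs;

/* Assumed expiry sweep: drop rows whose registration lifetime has passed. */
static void expire(long now) {
    int i, j = 0;
    for (i = 0; i < nregs; i++)
        if (table[i].expires_at > now) table[j++] = table[i];
    nregs = j;
}

/* Same decision as the excerpt: count rows for this user whose Call-ID
 * differs from the request, then refuse if count + 1 exceeds the limit. */
int try_register(const char *user, const char *call_id, long now, long ttl, unsigned max_per_ext) {
    unsigned count = 0;
    int i, slot = -1;
    expire(now);
    for (i = 0; i < nregs; i++) {
        if (strcmp(table[i].user, user) != 0) continue;
        if (strcmp(table[i].call_id, call_id) != 0) count++;
        else slot = i;                      /* refresh of an existing row */
    }
    if (max_per_ext > 0 && count + 1 > max_per_ext) return AUTH_FORBIDDEN;
    if (slot < 0) {
        if (nregs == MAX_ROWS) return AUTH_FORBIDDEN;
        slot = nregs++;
    }
    snprintf(table[slot].user, sizeof table[slot].user, "%s", user);
    snprintf(table[slot].call_id, sizeof table[slot].call_id, "%s", call_id);
    table[slot].expires_at = now + ttl;
    return AUTH_OK;
}

int main(void) {
    /* Constructed timeline: register, refresh, reboot (new Call-ID), retry. */
    const char *u = "212263612400";
    printf("t=0    first REGISTER      -> %d\n", try_register(u, "call-A", 0, 3600, 1));
    printf("t=60   refresh, same id    -> %d\n", try_register(u, "call-A", 60, 3600, 1));
    printf("t=120  reboot, new Call-ID -> %d\n", try_register(u, "call-B", 120, 3600, 1));
    printf("t=3700 old row expired     -> %d\n", try_register(u, "call-B", 3700, 3600, 1));
    return 0;
}
```

The check keys on username and Call-ID only, so whichever endpoint holds the stored row keeps the slot until it expires or unregisters; this is why the limit gives no protection for an account whose password is already known to someone else.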