[Freeswitch-users] ACL and Digest authentication problem

katarina djakovic kdjakovic at hotmail.com
Thu Oct 14 00:54:25 PDT 2010


Dear Ognjen,
 
Thanks a lot. As you are saying, the FS default behaviour is such that when <param name="apply-register-acl" value=.../> is set in a SIP profile, Register doesn't fall back to Digest authentication (in the case when the caller does not belong to the ACL list).
 
So, to accomplish what we wanted we configured 2 SIP profiles, one to handle ACL registrations/calls and another to handle Digest authentication registrations/calls, and solved our problem.
 
Thanks again,
Katarina
 
 


Date: Tue, 12 Oct 2010 17:15:57 +0200
From: oseslija at gmail.com
To: freeswitch-users at lists.freeswitch.org
Subject: Re: [Freeswitch-users] ACL and Digest authentication problem


Hello Katarina, 

I can answer your questions in (I believe) our mother tongue.


On Tue, Oct 12, 2010 at 3:12 PM, katarina djakovic <kdjakovic at hotmail.com> wrote:


Dear FreeSwitch users,

we need some help with ACL and Digest authentication.

This is what we want:

1) We want certain users to be authenticated through ACL (certain IP addresses) including both Register and Invite messages. In other words, we want those users to be granted access to our FS without having to authenticate with username and password when registering or calling.
2) On the other hand, if users don't fall into our ACL list (registering/calling from other IP addresses) we want them to authenticate normally through Digest authentication (username/password).



2) is FreeSWITCH's default configuration.
 

We tried to configure FS for our needs, but we didn't accomplish what we wanted. Namely, now, for any users that do not belong to the ACL list our FS will reject their registration and will NOT fall back to Digest authentication. In other words, our FS will let all users that fall into the ACL list register and call without authenticating, but all others will be rejected on the attempt to register (debug trace says: sofia_reg.c IP YY.YY.YY.YY Rejected by register acl "domains") and will not let them fall back to Digest authentication.



If a register ACL is used, FS does not fall back to Digest. This does not apply to INVITEs, where it does.

 

These are our settings:

    a) acl.conf.xml: 
        <configuration name="acl.conf" description="Network Lists">
          <network-lists>

          <!--
        This will traverse the directory adding all users 
         with the cidr= tag to this ACL, when this ACL matches
        the users variables and params apply as if they 
        digest authenticated.
          -->
          <list name="domains" default="deny">
            <node type="allow" domain="$${domain}"/>
            <node type="allow" domain="XX.XX.XX.XX/32"/>
      
          </list>

          </network-lists>
        </configuration>

b) sip profile:

   <param name="apply-inbound-acl" value="domains"/>
   <param name="apply-register-acl" value="domains"/>
   <param name="auth-calls" value="true"/>

c) users that fall into the ACL will have a cidr parameter set appropriately: <user id="2000" mailbox="2000" cidr="XX.XX.XX.XX/32">

Other users, that we want to be authenticated through Digest authentication will not have anything related to ACL in their user profiles in the Directory.

2) On the other hand, if we remove the <param name="apply-register-acl" value="domains"/> from the sip profile, then users that do not belong to the ACL list will register normally and when calling - their calls (Invite) will fall back to digest authentication (here is the debug: "sofia.c:5847 IP YY.YY.YY.YY Rejected by acl "domains". Falling back to Digest auth.).

That is fine with us, but then we have a different problem: the users from the ACL list will be asked to register with username/password credentials, i.e. their registration will have to be authenticated, and that is not what we wanted.


We are making a mistake somewhere. Hopefully what I wrote makes sense and maybe someone could help us configure the system to fit our needs.



As I said, this is the default option.

 



 

Many thanks in advance,
Katarina 


Regards,
Ognjen

irc #freeswitch: sekil
 
_______________________________________________
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
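
A sketch of the two-profile split described at the top of this thread, added here as an illustration; it is not the configuration the posters used. The profile names, file names and port numbers are assumptions, and only the authentication-related parameters are shown (all other settings are assumed to be those of an existing working profile).

```xml
<!-- Added example. Profile names, file names and ports are assumptions. -->

<!-- sip_profiles/acl_trusted.xml
     Endpoints at the ACL-listed addresses are pointed at this port. -->
<profile name="acl_trusted">
  <settings>
    <param name="sip-port" value="5070"/>  <!-- assumed port -->

    <!-- REGISTER: a source address inside "domains" registers without
         credentials; any other address is rejected outright, with no
         fallback to Digest (the behaviour reported in this thread). -->
    <param name="apply-register-acl" value="domains"/>

    <!-- INVITE: a source address inside "domains" is accepted without a
         challenge; anything else falls back to Digest via auth-calls. -->
    <param name="apply-inbound-acl" value="domains"/>
    <param name="auth-calls" value="true"/>
  </settings>
</profile>

<!-- sip_profiles/digest.xml
     All other endpoints use this port. -->
<profile name="digest">
  <settings>
    <param name="sip-port" value="5060"/>  <!-- assumed port -->

    <!-- No apply-register-acl here, so REGISTER is challenged with Digest.
         apply-inbound-acl is also left out (a choice made for this
         example), so every INVITE on this profile is challenged too,
         including ones from ACL-listed addresses. -->
    <param name="auth-calls" value="true"/>
  </settings>
</profile>
```

Both profiles can keep using the "domains" list from acl.conf.xml shown in the quoted message; the list stays default="deny" so that only the listed addresses bypass credentials.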


