SIP UAs Authentication based on a combination of username, password and IP address of the UA

SIP UAs Authentication based on a combination of username, password and IP address of the UA

Sujeev
Hi everyone,
I've a small OpenSIPS setup with 1500 ATAs. Those ATAs are on a LAN and have static (private) IP addresses.
I want to authenticate those ATAs with a combination of username + password + IP of the ATA in a MySQL or PostgreSQL database.

Example:
ATA 1
------
IP : 10.2.222.4
Username : 10001
Password : 10001

I added this info into a DB. When ATA 1 uses IP address "10.2.222.4", the ATA can register with my OpenSIPS server.
When ATA 1 uses IP address 10.2.222.5, the registration should fail.
Is that possible? If yes, please tell me how.


Thank you.

Sujeev


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: SIP UAs Authentication based on a combination of username, password and IP address of the UA

k1028
Using the permission module to check the source address and username first before www_authorize should work.
http://www.opensips.org/html/docs/modules/1.6.x/permissions#id233458
Re: SIP UAs Authentication based on a combination of username, password and IP address of the UA

Bogdan-Andrei Iancu
Hi Sujeev,

You need to first do standard digest authentication of the user (using the
proxy_auth() function) - to also check the IP, add a new column in the
subscriber table (to keep the IP address) and load that column (during
digest auth) using load_credentials (see
http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228201)...

So, once the digest auth was successfully validated, you will have the
provisioned IP loaded into a script variable, so you can easily check it
against $si (source IP of the message).

Regards,
Bogdan

--
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro


Re: SIP UAs Authentication based on a combination of username, password and IP address of the UA

Sujeev
Hello Bogdan,
I followed your instructions and it works!
Thanks a lot!!

This is what I did
----
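# Load the provisioned IP (host_ip_address column) into an AVP during digest auth
modparam("auth_db", "load_credentials", "$avp(i:56)=host_ip_address")


if (is_method("REGISTER") || is_method("SUBSCRIBE")) {
    # Digest authentication against the "extensions" table
    if (!www_authorize("", "extensions")) {
        www_challenge("", "0");
        exit;
    };
    # Credentials are valid: compare the provisioned IP with the source IP
    if ($avp(i:56) != $si) {
        sl_send_reply("401", "Unauthorized");
        xlog("EVENT: Unauthorized IP\n");
        exit;
    }
    save("location");
    xlog("EVENT: Client IP : $avp(i:56)\n");
    exit;
};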
----

One more thing... could you please tell me how I can add MemCache support for this config?

I followed this http://www.opensips.org/Resources/DocsTutMemcache
but I'm stuck at "modparam("auth_db", "load_credentials", "$avp(i:55)=password")" because I already used "modparam("auth_db", "load_credentials", "$avp(i:56)=host_ip_address")"

Thank you!

Sujeev

On Mon, Aug 9, 2010 at 2:46 PM, Bogdan-Andrei Iancu <[hidden email]> wrote:
> Hi Sujeev,
>
> You need to first do standard digest authentication of the user (using the
> proxy_auth() function) - to also check the IP, add a new column in the
> subscriber table (to keep the IP address) and load that column (during
> digest auth) using load_credentials (see
> http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228201)...
>
> So, once the digest auth was successfully validated, you will have the
> provisioned IP loaded into a script variable, so you can easily check it
> against $si (source IP of the message).
>
> Regards,
> Bogdan

Re: SIP UAs Authentication based on a combination of username, password and IP address of the UA

Bogdan-Andrei Iancu
Hi Sujeev,

Sujeev wrote:

[...]
> One more thing... could you please tell me how I can add MemCache
> support for this config?
>
> I followed this http://www.opensips.org/Resources/DocsTutMemcache
> but I'm stuck at "modparam("auth_db", "load_credentials",
> "$avp(i:55)=password")" because I already used "modparam("auth_db",
> "load_credentials", "$avp(i:56)=host_ip_address")"

Simply load both:
    modparam("auth_db", "load_credentials", "$avp(i:55)=password;$avp(i:56)=host_ip_address")

And cache both the password and the IP.

Regards,
Bogdan


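The advice above (load both credentials, cache both) combined with the source-IP check from earlier in the thread, as an added example that is not code from the thread or from the OpenSIPS project. It assumes the localcache module, a plaintext `password` column, the `extensions` table and `host_ip_address` column named in the thread; the cache key names, the 1200-second TTL and the 403 reply are choices made for this example.

```opensips
# Added example; cache keys, TTL and reply code are assumptions.
# Other modules (auth, auth_db, sl, registrar, ...) load as in the existing config.
loadmodule "localcache.so"

# pv_www_authorize() reads the username and password from these AVPs
modparam("auth", "username_spec", "$avp(i:54)")
modparam("auth", "password_spec", "$avp(i:55)")
modparam("auth", "calculate_ha1", 1)   # assumes the cached password is plaintext
modparam("auth_db", "load_credentials", "$avp(i:55)=password;$avp(i:56)=host_ip_address")

# Fragment of the main route
if (is_method("REGISTER")) {
    if (!is_present_hf("Authorization")) {
        www_challenge("", "0");
        exit;
    }

    if (cache_fetch("local", "passwd_$tu", $avp(i:55))
            && cache_fetch("local", "ip_$tu", $avp(i:56))) {
        # Cache hit: verify the digest against the cached password, no DB query
        $avp(i:54) = $tU;
        if (!pv_www_authorize("")) {
            www_challenge("", "0");
            exit;
        }
    } else {
        # Cache miss: DB digest auth; load_credentials fills both AVPs
        if (!www_authorize("", "extensions")) {
            www_challenge("", "0");
            exit;
        }
        cache_store("local", "passwd_$tu", "$avp(i:55)", 1200);
        cache_store("local", "ip_$tu", "$avp(i:56)", 1200);
    }

    # Digest is valid on either path: enforce the provisioned source IP
    if ($avp(i:56) != $si) {
        xlog("EVENT: Unauthorized IP $si for $tu\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }
    save("location");
    exit;
}
```

Cached entries are served until the TTL expires, so a password or IP changed in the database takes effect late unless the two keys are removed (for example with cache_remove()) when a device is reprovisioned.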
Re: SIP UAs Authentication based on a combination of username, password and IP address of the UA

Sujeev
Hello Bogdan,
Thanks again!
Everything works fine.

Regards,

Sujeev

On Wed, Aug 11, 2010 at 9:54 PM, Bogdan-Andrei Iancu <[hidden email]> wrote:
> Hi Sujeev,
>
> Sujeev wrote:
>
> [...]
> > One more thing... could you please tell me how I can add MemCache
> > support for this config?
> >
> > I followed this http://www.opensips.org/Resources/DocsTutMemcache
> > but I'm stuck at "modparam("auth_db", "load_credentials",
> > "$avp(i:55)=password")" because I already used "modparam("auth_db",
> > "load_credentials", "$avp(i:56)=host_ip_address")"
>
> Simply load both:
>    modparam("auth_db", "load_credentials", "$avp(i:55)=password;$avp(i:56)=host_ip_address")
>
> And cache both the password and the IP.
>
> Regards,
> Bogdan

