VoIP Mailing List Archives
Mailing list archives for the VoIP community
lists at telium.io Guest
Posted: Tue Nov 22, 2022 3:59 pm Post subject: [Freeswitch-users] Conflicting settings in SIP profile in va
I am working with a simple FreeSWITCH installation, with the vanilla demo configuration. I see that the Internal SIP profile contains:
<param name="apply-inbound-acl" value="domains"/>
<param name="auth-calls" value="$${internal_auth_calls}"/>
The first line means that if a caller's IP is on the 'domains' list that they do NOT need to authenticate. The second line means that in order to use this SIP profile the user MUST be authenticated (internal_auth_calls is true).
Aren't these two lines contradictory? Why allow a user to not authenticate for this SIP profile, and then say they must authenticate to use this SIP profile?
krice at freeswitch.org Guest
Posted: Tue Nov 22, 2022 7:00 pm Post subject: [Freeswitch-users] Conflicting settings in SIP profile in va
no, it means users that match the acl are auto authenticated.
_________________________________________________________________________
The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.
Build your next product on our scalable cloud platform.
Join our online community to chat in real time https://signalwire.community
Professional FreeSWITCH Services
sales@freeswitch.com
https://freeswitch.com
Official FreeSWITCH Sites
https://freeswitch.com/oss
https://freeswitch.org/confluence
https://cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
https://freeswitch.com
brian at freeswitch.com Guest
Posted: Sat Nov 26, 2022 1:02 pm Post subject: [Freeswitch-users] Conflicting settings in SIP profile in va
The domain ACL is special, it's built from the cidr= from the directory. When you mix ip auth there is very little flexibility. If you have users that intersect then it's going to be the first to match. I hope you can understand why this is a bad approach?
You can't add or remove things to the domains acl using the acl.conf.xml; it disconnects the tie to the user in the directory if you do that, so you'll have to use set_user to switch to the appropriate user.
/b
On Sat, Nov 26, 2022 at 11:27 AM TTT <lists@telium.io> wrote:
Quote:
That’s correct – that’s the concept I’m trying to understand. If I don’t set a CIDR for a particular user, but add a CIDR range to the ‘domains’ ACL, what would be the effect?
I assumed that all users on that IP range would not have to authenticate. (Documentation says users will not be challenged for authentication, but forums response says these users are “auth-authenticated”). And as a result, the dialplan should process them in the ‘default’ context since that is what the user_context variable for this user is set to.
However, the user is processed in the ‘public’ dialplan context. If the user is auto-authenticated then why is the user_context variable not set/respected? If the user is not authenticated, then what is the impact of adding a CIDR range to the domain acl (if not all users have a CIDR attribute set)? It would appear that adding a CIDR range to the domains ACL would cause any user without a CIDR to not be challenged for authentication, and will therefore never be treated as internal (or whatever their user_context is set to).
From: FreeSWITCH-users [mailto:freeswitch-users-bounces@lists.freeswitch.org] On Behalf Of Brian West
Sent: Saturday, November 26, 2022 11:45 AM
To: FreeSWITCH Users Help <freeswitch-users@lists.freeswitch.org>
Subject: Re: [Freeswitch-users] Conflicting settings in SIP profile in vanilla demo
I see no cidr definition on that user.
On Thu, Nov 24, 2022 at 1:43 PM TTT <lists@telium.io> wrote:
--
Brian West | Co-founder and Developer
Need Commercial support? email sales@freeswitch.com
FreeSWITCH Solutions | 17345 Civic Drive #2531 Brookfield, WI 53045
Email: brian@freeswitch.com
Mobile: 918-424-9378
Website: https://www.FreeSWITCH.com
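Added example, not part of the thread and not FreeSWITCH code: a small audit for the two pitfalls raised in the last post, namely directory users whose cidr= ranges intersect (where the first match wins) and cidr nodes added by hand to the 'domains' list in acl.conf.xml (which are not tied to a directory user). The function names, finding labels and sample XML are constructed for illustration, and the script assumes the XML has already had its $${...} preprocessor variables expanded.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input (not from the thread), shaped like the demo config.
# Assumes $${...} preprocessor variables have already been expanded.
DIRECTORY_XML = """
<domain name="example.invalid">
  <user id="1000" cidr="192.0.2.0/24"/>
  <user id="1001" cidr="192.0.2.16/28,198.51.100.7/32"/>
  <user id="1002"/>
</domain>
"""
ACL_XML = """
<list name="domains" default="deny">
  <node type="allow" domain="example.invalid"/>
  <node type="allow" cidr="203.0.113.0/24"/>
</list>
"""

def user_networks(directory_xml):
    """Return [(user_id, network)] in directory order from each user's cidr=."""
    out = []
    for user in ET.fromstring(directory_xml).iter("user"):
        for cidr in user.get("cidr", "").split(","):
            if cidr.strip():
                out.append((user.get("id"), ipaddress.ip_network(cidr.strip(), strict=False)))
    return out

def audit(directory_xml, acl_xml):
    """Return findings for the two pitfalls raised in the thread."""
    findings = []
    nets = user_networks(directory_xml)
    # Intersecting ranges of different users: the thread says the first match wins.
    for i, (uid_a, net_a) in enumerate(nets):
        for uid_b, net_b in nets[i + 1:]:
            if uid_a != uid_b and net_a.overlaps(net_b):
                findings.append(("overlap", uid_a, uid_b, str(net_b)))
    # cidr nodes typed into the domains list are not tied to any directory user.
    for node in ET.fromstring(acl_xml).iter("node"):
        if node.get("type") == "allow" and node.get("cidr"):
            findings.append(("unbound-cidr", node.get("cidr")))
    return findings

if __name__ == "__main__":
    for finding in audit(DIRECTORY_XML, ACL_XML):
        print(finding)
```

An "unbound-cidr" finding marks a range whose callers skip the authentication challenge without being mapped to a user, which matches the 'public' context behaviour reported in the quoted message.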