Can endpoints use IP ACL and no password registration (just a thought)

Hi FPBX / SangomaOS people:

This is just a thought process I was having.
I just wanted to know if, in theory or practice, what I’m mentioning is doable … for FreePBX / SangomaOS.

Using SangomaOS (built from .ISO) (hosted PBX)
(no local LAN for phones)
all endpoints / extensions are “remote” from the PBX.

Using PJSIP / UDP / port 5060

Can extensions be created / setup to work using only their IP address as an ACL (like trunks / circuits / peers can be built)?
No secret required: just match on the IP address.

No registration password (secret) would be required for the endpoints.

I guess in this case, the endpoints do not register, but rather are allowed by the ACL = public IP addresses.

I don’t want to do this: but I wanted to know if it is possible?
I might want to test it to see if in practice it could be done.

Also, what if it is possible to do this … using only an ACL for the extension, but the extension does have something populated in its password field: and sends this with its SIP traffic.

Would we need to tell the phone NOT to send any password, or would the password(s) just be ignored by the PBX because it is set up to “authenticate” using just the public IP address of the endpoints?

What is one example of why this might be needed?

Say you had to rebuild a PBX from scratch and you did not have the original password(s) the remote phones are using to register.

Say you do not have remote access to (10) phones all at various locations / sites …

Say the users do not have their web interface password …

Result:
They would have to factory reset and rebuild their phones …

Thanks for your replies.

If FreePBX allows such a configuration, which I suspect would be difficult, the phone would not be asked for the password, so it would never send it. (Actually, the password is never sent anyway. What is sent is a cryptographic hash of the password, a random challenge, sent with the request for the password, and some other information. Without the random challenge, the phone cannot send any authentication data.)

Actually, chan_pjsip matches first by IP, so adding custom type=identify, type=aor, and type=endpoint entries, should be enough, even if there is no GUI way of disabling authentication.

FreePBX has a Match field for extensions, but no static contact field. So I think you could make it work by putting the endpoint’s IP address in Match, and modifying the Dial string to, e.g. for extension 101,

PJSIP/101/sip:[email protected]

Something for someone else to test 🙂 I don’t know whether that would work with FreePBX’s dial plan.
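The challenge-response exchange described in the earlier reply about password hashes, as an added example that is not part of the thread and not Asterisk or FreePBX code: RFC 2617 MD5 digest as SIP uses it, showing that the response changes with every challenge and that a rebuilt PBX holding a different secret cannot verify what the phone sends. The user, realm, URI and both secrets are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; the realm "asterisk" is an assumption.
USER, REALM, URI = "101", "asterisk", "sip:pbx.example.invalid"
PHONE_SECRET = "secret-provisioned-on-phone"


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def new_challenge():
    """PBX side: fresh random nonce sent with the 401 challenge."""
    return secrets.token_hex(16)


def digest_response(user, realm, password, method, uri, nonce,
                    cnonce=None, nc="00000001", qop=None):
    """Phone side: the value placed in the Authorization header."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def pbx_accepts(stored_secret, nonce, response):
    """PBX side: recompute from its own stored secret and compare."""
    expected = digest_response(USER, REALM, stored_secret, "REGISTER", URI, nonce)
    return hmac.compare_digest(expected, response)


def demo():
    n1, n2 = new_challenge(), new_challenge()
    r1 = digest_response(USER, REALM, PHONE_SECRET, "REGISTER", URI, n1)
    r2 = digest_response(USER, REALM, PHONE_SECRET, "REGISTER", URI, n2)
    return {
        "response_differs_per_challenge": r1 != r2,
        "secret_visible_in_response": PHONE_SECRET in r1,
        "original_pbx_accepts": pbx_accepts(PHONE_SECRET, n1, r1),
        "rebuilt_pbx_accepts": pbx_accepts("new-secret-after-rebuild", n1, r1),
        "old_response_valid_for_new_nonce": pbx_accepts(PHONE_SECRET, n2, r1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```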

billsimon:

Thank you for the reply.
