Anonymous user and p-asserted-identity

According to RFC 3325 if a call has the From field set to anonymous, the server can add the real user id from the authentication exchange in the p-asserted-identity added to a trunk.

This requires anonymous users to be authenticated.

The only way I’ve been able to achieve this is to create an auth section for anonymous with the real username of the client.
But I want all my clients to be able to use anonymous.

I assume this must be possible but I can't find the syntax necessary.

Also, when I use send_pai on the trunk it is populated with “anonymous@…” not with the user_id extracted from the authentication.

Here’s my PJSIP

;=============== ENDPOINT DEFINITIONS ===========
;Students

[student_template](!)
type = endpoint
context = internal
disallow = all
allow = ulaw

[auth_template](!)
type = auth
auth_type = userpass
password = testpassword

[aor_template](!)
type = aor
support_path = yes
max_contacts = 1

;-------------------------------------------
;Student2

[Student2](student_template)
auth = Student2
aors = Student2

[Student2](auth_template)
username = Student2
password = testpassword

[Student2](aor_template)

;-------------------------------------------
;anonymous

[anonymous](student_template)
auth = anonymous

[anonymous](auth_template)
username = Student2
password = testpassword
;-------------------------------------------
;trunk

[mytrunk]
type=endpoint
aors=mytrunk
context=external
disallow = all
allow = ulaw,alaw
rewrite_contact=no
send_pai=yes

[mytrunk]
type=aor
support_path=yes
contact=sip:192.0.2.4

[mytrunk]
type=identify
endpoint=mytrunk
match=192.0.2.4

I’ve read this a few times and I don’t understand what you’re trying to do exactly. I don’t understand if you’re referring to incoming calls, or outgoing calls.

Incoming calls have From set to anonymous@…
This needs to provoke an authentication challenge
The re-invite will then contain the real identity of the user in the authentication fields
It is this authentication ID that should be placed in the p-asserted-identity (as per the packet flow shown in the RFC).

To achieve this the anonymous endpoint must issue the challenge but each UA will have a unique authentication ID.
I’m sure that pjsip_endpoint_identifier_anonymous.so must handle this but I can't find anything in the documentation pages.

As I mentioned there is a call flow in section 10 of RFC3325 that explains exactly what I’m trying to achieve.

The anonymous endpoint identifier doesn’t. You would not use that at all. You could enable the auth_username endpoint identifier[1] at which point the endpoint would be matched based on the authentication username. After this you would need to trust the callerid information[2] if you want the value from PAI to be used, and if you want it to be sent out a trunk then you would need to trust it on outbound too and enable sending of it using PAI.

[1] asterisk/configs/samples/pjsip.conf.sample at master · asterisk/asterisk · GitHub
[2] asterisk/configs/samples/pjsip.conf.sample at master · asterisk/asterisk · GitHub

Many thanks for that.
I was experimenting with “identify_by = auth_username” already

However the initial invitation doesn’t have an auth_username so it seems to me that the challenge must still be issued from the anonymous endpoint based on the from field.

I’ll continue experimenting.
I guess it doesn’t really matter what is in the anonymous username field, the challenge will be the same and the reply can be picked up on the correct endpoint.

Asterisk will always challenge, unless an anonymous endpoint is configured to allow calls in. If you don’t have anonymous loaded and configured, it will challenge.

Thanks for that - I nearly have it.
I have removed my anonymous sections and the call is now being accepted based on auth_id

The client UA isn’t generating PAI; I need Asterisk to generate the PAI from the auth_id of the incoming call.
At the moment the PAI contains anonymous

Thanks so much for your help.
I’ll continue experimenting

Asterisk won’t do that unless you configure things to. For example you can set the callerid on the PJSIP endpoint, in which case incoming calls from the given endpoint will have that callerid, which can then be sent out externally.

It's all working now.

I'll post a config later when I’ve spruced it up so that anyone else interested in the thread can see it.

I really appreciate your help, thanks once again.

Sorry about this, but I spoke too soon.

Adding the callerid has indeed fixed the pai
But now the From header across the outgoing trunk also now contains the authenticated ID
The From header on the outbound trunk should still be anonymous

You would want to set the callerid presentation to prohib[1].

[1] Asterisk Call Party, Privacy, and Header Presentation ⋆ Asterisk

Thanks for that.
I'll read and digest.

The problem I see here is that using CALLERID(pres)=prohib in the dialplan will hide the CID for all calls, not just the call that arrived anonymously.
I want the UA to choose whether to use anonymous or not.

You’ve given me some good pointers and I’ve learned a lot
I'll need to do some more reading/experimentation.

Thanks for all your help thus far.

Only the calls for which it is actually executed. At the very least, you can explicitly read the incoming From header, although there may be better ways (if the caller wants anonymity, they should be setting the appropriate privacy settings on the incoming request, not just using a special From header).
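
The pieces of advice in this thread, combined into one configuration as an added example. It was not posted by any participant and was not tested by them. The `callerid` value, the `_X.` pattern and the `FROMHDR` variable are assumptions; the `[mytrunk]` aor and identify sections from the first post are unchanged and omitted.

```ini
; Added example: values marked "assumed" are not from the thread.

; ---- pjsip.conf ----
[Student2]
type = endpoint
context = internal
disallow = all
allow = ulaw
auth = Student2
aors = Student2
identify_by = auth_username     ; match on the username in the digest response
callerid = Student2 <Student2>  ; assumed value; identity asserted after auth

[Student2]
type = auth
auth_type = userpass
username = Student2
password = testpassword

[Student2]
type = aor
max_contacts = 1

[mytrunk]
type = endpoint
aors = mytrunk
context = external
disallow = all
allow = ulaw,alaw
send_pai = yes
trust_id_outbound = yes         ; still send PAI when presentation is prohibited

; ---- extensions.conf ----
[internal]
; _X. is an assumed pattern. FILTER drops quotes and brackets from the From
; header so the expression below cannot be broken by a quoted display name.
exten => _X.,1,Set(FROMHDR=${FILTER(a-z0-9@:,${PJSIP_HEADER(read,From)})})
; Hide the caller ID only when this caller chose an anonymous From.
 same => n,ExecIf($["${FROMHDR}" =~ ":anonymous@"]?Set(CALLERID(pres)=prohib))
 same => n,Dial(PJSIP/${EXTEN}@mytrunk)
```

With `pjsip set logger on` at the Asterisk CLI, the outbound INVITE to the trunk can be checked for an anonymous From header alongside a P-Asserted-Identity carrying the authenticated identity.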