Asterisk SIP authentication methodology flawed?

It appears that Asterisk uses the following methodology to determine how to authenticate a SIP INVITE:

The From URI in the INVITE is parsed, taking the part left of the @. Example: username@domain.com would become “username”.

The SIP user entries are scanned for a match to “username”; if there is one, the caller is expected to provide matching credentials.

If there is no matching SIP user, the IP address is then matched against SIP users with static IP address definitions.

This seems backwards, as it allows for a bug: if the From header in an INVITE from a remote SIP device happens to carry the same username portion of the URI as an existing SIP user, but the caller is on a device at a trusted IP address and is not required to authenticate, the caller's INVITE receives a 407 Proxy Authentication Required.

Once a user is defined by IP address with no credentials required, there should never be any checking of credentials. The only way this can work is if the static IP entries are matched by IP BEFORE the dynamic entries are matched by “incorrectly derived partial username”.
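To make the collision concrete, here is an added model of the two lookup orders described above (username-first as the post describes, IP-first as the post proposes). It is illustrative code written for this post, not Asterisk's own implementation, and the user table and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class SipUser:
    name: str
    secret: Optional[str] = None   # None: no credentials configured for this entry
    host: Optional[str] = None     # static IP address, or None for a dynamic entry

# Constructed sample user table (hypothetical names and addresses, not a real config).
USERS = [
    SipUser("alice", secret="s3cret"),          # dynamic entry, must authenticate
    SipUser("trunk-pbx", host="192.0.2.10"),    # trusted by static IP, no secret
]

def from_user(from_header: str) -> str:
    """Take the user part of the From URI: <sip:alice@example.com> -> 'alice'."""
    m = re.search(r"sips?:([^@;>]+)@", from_header)
    return m.group(1) if m else ""

def decide(user: Optional[SipUser]) -> str:
    """Turn the matched entry into the response the caller would see."""
    if user is None:
        return "no matching user"
    if user.secret is not None:
        return "407 Proxy Authentication Required"
    return "accept (trusted IP, no credentials)"

def match_username_first(from_header: str, src_ip: str, users) -> str:
    """Order described in the post: username from the From URI, then static IP."""
    name = from_user(from_header)
    user = next((u for u in users if u.name == name), None)
    if user is None:
        user = next((u for u in users if u.host == src_ip), None)
    return decide(user)

def match_ip_first(from_header: str, src_ip: str, users) -> str:
    """Order the post argues for: static-IP entries checked before the username."""
    user = next((u for u in users if u.host == src_ip), None)
    if user is None:
        user = next((u for u in users if u.name == from_user(from_header)), None)
    return decide(user)
```

With the constructed table, an INVITE from the trusted 192.0.2.10 whose From user happens to be "alice" gets a 407 under username-first matching but is accepted under IP-first matching, which is exactly the discrepancy the post describes.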

Thoughts?