Endpoints, AOR, Auths <-> Humans or devices?

Dear forum members,

In their book, Van Meggelen et al. (“Asterisk - The definitive guide”) recommend naming endpoints, AORs, auths and auth-username all the same by something unique to the telephone device, e.g. the MAC address.

In their example setup, they propose the following (pages 68 f.):

  • Endpoints: 0000f30A0A01, 0000f30B0B02, SOFTPHONE_A, SOFTPHONE_B
  • AORs: 0000f30A0A01, 0000f30B0B02, SOFTPHONE_A, SOFTPHONE_B
  • Auths: 0000f30A0A01, 0000f30B0B02, SOFTPHONE_A, SOFTPHONE_B - each with the identifier as “username” (e.g. 0000f30A0A01).
  • Endpoint 0000f30A0A01 is mapped to AOR 0000f30A0A01 and to auth 0000f30A0A01 (with the username 0000f30A0A01).

I’m trying to build the following setup with Asterisk:

  • I have a few users (actual humans).
  • Each human has 1 softphone and 1 desk phone.
  • In the example from the book, these would be named SOFTPHONE_LINDA (softphone) and 000E3B74… (desk phone identified by its MAC address).
  • If a human is called, I always want their softphone and their desk phone to ring in parallel. (I guess each DIAL(PJSIP/…) in the dial plan would contain multiple “entries” (=endpoint names? or =AOR names?).)
  • E.g. extension 234 should ring the softphone and the desk phone in parallel. So users don’t have to know if their colleague is at the desk or somewhere else (softphone on notebook).
  • There will be no different extensions for softphones and desk phones in the dial plan.
  • So Linda’s softphone can’t make calls to Linda’s desk phone.
  • And users can’t call only someone’s softphone or only their desk phone.
  • Let’s say, my users are alex, john and linda.

Is the approach with device MAC addresses from the book the right one for me?

Shouldn’t my endpoints, AORs and auths simply be alex, john and linda?
And each AOR has max_contacts >= 2 to allow softphone and desk phone in parallel?
So no MAC addresses at all?

In the best case I could have different passwords for softphones and desk phones. So if someone exposes their softphone password by accident, I could just change that (“softphone_linda”) without having to reconfigure the desk phone (different username/password, e.g. “deskphone_linda”). But that’s an optional requirement. Same credentials for softphones and deskphones would be fine as well.

What would be my endpoints, AORs and auths and the auth usernames?

Can you point me to the right track? I’d be very thankful!
“The penny hasn’t yet dropped.” :laughing:

Reg

The naming is arbitrary, and what you want it to be. There are best practices such as using the MAC address, but that’s not a requirement. It’s what you want it to be. It could be a randomly generated UUID if you wanted.

The MAC suggestion is to produce something unguessable, for security.

For multiple phones for the same person, you might put them all on one AOR and use PJSIP_DIAL_CONTACTS to get the dialstring to access them all.

Thank you both very much for your responses. :slightly_smiling_face:

I understand that the names can be chosen arbitrarily.

But how should I map the PJSIP constructs “AOR”, “Endpoint” and “Auth”->“username” to the real world entities “Person/Human”, “Device” and “extension to dial”?

Please see my sketch:

I’ve read that PJSIP_DIAL_CONTACTS wants an endpoint name as argument and optionally an additional AOR name. But the main argument is an endpoint name. If I wanted to use that function, I would have 1 AOR ↔ 1 Endpoint ↔ 1 Auth-username for each natural person, right? So if I want the softphone and the deskphone to be the same endpoint, it’s not reasonable to name it by the MAC address of the deskphone. Because it would be used by the softphone as well.

If I wanted the extension “234” to reach the person “Linda”, then would I have to name Linda’s AOR “234” with arbitrarily named endpoints (e.g. MAC address or UUID) and auth user names? Or will I have a single endpoint “234” for both deskphone and softphone together, if I wanted to use pattern matching in the dial plan like

exten => _2XX,1,Dial(${PJSIP_DIAL_CONTACTS(${EXTEN})})

I think most people ignore the advice and use the directory number (extension). If you want more security, you need to think what is best from a security point of view.
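One possible layout for the optional requirement in the question (separate credentials for softphone and desk phone), added here as an example; it is not from the book or from any poster in this thread, and it uses one endpoint per device rather than the single-AOR approach suggested above. The section names, the `internal` context, the codec and the passwords are placeholders; unguessable identifiers such as a MAC address or UUID can be substituted for `linda-desk` and `linda-soft`.

```ini
; ---- pjsip.conf (added example; all names and secrets are placeholders) ----
[dev-endpoint](!)            ; template shared by every device endpoint
type=endpoint
context=internal             ; hypothetical dialplan context
disallow=all
allow=ulaw

[dev-auth](!)                ; template for per-device credentials
type=auth
auth_type=userpass

[dev-aor](!)                 ; template for per-device registrations
type=aor
max_contacts=1               ; one registration per device identity
remove_existing=yes          ; a re-registration replaces the old contact

; Linda's desk phone. The phone's SIP user ID must equal this section name,
; because endpoints are matched on the From user by default.
[linda-desk](dev-endpoint)
auth=linda-desk
aors=linda-desk
[linda-desk](dev-auth)
username=linda-desk
password=REPLACE-WITH-RANDOM-SECRET-1
[linda-desk](dev-aor)

; Linda's softphone: its own credential, so it can be rotated on its own
; without touching the desk phone.
[linda-soft](dev-endpoint)
auth=linda-soft
aors=linda-soft
[linda-soft](dev-auth)
username=linda-soft
password=REPLACE-WITH-RANDOM-SECRET-2
[linda-soft](dev-aor)

; ---- extensions.conf ----
[internal]
; The extension belongs to the person; the dialplan maps it to her devices,
; so 234 never appears as a SIP username or credential.
exten => 234,1,Dial(PJSIP/linda-desk&PJSIP/linda-soft,30)
 same => n,Hangup()
```

With this layout the directory number is only a dialplan pattern, so knowing that Linda is on 234 reveals neither auth username.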
