Help setting up IP authentication with PJSIP Endpoint

Hello, I’m trying to configure a PJSIP extension to authenticate via IP
address instead of user/password, but I can’t make it work. I searched
online through many threads like
Asterisk PJSIP with authorization by IP adress - Zadarma, but it
doesn’t work. My problem is that when I use the following setup, any IP
address can register, not just my IP:

[2000]
type=aor
max_contacts=3
maximum_expiration=7200
minimum_expiration=60
qualify_frequency=60

[2000]
type=endpoint
aors=2000
transport=0.0.0.0-udp
disallow=all
allow=ulaw,alaw
context=demo
dtmf_mode=rfc4733
direct_media=yes
mailboxes=2000@device
mwi_subscribe_replaces_unsolicited=yes
aggregate_mwi=no
media_use_received_transport=no
media_encryption_optimistic=no
message_context=textmessage
rewrite_contact=yes

[2000]
type=auth
auth_type=userpass
password=
username=2000

[2000]
type=identify
endpoint=2000
match=179.109.22.111

When I change the identify from 179.109.22.111 to another IP and reload
Asterisk, I can still register from 179.109.22.111 without any password.
I tried adding the option “identify_by=ip” to the ‘type=endpoint’
section, and then I get this error:

[Jun 19 13:23:04] WARNING[49934]: res_pjsip_registrar.c:1166
find_registrar_aor: AOR ‘’ not found for endpoint ‘2000’
(179.109.22.111:29758)

I know I can block everything and just white-list this IP through
iptables, but I remember having done this with regular SIP in the past, so
this should be doable in PJSIP, right? Any help here is appreciated.
Thank you.

This looks like you’re trying to have a phone do IP auth from the outside in to your Asterisk server?

If that’s the case, the example config you linked to won’t work. To start with, IP-authed endpoints don’t have an auth type stanza; so what you’ve effectively done is open up account 2000 to anyone, with no password.

The example you listed is for having your asterisk pbx do IP auth with their servers. I’m not sure what you’re doing, but it looks like you want an endpoint to do IP Auth to your asterisk. Entirely different setup. I will dig in to this…but you’ve essentially left your asterisk server wide open to anyone who sends a user ID of 2000.

An extension doesn’t exist until it’s defined in the dialplan; until then, they are endpoints. You should never use extensions or numbers in general as logins. This is highly insecure and usually exploited.

I will dig in to this…but if you’ve got that server sitting idle waiting for a fix with that config…shut it down if it has any trunk connectivity before someone has some fun at your expense.

Hello there, thank you for your reply!
You are correct, I’m trying to set up IP authentication between a SIP extension and a SIP device. I understand the setup I gave is insecure; I’m actually blocking all traffic to that server except my IP for testing. My current endpoint setup is this (with the identify_by=ip):
[2000]
type=endpoint
aors=2000
transport=0.0.0.0-udp
disallow=all
allow=ulaw,alaw
context=demo
dtmf_mode=rfc4733
direct_media=yes
mailboxes=2000@device
mwi_subscribe_replaces_unsolicited=yes
aggregate_mwi=no
media_use_received_transport=no
media_encryption_optimistic=no
message_context=textmessage
rewrite_contact=yes
identify_by=ip

With this line added, I’m unable to register at all; it gives me the error I mentioned earlier:

res_pjsip_registrar.c:1166 find_registrar_aor: AOR '' not found for endpoint '2000' (179.109.22.111:29758)

I can’t remember if you can register by IP Auth; but the issue is that there’s no AOR for your endpoint. This is usually created when the endpoint registers; but in your case you’ll need to make an AOR entry stanza in the config for your endpoint.


I’m not sure I understand what I need to add, I do have an AOR:
[2000]
type=aor
max_contacts=3
maximum_expiration=7200
minimum_expiration=60
qualify_frequency=60

and my endpoint has “aors=2000”; and I have an identify section of

[2000]
type=identify
endpoint=2000
match=179.109.22.111

so I was assuming that by using ‘identify_by=ip’ it would attempt to match 179.109.22.111, which it actually does, because if I change this IP to something else and try to register from this IP I get a registration error, not the AOR error. I just can’t figure out why it tries to find AOR ‘’ and not AOR 2000. If I remove the ‘identify_by=ip’ line from the endpoint settings, everything works fine, but then any IP can register without a password.

In the old SIP channel, as far as I recall, I could set ‘host=179.109.22.111’ (instead of ‘host=dynamic’) for the type=peer and have no password; then only the IP 179.109.22.111 could register. Unfortunately I don’t have any Asterisk instance running the old SIP channel, but if there’s no solution for this I’ll likely have to install it on this server.

You would need to provide an actual SIP trace.

Here is a SIP trace: Dropbox

This should be:

contact=sip:179.109.22.111

and you should disable attempts to register on 179.109.22.111.

I tried with and without
contact=sip:179.109.22.111

it gives the same error:
find_registrar_aor: AOR ‘’ not found for endpoint ‘2000’
(179.109.22.111:29758)

I’m not registering on 179.109.22.111, I’m registering from 179.109.22.111. If I disable registration on my SIP device I don’t get inbound calls; if I use contact=sip:179.109.22.111 the OPTIONS packets don’t reach 179.109.22.111 because I’m firewalled, and it doesn’t qualify the endpoint as ‘available’ to deliver calls. The contact should be picked up from my REGISTER request from 179.109.22.111 towards Asterisk, which happens if I remove the ‘identify_by=ip’ option.

Something is misusing REGISTER here, but it is too late at night to work out exactly how.

It is probably because you are still mixing static and dynamic address logic. The firewall should also be programmed with the known address.

You’re right, I tested by disabling registration on my SIP device, and if I make a call it obeys the “match=179.109.22.111”, and if I change this to a different IP I can’t dial out, I get “No matching endpoint found”. The problem here is that if my SIP device doesn’t register, Asterisk uses the AOR contact URI to qualify my SIP device, and it’s always ‘unavailable’. I see the OPTIONS packets being sent to the contact IP but nothing comes back, because the SIP device’s network doesn’t allow incoming connections. So I have two options apparently: use the open authentication without a password and filter the IPs on the router, or install the old SIP channel, which can do this job as far as I recall. I’ll leave that for tomorrow too, because I’m exhausted.

Are you sure you don’t just want to apply an ACL to the endpoint and the AOR, to restrict it to only the given IP address? I think that’s what you’re actually wanting to do?

I don’t really know how to do that. I know in FPBX there’s a ‘Match(permit)’ setting where you can define the IPs or subnets we want to limit access to, but I couldn’t figure out where that setting goes in Asterisk. My client told me they’d rather use PJSIP and disable registration, so the current setting with ‘identify_by=ip’ is working fine with the registration disabled; he said he’ll deal with the firewall later. So we are all good. Thanks for the support!

Match/permit is misnamed. It is used to form the match= parameter, and has nothing to do with permission.

That is saying the AOR should be based off the registration for 2000.

AOR is Address of Record, it is basically an address that the endpoint lives at. When you register, the registration process creates an AOR in asterisk that points to the endpoint’s IP.

You don’t have a valid AOR. You’re telling it AORS=2000 but it doesn’t know what that means as 2000 has not made an AOR.

You need something like this in your config:

[2000]
type=aor
contact=sip:2000@192.0.2.1:5060

Where 192.0.2.1 is the IP of your endpoint.
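
The two suggestions above (a static-contact AOR so the device never has to register, and an ACL restricting the endpoint to one address) fit together in a single pjsip.conf fragment. The following is an added example written for this thread, not config posted by any participant or shipped with Asterisk. It assumes the device's public address is 192.0.2.1 (the placeholder used in the reply above), keeps the transport name `0.0.0.0-udp` and context `demo` from the original post, and adds a transport definition that the original post did not show. Note that the original endpoint had no `auth=` line; Asterisk only challenges an endpoint that references an auth section, which is why the original setup accepted registrations with no password from anywhere.

```ini
; pjsip.conf fragment (added example, not from the original thread).
; Endpoint 2000 is bound to one source IP and never prompted for a password.
; 192.0.2.1 is a placeholder for the device's real public address.

; Transport name kept from the original post (assumed definition).
[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0

; Static AOR: the device does not register, Asterisk already knows where it is.
; qualify_frequency=0 disables OPTIONS pings; with the device's firewall dropping
; inbound OPTIONS, qualifying would otherwise mark the contact unavailable and
; calls to it would never be attempted.
[2000]
type=aor
contact=sip:2000@192.0.2.1:5060
qualify_frequency=0

; Endpoint: deliberately no auth= line, so no credentials are demanded.
; That is only acceptable because the identify section and the deny/permit
; list below confine the endpoint to a single address.
[2000]
type=endpoint
aors=2000
transport=0.0.0.0-udp
identify_by=ip
context=demo
disallow=all
allow=ulaw,alaw
dtmf_mode=rfc4733
direct_media=no          ; changed from the thread's "yes": the device sits behind NAT
rewrite_contact=yes
mailboxes=2000@device
message_context=textmessage
; Endpoint-level ACL: deny everything, then permit only the device address.
deny=0.0.0.0/0.0.0.0
permit=192.0.2.1/255.255.255.255

; Map inbound requests from the device's address to endpoint 2000.
[2000]
type=identify
endpoint=2000
match=192.0.2.1

; Optional global ACL (res_pjsip_acl): rejects SIP from any address not listed.
; Add the addresses of every trunk provider here too, or their calls will be dropped.
[acl-known-peers]
type=acl
deny=0.0.0.0/0.0.0.0
permit=192.0.2.1/255.255.255.255
```

After `pjsip reload`, `pjsip show endpoint 2000`, `pjsip show aor 2000` and `pjsip show identifies` confirm that the contact is static and that the identify entry is attached to the endpoint. Because the contact is static, the device has to be reachable at that address and port for inbound calls; if the device's NAT only opens a pinhole while the device itself is sending traffic, inbound calls from Asterisk will still fail, and the firewall whitelist the thread mentions remains the right complement to this config rather than a replacement for it.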
