Outbound Trunk Auth with PJSIP (No Username Needed)

Asterisk Asterisk SIP
1

I am adding an additional trunk for international support. Our new provider uses the IP address as the sole auth, so I cannot send a username.

Currently, the registration returns the 401 challenge as expected:

WWW-Authenticate: Digest nonce="XXXXXXXXXXXXXXX",algorithm=MD5,realm="AUTH_DOMAIN"

I have tried a variety of settings in pjsip.conf. Removing the username setting (or using username=) will result in an error from PJSIP stating it cannot create an auth without a username.

As a result, all attempts inevitably receive a response of:

SIP/2.0 403 Username mismatch

Is there any way to disable setting / passing a username for an outbound pjsip trunk connection?

2

Another option, if someone could tell me if this is possible…

Modify the Authorization header for the REGISTER request. Modifying the headers for INVITE and MESSAGE is trivial since it can easily be done in the dialplan… however, I can’t find any documented way of modifying the headers for the REGISTER request. If this is possible using some special context that would be fantastic. Then I could set the username to an arbitrary value like null and do:

exten => s,1,Set(auth_orig=${PJSIP_HEADER(read,Authorization)})
exten => s,n,Set(auth_new=STRREPLACE(auth_orig,"username=\"null\", ",""))
exten => s,n,Set(PJSIP_HEADER(update,Authorization)=auth_new)

or something similar…

3

What it is your pjsip configuration for that endpoint,

4

Just dont use the outbound_auth object

5

If your provider uses IP authentication, don’t register at all.

6

This was the the answer for me, thank you!

I wasn’t aware that it was possible to have outbound trunking without registering. Removing the trunk registration from the config entirely worked for me.

I’m not sure I like the idea of not registering, I think I would prefer to be alerted of an issue with the trunk before someone attempts to make an outbound call… but at least it’s working! Thanks again!

7

The real purpose of registration is that that the service provider knows where to send incoming calls, not as a way of authenticating outbound ones. Those can get authenticated on every call attempt.

8

Set qualify_frequency to a positive number in the AOR and Asterisk will send an OPTIONS message to the service provider every X seconds. If the provider doesn’t respond with an OK, the trunk will be marked as unavailable.

9

@gjoseph This behaviour for me particularly is an issue, because some providers dont reply to OPTION request packages , and then you will find the problem where Asterisk will mark them absent, and you cant dial out using that peer, I faced that problem and solved it disabling qualify option

10

Of course if the service provider doesn’t support it then yeah it’s not an option (pun intended). @efilson asked about knowing when a trunk went unavailable so if his service provider supports it, qualify is the way to go.

11

Yes you right I just took the opportunity to make reference about this issue, as you remember me this problem with your clarification, but I think I must open a new thread to discuss this issue,