[cisco-voip] Authenticating sip trunk to ITSP from CUBE?
Sreekanth
sreenara at cisco.com
Wed May 4 12:35:00 EDT 2016
Yes, sip-ua tells CUBE to send REGISTER messages towards a Registrar
server globally with the authentication and credential parameters. These
REGISTER messages will be bound to the interface that is bound under
voice service voip -> sip. However, in the 15.6(2)T version, the tenant
configurations under the dial-peers will instruct the CUBE to send out
REGISTER messages.
I just checked with the router in my lab and actually, option 2 won't be
possible. It won't instruct the CUBE to send out REGISTER messages. It
will only instruct the CUBE to add authentication credentials and realm
settings when sending out the INVITE messages towards the session target
configured under the dial-peer.
You will have to go with option 1.
*1. Create the voice class tenant for the SIP trunk to ITSP and bind it
with the right interface.*
voice class tenant 1
registrar dns:cisco.com expires 3600
credentials username cisco password cisco realm cisco.com
authentication username cisco123 password 7 cisco123
sip-server dns:cisco.com
bind control source-interface GigabitEthernet0/2
bind media source-interface GigabitEthernet0/2
early-offer forced
*2. Apply the voice class tenant to the dial-peer. Create specific
dial-peers towards ITSP.*
dial-peer voice X voip
voice-class sip tenant 1
When this is done, CUBE will send REGISTER messages as well towards this
ITSP with the traffic bound to gig0/2.
This way you can have multiple ITSP trunks on 1 CUBE.
Sreekanth
On Wednesday 04 May 2016 09:29 PM, Nick Barnett wrote:
> I'm currently on c3900e-universalk9-mz.SPA.153-3.M6, but can totally
> upgrade. Was actually planning on going to 15.4 this weekend. Jumping
> 3 versions kind of scares me, so maybe staging is in order.
>
> *I do have some limited auth commands on the dial peer, if this is
> what you were talking about... but I don't think it applies in this
> scenario. I don't have any options for credentials:*
> CUBE(config-dial-peer)#voice-class sip authenticate ?
> redirecting-number Use redirecting number credentials while
> authenticating
>
> CUBE(config-dial-peer)#voice-class sip cred
> CUBE(config-dial-peer)#voice-class sip c?
> call-route calltype-video conn-reuse copy-list
> *
> *
> *There is also the registration commands:*
> CUBE(config-dial-peer)#voice-class sip registration ?
> passthrough SIP Registration Passthrough Options
>
> CUBE(config-dial-peer)#voice-class sip registration passthrough ?
> dynamic SIP Registration Use dynamic Registrar Details
> (default)
> local-fallback Local Fallback - (e2e)
> rate-limit SIP Registration pass-through rate-limit Options
> reg-sync Registration Sync - send REGISTER when registrar up
> (p2p)
> registrar-index Registrar Index(s) used for registration passthrough
> static SIP Registration Use static Registrar Details
> system Use global registration passthrough CLI setting
> <cr>
>
> *I tried using the system passthrough setting, but it did not work.*
> *
> *
> *I need to make sure I understand what is actually happening.*
> *
> *
> *I don't think the CUBE is even looking at dial-peers for REGISTER
> messages. Am I correct? If so, no amount of dial peer settings is
> going to make any difference here... unless there is a way to create a
> dial-peer that will intercept REGISTER messages. I believe it is using
> the REALM settings in the credentials and authentication strings (that
> I entered into sip-ua). And sip-ua is using the global bind settings I
> set within voice service voip -> SIP (which are set to the inside
> interface).*
> *
> *
> *Please set me straight!*
>
> Thanks,
> Nick
>
> On Wed, May 4, 2016 at 10:37 AM, Sreekanth Narayanan (sreenara)
> <sreenara at cisco.com <mailto:sreenara at cisco.com>> wrote:
>
> What IOS version are you running on the CUBE? I can think of a
> couple of things.
> 1. In 15.6(2)T, a new feature has been introduced called
> multi-tenant where you can configure separate voice class tenants.
> Each tenant can have separate authentication mutually exclusive to
> one another and can be bound to different interfaces.
>
> 2. In your current IOS, check if you are able to configure the
> authentication and credential commands at the dial peer level. I
> am not sure which IOS had this introduced but it is worth a try.
>
>
>
> Sreekanth
>
> Sent from a phone.
>
>
> -------- Original message --------
> From: Nick Barnett <nicksbarnett at gmail.com
> <mailto:nicksbarnett at gmail.com>>
> Date: 5/4/16 8:03 PM (GMT+05:30)
> To: Brian Meade <bmeade90 at vt.edu <mailto:bmeade90 at vt.edu>>
> Cc: Cisco VoIP Group <cisco-voip at puck.nether.net
> <mailto:cisco-voip at puck.nether.net>>
> Subject: Re: [cisco-voip] Authenticating sip trunk to ITSP from CUBE?
>
> I'm binding control and media to my inside interface:
>
> sip
>
> bind control source-interface GigabitEthernet0/0
> bind media source-interface GigabitEthernet0/0
>
> I suspect this is the issue... is there any way to make the
> REGISTER messages come from the outside gi0/1 interface?
>
> The reason I'm binding to inside is that we have a a very fluid
> internal network. I have to make and modify internal dial peers
> almost daily. When I need to create a dial peer and put the bind
> statements on the dial peer, it won't bind properly since there
> are active SIP calls on the CUBE... so I bound it globally. My
> external dial peers rarely change, so I bind those directly to
> gi0/1 (on the DP).
>
> I was under the impression that REGISTER events can take place
> without a dial peer... but is there a way to, i dunno, make a dial
> peer for register messages? Can I use SIP profile magic to get it
> working as is?
>
> I found this article which is pretty much exactly what I'm dealing
> with, but it doesn't mention REGISTER at all...
>
> https://supportforums.cisco.com/blog/154506
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__supportforums.cisco.com_blog_154506&d=CwMFAg&c=M-KQspD_LQogCbR-BWCHOaeDEPOhF8vWqHZTaiwxT3c&r=T9uVLZucbHG2NKKKzOrp-o5cpdReHj02PkJJsCVkgfwcv7S0R5lDeFJg2VRbiNih&m=UIAzGDQs8RCZld9kCbExwqpJhTgzpDVwM0k8_I7JRqU&s=jZN-R2pRsZOWN3r5is-aSivDlf9hqddUzDIoOWRWc3E&e=>
>
>
>
> On Wed, May 4, 2016 at 9:06 AM, Brian Meade <bmeade90 at vt.edu
> <mailto:bmeade90 at vt.edu>> wrote:
>
> Do you already have the SIP bind under voice service voip?
> voice service voice
> sip
> bind all source-interface FastEthernet0
>
> On Wed, May 4, 2016 at 9:58 AM, Nick Barnett
> <nicksbarnett at gmail.com <mailto:nicksbarnett at gmail.com>> wrote:
>
> I've never dealt with an authenticated SIP trunk before
> and I'm having some issues. I was wondering if anyone has
> had a similar experience. I already have 2 SIP trunks from
> ITSP-1 that do NOT require authentication. These are
> working fine and have been for years.
>
> We are adding ITSP-2 and their SIP service DOES require
> auth. I've followed their integration guide (which left a
> lot to be desired) and their acceptance team is telling me
> my auth is coming from our private class A address.
>
> Our CUBE is in HA with an inside (10.x.x.x) and outside
> (public) IP address. They are seeing REGISTER messages
> sourcing the inside VIP.
>
> I was looking around for an auth BIND statement or
> something like that, but I haven't had any luck. Any pointers?
>
> Thanks,
> Nick
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net <mailto:cisco-voip at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20160504/180d5372/attachment.html>
More information about the cisco-voip
mailing list