Advanced Remote Authenticate

Allows:

  • specifying the password to be used for authentication via the CLI
  • authentication by:
    • IP or MAC address of the remote VoIP peer
    • ANI, DNIS or tech-prefix
    • flexible user-name translation rules (e.g. the carrier reports ANI in the format '0296355111', but we should authenticate '4202963555111')
    • passport user ID (PUID) and password from the SIP INVITE request

Requires IOS 12.2(11)T or later.

This script uses a tone generator instead of the pre-recorded beep.au file, which improves billing accuracy by taking the beep duration into account.

The price of the Advanced Remote Authenticate module is $499. For more information about Advanced Remote Authenticate please contact our sales team.

Configuration parameters.

Specified as VSA parameters, in the form of call application voice

  • authenticate-by
    Specifies what shall be used as a User-Name for the authentication
    requests. Possible values are:
    • ip - IP address of the remote GW (including network substitution)
    • mac - MAC address of the remote gateway
    • prefix - tech. prefix in the Called-Station-Id. So if the CLD received was 789#16041234567, 789 will be used as a username for authentication
    • pin#dnis - similar to the one above. The phone number contains the PIN and the destination number, separated by #. The only difference from the "prefix" method is that PIN# is stripped off the destination number.
    • sip - SIP username from the INVITE
    • sip-ip - SIP username if available, otherwise use the remote IP
    • ani - Calling-Station-Id (ANI)
    • dnis - Called-Station-Id (DNIS)
    • fixed - Fixed string, provided as "user-name" parameter
  • method-list-name
    Specifies which authentication methods should be used for authentication. h323 by default.
  • update-accounting
    Whether the script should attempt to update information in the accounting requests. aaa accounting update is not available in older IOS versions, so you might need to turn this feature off if you are using one. Possible values are on and off; the default is on.
  • original-cld
    Send the DNIS number to the billing in the PortaBilling_Original_CLD h323-ivr-out attribute. This is necessary to bill incoming telephony calls or to apply different tariffs depending on the access number.
    Off by default.
  • password
    Password to be used for authentication queries. The default is cisco.
  • skip-password yes|no
    PortaBilling specific. In some cases (for example an incoming call from PSTN to a SIP device) we might not know the valid password for the account. Nevertheless we need to do the rest of the authentication. If this switch is turned on, the script sends a special attribute which instructs PortaBilling to skip the password check (so any supplied password matches) but perform the rest of the authentication.
  • warning-time
    How long before the maximum allowed session duration the user should be warned by a beep. Default is 60 seconds.
  • auth-always-ok
    Sometimes, for debugging purposes, it might be useful to perform authentication requests to the billing but still allow the call to go through if the authentication fails. (For example, you are creating new settings in the billing and want to see whether the call will be authorized or not without disrupting service to your customers.) If this parameter is set to "yes", the script behaves as if the authentication result were always successful. The default is "no".
    NOTE: It requires the following lines to be included in the config of the gateway:
    • aaa authentication login loopback local
    • aaa authorization exec loopback local
    • username loopback password 0 loopback
  • translate
    Allows translation rules to be applied to the username used for authentication. This makes it possible to change the username depending on the situation without modifying the application source, just by using the CLI. The rule is a regexp in the format /pattern/replace-with/ (in Tcl regexp syntax). For example, adding 1 in front of the number is done with /^.+/1&/
  • user-name
    Specifies fixed string to be used as a User-Name for authentication.
  • redirect
    Use the account's redirect number as a destination number instead of DNIS
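
Because the translate rule decides which account a call is authenticated as, it is worth checking a rule against sample usernames before putting it on a gateway. The following is an added example, not code from the script itself: it assumes the rule is applied as a single Tcl regsub substitution (first match only, & standing for the whole match) and only covers patterns whose syntax is the same in Tcl and Python; the function names and usernames are constructed.

```python
import re

def parse_rule(rule):
    """Split '/pattern/replace-with/' into (pattern, replacement)."""
    if len(rule) < 3 or rule[0] != "/" or rule[-1] != "/":
        raise ValueError("rule must look like /pattern/replace-with/")
    parts = re.split(r"(?<!\\)/", rule[1:-1])   # split on unescaped '/'
    if len(parts) != 2:
        raise ValueError("expected exactly one pattern and one replacement")
    return parts[0], parts[1]

def expand(repl, m):
    """Expand a Tcl regsub replacement: & and \\0 = whole match, \\1-\\9 = groups."""
    def token(t):
        s = t.group(0)
        if s in ("&", "\\0"):
            return m.group(0)
        if s[1].isdigit():
            n = int(s[1])
            return (m.group(n) or "") if n <= m.re.groups else ""
        return s[1]          # escaped '&' or backslash becomes the literal character
    return re.sub(r"\\[0-9&\\]|&", token, repl)

def translate(rule, username):
    """Apply the rule once (regsub without -all); no match leaves the name unchanged."""
    pattern, repl = parse_rule(rule)
    m = re.search(pattern, username)
    if m is None:
        return username
    return username[:m.start()] + expand(repl, m) + username[m.end():]

# Constructed usernames; the two rules are the ones quoted on this page.
CASES = [
    ("/^0/420/", "0212345678"),      # national format -> 420212345678
    ("/^0/420/", "420212345678"),    # already international -> unchanged
    ("/^0/420/", "00420212345678"),  # 00-prefixed -> 4200420212345678, a different username
    ("/^.+/1&/", "6041234567"),      # prepend 1 -> 16041234567
]

if __name__ == "__main__":
    for rule, user in CASES:
        print(f"{rule:12} {user:16} -> {translate(rule, user)}")
```

The third case shows how a rule written for one input format produces an unintended username when the carrier sends another.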

Configuration example

!
call application voice remote_ip_auth flash:app_remote_authenticate.tcl
call application voice remote_ip_auth password my_password
call application voice remote_ip_auth authenticate-by ip
call application voice remote_ip_auth keep-username trusted

call application voice remote_mac_auth flash:app_remote_authenticate.tcl
call application voice remote_mac_auth authenticate-by mac
call application voice remote_mac_auth warning-time 30
call application voice remote_mac_auth update-accounting no
!
call application voice remote_sip_auth flash:app_remote_authenticate.tcl
call application voice remote_sip_auth authenticate-by sip
!
call application voice remote_prefix_auth flash:app_remote_authenticate.tcl
call application voice remote_prefix_auth authenticate-by prefix
call application voice remote_prefix_auth update-accounting no
!
call application voice remote_ani_auth flash:app_remote_authenticate.tcl
call application voice remote_ani_auth authenticate-by ani
call application voice remote_ani_auth translate "/^0/420/"
call application voice remote_ani_auth skip-password yes
!
dial-peer voice 1 voip
 application remote_ip_auth
 incoming called-number 1.
!
dial-peer voice 2 voip
 application remote_mac_auth
 incoming called-number 2.
!
dial-peer voice 3 voip
 application remote_sip_auth
 incoming called-number 3.
!
dial-peer voice 4 voip
 application remote_prefix_auth
 incoming called-number 4.
!
dial-peer voice 5 voip
 application remote_ani_auth
 incoming called-number 5.
!
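
Several of the parameters above weaken authentication when left at their default or switched on: the default password cisco, skip-password, auth-always-ok and the loopback user it requires. The following is an added example, not part of the product: a small audit that reads `call application voice` lines from a gateway configuration and reports those settings per application. The sample configuration is constructed, and the skip-password default of "no" is an assumption, since the page does not state one.

```python
import re

# Value assumed when a parameter is not set. "cisco" and auth-always-ok "no"
# are the defaults documented above; skip-password "no" is an assumption.
DEFAULTS = {"password": "cisco", "skip-password": "no", "auth-always-ok": "no"}
APP_RE = re.compile(r"^call application voice (\S+) (\S+)(?:\s+(.+))?$")

def audit(config):
    """Return sorted (application, finding) pairs for a gateway config."""
    apps, findings = {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        m = APP_RE.match(line)
        if m:
            app, key, value = m.groups()
            params = apps.setdefault(app, dict(DEFAULTS))
            if value is not None:      # the two-token form only names the script file
                params[key] = value.strip('"')
        elif line.startswith("username loopback password 0 "):
            findings.add(("global", "loopback user has a cleartext (type 0) password"))
    for app, p in apps.items():
        if p["password"] == "cisco":
            findings.add((app, "password is the default 'cisco'"))
        if p["skip-password"] == "yes":
            by = p.get("authenticate-by", "unset")
            findings.add((app, f"password check skipped, identity is '{by}' only"))
        if p["auth-always-ok"] == "yes":
            findings.add((app, "failed authentication still completes the call"))
    return sorted(findings)

# Constructed sample, modelled on the configuration example above.
SAMPLE = """\
aaa authentication login loopback local
username loopback password 0 loopback
call application voice remote_ip_auth flash:app_remote_authenticate.tcl
call application voice remote_ip_auth password my_password
call application voice remote_ip_auth authenticate-by ip
call application voice remote_ani_auth flash:app_remote_authenticate.tcl
call application voice remote_ani_auth authenticate-by ani
call application voice remote_ani_auth skip-password yes
call application voice test_auth flash:app_remote_authenticate.tcl
call application voice test_auth auth-always-ok yes
"""

if __name__ == "__main__":
    for app, finding in audit(SAMPLE):
        print(f"{app}: {finding}")
```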
