Asterisk user authentication

There are at least a couple of reasons why you would want to authenticate a user:
  • restrict access to voicemail
  • give authenticated users access to more extensions such as allow them to call in and then make outgoing calls (useful for people at hotels and possibly reduced log distance rates for cell phone users)

There are 4 ways that I know of to authenticate a user:
  • voicemail system. Once authenticated, user can:
    • change their own password
    • change voicemail messages
    • listen to, save, forward, and delete voicemail messages
    • voicemail.conf allows you to specify certain mailboxes that the user, once authenticated, can get forwarded to another context (this is how you can give them access to additional extensions). Read about the dialout parameter http://www.voip-info.org/tiki-index.php?page=Asterisk+config+voicemail.conf
    • this method does not currently allow you to read passwords from db or ldap (I think) but does allow each user to use (and maintain) their own password. I really hope that read/write ldap support will be added in the near future.
  • DISA command provides a dialtone, user must enter a password to get forwarded to the specified context where they get another dial tone and they can then use extensions in that new context. Usually used with no-password argument (with authenticate command before it since the the authenticate command is more user friendly). When used with no-password, DISA is only different than WaitExten in that it will forward the entered extension to another context
  • authenticate command asks a user to enter a given password in order to continue execution (it asks again if an incorrect password is given). A file or database can also be used to list passwords. Hopefully this will be modified in the future to prompt for both user name password AND add support for ldap storage
  • authenticate by caller id. This isn't particularly secure since callerid can be spoofed .. but is the easiest for users to use since the user doesn't have to enter any authentication password). This method requires that the nember calling in be known and authenticated prior to the caller using this system.


exten => s,1,Wait(0)
exten => s,2,Macro(authbyCID,${CALLERIDNUM})
exten => s,3, whatever happens if they don't authenticate by callerid

; Forward authorized callers to trusted
exten => s,1,GotoIf($~np~[${ARG1} = 5195551234]~/np~?trusted,s,1)        ; Brian's house

; used by trusted extensions or authenticated users to get access to external lines and internal extensions

exten => s,1,Answer
exten => s,2,DigitTimeout(10)      ; Set Digit Timeout to 10 seconds
exten => s,3,ResponseTimeout(12)     ; Set Response Timeout to 12 seconds
exten => s,4,Background(trusted)        ; play message telling them they can dial extensions (I have "1" set up to ring into office like a normal incoming call)
exten => s,5,WaitExten(8)                ; could be replaced with DISA(no-password,trusted) for same effect
exten => s,6,Hangup

authenticate and DISA

exten => s,1,Authenticate(XXXXX)
exten => s,2,DISA,no-password|toll-access
exten => s,3,Hangup

See Also

Created by: bjohnson, Last modification: Thu 04 of Nov, 2010 (05:56 UTC) by admin
Please update this page with new information, just login and click on the "Edit" or "Discussion" tab. Get a free login here: Register Thanks! - Find us on Google+