Asterisk IAX Authentication
This page attempts to document the process that Asterisk uses to authenticate incoming and outgoing IAX2 connections. To go directly to setup instructions, see instead "configuring IAX clients". References to "type=user" in the text below should be assumed to include "type=friend" as well, since a friend can act as a user. The same assumption holds for "type=peer" references below.
Incoming Connections
When Asterisk receives an incoming IAX connection, the initial call information may or may not include a username (the IAX2 USERNAME field). In addition, the incoming connection has a source IP address that Asterisk can use for authentication as well.
If a username is supplied, Asterisk does the following:
- Search iax.conf for a "type=user" entry with a section name (eg [username]) matching the supplied username; if no matching entry is found, refuse the connection.
- If the found entry has allow and/or deny settings, compare the IP address of the caller to these lists. If the connection is not allowed, refuse the connection.
- Perform the desired secret checking (plaintext, md5 or rsa); if it fails, refuse the connection.
- Accept the connection and send the caller to the context specified in the "context" setting for this iax.conf entry.
If no username is supplied, Asterisk does the following, accepting the connection at the first entry that matches:
- Search for a "type=user" entry in iax.conf with no secret specified and with allow and/or deny restrictions that permit the caller to connect. If such an entry is found, accept the connection, and use the name of the found iax.conf entry as the connecting username.
- Search for a "type=user" entry in iax.conf with no secret specified and no allow and/or deny restrictions at all. If such an entry is found, accept the connection, and use the name of the found iax.conf entry as the connecting username.
- Search for a "type=user" entry in iax.conf with a secret (or RSA key) specified and with allow and/or deny restrictions that permit the caller to connect. If such an entry is found, attempt to authenticate the caller using the specified secret or key, and if that passes, accept the connection, and use the name of the found iax.conf entry as the connecting username.
- Search for a "type=user" entry in iax.conf with a secret (or RSA key) specified and no allow and/or deny restrictions at all. If such an entry is found, attempt to authenticate the caller using the specified secret or key, and if that passes, accept the connection, and use the name of the found iax.conf entry as the connecting username.
For example, given this iax.conf:
[guest]
type=user
context=guest
[iaxtel]
type=user
context=incoming
auth=rsa
inkeys=iaxtel
[iax-gateway]
type=friend
allow=192.168.0.1
context=incoming
host=192.168.0.1
[iax-friend]
type=user
secret=this_is_secret
auth=md5
context=incoming
If an incoming call has a specified username of:
- guest: the call is accepted without a secret check (the entry has no secret) and sent to the guest context.
- iaxtel: the caller must authenticate with an RSA key listed in inkeys (here the iaxtel key); if that passes, the call is sent to the incoming context.
- iax-gateway: the caller must be connecting from 192.168.0.1 (the allow setting); no secret is required, and the call is sent to the incoming context.
- iax-friend: the caller must supply the secret this_is_secret using MD5 authentication; if that passes, the call is sent to the incoming context.
If no username is specified at all, Asterisk will authenticate the connection as the guest user. However, if you do not have a guest (no secret) entry in your iax.conf file, the connecting user can specify the secret associated with any other iax.conf entry that is not IP address restricted, and connect as that user. In this case, if the connecting user happens to specify "this_is_secret" as their secret, they will be connected as the "iax-friend" user, without having actually supplied that username during the connection process. If you have a large number of non-IP-restricted iax.conf entries and no guest entry at all, this means that you have a large number of "guessable" secrets that anyone can use to connect to your system.
Using RSA keys as your secrets is one way to avoid this problem without creating a guest user, since keys are not "guessable". Another method is to put IP address restrictions on as many of your iax.conf entries as you can manage.
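To make the matching order concrete, the following Python model (added here; not Asterisk's own code) applies the rules above to the example iax.conf. It simplifies the RSA step to a key-name check against inkeys and uses a fixed, constructed challenge for the MD5 check, and it reproduces the point made above: with no guest entry, an unnamed caller that offers this_is_secret is accepted as iax-friend.

```python
import hashlib

# Constructed iax.conf entries mirroring the page's example. The RSA entry is
# modelled only as "the caller's key name must be listed in inkeys" (a simplification).
IAX_CONF = {
    "guest":       {"secret": None, "allow": None, "context": "guest"},
    "iaxtel":      {"secret": None, "inkeys": ["iaxtel"], "allow": None, "context": "incoming"},
    "iax-gateway": {"secret": None, "allow": ["192.168.0.1"], "context": "incoming"},
    "iax-friend":  {"secret": "this_is_secret", "auth": "md5", "allow": None, "context": "incoming"},
}
CHALLENGE = "123456789"  # constructed; Asterisk issues a random challenge per call


def ip_allowed(entry, src_ip):
    """allow= limits callers to the listed addresses; no allow= means any address."""
    return entry["allow"] is None or src_ip in entry["allow"]


def needs_auth(entry):
    """An entry is secret-protected if it has a secret or an RSA inkeys list."""
    return entry["secret"] is not None or "inkeys" in entry


def secret_ok(entry, offered_secret, offered_key):
    """Plaintext or MD5 secret check (MD5 = md5(challenge + secret)); RSA as a key-name match."""
    if "inkeys" in entry:
        return offered_key in entry["inkeys"]
    if entry["secret"] is None:
        return True
    if entry.get("auth") == "md5":
        expect = hashlib.md5((CHALLENGE + entry["secret"]).encode()).hexdigest()
        got = hashlib.md5((CHALLENGE + (offered_secret or "")).encode()).hexdigest()
        return expect == got
    return offered_secret == entry["secret"]


def authenticate(conf, username, src_ip, offered_secret=None, offered_key=None):
    """Return (accepted_as, context), or None when the call is refused."""
    if username is not None:
        entry = conf.get(username)
        if entry is None or not ip_allowed(entry, src_ip):
            return None
        return (username, entry["context"]) if secret_ok(entry, offered_secret, offered_key) else None
    # No username: try secret-less entries before secret-protected ones, and
    # IP-restricted entries before unrestricted ones, in the order the page lists them.
    ranked = sorted(conf.items(), key=lambda kv: (needs_auth(kv[1]), kv[1]["allow"] is None))
    for name, entry in ranked:
        if ip_allowed(entry, src_ip) and secret_ok(entry, offered_secret, offered_key):
            return name, entry["context"]
    return None
```

Remove the guest entry from IAX_CONF and call authenticate(conf, None, "10.0.0.5", offered_secret="this_is_secret") to see the unnamed caller land on iax-friend.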
Outgoing Connections
Outgoing Asterisk connections can gather their authentication information from:
- the IAX2 channel description passed to the Dial command (see Asterisk IAX channels)
- a "type=peer" or "type=friend" entry in iax.conf
- a combination of these two sources
Given this iax.conf:
[iaxtel-outbound]
type=peer
username=iaxtel_username
secret=iaxtel_secret
host=iaxtel.com
[iax-gateway]
type=friend
allow=192.168.0.1
context=incoming
host=192.168.0.1
Then:
Dial(IAX2/iaxtel-outbound/1234)
would connect to host "iaxtel.com", specifying the iax.conf-supplied username and secret for authentication.
Dial(IAX2/user2:secret2@iaxtel-outbound/1234)
would also connect to host "iaxtel.com", but would specify "user2" and "secret2", overriding the entries in iax.conf.
Dial(IAX2/iaxtel.com/1234)
Again, the connection would be made to host "iaxtel.com", but no username or secret would be specified, as none were included in the IAX2 channel description and "iaxtel.com" does not match the name of any iax.conf "type=peer" entry (even though it matches a hostname specified within one of those entries).
Dial(IAX2/iax-gateway/5678)
would connect to host 192.168.0.1, specifying no username at all, and if the host requests a secret, no secret will be supplied. Presumably this type of entry would be used for connections between very well trusted hosts.
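The four Dial examples above follow one resolution rule: the part after IAX2/ and before the extension is looked up as a peer name (a string that merely equals a host= value does not match), and credentials given in the channel description override those from iax.conf. The following Python resolver (added here; not Asterisk's own code) implements that rule over the example peers, using only the user:secret@peer/exten shape shown on this page.

```python
import re

# Constructed peer/friend entries mirroring the page's example iax.conf.
PEERS = {
    "iaxtel-outbound": {"host": "iaxtel.com", "username": "iaxtel_username", "secret": "iaxtel_secret"},
    "iax-gateway":     {"host": "192.168.0.1", "username": None, "secret": None},
}

# IAX2/[user[:secret]@]peer[/exten] -- the shape used by the page's examples.
DIAL_RE = re.compile(
    r"^IAX2/(?:(?P<user>[^:@/]+)(?::(?P<secret>[^@/]*))?@)?(?P<peer>[^/]+)(?:/(?P<exten>.+))?$"
)


def resolve_dial(conf, dial_string):
    """Return the host, username, secret and extension an outgoing call would use."""
    m = DIAL_RE.match(dial_string)
    if not m:
        raise ValueError("not an IAX2 channel description: " + dial_string)
    peer = conf.get(m["peer"])  # lookup by section name only, never by host= value
    if peer is not None:
        host, username, secret = peer["host"], peer["username"], peer["secret"]
    else:
        host, username, secret = m["peer"], None, None  # treat the token as a bare hostname
    if m["user"] is not None:
        username, secret = m["user"], m["secret"]  # channel description overrides iax.conf
    return {"host": host, "username": username, "secret": secret, "exten": m["exten"]}
```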