
register SPA2102 on any account/domain


pbxuser911


3.4.0.3202 version

A client is able to log into his SPA2102 box and change the line 1 information from his extension info to another one and register without any issues, how is that possible?

All he changed was his PROXY info from companya.pbx.som to companyb.pbx.som and the display/auth/user name from 101 to 755, which is an active account on the companyb domain, and he started making and receiving calls.

 

what have i done wrong that allows the user to do so?


Is he registering with invalid user name/password?


  • 1 month later...
He is not changing the password, only the user name and domain name.

 

Have you locked the admin interface? To password protect the admin login along with the user login, you can change its password in the Voice//System page. I also recommend having the SPA2102 only accessible on a different HTTP port besides 80. I put my ATAs on a separate port for security and also for remote management if we have the ability to change/request the NAT rules.

 

If this end user is changing his login user id settings along with his proxy address and you use the same SIP password across your accounts, then he's just registering with ease. I'm not sure if you can set up an authentication challenge for these ATAs with pbxnsip. My recommendation is to lock down those interfaces, if not only the admin access.

 

Also I'd recommend putting a "1" in the Lines field of the registration page of the account's settings on the PBX. I'd recommend putting in the MAC address in the registration page also, but note that if that ATA ever changes you'll need to update that setting or face some negative results.


I use diff SIP passwords across all accounts.

All he did was change the proxy and extension number, and he was able to place and receive calls as that extension.

 

Hmm. Sounds like he's not getting authenticated and just passing calls. This is definitely a question for our admins. I've always been curious if we can force authentication on our subscribers without using MAC addresses. In the meantime try locking up the interface and charging a technical fee :D with a notice of potential fraud ;) .


I am experiencing a similar issue here.

 

I am connecting an Audiocodes FXS gateway to our system that is set up for a PER ENDPOINT registration.

 

It should only register in PBXNSIP to the extension numbers with valid passwords I have entered.

 

I was confused why the gateway was registering to the extensions that I had not entered a password for.

 

I tried a wrong password and it (the extension) still registered.

 

I tried NO PASSWORD and the extension still registered.

 

Then I tried a different SIP device and it also registered with NO PASSWORD.

 

I looked at the Extension XML file and there was a password there.

 

This does not happen on all extensions, just some of them.

 

I hope this info helps to resolve the problem.


The PBX trusts the Call-ID to a certain degree. This is like a token or session-ID. The Call-ID is challenged only every ~100 registration attempts. When you are using 30 second refresh time, that means after approx. one hour the situation should stabilize.

 

There are devices out there which do not generate unique Call-IDs because they don't initialize the random number generator--it always starts with the same number for all devices out there! Not sure if the SPAs have that bug. However, if they do, the registration would get pretty much messed up and you will have all kinds of "funny" effects; especially inbound calls will be a mess. Needless to say, if all devices have the same random numbers, those devices will not give you any security anyway. Security has a lot to do with randomness and the possibility to predict device behavior.


  • 2 weeks later...
Are we able to force Authentication though?

 

It would not help. If these devices share the same Call-ID there will be a lot of confusion anyway. If a device chooses a non-random Call-ID, even appending the local IP address will not really help and just make the confusion bigger. If another client has the same IP address pool (typically 192.168.0.x), then the probability of a conflict is lower, but not zero and it just makes it even harder to find the problem.

 

The PBX writes log messages and even sends out emails when such IP address conflicts (they look like changes) occur. This thread shows the gravity of that message.
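An added example, not code from this thread or from pbxnsip, that audits a batch of SIP REGISTER requests for the two symptoms discussed in the last posts: one Call-ID shared by several extensions (the non-random Call-ID case) and one extension registering from more than one source address (the conflict the PBX logs and mails about). The messages, the Call-ID value, the addresses and extension 102 are constructed; 755 and 101 are the extensions from the thread.

```python
import re
from collections import defaultdict

# Constructed sample REGISTER requests (not captured traffic): 755 registers from two
# addresses with one Call-ID, a third endpoint reuses it for 101, and 102 is benign.
SHARED_CALL_ID = "3a0f1c9e@0.0.0.0"   # assumed value from a non-random RNG

def _register(user, ip, call_id):
    """Build a minimal REGISTER request for the constructed sample set."""
    return ("REGISTER sip:companyb.pbx.som SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK{user}\r\n"
            f"From: <sip:{user}@companyb.pbx.som>;tag=t{user}\r\n"
            f"To: <sip:{user}@companyb.pbx.som>\r\n"
            f"Call-ID: {call_id}\r\n"
            f"Contact: <sip:{user}@{ip}:5060>\r\n\r\n")

SAMPLE_REGISTERS = [
    _register("755", "192.168.0.10", SHARED_CALL_ID),
    _register("755", "10.0.0.23", SHARED_CALL_ID),
    _register("101", "192.168.0.44", SHARED_CALL_ID),
    _register("102", "192.168.0.45", "7d41b2c0e9f3@192.168.0.45"),
]

HEADER_RE = re.compile(r"^([A-Za-z-]+):[ \t]*(.*)$", re.M)
USER_RE = re.compile(r"sip:([^@>;]+)@")
VIA_IP_RE = re.compile(r"SIP/2\.0/\w+\s+([\d.]+)")

def parse_register(raw):
    """Return (user, call_id, source_ip) from the From, Call-ID and Via headers."""
    headers = {name.lower(): value.strip() for name, value in HEADER_RE.findall(raw)}
    user = USER_RE.search(headers["from"]).group(1)
    source_ip = VIA_IP_RE.search(headers["via"]).group(1)
    return user, headers["call-id"], source_ip

def audit_registrations(messages):
    """Flag Call-IDs shared by several users and users registering from several IPs."""
    users_by_call_id = defaultdict(set)
    ips_by_user = defaultdict(set)
    for raw in messages:
        user, call_id, source_ip = parse_register(raw)
        users_by_call_id[call_id].add(user)
        ips_by_user[user].add(source_ip)
    findings = []
    for call_id, users in sorted(users_by_call_id.items()):
        if len(users) > 1:   # one "session token" covering unrelated extensions
            findings.append(("shared-call-id", call_id, tuple(sorted(users))))
    for user, ips in sorted(ips_by_user.items()):
        if len(ips) > 1:     # the address-change conflict the PBX reports on
            findings.append(("multi-ip-registration", user, tuple(sorted(ips))))
    return findings
```

Running `audit_registrations(SAMPLE_REGISTERS)` reports the shared Call-ID covering 101 and 755, and 755 registering from two addresses; a registrar that trusts the Call-ID as a token cannot tell those two endpoints apart.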
