Customers Auths¶

This entity authenticates calls from customers or gateways, applies them to routing table and has some useful filters and options. Authentication process is based on using following parameters:

PoP - Point of presence that received the call;
Remote IP address – IP address from which the call was received;
Transport protocol - Protocol (TCP or UDP) that was used for transferring signaling information to Yeti;
URI name – Destination number;
From name – Source number;
URI domain – Domain part of the URI;
From domain – Domain part of the URI in the From header;
To domain – Domain part of the URI in the To header;
X-Yeti-Auth - Custom SIP-header value.

Authentication algorithm is represented on the picture below:

$digraph Auth { node [style=filled; fillcolor="#FCF9A5"]; graph [nodesep=0.1, ranksep=0.001, mindist=0.01]; subgraph cluster_dbfiltering { shape=doubleoctagon; block0 [label = "Looking into Customer Auth table for the records that are matching following conditions:"; shape=box; sides=4 ]; subgraph cluster_dbfiltering1 { node [style=filled; fillcolor="#FCD975"]; condition1; condition2; condition3; } subgraph cluster_dbfiltering2 { node [style=filled; fillcolor="#DCD975"]; condition4; condition5; condition6; } subgraph cluster_dbfiltering3 { node [style=filled; fillcolor="#CCD975"]; condition7; condition8; condition9; } subgraph cluster_dbfiltering4 { node [style=filled; fillcolor="#BCD975"]; condition10; condition11; condition12; } block00 [label = "Result of selection"; shape=box; sides=4 ]; } block1 [label = "Looking into Load Balancers table for the records where Signaling IP is equal Remote IP address"; shape=box; sides=4 ]; block2 [label = "Call was received from Load Balancer?"; shape=diamond]; block3 [label = "Using special headers that were\n received from Load Balancer for\n receiving information about real\n Remote IP address, port and\n Transport protocol"; shape=box; sides=4]; condition1 [label = "IP address of Customer\n Auth record contains or\n equals Remote\n IP address"; shape=box; sides=4]; condition2 [label = "Dst Prefix of Customer\n Auth record is in the\n prefix range of\n URI name"; shape=box; sides=4]; condition3 [label = "Src Prefix of Customer\n Auth record is in the\n prefix range of\n From name"; shape=box; sides=4]; condition4 [label = "PoP of Customer\n Auth record (if chosen)\n equals PoP that received\n the call"; shape=box; sides=4]; condition5 [label = "X-Yeti-Auth of Customer\n Auth record (if not\n empty) equals\n X-Yeti-Auth"; shape=box; sides=4]; condition6 [label = "URI domain of Customer\n Auth record (if not\n empty) equals\n URI domain"; shape=box; sides=4]; condition7 [label = "To domain of Customer\n Auth record (if not\n empty) equals\n To domain"; shape=box; sides=4]; condition8 [label = "From domain of\n Customer Auth record (if\n not empty) equals\n From domain"; shape=box; sides=4]; condition9 [label = "Transport protocol of\n Customer Auth record (if\n chosen) equals Transport\n protocol"; shape=box; sides=4]; condition10 [label = "Length of URI name is\n between Dst number min\n and max length values of\n Customer Auth record"; shape=box; sides=4]; condition11 [label = "\nCustomer Auth\n record is enabled\n "; shape=box; sides=4]; condition12 [label = "Contractor that is\n associated with\n Customer Auth record\n has Customer status"; shape=box; sides=4]; block4 [label = "Exit from authentication procedure with\n Disconnect Code 110\n (Can't find Customer or Customer locked)"; shape=box; sides=4]; block5 [label = "Sorting of Customer Auth records with following rules: records with\n the longest mask of IP address first; records with chosen Transport\n protocol, PoP and with entered Uri domain, To domain and From\n domain values first; records with longest Dst and Src Prefixes first"; shape=box; sides=4]; block6 [label = "Continuation of routing procedure with using first record from the\n sorted list of Customer Auth records that was received"; shape=box; sides=4]; block1 -> block2; block2 -> block3 [ label = "Yes"; fontcolor = "darkgreen" ]; block2 -> block0 [ label = "No" ; fontcolor = "tomato"]; block3 -> block0; condition11 -> block00 [style=invis]; block00 -> block4 [ label = "Not\n Found"; fontcolor = "tomato" ]; block00 -> block5 [ label = "Found"; fontcolor = "darkgreen" ]; block5 -> block6; block0 -> condition2 [style=invis]; condition2 -> condition5 [style=invis]; condition5 -> condition8 [style=invis]; condition8 -> condition11 [style=invis]; }$

On the first step of authentication algorithm Yeti is looking into Load Balancers table for the records where Signaling IP is equal Remote IP address. If call was received from Load Balancer Yeti will use special headers (X-ORIG-IP, X-ORIG-PORT and X-ORIG-PROTO) that were received from Load Balancer for receiving information about real Remote IP address, port and Transport protocol. If call was received from IP address that isn’t specified in the Load Balancers table the original network parameters (Remote IP address and Transport protocol) will be used for future authentication process.

On the second step of authentication algorithm Yeti is looking into Customer Auth table for the records that are matching ALL following conditions:

IP address of Customer Auth record contains or equals Remote IP address;
Note

Examples:
- IP address of Customer Auth record = 0.0.0.0/0 ; Remote IP address = 8.8.8.8 => TRUE
- IP address of Customer Auth record = 192.168.1/24 ; Remote IP address = 192.168.1.1 => TRUE
- IP address of Customer Auth record = 192.168.1/24 ; Remote IP address = 192.168.2.1 => FALSE
- IP address of Customer Auth record = 192.168.1/24, 192.168.2.1 ; Remote IP address = 192.168.2.1 => TRUE
- IP address of Customer Auth record = 192.168.1/24, 192.168.2.1 ; Remote IP address = 195.5.30.10 => FALSE
Dst Prefix of Customer Auth record is in the prefix range of URI name;
Note

Examples:
- Dst Prefix of Customer Auth record = ** ; URI name = 0662296132 => TRUE
- Dst Prefix of Customer Auth record = 066 ; URI name = 0662296132 => TRUE
- Dst Prefix of Customer Auth record = 066[1-3] ; URI name = 0662296132 => TRUE
- Dst Prefix of Customer Auth record = 066[1-3] ; URI name = 0665296132 => FALSE
- Dst Prefix of Customer Auth record = 066[1-3], 0665 ; URI name = 0665296132 => TRUE
- Dst Prefix of Customer Auth record = 066[1-3], 0665 ; URI name = 0666296132 => FALSE
Src Prefix of Customer Auth record is in the prefix range of From name;
Note

Examples:
- Src Prefix of Customer Auth record = ** ; From name = 0662296132 => TRUE
- Src Prefix of Customer Auth record = 066 ; From name = 0662296132 => TRUE
- Src Prefix of Customer Auth record = 066[1-3] ; From name = 0662296132 => TRUE
- Src Prefix of Customer Auth record = 066[1-3] ; From name = 0665296132 => FALSE
- Src Prefix of Customer Auth record = 066[1-3], 0665 ; From name = 0665296132 => TRUE
- Src Prefix of Customer Auth record = 066[1-3], 0665 ; From name = 0666296132 => FALSE
PoP of Customer Auth record (if chosen) equals PoP that received the call;
Note

Examples:
- PoP of Customer Auth record = Any ; PoP = ONAT.EDU.UA DC => TRUE
- PoP of Customer Auth record = ONAT.EDU.UA DC ; PoP = ONAT.EDU.UA DC => TRUE
- PoP of Customer Auth record = City ; PoP = ONAT.EDU.UA DC => FALSE
X-Yeti-Auth of Customer Auth record (if not empty) equals X-Yeti-Auth;
Note

Examples:
- X-Yeti-Auth of Customer Auth record = ** ; X-Yeti-Auth = 18unID => TRUE
- X-Yeti-Auth of Customer Auth record = 18unID ; X-Yeti-Auth = 18unID => TRUE
- X-Yeti-Auth of Customer Auth record = 18unID ; X-Yeti-Auth = ** => FALSE
- X-Yeti-Auth of Customer Auth record = 18unID, 20Pd4A ; X-Yeti-Auth = 20Pd4A => TRUE
- X-Yeti-Auth of Customer Auth record = 18unID, 20Pd4A ; X-Yeti-Auth = 24578 => FALSE
URI domain of Customer Auth record (if not empty) equals URI domain;
Note

Examples:
- URI domain of Customer Auth record = ** ; URI domain = onat.edu.ua => TRUE
- URI domain of Customer Auth record = onat.edu.ua ; URI domain = onat.edu.ua => TRUE
- URI domain of Customer Auth record = onat.edu.ua ; URI domain = yeti-switch.org => FALSE
- URI domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; URI domain = yeti-switch.org => TRUE
- URI domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; URI domain = demo.yeti-switch.org => FALSE
To domain of Customer Auth record (if not empty) equals To domain;
Note

Examples:
- To domain of Customer Auth record = ** ; To domain = onat.edu.ua => TRUE
- To domain of Customer Auth record = onat.edu.ua ; To domain = onat.edu.ua => TRUE
- To domain of Customer Auth record = onat.edu.ua ; To domain = yeti-switch.org => FALSE
- To domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; To domain = yeti-switch.org => TRUE
- To domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; To domain = demo.yeti-switch.org => FALSE
From domain of Customer Auth record (if not empty) equals From domain;
Note

Examples:
- From domain of Customer Auth record = ** ; From domain = onat.edu.ua => TRUE
- From domain of Customer Auth record = onat.edu.ua ; From domain = onat.edu.ua => TRUE
- From domain of Customer Auth record = onat.edu.ua ; From domain = yeti-switch.org => FALSE
- From domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; From domain = yeti-switch.org => TRUE
- From domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; From domain = demo.yeti-switch.org => FALSE
Transport protocol of Customer Auth record (if chosen) equals Transport protocol;
Note

Examples:
- Transport protocol of Customer Auth record = TCP ; Transport protocol = TCP => TRUE
- Transport protocol of Customer Auth record = Any ; Transport protocol = UDP => TRUE
- Transport protocol of Customer Auth record = UDP ; Transport protocol = TCP => FALSE
Length of URI name is between Dst number min and max length values of Customer Auth record;
Note

Examples:
- Dst number min length of Customer Auth record = 3 ; Dst number max length of Customer Auth record = 15 ; URI name = 380662296132 => TRUE
- Dst number min length of Customer Auth record = 7 ; Dst number max length of Customer Auth record = 7 ; URI name = 7050460 => TRUE
- Dst number min length of Customer Auth record = 0 ; Dst number max length of Customer Auth record = 7 ; URI name = 0487050460 => FALSE
Customer Auth record is enabled;
Contractor that is associated with Customer Auth record has Customer status.

If no records were found on previous step the procedure of Authentication will be exited with Disconnect Code 110 (Can’t find Customer or Customer locked).

On the third step of authentication algorithm Yeti sorts of Customer Auth records (if any were found on the previous step) with following rules:

records with the longest mask of IP address first;
Note

Examples:
- Record with IP address = 192.168.30.1 will be higher than record with IP address = 192.168.30.0/24
- Record with IP address = 192.168.30.0/24 will be higher than record with IP address = 0.0.0.0/0
- Record with IP address = 192.168.30.0/24 will be on same level with record with IP address = 195.5.30.0/24
records with chosen Transport protocol, PoP and with entered URI domain, To domain and From domain values first;
records with longest Dst Prefix and Src Prefix first.

After sorting of Customer Auth records routing procedure will be continued with using first record from the sorted list of Customer Auth records that was received.

Customer Auth form is splitted to 3 tabs and each one is described below.

General Customers Auth’s attributes:¶

Id
Unique Customers Auth’s id.

Name
Unique name of Accounting profile. Uses for informational purposes and doesn’t affect system behaviour.

Enabled
Disabled records will be ignored.

Customer
Customer, who this Customer Auth belongs to.

Account
Account of Customer, which this Customer Auth belongs to.

Check account balance
If this flag is enabled Yeti will check current Balance of Account that is associated with this Customer Auth record. If current balance is less than Min balance call will dropped with Disconnect code 8000 (No enought customer balance).

Gateway
Gateway which related to this Customer Auth. That gateway (its parameters), will be used for media handling on the A-leg of a call.

Require incoming auth
In case of enabling this checkbox incoming authorization of Gateway (in case of using Gateway as Originator of calls) will be required. Authorization parameters (username and password) are available in the Signaling tab (Origination section) of Gateway’s attributes (Equipment menu). Call will be dropped in case of incorrect authorization.

Rateplan
Rateplan, which this Customer Auth belongs to.

Routing Plan
Routing Plan that is associated with this Customer Auth. Only Dialpeers that are related to this Routing Plan could be used for routing of the calls that were received in the framework of this Customer Auth.

Dst Numberlist
You may apply Dst Numberlist (Destination) and check B-numbers, by prefix or full-match, then reject it or allow.

Src Numberlist
You may apply Src Numberlist (Source) and check B-numbers, by prefix or full-match, then reject it or allow.

Dump Level
It is possible to capture calls to PCAP files, using this option. You may choose what kind of information should be captured. Possible values are: Capture nothing, Capture signalling traffic, Capture RTP traffic, Capture all traffic.

Enable Audio Recording
If checked, the media for calls passing through this Customer Auth will be stored in WAV files.

Capacity
The capacity of the Customer Auth, i.e. how many calls it accepts at the moment.

Allow Receive Rate Limit
A Customer may send special SIP-header in which he sends the price for this call he wants to pay. And YETI will rely on this price on the routing stage if we allow such a behaviour.

Send Billing Information
If enabled, YETI adds the special SIP-header into 200 SIP-message, which contains current price for calls, in order to a Customer should be informed.

Match condition Customers Auth’s options¶

This part is crucial for authentication process of incoming calls. You should note that a one customer may have many of Customer Auth with almost the same parameters, so pay attention to parameters besides Ip address.

Transport Protocol
Transport protocol (Any/TCP/UDP), which the customer uses for sending calls to YETI.

Ip
IP address or array of IP-addresses (separated by comma(,)) of the originator (Customer).

Pop
Point of presence (PoP), which receives calls from the Customer. If a call will come to the different PoP (a node which receives calls belongs to different PoP), such call will be processed with other Customer Auth entity.

Src Prefix
You can define a prefix or array of prefixes (separated by comma(,)) which necessarily should be presented in Src-number for every call from the customer. Just a prefix (or prefixes) must be used here, not a regular expression.

Dst Prefix
You can define a prefix or array of prefixes (separated by comma(,)) which necessarily should be presented in a Dst-number for every call from the customer. Just a prefix (or prefixes) must be used here, not a regular expression.

Dst number min length
Minimum length of destination number allowed for this Customer Auth. In case of receiving destination number that is less than this minimal value other Customer Auth entity will be used (if any) for authentication.

Dst number max length
Maximum length of destination number allowed for this Customer Auth. In case of receiving destination number that is longer than this maximum value call other Customer Auth entity will be used (if any) for authentication.

Uri Domain
If specified, YETI checks the domain part of the URI for every call. If the domain part is not the same as specified other Customer Auth entity will be used (if any) for authentication. You can specify more than one Uri Domain (separated by comma(,)).

From Domain
If specified, YETI checks the domain part of the URI in the From header for every call. If presented domain mismatches other Customer Auth entity will be used (if any) for authentication. You can specify more than one From Domain (separated by comma(,)).

To Domain
If specified, YETI checks the domain part of the URI in the To header for every call. If presented domain mismatches other Customer Auth entity will be used (if any) for authentication. You can specify more than one To Domain (separated by comma(,)).

X Yeti Auth
It’s possible to define the custom SIP-header X-Yeti-Auth or array of headers (separated by comma(,)) for the customer’s calls and specify its value in YETI. In case they match, YETI passes such calls with using this Customer Auth entity for authentication.

Number translation Customers Auth’s options¶

Diversion policy
Defines what to do with Diversion header within SIP-signalization. Default value is “Clear header”, so this header will be deleted.

Diversion rewrite rule
This option should contain a regular expression for changing a Diversion header. See how to use POSIX Regular Expressions in Yeti.

Diversion rewrite result
The result of changing a Diversion header, using the Rewrite Rule above. See how to use POSIX Regular Expressions in Yeti.

Src name rewrite rule
This field should contain a regular expression for changing the Name field in the Source-number within SIP-signalization. See how to use POSIX Regular Expressions in Yeti.

Src name rewrite result
The result of changing the Name field in the Source-number, using the Src name rewrite rule above. See how to use POSIX Regular Expressions in Yeti.

Src rewrite rule
This field should contain a regular expression for changing the Source-number within SIP-signalization. See how to use POSIX Regular Expressions in Yeti.

Src rewrite result
The result of changing the Source-number, using the Src rewrite rule above. See how to use POSIX Regular Expressions in Yeti.

Dst rewrite rule
This field should contain a regular expression for changing the Destination-number within SIP-signalization. See how to use POSIX Regular Expressions in Yeti.

Dst rewrite result
The result of changing the Name field in the Destination-number, using the Dst rewrite rule above. See how to use POSIX Regular Expressions in Yeti.

Radius Customers Auth’s options¶

Radius auth profile
Must be specified if the additional radius authentication is required.

Src number radius rewrite rule
Should contain regular expression for changing Source-number which will be send to Radius-server if it’s required. See how to use POSIX Regular Expressions in Yeti.

Src number radius rewrite result
The result of applying the Src number radius rewrite rule to Source-number. See how to use POSIX Regular Expressions in Yeti.

Dst number radius rewrite rule
Should contain regular expression for changing Destination-number which will be send to Radius-server if it’s required. See how to use POSIX Regular Expressions in Yeti.

Dst number radius rewrite result
The result of applying the Dst number radius rewrite rule to Destination-number. See how to use POSIX Regular Expressions in Yeti.

Radius accounting profile
Must be specified if the radius accounting is required.

Routing Tags Customers Auth’s options¶

Tag action
Describes one of the possible actions that could be applied to the current set of Routing Tags that are applied for the call with using Tag action value below. Usually Authentication it is first step where Routing Tags can be added to the call. Following actions can be selected in this field:

Clear tags. Removes all Routing Tags from the call (if any were added early);

Remove selected tags. Removes only Routing Tags that were chosen in the Tag action value field bellow (if any were chosen) from the call;

Append selected tags. Appends Routing Tags that were chosen in the Tag action value field bellow (if any were chosen) to the call;

Intersection with selected tags. Yeti leaves as is Routing Tags that were chosen in the Tag action value field bellow (if any were chosen) in the call in case of their presence in the current set of Routing Tags and removes any other Routing Tags from the call.

Tag action value
In this field Routing Tags for making some Tag action above could be chosen.