Customers Auths

This entity authenticates calls from customers or gateways, applies them to routing table and has some useful filters and options. Authentication process is based on using following parameters:

PoP - Point of presence that received the call;
Remote IP address -- IP address from which the call was received;
Transport protocol - Protocol (TCP or UDP) that was used for transferring signaling information to Yeti;
URI name -- Destination number;
From name -- Source number;
URI domain -- Domain part of the URI;
From domain -- Domain part of the URI in the From header;
To domain -- Domain part of the URI in the To header;
X-Yeti-Auth - Custom SIP-header value.

::: {#customer_auth_algorithm} Authentication algorithm is represented on the picture below: :::

::: graphviz ../graphviz/auth.dot :::

On the first step of authentication algorithm Yeti is looking into Load Balancers <load_balancers> table for the records where Signaling IP <load_balancers_signalling_ip>{.interpreted-text role="ref"} is equal Remote IP address. If call was received from Load Balancer <load_balancers> Yeti will use special headers (X-ORIG-IP, X-ORIG-PORT and X-ORIG-PROTO) that were received from Load Balancer <load_balancers>{.interpreted-text role="ref"} for receiving information about real Remote IP address, port and Transport protocol. If call was received from IP address that isn't specified in the Load Balancers <load_balancers> table the original network parameters (Remote IP address and Transport protocol) will be used for future authentication process.

On the second step of authentication algorithm Yeti is looking into Customer Auth table for the records that are matching ALL following conditions:

IP address <customer_auth_ip_address>{.interpreted-text role="ref"} of Customer Auth record contains or equals Remote IP address;
::: note ::: title Note :::
Examples:
- IP address of Customer Auth record = 0.0.0.0/0 ; Remote IP address = 8.8.8.8 =*TRUE*
- IP address of Customer Auth record = 192.168.1/24 ; Remote IP address = 192.168.1.1 =*TRUE*
- IP address of Customer Auth record = 192.168.1/24 ; Remote IP address = 192.168.2.1 =*FALSE*
- IP address of Customer Auth record = 192.168.1/24, 192.168.2.1 ; Remote IP address = 192.168.2.1 => TRUE
- IP address of Customer Auth record = 192.168.1/24, 192.168.2.1 ; Remote IP address = 195.5.30.10 => FALSE :::
Dst Prefix <customer_auth_dst_prefix>{.interpreted-text role="ref"} of Customer Auth record is in the prefix range of URI name;
::: note ::: title Note :::
Examples:
- Dst Prefix of Customer Auth record = ** ; URI name = 0662296132 =*TRUE*
- Dst Prefix of Customer Auth record = 066 ; URI name = 0662296132 =*TRUE*
- Dst Prefix of Customer Auth record = 066[1-3] ; URI name = 0662296132 =*TRUE*
- Dst Prefix of Customer Auth record = 066[1-3] ; URI name = 0665296132 =*FALSE*
- Dst Prefix of Customer Auth record = 066[1-3], 0665 ; URI name = 0665296132 =*TRUE*
- Dst Prefix of Customer Auth record = 066[1-3], 0665 ; URI name = 0666296132 =*FALSE* :::
Src Prefix <customer_auth_src_prefix>{.interpreted-text role="ref"} of Customer Auth record is in the prefix range of From name;
::: note ::: title Note :::
Examples:
- Src Prefix of Customer Auth record = ** ; From name = 0662296132 =*TRUE*
- Src Prefix of Customer Auth record = 066 ; From name = 0662296132 =*TRUE*
- Src Prefix of Customer Auth record = 066[1-3] ; From name = 0662296132 =*TRUE*
- Src Prefix of Customer Auth record = 066[1-3] ; From name = 0665296132 =*FALSE*
- Src Prefix of Customer Auth record = 066[1-3], 0665 ; From name = 0665296132 =*TRUE*
- Src Prefix of Customer Auth record = 066[1-3], 0665 ; From name = 0666296132 =*FALSE* :::
PoP <customer_auth_pop> of Customer Auth record (if chosen) equals PoP that received the call;
::: note ::: title Note :::
Examples:
- PoP of Customer Auth record = Any ; PoP = ONAT.EDU.UA DC =*TRUE*
- PoP of Customer Auth record = ONAT.EDU.UA DC ; PoP = ONAT.EDU.UA DC =*TRUE*
- PoP of Customer Auth record = City ; PoP = ONAT.EDU.UA DC =*FALSE* :::
X-Yeti-Auth <customer_auth_x_yeti_auth>{.interpreted-text role="ref"} of Customer Auth record (if not empty) equals X-Yeti-Auth;
::: note ::: title Note :::
Examples:
- X-Yeti-Auth of Customer Auth record = ** ; X-Yeti-Auth = 18unID =*TRUE*
- X-Yeti-Auth of Customer Auth record = 18unID ; X-Yeti-Auth = 18unID =*TRUE*
- X-Yeti-Auth of Customer Auth record = 18unID ; X-Yeti-Auth = ** =*FALSE*
- X-Yeti-Auth of Customer Auth record = 18unID, 20Pd4A ; X-Yeti-Auth = 20Pd4A =*TRUE*
- X-Yeti-Auth of Customer Auth record = 18unID, 20Pd4A ; X-Yeti-Auth = 24578 =*FALSE* :::
URI domain <customer_auth_uri_domain>{.interpreted-text role="ref"} of Customer Auth record (if not empty) equals URI domain;
::: note ::: title Note :::
Examples:
- URI domain of Customer Auth record = ** ; URI domain = onat.edu.ua =*TRUE*
- URI domain of Customer Auth record = onat.edu.ua ; URI domain = onat.edu.ua =*TRUE*
- URI domain of Customer Auth record = onat.edu.ua ; URI domain = yeti-switch.org =*FALSE*
- URI domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; URI domain = yeti-switch.org => TRUE
- URI domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; URI domain = demo.yeti-switch.org => FALSE :::
To domain <customer_auth_to_domain> of Customer Auth record (if not empty) equals To domain;
::: note ::: title Note :::
Examples:
- To domain of Customer Auth record = ** ; To domain = onat.edu.ua =*TRUE*
- To domain of Customer Auth record = onat.edu.ua ; To domain = onat.edu.ua =*TRUE*
- To domain of Customer Auth record = onat.edu.ua ; To domain = yeti-switch.org =*FALSE*
- To domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; To domain = yeti-switch.org => TRUE
- To domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; To domain = demo.yeti-switch.org => FALSE :::
From domain <customer_auth_from_domain>{.interpreted-text role="ref"} of Customer Auth record (if not empty) equals From domain;
::: note ::: title Note :::
Examples:
- From domain of Customer Auth record = ** ; From domain = onat.edu.ua =*TRUE*
- From domain of Customer Auth record = onat.edu.ua ; From domain = onat.edu.ua =*TRUE*
- From domain of Customer Auth record = onat.edu.ua ; From domain = yeti-switch.org =*FALSE*
- From domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; From domain = yeti-switch.org => TRUE
- From domain of Customer Auth record = onat.edu.ua, yeti-switch.org ; From domain = demo.yeti-switch.org => FALSE :::
Transport protocol <customer_auth_transport_protocol>{.interpreted-text role="ref"} of Customer Auth record (if chosen) equals Transport protocol;
::: note ::: title Note :::
Examples:
- Transport protocol of Customer Auth record = TCP ; Transport protocol = TCP =*TRUE*
- Transport protocol of Customer Auth record = Any ; Transport protocol = UDP =*TRUE*
- Transport protocol of Customer Auth record = UDP ; Transport protocol = TCP =*FALSE* :::
Length of URI name is between Dst number min and max length <customer_auth_dst_number_min_length>{.interpreted-text role="ref"} values of Customer Auth record;
::: note ::: title Note :::
Examples:
- Dst number min length of Customer Auth record = 3 ; Dst number max length of Customer Auth record = 15 ; URI name = 380662296132 =*TRUE*
- Dst number min length of Customer Auth record = 7 ; Dst number max length of Customer Auth record = 7 ; URI name = 7050460 =*TRUE*
- Dst number min length of Customer Auth record = 0 ; Dst number max length of Customer Auth record = 7 ; URI name = 0487050460 =*FALSE* :::
Customer Auth record is enabled;
Contractor <contractors> that is associated with Customer Auth record has Customer <contractor_customer> status.

If no records were found on previous step the procedure of Authentication will be exited with Disconnect Code 110 (Can't find Customer or Customer locked).

On the third step of authentication algorithm Yeti sorts of Customer Auth records (if any were found on the previous step) with following rules:

records with the longest mask of IP address <customer_auth_ip_address>{.interpreted-text role="ref"} first;
::: note ::: title Note :::
Examples:
- Record with IP address <customer_auth_ip_address>{.interpreted-text role="ref"} = 192.168.30.1 will be higher than record with IP address <customer_auth_ip_address>{.interpreted-text role="ref"} = 192.168.30.0/24
- Record with IP address <customer_auth_ip_address>{.interpreted-text role="ref"} = 192.168.30.0/24 will be higher than record with IP address <customer_auth_ip_address>{.interpreted-text role="ref"} = 0.0.0.0/0
- Record with IP address <customer_auth_ip_address>{.interpreted-text role="ref"} = 192.168.30.0/24 will be on same level with record with IP address <customer_auth_ip_address>{.interpreted-text role="ref"} = 195.5.30.0/24 :::
records with chosen Transport protocol <customer_auth_transport_protocol>{.interpreted-text role="ref"}, PoP <customer_auth_pop> and with entered URI domain <customer_auth_uri_domain>{.interpreted-text role="ref"}, To domain <customer_auth_to_domain>{.interpreted-text role="ref"} and From domain <customer_auth_from_domain>{.interpreted-text role="ref"} values first;
records with longest Dst Prefix <customer_auth_dst_prefix>{.interpreted-text role="ref"} and Src Prefix <customer_auth_src_prefix>{.interpreted-text role="ref"} first.

After sorting of Customer Auth records routing procedure will be continued with using first record from the sorted list of Customer Auth records that was received.

Customer Auth form contains few tabs and each one is described below.

General attributes

Id

Unique Customers Auth's id.

Name

Unique name of Accounting profile. Uses for informational purposes and doesn't affect system behavior.

Enabled

Disabled records will be ignored.

Customer

Customer, who this Customer Auth belongs to.

Account

Account of Customer, which this Customer Auth belongs to.

Check account balance

If this flag is enabled Yeti will check current Balance of Account. If current balance is less than Min balance - call will dropped with Disconnect code 8000 (No enought customer balance).

Gateway

Gateway which related to this Customer Auth. This gateway will be used as Origination gateway and will define Yeti SIP and RTP stacks behavior on A-leg of a call.

Rateplan

Rateplan that will handle call originator billing for calls authenticated by this Customer Auth.

Routing Plan

Routing Plan that will handle routing of calls authenticated by this Customer Auth.

Dst Numberlist

Optional Numberlist to perform additional actions based on Destination Number.

Src Numberlist

Optional Numberlist to perform additional actions based on Source Number(CLI).

Dump Level

Dump Level for call tracing mechanism. Read more in Troubleshooting Guide.

Enable Audio Recording

If checked, the media for calls passing through this Customer Auth will be recorded.

Capacity

The capacity of the Customer Auth, i.e. how many concurrent calls it accepts at the moment.

Allow Receive Rate Limit

A Customer may send special SIP header in which he sends the max per minute rate for this call he wants to pay. And YETI will rely on this price on the routing stage if we allow such a behavior.

Send Billing Information

If enabled, Yeti adds the SIP headers to 200OK SIP Response, which contains current rate for call, in order to a Customer should be informed.

Header	Description
`X-VND-INIT-INT`	Destination Initial Billing Interval in seconds
`X-VND-NEXT-INT`	Destination Next Billing Interval in seconds
`X-VND-INIT-RATE`	Destination Billing rate on initial billing interval
`X-VND-NEXT-RATE`	Destination Billing rate on next billing intervals
`X-VND-CF`	Destination Connection fee

Match condition options

This part is crucial for authentication process of incoming calls. You should note that a one customer may have many of Customer Auth with almost the same parameters, so pay attention to parameters besides Ip address.

Transport Protocol: Transport protocol (Any/TCP/UDP/TLS), which the customer uses for sending calls to YETI.
Ip: IP address or array of IP-addresses (separated by comma(,)) of the originator (Customer).
Require incoming auth: In case of enabling this checkbox incoming authorization of Gateway (in case of using Gateway as Originator of calls) will be required. Authorization parameters <incoming_auth_params> (username and password) are available in the Signaling tab (Origination section) of Gateway attributes (Equipment menu). Call will be dropped in case of incorrect authorization.
Pop: Point of presence (PoP), which receives calls from the Customer. If a call will come to the different PoP (a node which receives calls belongs to different PoP), such call will be processed with other Customer Auth entity.
Src Prefix: You can define a prefix or array of prefixes (separated by comma(,)) which necessarily should be presented in Src-number for every call from the customer. Just a prefix (or prefixes) must be used here, not a regular expression.
Dst Prefix: You can define a prefix or array of prefixes (separated by comma(,)) which necessarily should be presented in a Dst-number for every call from the customer. Just a prefix (or prefixes) must be used here, not a regular expression.
Dst number min length: Minimum length of destination number allowed for this Customer Auth. In case of receiving destination number that is less than this minimal value other Customer Auth entity will be used (if any) for authentication.
Dst number max length: Maximum length of destination number allowed for this Customer Auth. In case of receiving destination number that is longer than this maximum value call other Customer Auth entity will be used (if any) for authentication.
Uri Domain: If specified, YETI checks the domain part of the URI for every call. If the domain part is not the same as specified other Customer Auth entity will be used (if any) for authentication. You can specify more than one Uri Domain (separated by comma(,)).
From Domain: If specified, YETI checks the domain part of the URI in the From header for every call. If presented domain mismatches other Customer Auth entity will be used (if any) for authentication. You can specify more than one From Domain (separated by comma(,)).
To Domain: If specified, YETI checks the domain part of the URI in the To header for every call. If presented domain mismatches other Customer Auth entity will be used (if any) for authentication. You can specify more than one To Domain (separated by comma(,)).
X Yeti Auth: It's possible to define the custom SIP-header X-Yeti-Auth or array of headers (separated by comma(,)) for the customer's calls and specify its value in YETI. In case they match, YETI passes such calls with using this Customer Auth entity for authentication.

Number translation options

Privacy mode

Processing mode for Private calls <sip_headers_privacy>. Available options:

Allow any calls
Reject private calls - Private calls will be rejected
Reject critical private calls - Critical private calls will be rejected
Reject anonymous calls(no CLI/PAI/PPI) - Private calls with anonymous From, PAI, PPI headers will be rejected

Diversion policy

Defines what to do wit Diversion <sip_headers_diversion> header received in initial INVITE from call originator. Available options:

Do not accept: Yeti will not process incoming Diversion header
Accept: Yeti will accept Diversion header. It will be possible to relay it to termination gateway according to Diversion Send Mode

Diversion rewrite rule/Diversion rewrite result

Rewrite rules for Diversion URI user-part. See how to use POSIX Regular Expressions in Yeti.

PAI Policy

P-Asserted-Identity and P-Preferred-Identity headers processing logic. Available options:

Do not accept: Do not accept incoming P-Asserted-Identity and P-Preferred-Identity data. It will not be possible to relay PAI and PPI to termination gateway
Accept: Accept incoming P-Asserted-Identity and P-Preferred-Identity data. It will be possible to relay PAI and PPI to termination gateway
Require: Yeti will reject call if no P-Asserted-Identity header received from call originator

INFO

P-Asserted-Identity and P-Preferred-Identity values received from call originator will be saved in CDR attributes PAI In and PPI In

PAI Rewrite rule/PAI Rewrite result

Rewrite rules for P-Asserted-Identity and P-Preferred-Identity URI user-part. See how to use POSIX Regular Expressions in Yeti.

WARNING

Experimental feature. Disabled by default.

Src name Field

Src name Field setting defined where yeti reading Src Name from. Available options:

From URI Display name: use From header display name as Src Name
From URI userpart: use From header user part as Src Name

Src name rewrite rule/Src name rewrite result

Rewrite rules for SRC Name. See how to use POSIX Regular Expressions in Yeti.

Src number Field

Src number Field setting defined where yeti reading Src Number from. Available options:

From URI userpart: use From header user part as Src Name
From URI Display name: use From header display name as Src Name

Src rewrite rule/Src rewrite result

Rewrite rules for SRC Number. See how to use POSIX Regular Expressions in Yeti.

Dst number field

TODO - R-URI userpart - To URI userpart - Top Diversion header userpart{.interpreted-text role="spelling:ignore"}

Dst rewrite rule/Dst rewrite result

Rewrite rules for Destination number. See how to use POSIX Regular Expressions in Yeti.

Cnam Database

TODO

Radius options

Radius auth profile: Must be specified if the additional radius authentication is required.
Src number radius rewrite rule/Src number radius rewrite result: Rewrite rules for changing Source-number which will be send to Radius-server if it's required. See how to use POSIX Regular Expressions in Yeti.
Dst number radius rewrite rule/Dst number radius rewrite result: Rewrite rules for changing Destination-number which will be send to Radius-server if it's required. See how to use POSIX Regular Expressions in Yeti.
Radius accounting profile: Must be specified if the radius accounting is required.

Routing Tags options

Tag action/Tag action value: Call tags modification logic. See Using Routing tags guide

STIR/SHAKEN Attributes

SS Mode

Defines the STIR/SHAKEN operating mode. Possible values:

Disable STIR/SHAKEN processing: No validation or signing is performed.
Validate identity: Perform STIR/SHAKEN signature validation.
Force rewrite attestation level: Override the attestation level. Since it is not possible to change the attestation level within an existing signature, this option replaces the existing signature with a new one.

SS Invalid Identity Action

Defines system behavior when an invalid STIR/SHAKEN signature is received.

SS No Identity Action

Defines system behavior when a call is received without an Identity header.

Rewrite SS Status

Allows overriding the original attestation level. During the Identity signing procedure, this value determines the attestation level of the outgoing call. Additionally, the attestation level can be overridden in Numberlist Item configuration, which enables logic where the attestation level depends on the call's Source/Destination number or prefix.

SS Src Rewrite Rule/Result

A regular expression applied to the original Source Number (Src Number In) from SIP signaling before comparing it with the orig.tn attribute in the signature. See how to use POSIX Regular Expressions in Yeti.

SS Dst Rewrite Rule/Result

A regular expression applied to the original Destination Number (Dst Number In) from SIP signaling before comparing it with the dest.tn attribute in the signature. See how to use POSIX Regular Expressions in Yeti.

STIR/SHAKEN Certificate

The STIR/SHAKEN certificate to be used for the Identity Signing procedure

WARNING

STIR/SHAKEN mechanisms are disabled by default.

Version 1.13

Web Interface

Billing

Equipment

Routing

CDR

Reports

Realtime Data

Logs

System

Routing Quick Start

Customers Auths

General attributes

Match condition options

Number translation options

Radius options

Routing Tags options

STIR/SHAKEN Attributes

Billing

Routing

Customers Auths ​

General attributes ​

Match condition options ​

Number translation options ​

Radius options ​

Routing Tags options ​

STIR/SHAKEN Attributes ​

Customers Auths

General attributes

Match condition options

Number translation options

Radius options

Routing Tags options

STIR/SHAKEN Attributes