Customers Auths
This entity is responsible for authenticating and authorizing all calls received by Yeti.
Authentication - Step 1
The authentication process is based on a lookup of Customer Auth records by comparing incoming call parameters with attributes defined in the Match Conditions options.
| Call attribute | Customer auth Attribute | Comparison logic |
|---|---|---|
| SIP Transport protocol | Transport Protocol | Strict match. |
| Remote IP address | IP | Network match |
| SEMS Node location | PoP | Strict match. |
| From URI userpart | SRC Prefix | Prefix longest match. Empty value means ANY |
| From URI userpart | SRC Number length min/max | Number length match |
| R-URI userpart | DST Prefix | Prefix longest match. Empty value means ANY |
| R-URI userpart | DST Number length min/max | Number length match |
| R-URI domain | URI Domain | Strict match. Empty value means ANY |
| From domain | From Domain | Strict match. Empty value means ANY |
| To domain | To Domain | Strict match. Empty value means ANY |
| X-Yeti-Auth Header value | X-Yeti-Auth | Strict match. Empty value means No X-Yeti-Auth header present |
| interface | Interface | Strict match. Empty value means ANY |
To be considered a match, all Customer Auth attributes must match the incoming call parameters (logical AND condition).
Authentication - Step 2
The authentication procedure returns a single best-matching Customer Auth object.
To achieve this, all Customer Auths matched in Step 1 are sorted according to their matching level, and the most specific match is selected.
If the resulting Customer Auth object has the Require incoming auth flag enabled, Yeti challenges the call originator using SIP username/password authentication.
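The Step 1 lookup from the table above, sketched in Python as an added example (not Yeti's own code): it applies the transport, IP, prefix, length and X-Yeti-Auth conditions and returns every record that passes the logical AND. The field names and sample records are constructed assumptions, and the Step 2 ranking is left out because this page does not give its order; `address_only` flags records that identify the caller without an X-Yeti-Auth value or a SIP username/password challenge.

```python
import ipaddress

# Constructed records; the field names are assumptions, not Yeti's schema.
AUTHS = [
    {"id": 1, "enabled": True, "transport": "UDP", "ip": ["198.51.100.0/24"],
     "src_prefix": [""], "dst_prefix": ["44", "4420"], "dst_len": (7, 15),
     "x_yeti_auth": "", "require_incoming_auth": False},
    {"id": 2, "enabled": True, "transport": "Any", "ip": ["198.51.100.10"],
     "src_prefix": ["1"], "dst_prefix": [""], "dst_len": (0, 100),
     "x_yeti_auth": "trunk-b", "require_incoming_auth": True},
    {"id": 3, "enabled": False, "transport": "Any", "ip": ["0.0.0.0/0"],
     "src_prefix": [""], "dst_prefix": [""], "dst_len": (0, 100),
     "x_yeti_auth": "", "require_incoming_auth": False},
]

def longest_prefix(prefixes, number):
    """Length of the longest configured prefix that `number` starts with,
    or None. The empty prefix means ANY and matches with length 0."""
    hits = [len(p) for p in prefixes if number.startswith(p)]
    return max(hits) if hits else None

def matches(auth, call):
    """Step 1: every match condition must hold (logical AND)."""
    addr = ipaddress.ip_address(call["ip"])
    low, high = auth["dst_len"]
    return all((
        auth["enabled"],                                    # disabled records are skipped
        auth["transport"] in ("Any", call["transport"]),    # strict match
        any(addr in ipaddress.ip_network(n) for n in auth["ip"]),  # network match
        longest_prefix(auth["src_prefix"], call["src"]) is not None,
        longest_prefix(auth["dst_prefix"], call["dst"]) is not None,
        low <= len(call["dst"]) <= high,                    # number length match
        auth["x_yeti_auth"] == call.get("x_yeti_auth", ""), # empty = header absent
    ))

def candidates(call, auths=AUTHS):
    """Ids of all records that pass Step 1 for this call."""
    return [a["id"] for a in auths if matches(a, call)]

def address_only(auth):
    """True when the caller is identified without an X-Yeti-Auth value and
    without a SIP username/password challenge."""
    return auth["x_yeti_auth"] == "" and not auth["require_incoming_auth"]

# Constructed call: UDP INVITE from 198.51.100.10, no X-Yeti-Auth header.
CALL = {"transport": "UDP", "ip": "198.51.100.10",
        "src": "15551230000", "dst": "442071234567"}
```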
Authorization
Authorization in Yeti assigns call-related attributes such as:
- Customer
- Customer Account
- Rateplan
- Routing Plan
- and others
These attributes determine how the call is routed and processed by the system. All authorization attributes are defined within the selected Customer Auth object.
General attributes
- Id
Unique identifier
- Name
Unique name of Accounting profile. Used for informational purposes only; it does not affect system behavior.
- Enabled
Disabled records do not participate in the authentication process (they will be skipped).
- Reject calls
Reject call.
- Customer
Customer who will act as call originator for all calls authenticated by this Customer Auth.
- Account
Customer Account which will be charged for calls authenticated by this Customer Auth.
- Check account balance
If this flag is enabled, Yeti will check the current Balance of the Account. If the current balance is less than Min balance, the call will be dropped with Disconnect code 8000 (Not enough customer balance).
- Gateway
Gateway related to this Customer Auth. This gateway will be used as the Origination gateway and will define the behavior of the Yeti SIP and RTP stacks on the A-leg of a call.
- Rateplan
Rateplan that will handle call originator billing for calls authenticated by this Customer Auth.
- Routing Plan
Routing Plan that will handle routing of calls authenticated by this Customer Auth.
- Dst Numberlist
Optional Numberlist to perform additional actions based on Destination Number.
- Src Numberlist
Optional Numberlist to perform additional actions based on Source Number(CLI).
- Dump Level
Dump Level for call tracing mechanism. Read more in Troubleshooting Guide.
- Enable Audio Recording
If checked, the media for calls passing through this Customer Auth will be recorded.
- Capacity
The capacity of the Customer Auth, i.e. how many concurrent calls it accepts.
- Cps Limit
Maximum number of calls per second (CPS) allowed for this Customer Auth. Uses a token bucket filter (TBF) algorithm to track the call rate. The limit is enforced per node independently — it is not a cluster-wide limit.
INFO
CPS limiting is disabled by default and requires enabling in the system configuration before it takes effect.
If the incoming call rate exceeds the configured limit, the call is dropped with Disconnect code 8012 (CPS limit on customer auth). Leave empty to disable CPS rate limiting.
- Allow Receive Rate Limit
A Customer may send a special SIP header carrying the maximum per-minute rate they are willing to pay for the call. If this option is enabled, YETI will rely on this price at the routing stage.
- Send Billing Information
If enabled, Yeti adds SIP headers containing the current rate for the call to the 200 OK SIP response, so that the Customer is informed.
| Header | Description |
|---|---|
| X-VND-INIT-INT | Destination Initial Billing Interval in seconds |
| X-VND-NEXT-INT | Destination Next Billing Interval in seconds |
| X-VND-INIT-RATE | Destination Billing rate on initial billing interval |
| X-VND-NEXT-RATE | Destination Billing rate on next billing intervals |
| X-VND-CF | Destination Connection fee |
- Scheduler
Optional Scheduler that automatically enables or disables this Customer Auth based on configured time ranges.
- External Id
Optional identifier used to reference this Customer Auth from an external system (e.g. billing platform, CRM). When both External Id and External Type are specified, the pair must be unique. If only External Id is set (without External Type), the value must be unique on its own. The value is exported in CDR records as customer_auth_external_id.
- External Type
Optional qualifier for External Id that identifies which external system the ID belongs to. Requires External Id to be set. Allows multiple external systems to assign their own IDs to the same Customer Auth without conflicts.
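The per-node scope of Cps Limit described above, shown with a small token bucket simulation (an added example, not Yeti's implementation). The bucket depth (set equal to the limit), the round-robin spread of calls over nodes and all names are assumptions; the page gives only the algorithm name and disconnect code 8012.

```python
DISCONNECT_CPS_LIMIT = 8012  # disconnect code quoted on this page

class TokenBucket:
    """Integer token bucket: time in ms, tokens in 1/1000 of a call."""
    def __init__(self, cps_limit, burst):
        self.rate = cps_limit        # milli-tokens added per millisecond
        self.cap = burst * 1000      # assumed bucket depth
        self.tokens = self.cap       # start full
        self.last_ms = 0

    def admit(self, now_ms):
        """Refill for the elapsed time, then spend one token if available."""
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False                 # caller drops the call with code 8012

def simulate(cps_limit, nodes, offered_cps, seconds):
    """Offer evenly spaced calls, spread round-robin over `nodes` nodes,
    each node keeping its own bucket. Returns (accepted, rejected)."""
    buckets = [TokenBucket(cps_limit, burst=cps_limit) for _ in range(nodes)]
    accepted = rejected = 0
    for i in range(offered_cps * seconds):
        now_ms = i * 1000 // offered_cps
        if buckets[i % nodes].admit(now_ms):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected
```

With a limit of 10 and 50 offered calls per second for 10 seconds, one node admits 109 calls while three nodes together admit 327, so the effective cluster-wide rate scales with the number of nodes that receive the customer's traffic.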
Match condition options
This part is crucial for the authentication process of incoming calls. Note that one customer may have many Customer Auth records with almost the same parameters, so pay attention to the parameters besides the IP address.
- Transport Protocol
- Transport protocol (Any, TCP, UDP, TLS, WSS), which the customer uses for sending calls to YETI.
- Ip
- IP address or array of IP-addresses (separated by comma(,)) of the originator (Customer).
- Require incoming auth
- When this checkbox is enabled, additional username/password authentication is requested by sending a 401 response. Incoming auth credentials should be configured in the origination gateway's Incoming auth username/password.
- Pop
- Point of presence (PoP) that receives calls from the Customer. If a call arrives at a different PoP (the node that receives the call belongs to a different PoP), the call will be processed with another Customer Auth entity.
- Src Prefix
- You can define a prefix or an array of prefixes (separated by comma(,)) that must be present in the Src-number of every call from the customer. Only a prefix (or prefixes) may be used here, not a regular expression.
- Dst Prefix
- You can define a prefix or an array of prefixes (separated by comma(,)) that must be present in the Dst-number of every call from the customer. Only a prefix (or prefixes) may be used here, not a regular expression.
- Dst number min length
- Minimum length of destination number allowed for this Customer Auth. If the received destination number is shorter than this minimum value, another Customer Auth entity will be used (if any) for authentication.
- Dst number max length
- Maximum length of destination number allowed for this Customer Auth. If the received destination number is longer than this maximum value, another Customer Auth entity will be used (if any) for authentication.
- Uri Domain
- If specified, YETI checks the domain part of the URI for every call. If the domain part is not the same as specified, another Customer Auth entity will be used (if any) for authentication. You can specify more than one Uri Domain (separated by comma(,)).
- From Domain
- If specified, YETI checks the domain part of the URI in the From header for every call. If the presented domain does not match, another Customer Auth entity will be used (if any) for authentication. You can specify more than one From Domain (separated by comma(,)).
- To Domain
- If specified, YETI checks the domain part of the URI in the To header for every call. If the presented domain does not match, another Customer Auth entity will be used (if any) for authentication. You can specify more than one To Domain (separated by comma(,)).
- X Yeti Auth
- It's possible to define the custom SIP header X-Yeti-Auth or an array of headers (separated by comma(,)) for the customer's calls and specify its value in YETI. If they match, YETI passes such calls using this Customer Auth entity for authentication.
Number translation options
- Privacy mode
Processing mode for Private calls. Available options:
- Allow any calls
- Reject private calls - Private calls will be rejected
- Reject critical private calls - Critical private calls will be rejected
- Reject anonymous calls (no CLI/PAI/PPI) - Private calls with anonymous From, PAI, PPI headers will be rejected
- Diversion policy
Defines what to do with the Diversion header received in the initial INVITE from the call originator. Available options:
- Do not accept
- Yeti will not process the incoming Diversion header
- Accept
- Yeti will accept the Diversion header. It will be possible to relay it to the termination gateway according to the Diversion Send Mode configured on the termination gateway. Diversion information will also be stored in the CDR attribute Diversion In
- Diversion rewrite rule/Diversion rewrite result
Rewrite rules for Diversion URI user-part. See how to use POSIX Regular Expressions in Yeti.
- Src Numberlist use Diversion
When enabled and a Src Numberlist is configured, Yeti will use the value from the Diversion header as a fallback lookup key if the source number is not found in the numberlist. This is useful when the original calling number is carried in the Diversion header (e.g. for call forwarding scenarios).
- PAI Policy
P-Asserted-Identity and P-Preferred-Identity headers processing logic. Available options:
- Do not accept
- Do not accept incoming P-Asserted-Identity and P-Preferred-Identity data. It will not be possible to relay PAI and PPI to termination gateway
- Accept
- Accept incoming P-Asserted-Identity and P-Preferred-Identity data. It will be possible to relay PAI and PPI to termination gateway
- Require
- Yeti will reject call if no P-Asserted-Identity header received from call originator
INFO
P-Asserted-Identity and P-Preferred-Identity values received from call originator will be saved in CDR attributes PAI In and PPI In
- PAI Rewrite rule/PAI Rewrite result
Rewrite rules for P-Asserted-Identity and P-Preferred-Identity URI user-part. See how to use POSIX Regular Expressions in Yeti.
WARNING
Experimental feature. Disabled by default.
- Src name Field
The Src name Field setting defines where Yeti reads the Src Name from. Available options:
- From URI Display name
- use From header display name as Src Name
- From URI userpart
- use From header user part as Src Name
- Src name rewrite rule/Src name rewrite result
Rewrite rules for SRC Name. See how to use POSIX Regular Expressions in Yeti.
- Src number Field
The Src number Field setting defines where Yeti reads the Src Number from. Available options:
- From URI userpart
- use From header user part as Src Name
- From URI Display name
- use From header display name as Src Name
- Src rewrite rule/Src rewrite result
Rewrite rules for SRC Number. See how to use POSIX Regular Expressions in Yeti.
- Dst number field
Defines which SIP header field is used to extract the destination number. Available options:
- R-URI userpart (default)
- Extract destination number from the Request-URI user part.
- To URI userpart
- Extract destination number from the To header user part.
- Top Diversion header userpart
- Extract destination number from the user part of the topmost Diversion header.
- Dst rewrite rule/Dst rewrite result
Rewrite rules for Destination number. See how to use POSIX Regular Expressions in Yeti.
- Cnam Database
Optional CNAM Database to use for caller name enrichment. See the CNAM Databases page for details on how the lookup works.
- Lua Script
Optional Lua script to execute custom call processing logic for calls authenticated by this Customer Auth. The script runs after number translation and receives the current call profile as its argument. It can modify call attributes (numbers, headers, routing parameters) using Lua code defined in System → Lua Scripts.
WARNING
This feature is not functional yet.
- Variables
Variables to assign to call processed by this Customer Auth object. For details read How to use variables
Radius options
- Radius auth profile
- Must be specified if the additional radius authentication is required.
- Src number radius rewrite rule/Src number radius rewrite result
- Rewrite rules for changing the Source-number that will be sent to the Radius server, if required. See how to use POSIX Regular Expressions in Yeti.
- Dst number radius rewrite rule/Dst number radius rewrite result
- Rewrite rules for changing the Destination-number that will be sent to the Radius server, if required. See how to use POSIX Regular Expressions in Yeti.
- Radius accounting profile
- Must be specified if the radius accounting is required.
Routing Tags options
- Tag action/Tag action value
- Call tags modification logic. See Using Routing tags guide
STIR/SHAKEN Attributes
- SS Mode
Defines how Yeti processes the Identity header received from the origination gateway. Possible values:
- Disable STIR/SHAKEN processing
No validation or signing is performed. LegA SS Status is always None.
- Validate identity
Yeti validates the Identity header signature against the configured trusted certificates and repositories. The source and destination numbers used for comparison can be pre-processed with SS Src/Dst Rewrite Rule/Result before matching against the PASSporT claims. The result is stored in LegA SS Status:
- None: no Identity header was present.
- Invalid: signature validation failed (bad signature, number mismatch, or certificate error).
- A, B, or C: signature is valid with the corresponding attestation level.
When the status is Invalid or None, the configured SS Invalid Identity Action or SS No Identity Action determines the next step.
- Force rewrite attestation level
The incoming identity is not validated. Yeti replaces it with a new signature at the level set in Rewrite SS Status. LegA SS Status is set to that level regardless of what was received.
- SS Invalid Identity Action
Defines system behavior when signature validation produces an Invalid result. Possible values:
- Do nothing
- The call continues. LegA SS Status remains Invalid.
- Reject call
- The call is rejected with disconnect code 8019.
- Rewrite
- The invalid status is replaced with the attestation level configured in Rewrite SS Status.
- SS No Identity Action
Defines system behavior when no Identity header is present in the incoming INVITE. Possible values:
- Do nothing
- The call continues. LegA SS Status remains None.
- Reject call
- The call is rejected with disconnect code 8018.
- Rewrite
- A new identity is signed at the attestation level configured in Rewrite SS Status.
- Rewrite SS Status
Allows overriding the original attestation level. During the Identity signing procedure, this value determines the attestation level of the outgoing call. Additionally, the attestation level can be overridden in Numberlist Item configuration, which enables logic where the attestation level depends on the call's Source/Destination number or prefix.
- SS Src Rewrite Rule/Result
A regular expression applied to the original Source Number (Src Number In) from SIP signaling before comparing it with the orig.tn attribute in the signature. See how to use POSIX Regular Expressions in Yeti.
- SS Dst Rewrite Rule/Result
A regular expression applied to the original Destination Number (Dst Number In) from SIP signaling before comparing it with the dest.tn attribute in the signature. See how to use POSIX Regular Expressions in Yeti.
- STIR/SHAKEN Certificate
The STIR/SHAKEN certificate to be used for the Identity Signing procedure
WARNING
STIR/SHAKEN mechanisms are disabled by default.
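The SS Mode and action settings above combine into a small decision table; this added example (not Yeti's code) encodes it and lists the cases in which a call without a validated signature continues with an A, B or C status. The dictionary keys and function names are hypothetical, the Numberlist Item override is not modeled, and treating the No Identity rewrite as setting LegA SS Status to the rewrite level is an assumption.

```python
REJECT_NO_IDENTITY, REJECT_INVALID = 8018, 8019  # disconnect codes from this page
LEVELS = ("A", "B", "C")

def lega_ss_status(cfg, received):
    """Return (LegA SS Status, disconnect code or None).

    cfg keys (hypothetical names): mode, invalid_action, no_identity_action,
    rewrite_status. received is the validation outcome: None when no Identity
    header was present, "Invalid", or the attestation level "A"/"B"/"C"."""
    if cfg["mode"] == "disable":
        return None, None                     # status is always None
    if cfg["mode"] == "force_rewrite":
        return cfg["rewrite_status"], None    # incoming identity not validated
    if received in LEVELS:
        return received, None                 # valid signature, keep its level
    if received == "Invalid":
        action, code = cfg["invalid_action"], REJECT_INVALID
    else:
        action, code = cfg["no_identity_action"], REJECT_NO_IDENTITY
    if action == "reject":
        return received, code
    if action == "rewrite":
        # Assumption for the no-Identity case: the status becomes the signed level.
        return cfg["rewrite_status"], None
    return received, None                     # "nothing": Invalid or None remains

def unverified_uplift(cfg):
    """Outcomes (None / "Invalid") for which the call continues with an
    A, B or C status although no signature was validated."""
    found = []
    for received in (None, "Invalid"):
        status, code = lega_ss_status(cfg, received)
        if code is None and status in LEVELS:
            found.append(received)
    return found

# Constructed configurations for comparison.
STRICT = {"mode": "validate", "invalid_action": "reject",
          "no_identity_action": "nothing", "rewrite_status": "A"}
LAX = dict(STRICT, invalid_action="rewrite", no_identity_action="rewrite")
FORCED = dict(STRICT, mode="force_rewrite")
```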