Customers Auths

This entity is responsible for authenticating and authorizing all calls received by Yeti.

Authentication - Step 1

The authentication process is based on a lookup of Customer Auth records by comparing incoming call parameters with attributes defined in the Match Conditions options.

| Call attribute | Customer auth Attribute | Comparison logic |
|---|---|---|
| SIP Transport protocol | Transport Protocol | Strict match. |
| Remote IP address | IP | Network match |
| SEMS Node location | PoP | Strict match. |
| From URI userpart | SRC Prefix | Prefix longest match. Empty value means ANY |
| From URI userpart | SRC Number length min/max | Number length match |
| R-URI userpart | DST Prefix | Prefix longest match. Empty value means ANY |
| R-URI userpart | DST Number length min/max | Number length match |
| R-URI domain | URI Domain | Strict match. Empty value means ANY |
| From domain | From Domain | Strict match. Empty value means ANY |
| To domain | To Domain | Strict match. Empty value means ANY |
| X-Yeti-Auth Header value | X-Yeti-Auth | Strict match. Empty value means No X-Yeti-Auth header present |
| interface | Interface | Strict match. Empty value means ANY |

To be considered a match, all Customer Auth attributes must match the incoming call parameters (logical AND condition).

Authentication - Step 2

The authentication procedure returns a single best-matching Customer Auth object.

To achieve this, all Customer Auths matched in Step 1 are sorted according to their matching level, and the most specific match is selected.

If the resulting Customer Auth object has the Require incoming auth flag enabled, Yeti challenges the call originator using SIP username/password authentication.

Authorization

Authorization in Yeti assigns call-related attributes such as:

  • Customer
  • Customer Account
  • Rateplan
  • Routing Plan
  • and others

These attributes determine how the call is routed and processed by the system. All authorization attributes are defined within the selected Customer Auth object.

General attributes

Id

Unique identifier

Name

Unique name of Accounting profile. Used for informational purposes only; it does not affect system behavior.

Enabled

Disabled records do not participate in the authentication process (they will be skipped).

Reject calls

Reject call

Customer

Customer who will act as the call originator for all calls authenticated by this Customer Auth.

Account

Customer Account which will be charged for calls authenticated by this Customer Auth.

Check account balance

If this flag is enabled, Yeti will check the current Balance of the Account. If the current balance is less than Min balance, the call will be dropped with Disconnect code 8000 (No enough customer balance).

Gateway

Gateway related to this Customer Auth. This gateway will be used as the Origination gateway and will define the behavior of the Yeti SIP and RTP stacks on the A-leg of a call.

Rateplan

Rateplan that will handle call originator billing for calls authenticated by this Customer Auth.

Routing Plan

Routing Plan that will handle routing of calls authenticated by this Customer Auth.

Dst Numberlist

Optional Numberlist to perform additional actions based on Destination Number.

Src Numberlist

Optional Numberlist to perform additional actions based on Source Number (CLI).

Dump Level

Dump Level for call tracing mechanism. Read more in Troubleshooting Guide.

Enable Audio Recording

If checked, the media for calls passing through this Customer Auth will be recorded.

Capacity

The capacity of the Customer Auth, i.e. how many concurrent calls it accepts.

Allow Receive Rate Limit

A Customer may send a special SIP header carrying the maximum per-minute rate they are willing to pay for this call. If this behavior is allowed, YETI will rely on this price at the routing stage.

Send Billing Information

If enabled, Yeti adds SIP headers containing the current rate for the call to the 200 OK SIP response, so that the Customer is informed.

| Header | Description |
|---|---|
| X-VND-INIT-INT | Destination Initial Billing Interval in seconds |
| X-VND-NEXT-INT | Destination Next Billing Interval in seconds |
| X-VND-INIT-RATE | Destination Billing rate on initial billing interval |
| X-VND-NEXT-RATE | Destination Billing rate on next billing intervals |
| X-VND-CF | Destination Connection fee |

Match condition options

This part is crucial for the authentication process of incoming calls. Note that one customer may have many Customer Auths with almost the same parameters, so pay attention to parameters other than the IP address.

Transport Protocol
Transport protocol (Any, TCP, UDP, TLS, WSS) that the customer uses to send calls to YETI.
Ip
IP address or array of IP addresses (separated by commas) of the originator (Customer).
Require incoming auth
If this checkbox is enabled, additional username/password authentication is requested by sending a 401 response. Incoming auth credentials should be configured in the origination gateway's Incoming auth username/password fields.
Pop
Point of presence (PoP) that receives calls from the Customer. If a call arrives at a different PoP (the node receiving the call belongs to a different PoP), the call will be processed with another Customer Auth entity.
Src Prefix
A prefix or array of prefixes (separated by commas) that must be present in the Src-number of every call from the customer. Only a prefix (or prefixes) may be used here, not a regular expression.
Dst Prefix
A prefix or array of prefixes (separated by commas) that must be present in the Dst-number of every call from the customer. Only a prefix (or prefixes) may be used here, not a regular expression.
Dst number min length
Minimum length of destination number allowed for this Customer Auth. If the received destination number is shorter than this minimum, another Customer Auth entity (if any) will be used for authentication.
Dst number max length
Maximum length of destination number allowed for this Customer Auth. If the received destination number is longer than this maximum, another Customer Auth entity (if any) will be used for authentication.
Uri Domain
If specified, YETI checks the domain part of the URI for every call. If the domain part differs from the specified one, another Customer Auth entity (if any) will be used for authentication. You can specify more than one Uri Domain (separated by commas).
From Domain
If specified, YETI checks the domain part of the URI in the From header for every call. If the presented domain does not match, another Customer Auth entity (if any) will be used for authentication. You can specify more than one From Domain (separated by commas).
To Domain
If specified, YETI checks the domain part of the URI in the To header for every call. If the presented domain does not match, another Customer Auth entity (if any) will be used for authentication. You can specify more than one To Domain (separated by commas).
X Yeti Auth
You can define the custom SIP header X-Yeti-Auth, or an array of headers (separated by commas), for the customer's calls and specify its value in YETI. If they match, YETI accepts such calls using this Customer Auth entity for authentication.
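
The two-step lookup from the Authentication sections, applied to the match conditions listed above, as an added example (not Yeti's own code). The `CustomerAuth` model and its field names are hypothetical, it models the IP, transport, prefix, length, URI domain and X-Yeti-Auth conditions, and the Step 2 ordering (narrowest network, then longest DST prefix, then longest SRC prefix) is an assumption, since the page does not define the matching level.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class CustomerAuth:            # hypothetical model, not Yeti's schema
    name: str
    ip: tuple                  # networks; the call's remote IP must fall in one
    transport: str = ""        # "" = Any
    src_prefix: tuple = ("",)  # "" = ANY
    dst_prefix: tuple = ("",)
    dst_len: tuple = (0, 100)  # min/max destination number length
    uri_domain: tuple = ()     # empty = ANY
    x_yeti_auth: tuple = ()    # empty = header must be absent
    enabled: bool = True

def longest(prefixes, number):
    """Length of the longest configured prefix of `number`, or None."""
    hits = [len(p) for p in prefixes if number.startswith(p)]
    return max(hits) if hits else None

def match_level(auth, call):
    """Step 1: specificity tuple if ALL conditions match (logical AND), else None."""
    addr = ipaddress.ip_address(call["ip"])
    masks = [n.prefixlen for n in map(ipaddress.ip_network, auth.ip) if addr in n]
    src, dst = longest(auth.src_prefix, call["src"]), longest(auth.dst_prefix, call["dst"])
    hdr = call.get("x_yeti_auth")
    ok = (auth.enabled and masks and src is not None and dst is not None
          and auth.transport in ("", call["transport"])
          and auth.dst_len[0] <= len(call["dst"]) <= auth.dst_len[1]
          and (not auth.uri_domain or call["ruri_domain"] in auth.uri_domain)
          and (hdr in auth.x_yeti_auth if auth.x_yeti_auth else hdr is None))
    # ASSUMED ordering: narrowest network, then longest DST, then longest SRC prefix.
    return (max(masks), dst, src) if ok else None

def authenticate(auths, call):
    """Step 2: the single most specific record among the Step 1 matches, or None."""
    scored = [(lvl, a) for a in auths if (lvl := match_level(a, call)) is not None]
    return max(scored, key=lambda s: s[0])[1] if scored else None

# Constructed sample records and call, using documentation address ranges.
AUTHS = [
    CustomerAuth("catch-all", ip=("0.0.0.0/0",)),
    CustomerAuth("acme-trunk", ip=("192.0.2.0/24",), dst_prefix=("1", "44")),
    CustomerAuth("acme-tagged", ip=("192.0.2.10/32",), x_yeti_auth=("s3cret",)),
]
CALL = {"ip": "192.0.2.10", "transport": "UDP", "src": "15550100",
        "dst": "442071234567", "ruri_domain": "sip.example.net"}
```

With these records, a call from any address outside 192.0.2.0/24 is still authenticated by the catch-all record, which is why records with broad IP networks and empty prefixes deserve review.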

Number translation options

Privacy mode

Processing mode for Private calls. Available options:

  • Allow any calls
  • Reject private calls - Private calls will be rejected
  • Reject critical private calls - Critical private calls will be rejected
  • Reject anonymous calls (no CLI/PAI/PPI) - Private calls with anonymous From, PAI, PPI headers will be rejected

Diversion policy

Defines what to do with Diversion header received in initial INVITE from call originator. Available options:

Do not accept
Yeti will not process incoming Diversion header
Accept
Yeti will accept the Diversion header. It will be possible to relay it to the termination gateway according to the Diversion Send Mode configured on the termination gateway. Diversion information will also be stored in the CDR attribute Diversion In.

Diversion rewrite rule/Diversion rewrite result

Rewrite rules for Diversion URI user-part. See how to use POSIX Regular Expressions in Yeti.

PAI Policy

P-Asserted-Identity and P-Preferred-Identity headers processing logic. Available options:

Do not accept
Do not accept incoming P-Asserted-Identity and P-Preferred-Identity data. It will not be possible to relay PAI and PPI to termination gateway
Accept
Accept incoming P-Asserted-Identity and P-Preferred-Identity data. It will be possible to relay PAI and PPI to termination gateway
Require
Yeti will reject call if no P-Asserted-Identity header received from call originator

INFO

P-Asserted-Identity and P-Preferred-Identity values received from call originator will be saved in CDR attributes PAI In and PPI In

PAI Rewrite rule/PAI Rewrite result

Rewrite rules for P-Asserted-Identity and P-Preferred-Identity URI user-part. See how to use POSIX Regular Expressions in Yeti.

WARNING

Experimental feature. Disabled by default.

Src name Field

The Src name Field setting defines where Yeti reads the Src Name from. Available options:

From URI Display name
use From header display name as Src Name
From URI userpart
use From header user part as Src Name

Src name rewrite rule/Src name rewrite result

Rewrite rules for SRC Name. See how to use POSIX Regular Expressions in Yeti.

Src number Field

The Src number Field setting defines where Yeti reads the Src Number from. Available options:

From URI userpart
use From header user part as Src Name
From URI Display name
use From header display name as Src Name

Src rewrite rule/Src rewrite result

Rewrite rules for SRC Number. See how to use POSIX Regular Expressions in Yeti.

Dst number field

TODO

  • R-URI userpart
  • To URI userpart
  • Top Diversion header userpart

Dst rewrite rule/Dst rewrite result

Rewrite rules for Destination number. See how to use POSIX Regular Expressions in Yeti.

Cnam Database

TODO

Variables

Variables to assign to calls processed by this Customer Auth object. For details, read How to use variables.

Radius options

Radius auth profile
Must be specified if the additional radius authentication is required.
Src number radius rewrite rule/Src number radius rewrite result
Rewrite rules for changing the Source number which will be sent to the Radius server, if required. See how to use POSIX Regular Expressions in Yeti.
Dst number radius rewrite rule/Dst number radius rewrite result
Rewrite rules for changing the Destination number which will be sent to the Radius server, if required. See how to use POSIX Regular Expressions in Yeti.
Radius accounting profile
Must be specified if the radius accounting is required.

Routing Tags options

Tag action/Tag action value
Call tags modification logic. See Using Routing tags guide

STIR/SHAKEN Attributes

SS Mode

Defines the STIR/SHAKEN operating mode. Possible values:

Disable STIR/SHAKEN processing
No validation or signing is performed.
Validate identity
Perform STIR/SHAKEN signature validation.
Force rewrite attestation level
Override the attestation level. Since it is not possible to change the attestation level within an existing signature, this option replaces the existing signature with a new one.

SS Invalid Identity Action

Defines system behavior when an invalid STIR/SHAKEN signature is received.

SS No Identity Action

Defines system behavior when a call is received without an Identity header.

Rewrite SS Status

Allows overriding the original attestation level. During the Identity signing procedure, this value determines the attestation level of the outgoing call. Additionally, the attestation level can be overridden in Numberlist Item configuration, which enables logic where the attestation level depends on the call's Source/Destination number or prefix.

SS Src Rewrite Rule/Result

A regular expression applied to the original Source Number (Src Number In) from SIP signaling before comparing it with the orig.tn attribute in the signature. See how to use POSIX Regular Expressions in Yeti.

SS Dst Rewrite Rule/Result

A regular expression applied to the original Destination Number (Dst Number In) from SIP signaling before comparing it with the dest.tn attribute in the signature. See how to use POSIX Regular Expressions in Yeti.

STIR/SHAKEN Certificate

The STIR/SHAKEN certificate to be used for the Identity Signing procedure.

WARNING

STIR/SHAKEN mechanisms are disabled by default.