Cisco 887 unable to authorize

Using a Cisco 887 with this config:
cwmp agent
enable download
management server username username
management server password 0 password
management server url http://myurl.com:7547/

On the Cisco I see:
*Aug 19 11:30:24.583: CWMP: cwmp_session_response_data → HTTP ACS Response code 401
*Aug 19 11:30:24.583: CWMP: cwmp_session_response_data → HTTP ACS Response string Unauthorized
*Aug 19 11:30:24.583: CWMP ERROR: cwmp_session_response_data → HTTPC Response failed with httpc error 5

What am I missing? What needs to be done on GenieACS?
Thanks

Have you enabled authentication in GenieACS?

Thank you so much for your reply, akcoder.
I have 2 DrayTek devices and they authenticate just fine. This seems to be a Cisco “specific” issue. So yes … I have auth set.
Could I have missed something? Is there something extra I need to do for Cisco boxes?

No clue on Cisco stuff. I’d start with a packet capture and verify everything looks like it should. If it doesn’t, then you will have to kick it up to Cisco.

One thing I just thought of is the Cisco cwmp client could be so old and busted it doesn’t support the auth mechanism genie is using.

I have updated to the last IOS image for the device but … same thing.
Still not authorised.
It's got to be a Cisco-only thing, and being a large vendor I would have figured SOMEONE would have sorted this out?
I mean, it wouldn't make much sense to have an ACS system that doesn't support Cisco …

Here is what you need to get comfortable with in this space. Every single vendor is terrible at complying with the standards. Some are more terrible than others.

At this point, you need to fire up Wireshark and dig into the packets. The packets don’t lie.
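One way to act on the capture advice, as an added example that is not part of the original posts and is not GenieACS or Cisco code: paste the `WWW-Authenticate` value from the 401 and the `Authorization` value the CPE sent, and check whether the scheme matches and whether the credentials verify against the configured password. The function names are hypothetical, the Digest sample is the worked example from RFC 2617 section 3.5 (not traffic from an 887), and only MD5 Digest and Basic are handled.

```python
import base64
import hashlib
import re

def parse_auth_header(value):
    """Return (scheme, params) for a WWW-Authenticate or Authorization value."""
    scheme, _, rest = value.strip().partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return scheme.lower(), {k.lower(): q or u for k, q, u in pairs}

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def expected_digest(p, password, method):
    """RFC 2617 response value (MD5) for the parameters the client sent."""
    ha1 = _md5(f"{p['username']}:{p['realm']}:{password}")
    ha2 = _md5(f"{method}:{p['uri']}")
    if "qop" in p:
        return _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return _md5(f"{ha1}:{p['nonce']}:{ha2}")

def diagnose(challenge, authorization, password, method="POST"):
    """Explain a 401 from the two header values seen in the capture."""
    wanted, _ = parse_auth_header(challenge)
    if not authorization:
        return "CPE sent no Authorization header"
    sent, p = parse_auth_header(authorization)
    if sent != wanted:
        return f"scheme mismatch: ACS asked for {wanted}, CPE sent {sent}"
    if sent == "basic":
        decoded = base64.b64decode(authorization.split()[1]).decode()
        ok = decoded.partition(":")[2] == password
    else:
        ok = expected_digest(p, password, method) == p.get("response", "")
    return "credentials verify" if ok else "credentials do not verify"

# Sample headers from RFC 2617 section 3.5 (password "Circle Of Life", method GET).
RFC_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')
RFC_AUTHORIZATION = ('Digest username="Mufasa", realm="testrealm@host.com", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
                     'qop=auth, nc=00000001, cnonce="0a4f113b", '
                     'response="6629fae49393a05397450978507c4ef1"')

if __name__ == "__main__":
    print(diagnose(RFC_CHALLENGE, RFC_AUTHORIZATION, "Circle Of Life", method="GET"))
```

For a CWMP session the request method is POST, which is the default here.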

Sorted.
There’s a difference between the HTTP headers of Cisco and everyone else, it seems. Auth with HTTP had to go through NGINX, after which it worked. HTTPS was another matter. The root CAs of the 887 were out of date. Cisco released an update. The update won't load completely on the 887. Forced a root CA to trusted and it worked. The root cert of the cert I was trying to reach was downloaded from the web page itself (PEM file) and forced onto the Cisco … this allowed HTTPS with auth.
Not easy. The documentation on GenieACS is a mess, it's NOT user friendly and this will completely kill it.
This would be the best app in the world and used all over if you could do something simple, like change an interface description of a device, within 2 days of installing GenieACS.
Too much BS, too little USEFUL paperwork, ZERO examples will kill your user base.

GenieACS is free software. There is an option for paid support, and if you need that, I would highly encourage you to visit the Commercial Support - GenieACS page.

One of the big downsides to free software is the documentation is usually not the best. And it comes down to developers want to work on what's fun. And solving a deeply technical problem is fun. Writing documentation is not.

Wanna step up and help improve the documentation? Email me at zaid@genieacs.com and name your price.
