CPE authentication with 1.2.3

Has anyone got any info or examples on how to enable CPE to ACS authentication using multiple usernames and passwords? I currently do this with Nginx but was hoping to find a way to do this directly with GenieACS. I see here in the install guide that you can have a single static user/pass or use the EXT() function: "The EXT() function makes it possible to call an extension script from the auth expression. This can be used to fetch the credentials from an external source:" I’m looking for examples for this if possible. Thanks.

For anyone that comes across this, I sorted this by adding a new config under Admin > Config with the key “cwmp.auth” and the value

AUTH("username1", "password1") OR AUTH("username2", "password2") OR AUTH("username3", "password3") OR AUTH("username4", "password4") etc.

I’ve got 24 user/pass combos in so far but not sure how many until I hit a limit.


Currently we can authenticate your CPEs with a cwmp.auth value as follows:
AUTH(EXT("cwmp_password", "getUsername", DeviceID.OUI, DeviceID.SerialNumber, DeviceID.ProductClass), EXT("cwmp_password", "getPassword", DeviceID.OUI, DeviceID.SerialNumber))
The ext script then looks up the data from an SQL database.

We have an individual user and password for every device, so handling the passwords in the GenieACS configuration is not possible beyond the testing setup.


Thanks wesx, I’ll have a look at that as it does look a lot more flexible.

Hello wesx,

Could you please share the ext file? I’m trying to do the same, but unfortunately…

Hi, here is the script.

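// GenieACS extension script: looks up per-device CWMP credentials in MySQL.
var mysql = require('mysql');
var pool  = mysql.createPool({
  connectionLimit : 10,
  host            : '127.0.0.1',
  user            : 'acs',
  password        : 'password',
  database        : 'cwmp_passwords'
});

// args: [OUI, SerialNumber, ProductClass]; the username is "<OUI>-<SerialNumber>".
function getUsername(args, callback){
  callback(null, args[0] + "-" + args[1]);
}

// args: [OUI, SerialNumber]; fetches the password stored for that username.
function getPassword(args, callback){
  var username = args[0] + "-" + args[1];
  pool.query(
    'SELECT password from cwmp_passwords where cwmp_id = ?',
    [username],
    function(error, results, fields) {
      if (error){
        console.log(error);
        callback(error);
      } else if (results.length === 0) {
        // No row for this device: report it instead of throwing on results[0].
        callback(new Error("no password stored for " + username));
      } else {
        callback(null, results[0].password);
      }
    });
}
exports.getUsername = getUsername;
exports.getPassword = getPassword;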

Thank you!!
It will be very useful.

In our case the getUsername function will likely need more logic, as we have boxes that use another username schema that is not reflected in the database.
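Added example, not part of any post in this thread: an ext script of the same (args, callback) shape that supports a second username schema, rejects malformed DeviceID values, and returns an error when a device has no stored credentials. The Map stands in for the SQL table so it runs offline; the OUIs, serials, passwords, the `SCHEMAS` table and the identifier patterns are constructed assumptions.

```javascript
// Added example. A Map of constructed values stands in for the SQL table.
const STORE = new Map([
  ["AABBCC-SN1001", "pw-for-1001"],
  ["cpe-sn2002", "pw-for-2002"],
]);

// Hypothetical per-OUI username schemas; the default is the thread's OUI-Serial.
const SCHEMAS = {
  "112233": (oui, serial) => "cpe-" + serial.toLowerCase(),
};

// Returns the lookup key for a device, or null if the identifiers look wrong.
function buildUsername(args) {
  const [oui, serial] = Array.isArray(args) ? args : [];
  // Assumed shapes: 6 hex digits for the OUI, 1-64 safe characters for the serial.
  if (typeof oui !== "string" || !/^[0-9A-Fa-f]{6}$/.test(oui)) return null;
  if (typeof serial !== "string" || !/^[\w.-]{1,64}$/.test(serial)) return null;
  const schema = SCHEMAS[oui.toUpperCase()] || ((o, s) => o + "-" + s);
  return schema(oui, serial);
}

// Stand-in for pool.query(...): an unknown id yields an empty result set.
function lookupPassword(id, cb) {
  cb(null, STORE.has(id) ? [{ password: STORE.get(id) }] : []);
}

function getUsername(args, callback) {
  const id = buildUsername(args);
  if (id === null) return callback(new Error("invalid DeviceID"));
  callback(null, id);
}

function getPassword(args, callback) {
  const id = buildUsername(args);
  if (id === null) return callback(new Error("invalid DeviceID"));
  lookupPassword(id, function (error, rows) {
    if (error) return callback(error);
    // No row, duplicate rows or an empty password: return an error, not a value.
    if (rows.length !== 1 || !rows[0].password) {
      return callback(new Error("no credentials for " + id));
    }
    callback(null, rows[0].password);
  });
}

if (typeof module !== "undefined") {
  module.exports = { getUsername, getPassword };
}
```

In a deployment, `lookupPassword` would wrap the parameterized `pool.query` call from the script posted above.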

I’ve just upgraded to 2.4 and am seeing an auth error in the logs now, but it works. “Authentication failure” at the start of the inform in the logs. If I change the password in the modem the inform stops on that error, so it’s definitely authenticating. If I remove the cwmp.auth line from the Config section the error disappears. Are any of you seeing this?

This could be because the devices are behind NAT because I’m getting a 401 error the first 2 times in the outgoing request then it works and gives a 200.

event: outgoing HTTP response
timestamp: 2021-02-26T00:52:39.833Z
remoteAddress: xxx.xxx.xxx.xxx
deviceId: D84732-IGD-xxxxxxxxxx
connection: 2021-02-26T00:52:39.830Z
statusCode: 401