CPE to ACS authentication

I’m trying genieacs v1.2.9 and I’m able to add CPEs to GenieACS but, as soon as I try to enable HTTP digest authentication, I get 401 authentication failure.

In GenieACS config I’m configuring fixed credentials with something like,

cwmp.auth = AUTH('test', 'test')

and on CPE I configure ACS user and ACS password to those values.

If I capture the session with tcpdump I can see the first request from the CPE, the challenge from the ACS and the second request from the CPE with the supposed credentials; I can see the correct user is being sent in the request and the password is supposedly correct too.

How could I debug this?

Without authentication rogue devices are added to ACS server from time to time.

In your CPE there should be two sets of credentials. One for ACS → CPE authentication and CPE → ACS authentication. cwmp.auth is for ACS → CPE authentication. If you are running the default provision scripts that come with GenieACS, then you have just broken the authentication. The default GenieACS provision scripts set a per-device username/password for ACS → CPE authentication.

To fix this, delete cwmp.auth. If you’d like to set up CPE → ACS auth (which you should), then set cwmp.auth to AUTH(username, password) OR AUTH("test", "test"). This will cause GenieACS to use the Username and Password params from InternetGatewayDevice.ManagementServer or Device.ManagementServer (depending on which device model version is supported by your CPE), and to fall back to the hard coded values.

In Admin → Config I have removed cwmp.auth.

Then I have configured it back as,

AUTH(username, password) OR AUTH("test", "test")

After that I try to add a CPE to GenieACS by configuring on the CPE configuration interface the ACS URL, ACS user and ACS password. The request reaches GenieACS but the device is not added to GenieACS and in the logs I can see Authentication failure.

In your CPE, remove the username/password credentials and disable “connection request authentication.” Then save the settings and see what happens.

I’m still stuck with 401 Authentication Failure on logs. Keep trying to understand. Thanks.

Try formatting this better, like: AUTH("username", "password") OR AUTH("test", "test")
It may be because you’re copying and pasting from the forum too, so check the inverted commas " " by retyping them. You don’t have them on the first pair at all, so put them there.

What I was interpreting is that the first pair are variables and that is why there are no quotes. The second pair is fixed string values and that’s why they are quoted.

If I try to use inverted single quote genieacs complains about wrong syntax.

And for the fixed pairs, no matter if I use single or double quotes when editing, GenieACS converts them to double quotes.

Still stuck. If it is a syntax error I can’t understand which is the correct syntax.

Your understanding is correct. Ignore the above commenter. When I put the auth line in my original comment I did so by escaping it in a code block which forces the forum software to not switch up the quotes, etc.

Here is what I would do. Disable all authentication in the CPE. Then see what happens.

I’ve never read anywhere that states the first pair are variables. Care to explain your statement? This has been working for me for a few years now: CPE authentication with 1.2.3 - #2 by webtron

The length of time you’ve been doing something has no relation to the validity of what you are doing.

It works because you’ve hard coded all possible credential combinations into cwmp.auth. This is highly inefficient. It requires GenieACS to cycle through n authentication attempts, instead of 1.

If you use the default GenieACS inform (see line 58 of lib/init.ts), it sets a per-device connection request username/password. And by setting cwmp.auth to AUTH(username, password), GenieACS will handle sorting out the credentials for the CPE. If cwmp.auth is not set, GenieACS defaults to AUTH(username, password) under the covers.

Thanks for the detailed reply. Does that mean that with AUTH(username, password) in cwmp.auth, devices that don’t have a user/pass set in the CPE can connect? I hard coded them because I was concerned that someone could just flood my server with new dummy devices.

There are two different types of authentication.

One is for ACS → CPE, the other is CPE → ACS.

ACS → CPE authentication prevents malicious actors from causing the CPE to inform to the ACS, thereby preventing a DDoS.

CPE → ACS authentication prevents any random CPE from connecting to your ACS.

And I misspoke above. cwmp.auth is for CPE → ACS authentication. So what you have is fine because GenieACS will try each username/password combination server side.

cwmp.connectionRequestAuth is for ACS → CPE authentication.

Thanks for clarifying that.

I have tried another CPE of a different brand and it worked. But it is provisioned with a username for ACS to CPE authentication which contains the % character. It is accepted by the CPE on this autoconfiguration, but if I try to edit that value, just for testing, the WebUI of the CPE complains about a not allowed character.

For the CPE that does not work with authentication I was able to connect it to GenieACS when I have no cwmp.auth configured. Then it is provisioned too with a username that contains %.

Could that unallowed character be related to the authentication problems?

It’s possible your CPE vendor has weird restrictions on allowed characters and that’s playing an issue with auth.

Try this: edit the inform script and replace this line

// Device ID as username
const username = declare("DeviceID.ID", {value: 1}).value[0];

to this

// Device ID as username, with any '%' replaced by '_' (some CPE web UIs reject '%')
const username = declare("DeviceID.ID", {value: 1}).value[0].replaceAll('%', '_');

This will replace the % in the device id with an _.

This code worked perfectly and changes the character.

Sadly it does not solve the problem of the CPEs that don’t work. Is there a way I can debug why, on those CPEs from a specific brand, authentication is not working?

What I have seen in the pcap capture is that there is a CPE to ACS communication, then the ACS replies asking for authentication, then the CPE replies with the authentication attempt, where I can see the username is the one I have configured fixed on the ACS, “test”, and it uses MD5 digest. And in the logs I see the corresponding authentication failure message.


You can enable debug for a specific CPE. Go to Admin → Config. Then click “new config”. For key enter cwmp.debug and value DeviceID.ID = "<YOUR_DEVICE_ID>"

The debug log will be wherever you have specified in the genieacs.env file. Here is my entry for example purposes only: