We’re developing measuring devices for customers with different authentication methods.
It should be possible to connect with HTTP Basic or client certs. GenieACS does not have to check the client cert.
Is it possible? The central parameter cwmp.auth in admin/config is active for all CPEs, isn’t it?
There’s currently no built-in support for client certificates. But you can put it behind a proxy and have the proxy take care of that.
The ACS does not have to handle the client cert. But is it possible that the ACS handles clients
with HTTP Basic auth and clients without auth at the same time?
You can think of a client using no HTTP auth as a client using default known credentials for HTTP basic auth.
HTTP authenticated client uses HTTP basic credentials: “unique_username” / “secret_password”
TLS cert authenticated client uses HTTP basic credentials: “authenticatedtlsclient” / “none”
Let us forget the authentication with client cert.
The first client, an HTTP authenticated client, uses HTTP basic credentials: “unique_username” / “secret_password”
The second client doesn’t use an authentication method.
Is this possible?
Just as a reminder: our GenieACS is not a production system. We develop measuring devices
for different customers/providers which use TR-069 for provisioning their clients.
That’s not trivial. How could GenieACS be capable of detecting whether a client, from any source network address, requesting the same resource (the CWMP API) at the same URL, needs to be challenged for HTTP basic auth or not? I think this could be easier if you put the single GenieACS instance behind some kind of authentication proxy, doing TLS auth or HTTP auth on distinct ACS URLs.
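
The proxy layout suggested in the replies, sketched as an nginx configuration. This is an added example, not part of the original thread and not GenieACS's own configuration. Assumptions: the hostname, file paths and the two URL prefixes are placeholders, genieacs-cwmp is bound to 127.0.0.1:7547, and `cwmp.auth` is set up (not shown) to accept both per-device credentials and the shared “authenticatedtlsclient” / “none” pair.

```nginx
# Constructed example: hostname, paths and URL prefixes are placeholders.
# Assumes genieacs-cwmp listens only on 127.0.0.1:7547, so CPEs cannot
# reach it without going through this proxy.
server {
    listen 443 ssl;
    server_name acs.example.test;

    ssl_certificate        /etc/nginx/tls/acs.crt;
    ssl_certificate_key    /etc/nginx/tls/acs.key;

    # CA that issued the CPE client certificates. "optional" lets the TLS
    # handshake succeed without a certificate; each location then decides
    # whether a verified certificate is required.
    ssl_client_certificate /etc/nginx/tls/cpe-ca.crt;
    ssl_verify_client      optional;

    # ACS URL 1: CPEs that authenticate with their own HTTP Basic credentials.
    location /cwmp-basic/ {
        # Refuse the shared pair on this URL; otherwise any CPE could skip
        # the certificate check by sending "authenticatedtlsclient"/"none".
        # (Case-insensitive match, so it may also reject case variants.)
        if ($http_authorization ~* "^basic\s+YXV0aGVudGljYXRlZHRsc2NsaWVudDpub25l$") {
            return 403;
        }
        # The CPE's Authorization header is forwarded unchanged.
        proxy_pass http://127.0.0.1:7547/;
    }

    # ACS URL 2: CPEs that authenticate with a TLS client certificate.
    location /cwmp-cert/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Overwrite anything the client sent with the shared pair:
        # base64("authenticatedtlsclient:none").
        proxy_set_header Authorization "Basic YXV0aGVudGljYXRlZHRsc2NsaWVudDpub25l";
        proxy_pass http://127.0.0.1:7547/;
    }
}
```

Each CPE is provisioned with the ACS URL that matches its authentication method, so GenieACS itself only ever sees HTTP Basic credentials.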