HTTP/. 401 Unauthorized when using Digest Authentication


After creating the cwmp.auth configuration in the Admin > Config section, I successfully added a CPE into GenieACS using Digest authentication. However, I have a second type of CPE that Genie is not authorizing. I verified that the request “nonce” value and the response “nonce” value are equal too:

The request message for the situation that works is shown below:

event: incoming HTTP request
timestamp: 2020-05-29T12:30:06.104Z
deviceId: FerdinandoDevice
connection: 2020-05-29T12:30:02.576Z
localPort: 7547
method: POST
url: /
  user-agent: WebClient/1.0
  accept: "*/*"
  authorization: Digest username="sip", realm="GenieACS",
    nonce="294667096334b0d5d8cde2444c5866f3", qop=auth, nc=0000000a,
    response="e3bc158696b12ca9ef17153649af92df", uri="/"
  content-type: text/xml; charset=utf-8
  content-length: "10637"
  soapaction: ""
  cookie: session=5ddbebea87953286

And the CPE that is not working:

event: incoming HTTP request
timestamp: 2020-05-29T12:07:35.616Z
deviceId: FerdinandoDevice2
connection: 2020-05-29T12:07:35.412Z
localPort: 7547
method: POST
url: /
  user-agent: BCM_TR69_CPE_04_00
  connection: keep-alive
  authorization: Digest username="sip", realm="GenieACS", algorithm="MD5", qop="auth",
    uri="/", nonce="d96e2f0bac4b17eac665e7aac1ec7d6e", cnonce="MDAwNTk2AA==",
    nc=00000001, response="64861a2e47104e840e06c8bc56182e7c"
  soapaction: ""
  content-type: text/xml
  content-length: "3035"

event: outgoing HTTP response
timestamp: 2020-05-29T17:09:03.947Z
deviceId: FerdinandoDevice2
connection: 2020-05-29T17:09:03.755Z
statusCode: 401
  content-length: 12
  connection: close
body: Unauthorized

Can you tell me why one works and the other one doesn’t (got Unauthorized message)? Keep in mind that the username and password in the CPE are the same ones used in the cwmp.auth config variable (AUTH("user", "pass")).

Look what I found in RFC 7616:

"For historical reasons, a sender MUST only generate the quoted string syntax for the following parameters: username, realm, nonce, uri, response, cnonce, and opaque.
For historical reasons, a sender MUST NOT generate the quoted string syntax for the following parameters: algorithm, qop, and nc.

If a parameter or its value is improper, or required parameters are missing, the proper response is a 4xx error code."

qop and MD5 are quoted in the second situation. Is the CPE sending the request in a bad format? Is this detail considered by Genie?

Ferdinando Terada

Hi, in RFC 2617 I found that a CPE can start a new session with the authorization header included (from the last session).
Currently GenieACS v1.2 returns “401 Unauthorized” and closes the connection, but the RFC document points out that the ACS server should respond with “401 Unauthorized” and include a “WWW-Authenticate: Digest…” header with new parameters.

In the code (of genieacs-cwmp) I made this change:

if (e.httpRequest.headers.authorization) -> if (0 && e.httpRequest.headers.authorization).

async function responseUnauthorized(e) {
                const t = {};
                if (e.httpRequest.headers.authorization)
                        message: "Authentication failure",
                        sessionContext: e

Is it in the correct place?
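
An added example, not GenieACS code and not written by either poster: a server-side Digest check in Node.js that parses both the unquoted `qop=auth` form and the quoted `qop="auth"` / `algorithm="MD5"` form seen in the second request, then recomputes `response` for MD5 with qop=auth. The function names are hypothetical, and the sample header is constructed from the RFC 2617 section 3.5 test vector, not from the logs above.

```javascript
// Added example, not GenieACS code; function names are hypothetical.
const crypto = require("node:crypto");
const md5 = (s) => crypto.createHash("md5").update(s).digest("hex");

// Parse 'Digest k=v, k="v", ...' accepting token or quoted-string values,
// so qop=auth and qop="auth" both yield the value auth.
function parseDigestHeader(header) {
  const m = /^Digest\s+(.*)$/is.exec(header.trim());
  if (!m) return null;
  const params = {};
  const re = /([a-z]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/gi;
  for (const [, key, quoted, token] of m[1].matchAll(re)) {
    params[key.toLowerCase()] =
      quoted !== undefined ? quoted.replace(/\\(.)/g, "$1") : token;
  }
  return params;
}

// Recompute the response for MD5 + qop=auth and compare in constant time.
// A real server must also confirm it issued the nonce and that nc is not
// replayed; that state is outside this example.
function verifyDigest(header, method, password) {
  const p = parseDigestHeader(header);
  if (!p) return false;
  const required = ["username", "realm", "nonce", "uri", "response", "nc", "cnonce"];
  if (required.some((k) => !p[k])) return false;
  if ((p.algorithm || "MD5").toUpperCase() !== "MD5") return false;
  if ((p.qop || "").toLowerCase() !== "auth") return false;
  const ha1 = md5(`${p.username}:${p.realm}:${password}`);
  const ha2 = md5(`${method}:${p.uri}`);
  const expected = md5(`${ha1}:${p.nonce}:${p.nc}:${p.cnonce}:auth:${ha2}`);
  const got = Buffer.from(p.response.toLowerCase());
  const want = Buffer.from(expected);
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Constructed sample: RFC 2617 section 3.5 vector (password "Circle Of Life").
const RFC_PARAMS =
  'username="Mufasa", realm="testrealm@host.com", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", ' +
  'nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"';
const UNQUOTED = `Digest ${RFC_PARAMS}, qop=auth, algorithm=MD5`;
const QUOTED = `Digest ${RFC_PARAMS}, qop="auth", algorithm="MD5"`;

console.log("unquoted:", verifyDigest(UNQUOTED, "GET", "Circle Of Life"));
console.log("quoted:  ", verifyDigest(QUOTED, "GET", "Circle Of Life"));
```

With this parser the quoting of `qop` and `algorithm` does not change the computed hash, so a mismatch in `response` points to the credentials, method, uri, nonce, nc or cnonce used on one side.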