Incorrect connection request credentials (v1.2)

Hi,

I moved some CPEs from version 1.1.3 to 1.2 beta. Everything is fine except contacting the CPE via the UI. On version 1.1.3 I had an auth.js where I set the username/password that's configured on each CPE. Where do I set this in version 1.2? The ACS is not allowed to contact the CPE right now.

Regards,
Sven

2 Likes

Hi, I have the same problem, and I don’t find documentation to be able to set the authentication values against the CPE.

It’s not documented yet, but I hope this helps. Go to admin then config, and add the following config:

cwmp.connectionRequestAuth

For value, use something like this:

AUTH("myusername", "mypassword")

The current values of ConnectionRequestUsername and ConnectionRequestPassword can be referenced too:

AUTH(username, password)

The above expression is actually the default if no config is set. So you can simply create a preset that sets the connection request credentials and it should work.

Other variables that can be used are: id, serialNumber, productClass, oui, remoteAddress, username, password.

You can also call extensions as follows:

AUTH(serialNumber, EXT("extFile", "funcName", "arg1", "arg2"))

Note that AUTH() and EXT() are special functions available only in certain options like cwmp.connectionRequestAuth.

2 Likes
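
As an added illustration (not part of the original post and not GenieACS's own code), here is an extension that an expression such as AUTH(serialNumber, EXT("cr-auth", "crPassword", serialNumber)) could call, so that every CPE gets its own connection request password instead of one shared secret. The file name cr-auth, the function names, the CR_AUTH_MASTER_KEY environment variable and the way the arguments reach the function are assumptions; the (args, callback) signature follows the GenieACS extension convention.

```javascript
// cr-auth.js: hypothetical extension file, added example (not GenieACS code).
const crypto = require("node:crypto");

// Derive a per-device secret from a master key that never leaves the ACS host.
// The label separates secrets for different purposes (for example ACS -> CPE
// versus CPE -> ACS), so one leaked value does not reveal the other.
function deriveSecret(masterKey, serialNumber, label) {
  if (typeof masterKey !== "string" || masterKey.length < 16) {
    throw new Error("master key missing or too short");
  }
  // Only accept serial numbers in the shape we expect; refuse anything else
  // rather than deriving a credential from attacker-influenced input.
  if (typeof serialNumber !== "string" || !/^[\w.-]{1,64}$/.test(serialNumber)) {
    throw new Error("unexpected serial number format");
  }
  return crypto
    .createHmac("sha256", masterKey)
    .update(`${label}\0${serialNumber}`)
    .digest("hex")
    .slice(0, 32); // 128 bits, hex encoded
}

// Extension entry point. Assumption: args[0] is the serial number passed
// from the config expression.
function crPassword(args, callback) {
  try {
    const key = process.env.CR_AUTH_MASTER_KEY; // assumption: set on the ACS host
    callback(null, deriveSecret(key, String(args[0]), "connection-request"));
  } catch (err) {
    callback(err); // fail closed: no credential is returned on error
  }
}

exports.crPassword = crPassword;
```

The same derived value has to be provisioned to the CPE as its ConnectionRequestPassword, for example from a preset, before the ACS can authenticate with it.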

Is it possible to have separate credentials? We have a case where Genie is provisioning new CPEs, but we want to import the old ones that are managed by openACS. The problem is that they have authentication while the ones provisioned by Genie today do not. I figure that if we set these credentials they’ll be used on every CPE?

Or can I provide this directly in a script in order to reconfigure the old ones? Maybe I’m just thinking backwards?

You can use OR operator like this:

AUTH("username1", "password1") OR AUTH("username2", "password2")

Can anyone explain why genieacs allows access without authentication?

  1. Settings for genieacs:
    cwmp.connectionRequestAuth = AUTH("sip", "sip")

  2. Settings for SIP phone

  3. genieacs-debug.yaml

    event: incoming HTTP request
    timestamp: 2019-11-25T07:46:38.156Z
    remoteAddress: y.y.y.y
    deviceId: 001565-SIP%2DT48G-000a6b05c1ee
    connection: 2019-11-25T07:46:38.156Z
    localPort: 7547
    method: POST
    url: /
    headers:
    host: x.x.x.x:7547
    user-agent: Tadiran T48G ver. 35.83.19.2 00:0a:6b:05:c1:ee avsystem-libcwmp/5.7.6
    content-type: text/xml; charset=utf-8
    soapaction: cwmp:Inform
    content-length: "2800"
    body: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/

I tried to use the wrong username and password in the SIP settings of the phone, but it could still connect to genieacs. What am I doing wrong?

You didn’t say which version of GenieACS you are using… v1.0 and v1.1 do not support CPE -> ACS authentication. Only ACS -> CPE auth. v1.2 supports authentication both ways.

I’m using version 1.2. First I installed it from the repository according to the documentation. Yesterday I installed the latest fixes from the source code on github.com.

  1. HTTP post from CPE

  2. HTTP response from GenieACS 1.2

  3. Current config settings of GenieACS 1.2

A solution has been found - parameter cwmp.auth must be added.

  1. Source code of cwmp.ts

  2. Current config settings of GenieACS 1.2

  3. First HTTP request from CPE

  4. Authorization response from ACS

  5. HTTP post data from CPE to ACS with Digest authorization

Here, in “GenieACS 1.2.0-beta.0 released”, @zaidka has already written about this. I read inattentively :(

Replace ‘cwmp.connectionRequestAuth’ with ‘cwmp.auth’. Feel free to start a new thread if you’re having trouble with this.

1 Like

BTW, while studying the problem, I noticed that the first request from the CPE is not written to the genieacs-debug.yaml file if the request was without authorization.

  1. In file genieacs-debug.yaml we see only the first response from the ACS

  2. The debug information about the request is recorded in the parsedRpc function (cwmp.ts).

  3. But if authorization was not successful, then the parsedRpc is not called (cwmp.ts).

Hi everyone,

I’m using Genieacs 1.2 version. Everything works fine for both “cwmp.connectionRequestAuth” and “cwmp.auth” when I set a value like this:

AUTH("myusername", "mypassword")

When I try to use variables like the example below, authentication works well for “cwmp.auth” but does not work for “cwmp.connectionRequestAuth”:

AUTH("myusername", serialNumber)

Did I miss something?

Br,
Abdelhamid

Hello,

I have the same issue as @ahamdaoui and I can’t figure out how to make it work.
Hopefully someone has the answer.

Regards,
Ioan

It worked here too when I added cwmp.auth in the config section. However, the authentication used in this authorization is “Digest” mode. Is there any way to change the GenieACS configuration to work in “Basic” mode?

According to what I found in the GenieACS code:

if (getRequestOrigin(sessionContext.httpRequest).encrypted) {
  resHeaders["WWW-Authenticate"] = `Basic realm="${REALM}"`;
} else {
  const nonce = crypto.randomBytes(16).toString("hex");
  sessionsNonces.set(sessionContext.httpRequest.connection, nonce);
  let d = `Digest realm="${REALM}"`;
  d += ',qop="auth,auth-int"';
  d += `,nonce="${nonce}"`;

  resHeaders["WWW-Authenticate"] = d;
}

It seems like it works dynamically, in other words, when the CPE request is HTTPS, the message is formatted in “Basic” authentication mode, and when it’s not (HTTP), in “Digest” mode. Am I right? (Only when cwmp.auth is defined in Admin > Config):

The code below sets encrypted for HTTPS messages:

if (parsed["proto"] === "https") {
  origin.encrypted = true;
  origin.localPort = 443;
} else if (parsed["proto"] === "http") {
  origin.encrypted = false;
  origin.localPort = 80;
}
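
An added sketch, not GenieACS source, of the behaviour the quoted snippet implies: Basic is offered only on an encrypted origin, Digest otherwise, and the Digest response is checked following RFC 2617 with qop=auth. The REALM value and all function names are assumptions; decodeBasic shows why Basic is tied to HTTPS, since the header carries the password in reversible base64.

```javascript
// Added example; REALM and the function names are placeholders, not GenieACS's.
const crypto = require("node:crypto");
const REALM = "example-realm"; // assumption

const md5 = (s) => crypto.createHash("md5").update(s).digest("hex");

// Mirrors the branch quoted above: Basic on an encrypted origin, else Digest.
function buildChallenge(encrypted) {
  if (encrypted) return { scheme: "Basic", header: `Basic realm="${REALM}"` };
  const nonce = crypto.randomBytes(16).toString("hex");
  return {
    scheme: "Digest",
    nonce,
    header: `Digest realm="${REALM}",qop="auth,auth-int",nonce="${nonce}"`,
  };
}

// RFC 2617 request digest for qop=auth: the password itself is never sent.
function digestResponse({ username, realm, password, method, uri, nonce, nc, cnonce }) {
  const ha1 = md5(`${username}:${realm}:${password}`);
  const ha2 = md5(`${method}:${uri}`);
  return md5(`${ha1}:${nonce}:${nc}:${cnonce}:auth:${ha2}`);
}

// Server side: recompute from the stored password, compare in constant time.
function verifyDigest(params, password, issuedNonce) {
  if (params.nonce !== issuedNonce) return false; // nonce we did not issue
  if (!/^[0-9a-f]{32}$/.test(params.response)) return false;
  const expected = Buffer.from(digestResponse({ ...params, password }), "hex");
  return crypto.timingSafeEqual(expected, Buffer.from(params.response, "hex"));
}

// Basic only base64-encodes "user:password"; anyone who can read the header
// on a plaintext connection can decode it, hence the encrypted-origin check.
function decodeBasic(headerValue) {
  const raw = Buffer.from(headerValue.replace(/^Basic /, ""), "base64").toString();
  const [user, ...rest] = raw.split(":");
  return { user, password: rest.join(":") };
}
```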

You can add this in the config section:

cwmp.connectionRequestAllowBasicAuth

The value should be a boolean (true/false)

1 Like

Hi, is there a setting to force only Basic authentication for CPE to ACS?

If you enable HTTPS it’ll default to Basic auth.

1 Like

Are the username/password variables available only in certain circumstances (e.g. https), or has something changed? In every attempt I made, they always came back empty.

Hi, I am trying to enable Basic auth over HTTP, and have tried adding

cwmp.connectionRequestAllowBasicAuth = true

But the CPE is still sending credentials in digest mode. Is this the correct way to change the behaviour?

Hi all,

In my case, some CPEs of the same type have a preconfigured TR-069 username and password and some have just a blank username and password.

So when I add cwmp.auth with secrets, the ones with blank credentials get auth errors.

Is it possible to cover both scenarios (with and without credentials), or to allow whatever connection username or password they have?