Incorrect connection request credentials (v1.2)

Hi,

I moved some CPEs from version 1.1.3 to 1.2 beta. Everything is fine except contacting the CPE via the UI. On version 1.1.3 I had an auth.js where I set the username/password that's configured on each CPE. Where do I set this in version 1.2? The ACS is not allowed to contact the CPE right now.

Regards,
Sven


Hi, I have the same problem, and I can't find documentation for setting the authentication values against the CPE.

It’s not documented yet, but I hope this helps. Go to admin then config, and add the following config:

cwmp.connectionRequestAuth

For value, use something like this:

AUTH("myusername", "mypassword")

The current values of ConnectionRequestUsername and ConnectionRequestPassword can be referenced too:

AUTH(username, password)

The above expression is actually the default if no config is set. So you can simply create a preset that sets the connection request credentials and it should work.

Other variables that can be used are: id, serialNumber, productClass, oui, remoteAddress, username, password.

You can also call extensions as follows:

AUTH(serialNumber, EXT("extFile", "funcName", "arg1", "arg2"))

Note that AUTH() and EXT() are special functions available only in certain options like cwmp.connectionRequestAuth.

Is it possible to have separate credentials? We have a case where Genie is provisioning new CPEs, but we want to import the old ones that are managed by openACS. The problem is that they have authentication while the ones provisioned by Genie today do not. I figure that if we set these credentials they'll be used on every CPE?

Or can I provide this directly in a script in order to reconfigure the old ones? Maybe I’m just thinking backwards?

You can use OR operator like this:

AUTH("username1", "password1") OR AUTH("username2", "password2")
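Added example, not part of the thread and not GenieACS project code: one way an extension referenced through EXT() could return a different connection request password for every CPE instead of one shared value. Assumptions: the extension contract is an exported function(args, callback), EXT() accepts the serialNumber variable as an argument, and the file name connreq-auth.js, the environment variable CONNREQ_FLEET_SECRET and the HMAC derivation are all hypothetical choices made for this sketch.

```javascript
// Hypothetical extension file "connreq-auth.js" (added example, not GenieACS code).
// Assumed to be referenced from the config expression as:
//   AUTH(serialNumber, EXT("connreq-auth", "connReqPassword", serialNumber))
const crypto = require("crypto");

// Derive a per-device password from a fleet-wide secret and the serial number.
// Constructed scheme: first 128 bits of HMAC-SHA256(secret, "connreq-v1:" + serial).
function derivePassword(secret, serialNumber) {
  if (typeof secret !== "string" || secret.length < 16) {
    throw new Error("fleet secret missing or shorter than 16 characters");
  }
  if (typeof serialNumber !== "string" ||
      serialNumber.length === 0 || serialNumber.length > 64) {
    throw new Error("serial number must be a string of 1 to 64 characters");
  }
  return crypto
    .createHmac("sha256", secret)
    .update("connreq-v1:" + serialNumber)
    .digest("hex")
    .slice(0, 32);
}

// Extension entry point. args[0] is assumed to carry the device serial number.
function connReqPassword(args, callback) {
  let password;
  try {
    // The secret stays outside the ACS config so it is not shown in the UI.
    password = derivePassword(process.env.CONNREQ_FLEET_SECRET, args[0]);
  } catch (err) {
    // Fail closed: report the error rather than hand back an empty password.
    return callback(err);
  }
  callback(null, password);
}

exports.derivePassword = derivePassword;
exports.connReqPassword = connReqPassword;
```

Each CPE must be provisioned with the same derived value in ConnectionRequestPassword, otherwise the connection request will be rejected by the device.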

Can anyone explain why genieacs allows access without authentication?

  1. Settings for genieacs:
    cwmp.connectionRequestAuth = AUTH("sip", "sip")

  2. Settings for SIP phone
    20191125-sip

  3. genieacs-debug.yaml

    event: incoming HTTP request
    timestamp: 2019-11-25T07:46:38.156Z
    remoteAddress: y.y.y.y
    deviceId: 001565-SIP%2DT48G-000a6b05c1ee
    connection: 2019-11-25T07:46:38.156Z
    localPort: 7547
    method: POST
    url: /
    headers:
      host: x.x.x.x:7547
      user-agent: Tadiran T48G ver. 35.83.19.2 00:0a:6b:05:c1:ee avsystem-libcwmp/5.7.6
      content-type: text/xml; charset=utf-8
      soapaction: cwmp:Inform
      content-length: "2800"
    body: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/

I tried to use the wrong username and password in the SIP settings of the phone, but it could still connect to genieacs. What am I doing wrong?

You didn’t say which version of GenieACS you are using… v1.0 and v1.1 do not support CPE -> ACS authentication. Only ACS -> CPE auth. v1.2 supports authentication both ways.

I'm using version 1.2. I first installed it from the repository according to the documentation. Yesterday I installed the latest fixes from the source code on github.com.

  1. HTTP post from CPE

  2. HTTP response from GenieACS 1.2

  3. Current config settings of GenieACS 1.2

A solution has been found - parameter cwmp.auth must be added.

  1. Source code of cwmp.ts
    20191126-cwmp-source

  2. Current config settings of GenieACS 1.2

  3. First HTTP request from CPE

  4. Authorization response from ACS

  5. HTTP post data from CPE to ACS with Digest authorization

Here, in "GenieACS 1.2.0-beta.0 released", @zaidka has already written about this. I read inattentively :frowning:

Replace ‘cwmp.connectionRequestAuth’ with ‘cwmp.auth’. Feel free to start a new thread if you’re having trouble with this.


BTW, while studying the problem, I noticed that the first request from the CPE is not written to the genieacs-debug.yaml file if the request was without authorization.

  1. In file genieacs-debug.yaml we see only the first response from the ACS

  2. The debug information about the request is recorded in the parsedRpc function (cwmp.ts).

  3. But if authorization was not successful, then the parsedRpc is not called (cwmp.ts).
    20191126-cwmp-before-parseRpc