Incorrect connection request credentials (v1.2)

Or can I provide this directly in a script in order to reconfigure the old ones? Maybe I’m just thinking backwards?

You can use OR operator like this:

AUTH("username1", "password1") OR AUTH("username2", "password2")

Can anyone explain why genieacs allows access without authentication?

  1. Settings for genieacs:
    cwmp.connectionRequestAuth = AUTH("sip", "sip")

  2. Settings for SIP phone
    20191125-sip

  3. genieacs-debug.yaml

    event: incoming HTTP request
    timestamp: 2019-11-25T07:46:38.156Z
    remoteAddress: y.y.y.y
    deviceId: 001565-SIP%2DT48G-000a6b05c1ee
    connection: 2019-11-25T07:46:38.156Z
    localPort: 7547
    method: POST
    url: /
    headers:
      host: x.x.x.x:7547
      user-agent: Tadiran T48G ver. 35.83.19.2 00:0a:6b:05:c1:ee avsystem-libcwmp/5.7.6
      content-type: text/xml; charset=utf-8
      soapaction: cwmp:Inform
      content-length: "2800"
    body: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/

I tried to use the wrong username and password in the SIP settings of the phone, but it could still connect to genieacs. What am I doing wrong?

You didn’t say which version of GenieACS you are using… v1.0 and v1.1 do not support CPE -> ACS authentication. Only ACS -> CPE auth. v1.2 supports authentication both ways.

I’m using version v1.2. I first installed it from the repository according to the documentation. Yesterday I installed the latest fixes from the source code on github.com.

  1. HTTP post from CPE

  2. HTTP response from GenieACS 1.2

  3. Current config settings of GenieACS 1.2

A solution has been found - parameter cwmp.auth must be added.

  1. Source code of cwmp.ts
    20191126-cwmp-source

  2. Current config settings of GenieACS 1.2

  3. First HTTP request from CPE

  4. Authorization response from ACS

  5. HTTP post data from CPE to ACS with Digest authorization

Here (GenieACS 1.2.0-beta.0 released) @zaidka has already written about this. I read inattentively :frowning:

Replace ‘cwmp.connectionRequestAuth’ with ‘cwmp.auth’. Feel free to start a new thread if you’re having trouble with this.

BTW, while studying the problem, I noticed that the first request from the CPE is not written to the genieacs-debug.yaml file if the request was without authorization.

  1. In file genieacs-debug.yaml we see only the first response from the ACS

  2. The debug information about the request is recorded in the parsedRpc function (cwmp.ts).

  3. But if authorization was not successful, then the parsedRpc is not called (cwmp.ts).
    20191126-cwmp-before-parseRpc

Hi everyone,

I’m using Genieacs 1.2 version. Everything works fine for both “cwmp.connectionRequestAuth” and “cwmp.auth” when I set a value like this:

AUTH("myusername", "mypassword")

When I try to use variables like the example below, authentication works well for “cwmp.auth” but does not work for “cwmp.connectionRequestAuth”:

AUTH("myusername", serialNumber)

Did I miss something?

Br,
Abdelhamid

Hello,

I have the same issue as @ahamdaoui and I can’t figure out how to make it work.
Hopefully someone has the answer.

Regards,
Ioan

It worked here too when I added cwmp.auth in the config section. However, the authentication used in this authorization is “Digest” mode. Is there any way to change the GenieACS configuration to work in “Basic” mode?

According to what I found in the GenieACS code:

if (getRequestOrigin(sessionContext.httpRequest).encrypted) {
      resHeaders["WWW-Authenticate"] = `Basic realm="${REALM}"`;
} else {
      const nonce = crypto.randomBytes(16).toString("hex");
      sessionsNonces.set(sessionContext.httpRequest.connection, nonce);
      let d = `Digest realm="${REALM}"`;
      d += ',qop="auth,auth-int"';
      d += `,nonce="${nonce}"`;

      resHeaders["WWW-Authenticate"] = d;
}

It seems like it works dynamically, in other words, when the CPE request is HTTPS, the message is formatted in “Basic” authentication mode, and when it’s not (HTTP), in “Digest” mode. Am I right? (Only when cwmp.auth is defined in Admin > Config):

The code below sets encrypted for HTTPS messages:

if (parsed["proto"] === "https") {
      origin.encrypted = true;
      origin.localPort = 443;
} else if (parsed["proto"] === "http") {
      origin.encrypted = false;
      origin.localPort = 80;
}
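
The challenge selection quoted above, together with the server-side check of the Digest reply it leads to, as an added example (not GenieACS code and not part of any post). `buildChallenge`, `parseDigest`, `verifyDigest` and the `REALM` value are assumptions; the sample credentials and header are the worked example from RFC 2617.

```javascript
// Added example, not GenieACS source. Names and sample values are assumptions.
const crypto = require("crypto");

const REALM = "testrealm@host.com"; // constructed: realm of the RFC 2617 sample
const md5 = (s) => crypto.createHash("md5").update(s).digest("hex");

// Same branch as the quoted code: Basic only on an encrypted origin, else Digest.
function buildChallenge(encrypted, nonce = crypto.randomBytes(16).toString("hex")) {
  if (encrypted) return `Basic realm="${REALM}"`;
  return `Digest realm="${REALM}",qop="auth,auth-int",nonce="${nonce}"`;
}

// Parse `Digest k="v", k2=v2` into an object; null for any other scheme.
function parseDigest(header) {
  const m = /^Digest\s+(.*)$/i.exec(header || "");
  if (!m) return null;
  const out = {};
  for (const [, k, quoted, bare] of m[1].matchAll(/(\w+)=(?:"([^"]*)"|([^,\s]*))/g)) {
    out[k] = quoted !== undefined ? quoted : bare;
  }
  return out;
}

// Verify a qop=auth reply (RFC 2617, 3.2.2.1) against the expected password
// and the nonce this server issued for the connection.
function verifyDigest(header, method, password, issuedNonce) {
  const p = parseDigest(header);
  if (!p || p.qop !== "auth" || p.realm !== REALM || p.nonce !== issuedNonce) return false;
  const ha1 = md5(`${p.username}:${REALM}:${password}`);
  const ha2 = md5(`${method}:${p.uri}`);
  const expected = md5(`${ha1}:${p.nonce}:${p.nc}:${p.cnonce}:${p.qop}:${ha2}`);
  const a = Buffer.from(expected);
  const b = Buffer.from(String(p.response));
  return a.length === b.length && crypto.timingSafeEqual(a, b); // constant-time compare
}

// Constructed sample: the Authorization header from the RFC 2617 worked example.
const SAMPLE_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
const SAMPLE_HEADER =
  'Digest username="Mufasa", realm="testrealm@host.com", ' +
  `nonce="${SAMPLE_NONCE}", uri="/dir/index.html", qop=auth, nc=00000001, ` +
  'cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"';
```

For a CWMP Inform the method passed in would be POST and the uri the ACS path. Basic sends the password itself (base64-encoded), which is why the branch offers it only when the origin is encrypted.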

You can add this in the config section:

cwmp.connectionRequestAllowBasicAuth

The value should be a boolean (true/false)

Hi, is there a setting to force only Basic authentication for CPE to ACS ?

If you enable HTTPS it’ll default to Basic auth.

The username/password variables are available only in certain circumstances (e.g. https) or something is changed? In every attempt I made, they always returned to me empty.

Hi, I am trying to enable Basic auth over HTTP, and have tried adding

cwmp.connectionRequestAllowBasicAuth = true

But the CPE is still sending credentials in digest mode. Is this the correct way to change the behaviour?

Hi all,

In my case, CPEs of the same type have a preconfigured tr069 username and password, and some have just a blank user and pass.

So when I add cwmp.auth with secrets, the ones with blank have auth errors.

Is it possible to add for both scenarios (with and without credentials), or to allow whatever the connection username or password is?

I found a solution by setting the connection user and pass to blank; everything is OK now.

How?

It didn’t work for me.
How to debug in v1.2.6+20210916212615?
Can anybody help me?
Thanks!

Yes, works on 1.2.8 for ONT Huawei HG8245W5.