13-13
Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Configuring Security for DPE Services
dpe# dpe reload
Process dpe has been restarted.
% OK
Note For detailed information, see the Cisco Broadband Access Center 3.8 DPE CLI Reference.
Configuring CPE Authentication
CPE authentication is supported through:
- Shared secret by using HTTP Basic or Digest authentication.
- Client certificates by using SSL. You can use certificate-based client authentication in lieu of or in addition to shared secret HTTP-based authentication.
- External client certificate authentication. In this scenario, the SSL connection is terminated at the hardware load balancer, which also authenticates the client.
The objective of authentication is to establish a trusted device ID, which is used to look up device instructions in the DPE cache. This device ID correlates to the device identifier preprovisioned for the device record in the Cisco BAC RDU database. In the case of shared secret HTTP-based authentication, the username serves to establish the identity of the device and is treated as the device ID.
In the case of authentication using unique client certificates, the device ID is obtained from the CN field of the device certificate. With client certificate authentication by an external entity (such as a Cisco ACE 4710 load balancer), the certificate data, including the CN field, is passed to the DPE in the HTTP headers.
You can also choose the option of having no client authentication if clients are trusted. For example, the clients can already be authenticated for network access based on the subscriber physical line. In this case, you can configure Cisco BAC with no-authentication and it will derive the trusted device ID from the Inform message.
You can configure CPE authentication options from the DPE CLI.
Shared Secret Authentication
Cisco BAC supports HTTP authentication based on a shared password between the CPE and the DPE.
This authentication is available in two modes: Basic and Digest.
Note To limit security risks during client authentication, Cisco recommends using the Digest mode (the default configuration). You should not allow client authentication in the Basic mode.
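The following is an added example, not Cisco BAC or DPE code, that models how a CWMP endpoint derives the trusted device ID under each of the authentication options described above (shared-secret Basic or Digest, client-certificate CN, CN passed by an external load balancer, and no-authentication from the Inform message) and why the note above prefers Digest over Basic. The device-ID/secret table, the realm name, the header name used for the load-balancer-passed CN, and the qop-less RFC 2617 Digest computation are all assumptions made for the example; none of them are values from this guide.

```python
import base64
import hashlib
import hmac
import re

# Constructed shared-secret table keyed by device ID (stands in for the RDU/DPE device record).
SHARED_SECRETS = {"001122-SN0001": "cpe-shared-secret"}
REALM = "cwmp"  # assumed realm name
# Hypothetical header carrying the client-certificate CN when an external load balancer
# terminates SSL; the real header name is not given on this page.
LB_CN_HEADER = "X-Client-Cert-CN"


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, realm=REALM):
    # RFC 2617 Digest "response" without qop: the password never leaves the CPE,
    # only this hash does, which is why Digest is preferred over Basic.
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def _parse_digest(value):
    # Split 'k="v", k2=v2' pairs of a Digest Authorization header into a dict.
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]*)', value)}


def decode_basic(value):
    # Basic auth is only base64: anyone who sees the header recovers username AND password.
    user, _, pwd = base64.b64decode(value).decode().partition(":")
    return user, pwd


def cn_from_subject(subject):
    # Pull the CN attribute out of an RFC 2253-style subject string.
    m = re.search(r'(?:^|,)\s*CN=([^,]+)', subject)
    return m.group(1).strip() if m else None


def resolve_device_id(method, uri, headers, mode, client_cert_subject=None, inform_device_id=None):
    """Return (device_id, source) for the configured mode, or raise PermissionError.

    mode is one of 'basic', 'digest', 'cert', 'external-cert', 'none'."""
    if mode == "none":
        # Trusted network: the ID comes straight from the Inform message (parsed elsewhere).
        if not inform_device_id:
            raise PermissionError("no device ID in Inform")
        return inform_device_id, "Inform message"
    if mode == "cert":
        cn = cn_from_subject(client_cert_subject or "")
        if not cn:
            raise PermissionError("client certificate without CN")
        return cn, "certificate CN"
    if mode == "external-cert":
        cn = headers.get(LB_CN_HEADER)
        if not cn:
            raise PermissionError("missing CN header from load balancer")
        return cn, "load-balancer header"
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if mode == "basic" and scheme == "Basic":
        user, pwd = decode_basic(value)
        if not hmac.compare_digest(SHARED_SECRETS.get(user, ""), pwd):
            raise PermissionError("bad credentials")
        return user, "Basic username"
    if mode == "digest" and scheme == "Digest":
        p = _parse_digest(value)
        user = p.get("username", "")
        secret = SHARED_SECRETS.get(user)
        if secret is None:
            raise PermissionError("unknown device")
        expected = digest_response(user, secret, method, p.get("uri", ""), p.get("nonce", ""), p.get("realm", REALM))
        if not hmac.compare_digest(expected, p.get("response", "")):
            raise PermissionError("bad digest")
        return user, "Digest username"
    # A Basic header arriving while Digest is the configured mode is rejected, not downgraded.
    raise PermissionError(f"scheme {scheme!r} not allowed in mode {mode!r}")


def is_accepted(*args, **kwargs):
    try:
        resolve_device_id(*args, **kwargs)
        return True
    except PermissionError:
        return False


# Constructed sample requests from a CPE with device ID 001122-SN0001.
NONCE = "5f1a2b3c"
BASIC_HEADER = {"Authorization": "Basic " + base64.b64encode(b"001122-SN0001:cpe-shared-secret").decode()}
DIGEST_HEADER = {"Authorization": 'Digest username="001122-SN0001", realm="cwmp", nonce="%s", uri="/cwmp", response="%s"'
                 % (NONCE, digest_response("001122-SN0001", "cpe-shared-secret", "POST", "/cwmp", NONCE))}
TAMPERED_DIGEST = {"Authorization": DIGEST_HEADER["Authorization"].replace('uri="/cwmp"', 'uri="/other"')}

if __name__ == "__main__":
    print(resolve_device_id("POST", "/cwmp", DIGEST_HEADER, "digest"))
    print("Basic header reveals:", decode_basic(BASIC_HEADER["Authorization"].split(" ", 1)[1]))
```

The `decode_basic` call in the usage line makes the note's point concrete: a captured Basic header yields the shared secret directly, whereas a captured Digest header yields only a hash bound to the nonce, method and URI, so the tampered request above fails verification.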