Cisco Systems OL-27172-01 Mobility Aid User Manual


 
Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Configuring Security for DPE Services
To configure authentication in the Basic or Digest mode from the DPE CLI, use:
    # service {cwmp | http} num client-auth mode
num—Identifies an instance of the service, which could be 1 or 2.
mode—Identifies the client authentication mode for the service. The client authentication mode could be:
    basic—Enables Basic HTTP authentication.
    digest—Enables Digest HTTP authentication. This is the default configuration.
    none—Disables Basic and Digest authentication.
For detailed information, see the Cisco Broadband Access Center 3.8 DPE CLI Reference.
Changing a Device Password
You can configure the shared secret for the device in Cisco BAC. The shared secret is stored on the
device record by using the IPDeviceKeys.CPE_PASSWORD property. The CPE must prove knowledge of
this password during HTTP-based authentication.
In the Basic mode, the password is transmitted as encoded clear text, while in the Digest mode, the
device is allowed to prove knowledge of the password (shared secret) without transmitting it.
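The difference between the two modes, shown as an added example that is not part of the Cisco guide or of Cisco BAC: Basic follows RFC 7617 and Digest follows RFC 2617 with qop=auth. The device ID, password, realm, nonce and URI in the demo are constructed sample values.

```python
import base64
import hashlib
import hmac


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Basic mode: the credentials are only base64-encoded, not protected."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def read_basic_header(header: str) -> tuple[str, str]:
    """Anyone who sees the header recovers the password with one decode."""
    token = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(user, password, realm, nonce, method, uri, nc, cnonce):
    """Digest mode (RFC 2617, qop=auth): only this hash crosses the wire."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_accepts(stored_password, response, **challenge) -> bool:
    """Server side: recompute from the stored shared secret and compare."""
    expected = digest_response(password=stored_password, **challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from the Cisco guide.
    challenge = dict(user="OUI-SERIAL-0001", realm="example-realm",
                     nonce="5f2c9a1e", method="POST", uri="/acs",
                     nc="00000001", cnonce="a1b2c3d4")
    secret = "s3cret-cpe-password"
    print(read_basic_header(basic_header(challenge["user"], secret)))
    proof = digest_response(password=secret, **challenge)
    print(proof, server_accepts(secret, proof, **challenge))
    print(server_accepts("wrong-password", proof, **challenge))
```

In Basic mode the header alone yields the password, so that mode depends on SSL for confidentiality; in Digest mode the server can only check the response because it holds the same shared secret on the device record.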
You can configure the password:
    On the API, using the property IPDeviceKeys.CPE_PASSWORD.
    On the administrator user interface, using the CPE Password field in the Devices > Add Device or Modify Device pages.
Note: You cannot change the CPE password if the DPE connection to the RDU is not available.
The CPE password is optional if you have enabled client authentication by using SSL with client
certificates.
A distinction should be drawn between changing the password used by Cisco BAC and the password
used by the device. When you configure a password on the device record in Cisco BAC, the outcome
differs depending on the previous value of the password.
If the password was already set on the device record, Cisco BAC changes it and initiates the process of
changing the password on the actual device. However, if the prior password value on the device record
did not exist (or was an empty string), Cisco BAC sets the new password on the device record, but does
not initiate the change of password on the actual device.
Hence, if you wish to change the password from the existing value to another value only in Cisco BAC,
you must first reset the value in Cisco BAC (set it to an empty string) and then set it to a new value.
Figure 13-1 describes the process that Cisco BAC uses to change the password on the actual device. This
process is complicated by the fact that Cisco BAC needs to use the old password to authenticate the
device first, and then set the new password. Only after the password change is acknowledged can Cisco
BAC forget the previous password and remove it from its database.