Cisco Broadband Access Center 3.8 Administrator Guide, OL-27172-01 (page 13-16)
Chapter 13: Configuring CWMP Service Security
Configuring Security for DPE Services
Step 5   Click Submit.

The password is now changed on the device record in the RDU; no change of password on the actual device is initiated after this procedure.
Client Certificate Authentication

You can configure the DPE to require a validated device-provided certificate for authentication. These certificates could be:

  • Generic—Enables device certificate authentication through SSL by using a generic certificate common to all CPE or a large subset of CPE.
  • Unique—Enables client certificate authentication through SSL by using the unique certificate that each CPE provides.

If the device certificates are unique, it is not necessary to use HTTP authentication. But if the same certificate is used for all devices (that is, a single device certificate that a service provider uses), you should configure an additional HTTP authentication.
To configure client certificate authentication from the DPE CLI, use:

    # service {cwmp | http} num ssl client-auth mode

  num—Identifies the instance of the service, which could be 1 or 2. By default, client certificate authentication with SSL is:
    • Disabled for service 1.
    • Disabled for service 2.

  mode—Identifies the mode of client certificate authentication. Cisco BAC supports:
    • client-cert-generic—Uses a certificate common to a set of devices.
    • client-cert-unique—Uses a certificate unique to a device.
    • client-cert-ext—Uses a load balancer, such as ACE, to validate the client certificate.
    • none—Disables client certificate authentication.
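As an added illustration (not taken from the guide), the two invocations below follow the syntax above to require a per-device certificate on CWMP service instance 1 while leaving certificate authentication off for HTTP service instance 1; the dpe# prompt is assumed.

```console
dpe# service cwmp 1 ssl client-auth client-cert-unique
dpe# service http 1 ssl client-auth none
```

Because client-cert-unique identifies each CPE by its own certificate, no additional HTTP authentication is needed for that service; had client-cert-generic been chosen instead, HTTP authentication should also be configured, as the text above explains.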
External Client Certificate Authentication

An SSL connection can be terminated outside of the DPE, such as at a load balancer. In this case, the DPE may be configured without SSL service.

If a load balancer such as ACE is used to terminate the SSL connections, the DPE does not receive the unique certificate, making it impossible to identify the device without HTTP authentication (Basic or Digest). To overcome this, the load balancer inserts additional HTTP headers that include the certificate information.
If a single session includes multiple TCP connections, each of the connections will be authenticated (if enabled). The session cookie binds the device to the existing session state.
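The following is an added model, written for this page and not Cisco BAC code, of how the four client-auth modes listed above and the external (load-balancer) case described in this section decide whether a request identifies a device. The request fields, the header names the load balancer is assumed to insert (X-Client-Cert-Subject, X-Client-Cert-Serial), the trusted load-balancer network and the sample requests are all assumptions constructed for the example.

```python
"""Model of DPE client-certificate authentication modes (illustrative, not Cisco BAC code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# The four modes exactly as the DPE CLI reference lists them.
MODES = {"none", "client-cert-generic", "client-cert-unique", "client-cert-ext"}

# Assumption: the load balancer that terminates SSL sits in this network and
# forwards the validated certificate details in these (hypothetical) headers.
TRUSTED_LB_NET = ip_network("10.0.0.0/24")
LB_SUBJECT_HEADER = "X-Client-Cert-Subject"
LB_SERIAL_HEADER = "X-Client-Cert-Serial"


@dataclass
class Request:
    peer_ip: str                          # TCP peer as seen by the DPE
    client_cert: Optional[dict] = None    # certificate presented on the DPE's own SSL session
    http_auth_user: Optional[str] = None  # principal from HTTP Basic/Digest, if any
    headers: dict = field(default_factory=dict)


@dataclass
class Decision:
    accepted: bool
    device_id: Optional[str] = None
    reason: str = ""


def authenticate(mode: str, req: Request, generic_cert_serial: str) -> Decision:
    """Return the device identity the DPE would bind to the session, or a rejection."""
    if mode not in MODES:
        raise ValueError(f"unknown client-auth mode: {mode}")

    if mode == "none":
        # Certificate checking is disabled; identity, if any, comes from HTTP auth.
        return Decision(True, req.http_auth_user, "client certificate authentication disabled")

    if mode == "client-cert-unique":
        if not req.client_cert:
            return Decision(False, None, "no client certificate presented")
        # Each CPE presents its own certificate, so the subject alone identifies the device.
        return Decision(True, req.client_cert["subject"], "unique client certificate")

    if mode == "client-cert-generic":
        if not req.client_cert or req.client_cert["serial"] != generic_cert_serial:
            return Decision(False, None, "expected generic certificate not presented")
        # The certificate is shared by many CPE, so HTTP auth is what tells them apart.
        if not req.http_auth_user:
            return Decision(False, None, "generic certificate requires HTTP authentication")
        return Decision(True, req.http_auth_user, "generic certificate plus HTTP authentication")

    # client-cert-ext: SSL was terminated at the load balancer, which validated the
    # certificate and inserted its details as HTTP headers. Only accept those headers
    # from the load balancer itself (assumption for this model).
    if ip_address(req.peer_ip) not in TRUSTED_LB_NET:
        return Decision(False, None, "certificate headers only trusted from the load balancer")
    subject = req.headers.get(LB_SUBJECT_HEADER)
    if not subject:
        return Decision(False, None, "load balancer did not forward a client certificate")
    return Decision(True, subject, "certificate validated externally by the load balancer")


if __name__ == "__main__":
    # Constructed sample requests, one per situation discussed in the text.
    samples = [
        ("client-cert-unique", Request("192.0.2.10", {"subject": "CN=cpe-0001", "serial": "0A"})),
        ("client-cert-generic", Request("192.0.2.10", {"subject": "CN=generic", "serial": "GEN1"})),
        ("client-cert-generic", Request("192.0.2.10", {"subject": "CN=generic", "serial": "GEN1"},
                                        http_auth_user="cpe-0001")),
        ("client-cert-ext", Request("192.0.2.10", headers={LB_SUBJECT_HEADER: "CN=cpe-0002"})),
        ("client-cert-ext", Request("10.0.0.5", headers={LB_SUBJECT_HEADER: "CN=cpe-0002"})),
    ]
    for mode, req in samples:
        d = authenticate(mode, req, generic_cert_serial="GEN1")
        print(f"{mode:20} accepted={d.accepted!s:5} device={d.device_id!s:12} {d.reason}")
```

The generic-certificate branch is the one that matters operationally: a shared certificate proves only that a request comes from the provider's fleet, so the model refuses it until HTTP authentication supplies the per-device identity, which is what the guide means when it says an additional HTTP authentication should be configured for that case.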