Cisco Systems OL-27172-01 Mobility Aid User Manual


 
Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Configuring Security for DPE Services
Authentication Options in Cisco BAC
This section provides a summary of possible combinations of client-authentication options available in
Cisco BAC for the CWMP and the HTTP file services. You can configure each instance of these services
separately from the DPE CLI to suit your requirements.
Cisco BAC supports HTTP authentication in the Basic and Digest modes based on a shared password
between the CPE and the DPE. If HTTP-based authentication is used, Cisco recommends use of the
Digest mode.
You can also configure CPE authentication by using certificates unique to each CPE. In this case, HTTP
authentication is not necessary. However, if you configure CPE authentication using generic certificates
that are common to all CPE or a large subset of CPE, it is recommended that you configure the DPE to
require an additional HTTP authentication.
Table 13-3 lists the various options that Cisco BAC supports and the commands you use to configure
authentication from the DPE CLI. For details on each command, see the Cisco Broadband Access Center
3.8 DPE CLI Reference.
Table 13-3 Authentication Options in Cisco BAC

Option                                    Refer to ...
----------------------------------------  ------------------------------------------------------------

Using HTTP

Enable device authentication by using     service {cwmp | http} num client-auth {basic | digest}
HTTP in the Basic or Digest mode

Disable device authentication using       service {cwmp | http} num client-auth none
HTTP

Note: If device authentication using HTTP is disabled, trusted device identity is formed using the
values in the Inform message from the device.

Using SSL

Enable device authentication in HTTP      service {cwmp | http} num client-auth {basic | digest}
Basic or Digest mode over SSL             service {cwmp | http} num ssl client-auth none
connection but without client
certificate authentication

Enable device authentication in HTTP      service {cwmp | http} num client-auth {basic | digest}
Basic or Digest mode over SSL             service {cwmp | http} num ssl client-auth client-cert-unique
connection based on unique client
certificates

Note: When you configure the DPE to require both HTTP-based (Basic or Digest) authentication and
authentication by using unique certificates, the device is authenticated by using both mechanisms.
In this double authentication scenario, the device’s unique identifier is formed by using the CN
field of the client certificate, thus establishing a trusted device ID.

Enable device authentication in HTTP      service {cwmp | http} num client-auth {basic | digest}
Basic or Digest mode over SSL             service {cwmp | http} num ssl client-auth client-cert-generic
connection based on generic client
certificates
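
An added example, not part of the Cisco guide: a Python check that reads client-auth command lines in the syntax of Table 13-3 and flags the combinations this section advises against (Basic instead of Digest, generic certificates without additional HTTP authentication, HTTP authentication disabled without unique certificates). The sample configuration is constructed, the function names are hypothetical, and how the lines are exported from the DPE is left as an assumption.

```python
import re

# The two command forms listed in Table 13-3.
HTTP_RE = re.compile(r"^service (cwmp|http) (\d+) client-auth (basic|digest|none)$")
SSL_RE = re.compile(
    r"^service (cwmp|http) (\d+) ssl client-auth "
    r"(none|client-cert-unique|client-cert-generic)$"
)

def parse(config_text):
    """Collect the last HTTP and SSL client-auth setting per service instance."""
    settings = {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        for kind, pattern in (("http", HTTP_RE), ("ssl", SSL_RE)):
            m = pattern.match(line)
            if m:
                key = (m.group(1), int(m.group(2)))
                settings.setdefault(key, {})[kind] = m.group(3)
    return settings

def audit(config_text):
    """Return {(service, num): [findings]} based on the guidance in this section."""
    report = {}
    for key, s in sorted(parse(config_text).items()):
        http, ssl = s.get("http"), s.get("ssl")
        findings = []
        if http == "basic":
            findings.append("HTTP Basic in use; Digest is the recommended mode")
        if ssl == "client-cert-generic" and http not in ("basic", "digest"):
            findings.append("generic client certificates without additional HTTP authentication")
        if http == "none" and ssl != "client-cert-unique":
            findings.append("HTTP authentication disabled; device identity comes from Inform message values")
        report[key] = findings
    return report

# Constructed sample input, not taken from a real DPE.
SAMPLE = """\
service cwmp 1 client-auth digest
service cwmp 1 ssl client-auth client-cert-unique
service cwmp 2 client-auth none
service cwmp 2 ssl client-auth client-cert-generic
service http 1 client-auth basic
service http 1 ssl client-auth none
"""

if __name__ == "__main__":
    for (service, num), findings in audit(SAMPLE).items():
        print(f"service {service} {num}: {'; '.join(findings) or 'ok'}")
```

Settings that do not appear in the input are treated as unspecified rather than assumed to have any default value.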