13-18
Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Configuring Security for RDU Services

Cisco BAC supports local authentication as well as TACACS+ authentication. Local authentication is managed locally at the:

- DPE server, for the DPE CLI
- RDU server, for the Administrator user interface and the Cisco BAC APIs

TACACS+ authentication relies on the TACACS+ protocol to support centrally managed user authentication using the TACACS+ server. The TACACS+ username, login password, and enable password are configurable at the TACACS+ server.
Table 13-3 Authentication Options in Cisco BAC (continued)

Option                                                        Refer to ...

Option: Enable device authentication by using HTTP Basic or Digest authentication and client certificate authentication by ACE.
Refer to:
    service {cwmp | http} num client-auth {basic | digest}
    service {cwmp | http} num ssl client-auth client-cert-ext
Note: In this double authentication scenario, the trusted device ID is established based on authentication by ACE and communicated to the DPE using the HTTP headers.

Option: Enable device authentication based on client certificates validated by ACE.
Refer to:
    service {cwmp | http} num ssl client-auth client-cert-ext

Option: Disable device authentication and client certificate authentication.
Refer to:
    service {cwmp | http} num client-auth none
    service {cwmp | http} num ssl client-auth none
Note: If device authentication and client-certificate authentication are disabled, devices are considered to be trusted or pre-authenticated, and the DPE uses data from the CWMP Inform message to establish trusted device identity.

Option: Disable HTTP-based device authentication and enable client authentication through SSL by using the unique certificate provided by each CPE.
Refer to:
    service {cwmp | http} num client-auth none
    service {cwmp | http} num ssl client-auth client-cert-unique

Option: Disable HTTP-based device authentication and enable client authentication through SSL by using a generic certificate.
Refer to:
    service {cwmp | http} num client-auth none
    service {cwmp | http} num ssl client-auth client-cert-generic
Note: If HTTP-based device authentication is disabled and client-certificate authentication is enabled to use generic certificates, devices are considered to be trusted or pre-authenticated, and the DPE uses data from the CWMP Inform message to establish trusted device identity.

Option: Disable HTTP-based device authentication and enable authentication based on client certificates validated by ACE.
Refer to:
    service {cwmp | http} num client-auth none
    service {cwmp | http} num ssl client-auth client-cert-ext
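The security-relevant difference between the rows of Table 13-3 is where the trusted device identity comes from. With client-auth none and ssl client-auth none, or with a generic client certificate, the DPE takes the identity from the device's own CWMP Inform message, so any client that can reach the service (or that holds a copy of the shared generic certificate) can claim any device identity. The following added example is not Cisco BAC code and does not reproduce DPE internals; it is a simplified model of a hypothetical ACS front end that parses a constructed TR-069 Inform, extracts the DeviceId, and applies each option's trust rule, flagging the configurations in which the identity is self-asserted. The rule used for client-cert-unique (the certificate CN must equal the Inform serial number) and the handling of Basic/Digest without ACE are assumptions of this model, not behaviour the table specifies.

```python
"""Model of where a CWMP front end gets its trusted device identity under the
DPE authentication options in Table 13-3.

Added example: not Cisco BAC code; the Inform message is constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "cwmp": "urn:dslforum-org:cwmp-1-0"}

# Constructed TR-069 Inform announcing a DeviceId (OUI 001122, serial SN0001).
SAMPLE_INFORM = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>ExampleCo</Manufacturer>
        <OUI>001122</OUI>
        <ProductClass>GW-1</ProductClass>
        <SerialNumber>SN0001</SerialNumber>
      </DeviceId>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>"""


def device_id_from_inform(xml_text: str) -> str:
    """Return 'OUI-SerialNumber' from the Inform's DeviceId.

    Raises ValueError for anything that is not a complete Inform, so a
    malformed message never yields a partial identity.
    """
    root = ET.fromstring(xml_text)
    inform = root.find("soap:Body/cwmp:Inform", NS)
    if inform is None:
        raise ValueError("not a CWMP Inform")
    dev = inform.find("DeviceId")  # DeviceId children are unqualified in TR-069
    if dev is None:
        raise ValueError("Inform has no DeviceId")
    parts = {}
    for tag in ("OUI", "SerialNumber"):
        el = dev.find(tag)
        if el is None or not (el.text or "").strip():
            raise ValueError(f"DeviceId missing {tag}")
        parts[tag] = el.text.strip()
    return f"{parts['OUI']}-{parts['SerialNumber']}"


@dataclass
class Request:
    inform_xml: str
    http_auth_user: Optional[str] = None     # identity proven by HTTP Basic/Digest
    cert_cn: Optional[str] = None            # CN of a validated TLS client cert
    cert_is_generic: bool = False            # cert shared by many CPEs
    ace_device_header: Optional[str] = None  # device ID set by ACE after it authenticated


@dataclass
class Decision:
    device_id: str
    source: str          # "ace-header", "http-auth", "client-cert" or "inform"
    self_asserted: bool  # True when only the CPE's own claim backs the identity


def establish_identity(client_auth: str, ssl_client_auth: str, req: Request) -> Decision:
    """Apply the trust rule for one (client-auth, ssl client-auth) pair.

    Argument names follow the DPE CLI in Table 13-3. The client-cert-unique
    binding (cert CN == Inform serial) is this model's assumption.
    """
    claimed = device_id_from_inform(req.inform_xml)
    if client_auth in ("basic", "digest") and not req.http_auth_user:
        raise PermissionError("HTTP authentication failed")
    if ssl_client_auth == "client-cert-ext":
        # ACE validated the certificate and passes the identity in HTTP headers.
        if not req.ace_device_header:
            raise PermissionError("no ACE-authenticated identity header")
        return Decision(req.ace_device_header, "ace-header", False)
    if client_auth in ("basic", "digest"):
        return Decision(req.http_auth_user, "http-auth", False)
    if ssl_client_auth == "client-cert-unique":
        if req.cert_cn is None or req.cert_is_generic:
            raise PermissionError("per-CPE client certificate required")
        if req.cert_cn != claimed.split("-", 1)[1]:
            raise PermissionError("certificate does not match Inform serial")
        return Decision(claimed, "client-cert", False)
    if ssl_client_auth == "client-cert-generic" and req.cert_cn is None:
        raise PermissionError("client certificate required")
    # none/none and none/client-cert-generic: the Inform is the only evidence.
    return Decision(claimed, "inform", True)


def spoof_accepted(client_auth: str, ssl_client_auth: str) -> bool:
    """Constructed attack: a client holding only the generic certificate sends
    an Inform claiming SN0001. True if that identity is accepted as trusted."""
    attacker = Request(SAMPLE_INFORM, cert_cn="generic-cpe", cert_is_generic=True)
    try:
        return establish_identity(client_auth, ssl_client_auth, attacker).self_asserted
    except PermissionError:
        return False
```

Running spoof_accepted over the table's option pairs shows the attacker accepted only for none/none and none/client-cert-generic, which are exactly the two rows whose notes say the DPE establishes identity from the Inform message; the ACE and per-CPE certificate rows reject it.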