Hello,
After changing the provisioning MTA flow from Hybrid Flow to Basic Flow, my Arris and Ubee MTAs are not working. On the other hand, Sagemcom is working properly. I can see on the Arris device that SubOption 7, Authorization method (MTA should get TGT), is set to FALSE. Is that okay?
What could be the cause? Is any OID in the configuration file expected, or does one need to be removed?
BR,
AP
Basic 1 or Basic 2?
What DHCP options are you sending?
For Arris at least, and Basic.1, you need
DHCP options:
domain-name
host-name
provision-server
krb-realm-name
dns-server
and the reverse DNS for host-name.domain-name needs to resolve to the IP assigned to the MTA, which can be done with dynamic DNS updates from dhcpd.
# dhcpd.conf
# Turn on DDNS updates
ddns-update-style interim;
# Set up a key
key dhcpupdate {
    algorithm HMAC-MD5;
    secret "your key here";
}
# Set up a zone to update and the key used to update it. A DNS server that accepts the updates is also needed, but that is out of scope for this post.
zone mta.domains.net. {
    primary ns1.domains.net;
    key dhcpupdate;
}
# Map option 122 values for booting packetcable Devices
option space docsis-mta;
option docsis-mta.dhcp-server-1 code 1 = ip-address;
option docsis-mta.dhcp-server-2 code 2 = ip-address;
option docsis-mta.provision-server code 3 = { integer 8, string };
option docsis-mta.as-req-as-rep-1 code 4 = { integer 32, integer 32, integer 32 };
option docsis-mta.as-req-as-rep-2 code 5 = { integer 32, integer 32, integer 32 };
option docsis-mta.krb-realm-name code 6 = string;
option docsis-mta.tgs-util code 7 = integer 8;
option docsis-mta.timer code 8 = integer 8;
option docsis-mta.ticket-ctrl-mask code 9 = integer 16;
option docsis-mta-pkt code 122 = encapsulate docsis-mta;
# Set the domain name
option domain-name "domains.net";
# Sets hostname to mta + MAC address
option host-name = concat ("mta",suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 1, 1))),2), "", suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 2, 1))),2), "", suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 3, 1))),2), "", suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 4, 1))),2), "", suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 5, 1))),2), "", suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 6, 1))),2));
# Needs to be provided but does not need to resolve; you can use google.com if you want. It must be null terminated (i.e. \000), and each part of the domain needs its length before the value, e.g. \003 then mta.
option docsis-mta.provision-server 0 "\003mta\007domains\003net\000";
option docsis-mta.krb-realm-name "\005BASIC\0011\000";
# DNS servers to do the reverse DNS lookup
option domain-name-servers 192.168.173.14;
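Added example (not part of the thread and not code from any poster): a small Python helper that builds and validates the length-prefixed, `\000`-terminated strings used for `provision-server` and `krb-realm-name` in the config above. The function names `encode_name` and `decode_name` are hypothetical; the sample names are the ones in the post.

```python
import re

LABEL_RE = re.compile(r"[A-Za-z0-9-]{1,63}")

def encode_name(name: str) -> str:
    """Return the dhcpd.conf string body for a dotted name (length-prefixed labels + \\000)."""
    parts, wire_len = [], 1  # 1 byte for the terminating zero
    for label in name.rstrip(".").split("."):
        if not LABEL_RE.fullmatch(label):
            raise ValueError(f"invalid label {label!r}")
        # Always emit three octal digits so "\001" followed by "1" stays unambiguous.
        parts.append("\\%03o%s" % (len(label), label))
        wire_len += 1 + len(label)
    if wire_len > 255:
        raise ValueError("encoded name longer than 255 bytes")
    return "".join(parts) + "\\000"

def decode_name(value: str) -> str:
    """Parse a dhcpd.conf string body back to a dotted name, rejecting malformed input."""
    wire = re.sub(rb"\\([0-7]{1,3})",
                  lambda m: bytes([int(m.group(1), 8)]), value.encode("ascii"))
    labels, i = [], 0
    while True:
        if i >= len(wire):
            raise ValueError("missing \\000 terminator")
        n = wire[i]
        i += 1
        if n == 0:
            break
        if n > 63 or i + n > len(wire):
            raise ValueError(f"label length {n} runs past end of value")
        labels.append(wire[i:i + n].decode("ascii"))
        i += n
    if i != len(wire):
        raise ValueError("trailing bytes after terminator")
    return ".".join(labels)

if __name__ == "__main__":
    # Names taken from the config in the post above; the "0" after
    # provision-server is that option's separate integer 8 field.
    for option, name in (("provision-server 0", "mta.domains.net"),
                         ("krb-realm-name", "BASIC.1")):
        body = encode_name(name)
        assert decode_name(body) == name
        print(f'option docsis-mta.{option} "{body}";')
```

Running `decode_name` over the strings already in a config catches a missing terminator or a wrong length byte before the MTA does.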
Ages ago I wrote up some Arris MTA provisioning notes
https://www.docsis.org/comment/3063#comment-3063
Might be worth a look?
And watch out, BASIC.1 is insecure. A hacker could potentially grab all the MTA config files, extract the username/passwords and go to town on your voice server....
My SW, HW and FW info. are below:
SOFTWARE VERSION
Firmware Name TS0901103ASA19_110818_1692.GW
Software Filename TS0901103ASA19_110818_NA.1692.GW.ATOM.img
Provisioning Method PacketCable Basic1
Hardware Information
System: ARRIS DOCSIS 3.0 / PC 1.5 Touchstone Residential Gateway
HW_REV: 2
VENDOR: ARRIS Group, Inc.
BOOTR: 2.2.0.45
SW_REV: 9.1.103ASA19
MODEL: TG2482AL
Serial Number: 8BR2D566D201067
Options:
Firmware Build and Revisions
Firmware Name: TS0901103ASA19_110818_1692.GW
Firmware Build Time: Thu Nov 8 15:24:37 EST 2018
eSAFE 0 FW Revision: TS0901103ASA19_110818_ARRIS_GW
Does it need the pktcMtaDevConfigHash OID?
PacketCable(MTA) Events
4/18/2022 16:31 65521 ConfigFile - BadAuthentication
4/18/2022 16:31 25 MTA PROV: Failed
MTA PACKETCABLE OPTIONS:
SubOption Type 122
SubOption 3 Service Provider's SNMP Entity xxx.xx.xxx.xx
SubOption 4 AS-REQ/REP Backoff/Retry -----
SubOption 5 AP-REQ/REP Backoff/Retry -----
SubOption 6 Kerberos Realm Name
SubOption 7 Authorization method (MTA should get TGT) FALSE
SubOption 8 Provisioning timer (minutes) 0
SubOption 9 Security Ticket Invalidation 0