开云体育

Well, did I miss the memo on this??...

I have a project that I've just wasted 4+ hours trouble-shooting so If this helps someone save time, you're welcome...:)

CP4 and a CEN-IO-IR-104
CP4 shows the unit ONLINE on its IP table
CEN unit Shows OFFLINE on its IP Table
CP4 can ping the CEN unit...

Apparently the CEN unit ALSO needs to have the processors Auth Creds to communicate (Because secure communications is critical to controlling a TV via IR...)

There is a console command:
SetCSauth that needs to be set:

setcsauth -n:<username> -p:<password>? (these are the UN/PW of the processor)
viola, it works...

There are so many anomalies to this unit, I don't have time to document. It worked great, but now the AUTH gods are off the charts with crap that is required and unexplained oddities....

HTH...

Chris,

Yup ... it's the same for the majority of devices now that secure gateway mode has taken over as the norm.
It's now my standard practice when setting up a processor for the first time to add a "device" user to the authentications for all of my GWEXERs, etc.

So ... I create my admin user, a device user, a Crestron interface user, and a Crestron Mobile device user.
Device = connects
Crestron interface = user
Crestron Mobile = operator

Prior to the later firmware updates, mobile devices just required the user level.
However, while on with TB a few months back, the support person told me that it now requires the operator level.
So, I decided to just include all of that in my standard "turn off all of the cloud stuff" initial setup.

I don't use the admin UN/PW of the processor just because basic devices don't need admin level (connects is fine).

Every day = new Crestron adventure,
Brian

Ha!? That'll be coming in the next firmware round of fixes ... or breaks ... or whatever surprises come next!

Ive used a handful of the CEN-IO devices recently with 3 and 4 series and I havent had to use the SETCSAUTH command on any of them. And I never have to do it with TSW/TSR panels either as long as my SECUREGATEWAYMODE is set to default.?

?

On Thu, Oct 21, 2021 at 08:16 AM, @johnmax wrote:

And I never have to do it with TSW/TSR panels either as long as my SECUREGATEWAYMODE is set to default.?

**and the TSW/TSR SSL is OFF (which is what's required for a device to connect via CIP 41794 instead of SCIP 41796).

IIRC a CEN-IO-XXX FW recently disabled the ability to turn SSL OFF, so you may be required to utilize SCIP for certain devices in the future.

On my CP4, the SECUREGATEWAYMODE is set to default, but the CEN-IO still needed the SETCSAUTH Creds...

What's interesting also is that the Processor IPT entry for the CEN-IO defaults to port 41794
BUT the CEN-IO entry for the processor defaulted to port 41796. I didn't set it that way (nor can I)...it's as if the the CEN unit 'sees' that the processor has AUTH set up and auto-set this....

In a previous install with a CP3 and only the standard/ootb SSH, crestron, <blank>, the CEN unit is using the 41794 port...

What's so frustrating for me is that just when I think I know what to do and create a routine, things change (SETCSAUTH), but it doesn't seem to be announced (did I miss something??) and best practices defined...leaving me (others??) to hack a way for hours days thinking something is wrong until we finally/accidentally learn something...? ? ?Case in point: this issue took 2 calls to Tech Support (1+ hours on hold each time...) with two techs (45+ minutes of working with them) and we accidentally found this solution - SETCSAUTH
How do we make money, sell more Crestron or satisfy clients with this kind of stuff...

"CP4, the SECUREGATEWAYMODE is set to default, but the CEN-IO still needed the SETCSAUTH Creds"

Because, as mentioned below, need for SETCSAUTH is based on the CEN-IO having SSL ON (independent of processor).
If Device SSL=ON then Device IPT=SCIP (which requires Processor AUTH+SSL ON to allow SCIP connections, and SETCSAUTH on the device).

"it's as if the the CEN unit 'sees' that the processor has AUTH set up and auto-set this"

Nope. Just based on the CEN-IO-XXX having SSL ON (IPT=41796) vs OFF (IPT=41794)

"Processor IPT entry for the CEN-IO defaults to port 41794"

Please refer to the first 2 sentences in the link I previously provided:
?

This all boils back down to whether or not the CEN-IO-XXX device has SSL ON or OFF.
And as I mentioned before, I believe the latest CEN-IO-XXX FW requires SSL ON.
(Meaning you must have Processor AUTH+SSL ON & CEN-IO-XXX must have SETCSAUTH spec'd prior to IPT)

If you can find something you think is missing from OLH 5571 or can be more clearly explained, please let me know.

Thanks Dave, I always appreciate your chiming in with good info - It is very welcome on this forum, for sure!! it does 'Make sense'...

It's really just old guys like me trying to keep up with continuous changes that make it hard to get things done, though tech support should have been able to solve this quicker (not to mention the hold times...)
But, although I do understand why this kind of stuff is torturing us all now, I remember a time when turning a TV on with IR in a client's family room did not warrant a high security communications path...:)

On Thu, Oct 21, 2021 at 03:00 PM, Dave H - Crestron TS wrote:

"it's as if the the CEN unit 'sees' that the processor has AUTH set up and auto-set this"

Nope. Just based on the CEN-IO-XXX having SSL ON (IPT=41796) vs OFF (IPT=41794)

As just a follow up to show that things are more convoluted than we think:
I have a project with a CP3 (v1.8000.4522.24170) with AUTH OFF, and the CEN-IO unit (v1.4830.00009) with AUTH ON (SSL/TLS) and the IPT entry port is 41794, not 41796.

So we have (2) CEN-IO units with the same FW and Auth settings, but their IPT entries show differently. only difference, one proc has AUTH ON and the other doesn't...
For me this kind of stuff is very confusing....

To continue the rant...
Can Crestron please pick one flavor of console commands....:(

Processor:
setcsauthentication

CEN-IO-xx:
setcsauth

On Thu, Oct 21, 2021 at 06:13 PM, ckangis wrote:

CEN-IO unit (v1.4830.00009) with AUTH ON (SSL/TLS) and the IPT entry port is 41794, not 41796.

Don't conflate the AUTH & SSL functions - they must be treated separately and the SSL parameters must be checked independently of AUTH.
For example, with many devices, you can have AUTH ON (requiring credentials for SSH/servicing), but SSL OFF (CIP 41794 used for communication with processor).

Also note that the "Encrypt Connection" toggle in the IP Table section of the WebUI for some newer devices/firmwares toggles SSL (doesn't affect AUTH).?
?

I would advise comparing the current SSL settings of each (see if one is set to OFF), as well as the available options in "SSL ?" on that FW version on each.
(It may be possible to update w/ SSL OFF and have it remain OFF, but IIRC you may not have the ability to disable it on that newest firmware version once it's been enabled.)

Thanks, Dave, that's enlightening. I'll check...
That picture must be of the Processor not the CEN-IO, yes?

FTR, both units came ootb w/ v1.3408 and were upgraded to v1.4803
Just looked at the older CEN-IO install and although Auth and SSL are ON? with a UN/PW, I was able to connect into the unit with a browser without it asking me to log in!!!

The more I'm looking into things the more confusing and inconsistent things appear to be...

You'd be checking the CEN-IO SSL.
If it's on, the CEN-IO IPT should show 41796 and SETCSAUTH must be set.
If it's off, the CEN-IO IPT should show 41794 and doesn't require processor creds.

I don't have access to a v1.3408 unit, but v1.4803 release notes call out "Hardened security" so it's possible WebUI credentials may be one of the items that was addressed. You may also want to use CTRL+F5 in the browser or use an incognito/private browsing window to ensure page caching isn't coming into play.

Well...I refer to my previous comment...:)

Good find. That's seemingly unexpected behavior & possible it got into that state following the FW update.

You may need to remove/readd the IPT entry (REMM/ADDM) for it to reflect correctly as 41796, or toggle SSL OFF & ON again.

Thanks Dave, let me add that to me list...:)

This does not work for CEN-GWEXER. Trying to find a solution