TR-069 ACS for ISPs: Centralized CPE Management & Auto-Provisioning
Truck rolls are the most expensive thing your support team does. TR-069 — also known as CWMP — lets an ACS server reach into every CPE on your network to provision PPPoE, change WiFi SSIDs, push firmware, and pull diagnostics. This guide shows ISPs how to deploy TR-069 with GenieACS and tie it to their billing platform.
What TR-069 Actually Does
TR-069 (CWMP — CPE WAN Management Protocol, defined by the Broadband Forum) is a SOAP-over-HTTPS protocol that lets a server (an ACS — Auto Configuration Server) read and write parameters on a remote CPE. The CPE initiates the connection on a periodic Inform, and the ACS may respond with RPCs:
- GetParameterValues — read WAN IP, signal strength, uptime, connected hosts
- SetParameterValues — change PPPoE creds, WiFi SSID/password, DHCP scope
- Download — push a firmware image or config file
- Reboot / FactoryReset — recover a misbehaving CPE without dispatching a tech
- ConnectionRequest — wake an idle CPE to fetch new config immediately
Why ISPs Care
- Zero-touch onboarding. A new subscriber CPE auto-registers with PPPoE creds the moment it boots.
- Mass WiFi changes. Rotate the default WiFi key for 5,000 routers in one batch.
- Fewer L1 calls. Reset a frozen router remotely instead of a 60 BDT phone call ending in “please power-cycle”.
- Firmware fleet management. Push security updates organized by model.
- Diagnostics-first support. Your tier-1 sees signal strength, throughput, and connected device list before the customer finishes typing.
Reference Architecture
A production TR-069 deployment for a small/mid ISP looks like this:
Subscriber CPE ──HTTPS Inform──► GenieACS-CWMP (port 7547)
                                        │
                                        ▼
                        MongoDB (CPE state, params, presets)
                                        │
Operator dashboard ──► GenieACS-UI ────┘
ISPbills (REST) ─────► GenieACS-NBI (port 7557)
ConnectionRequest ◄── GenieACS-FS (firmware images, port 7567)

GenieACS is open-source, scales to ~50k devices on a 4-core VM, and exposes a clean REST API (NBI) — perfect for billing-platform integration.
Installing GenieACS on Ubuntu
# 1) Install Node.js 18 and MongoDB 7
#    (mongodb-org is not in Ubuntu's default repositories; add MongoDB's apt repository first)
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt install -y nodejs mongodb-org
# 2) Install GenieACS
sudo npm install -g genieacs@1.2
# 3) Create dedicated user + dirs
sudo useradd --system --no-create-home --user-group genieacs
sudo mkdir -p /opt/genieacs/{ext,extensions} /var/log/genieacs
sudo chown -R genieacs:genieacs /opt/genieacs /var/log/genieacs
# 4) systemd units (create one each: cwmp, nbi, fs, ui)
sudo systemctl enable --now genieacs-cwmp genieacs-nbi genieacs-fs genieacs-ui

Open /admin on the UI and create your first admin user. Set the CPE-facing CWMP URL to the publicly reachable HTTPS endpoint (use Caddy or NGINX in front for TLS termination).
First Provisioning Preset
Presets define what the ACS does when a CPE Informs. The example below assigns PPPoE credentials that are stored as tags on the device:
// /admin/presets — provision script
const tags = declare("Tags", {value: 1});
if (!tags.value) return;
if (tags.value['pppoe-user'] && tags.value['pppoe-pass']) {
  declare(
    "InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Username",
    {value: 1},
    {value: tags.value['pppoe-user']}
  );
  declare(
    "InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Password",
    {value: 1},
    {value: tags.value['pppoe-pass']}
  );
}

Bulk WiFi SSID/Password Rotation
# Tag all CPEs of a subscriber group, then push via NBI
curl -X POST "http://genieacs:7557/devices/$DEVICE_ID/tasks?connection_request" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "setParameterValues",
    "parameterValues": [
      ["InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.SSID", "ISPbills-WiFi", "xsd:string"],
      ["InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.KeyPassphrase", "newpass-2026", "xsd:string"]
    ]
  }'

In production, fan this out via your billing platform — never push 5,000 ConnectionRequests in a tight loop. Stagger them.
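One way to stagger that fan-out, as an added example rather than ISPbills or GenieACS code. The function names, batch size and pause are assumptions, and the HTTP call and sleep are injected so the pacing logic runs offline.

```javascript
// Added example: paced fan-out of setParameterValues tasks to the GenieACS NBI.
// Batch size, pause, and the injected `post`/`sleep` functions are assumptions.

// Split device IDs into batches and give each batch a start offset in ms.
function planBatches(deviceIds, batchSize, pauseMs) {
  if (batchSize < 1) throw new RangeError("batchSize must be >= 1");
  const plan = [];
  for (let i = 0; i < deviceIds.length; i += batchSize) {
    plan.push({
      startAtMs: (i / batchSize) * pauseMs,
      ids: deviceIds.slice(i, i + batchSize),
    });
  }
  return plan;
}

// Build the NBI request for one device. Device IDs can contain characters
// that are not safe in a URL path, so they are always percent-encoded.
function buildTask(baseUrl, deviceId, ssid, passphrase) {
  const wlan = "InternetGatewayDevice.LANDevice.1.WLANConfiguration.1";
  return {
    url: `${baseUrl}/devices/${encodeURIComponent(deviceId)}/tasks?connection_request`,
    body: {
      name: "setParameterValues",
      parameterValues: [
        [`${wlan}.SSID`, ssid, "xsd:string"],
        [`${wlan}.KeyPassphrase`, passphrase, "xsd:string"],
      ],
    },
  };
}

// Send batch by batch. Failed devices are collected for a later retry
// instead of aborting the whole run.
async function fanOut(plan, makeTask, post, sleep) {
  const failed = [];
  for (const [n, batch] of plan.entries()) {
    if (n > 0) await sleep(batch.startAtMs - plan[n - 1].startAtMs);
    const results = await Promise.allSettled(batch.ids.map((id) => post(makeTask(id))));
    results.forEach((r, i) => { if (r.status === "rejected") failed.push(batch.ids[i]); });
  }
  return failed;
}
```

In a real run, `post` would wrap an HTTP client call to the NBI and `sleep` a timer; the list returned by `fanOut` is the retry queue.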
Firmware Upgrades, Safely
- Stage your firmware image on the GenieACS FS endpoint and tag canary devices first.
- Schedule the rollout in batches of 50–200 to avoid backhaul saturation.
- Always include a post-upgrade health check (PPP up, WAN IP present) before declaring success.
- Keep a 1-version rollback image hot for 7 days.
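A sketch of the post-upgrade health gate from the list above, as an added example rather than GenieACS or ISPbills code. It reads device documents in the shape the NBI returns (leaf values under `_value`) and, beyond the PPP and WAN IP checks the list names, also confirms the expected firmware version; the function names, sample documents and pass-rate threshold are constructed for illustration.

```javascript
// Added example: decide whether the next firmware batch may proceed, based on
// device documents fetched from the GenieACS NBI after the upgrade.
const PPP = "InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1";

// Walk a dotted parameter path through an NBI device document.
function paramValue(device, path) {
  let node = device;
  for (const key of path.split(".")) {
    if (node === null || typeof node !== "object" || !(key in node)) return undefined;
    node = node[key];
  }
  return node && node._value;
}

// Healthy = expected firmware running, PPP session up, WAN address assigned.
function isHealthy(device, expectedVersion) {
  const version = paramValue(device, "InternetGatewayDevice.DeviceInfo.SoftwareVersion");
  const status = paramValue(device, `${PPP}.ConnectionStatus`);
  const wanIp = paramValue(device, `${PPP}.ExternalIPAddress`);
  return version === expectedVersion && status === "Connected" &&
    typeof wanIp === "string" && wanIp !== "" && wanIp !== "0.0.0.0";
}

// Gate the next batch: halt when too few devices of this batch pass.
function gateBatch(devices, expectedVersion, minPassRate) {
  const unhealthy = devices.filter((d) => !isHealthy(d, expectedVersion)).map((d) => d._id);
  const passRate = devices.length ? 1 - unhealthy.length / devices.length : 0;
  return { proceed: passRate >= minPassRate, passRate, unhealthy };
}

// Constructed sample document builder (IDs, versions and addresses are made up).
function sampleDevice(id, version, status, ip) {
  return { _id: id, InternetGatewayDevice: {
    DeviceInfo: { SoftwareVersion: { _value: version } },
    WANDevice: { 1: { WANConnectionDevice: { 1: { WANPPPConnection: { 1: {
      ConnectionStatus: { _value: status }, ExternalIPAddress: { _value: ip } } } } } } } } };
}
```

The `unhealthy` list is what feeds the rollback step: those are the devices to return to the previous image.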
Security Considerations
TR-069 has had a rough security history (think Mirai-class CPE worms via port 7547 exposed to the internet). Lock it down:
- Run CWMP behind TLS only — terminate with NGINX/Caddy and reject plain HTTP.
- Require CPE-side digest authentication with per-device passwords.
- Allow only your access network ranges to reach port 7547. Blackhole the rest.
- For ConnectionRequest, use a per-CPE random username/password (default admin/admin is a recipe for compromise).
- Patch GenieACS regularly — the project is small but actively maintained.
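To make the per-CPE ConnectionRequest credential point concrete, here is an added example (not GenieACS or ISPbills code) that generates random credentials, builds the NBI task that writes them, and audits the operator's own credential inventory for defaults and reuse. The function names, the `cr-` username prefix, the inventory shape and the sample entries are assumptions.

```javascript
// Added example: per-CPE ConnectionRequest credentials plus an inventory audit.
const crypto = require("crypto");

const MGMT = "InternetGatewayDevice.ManagementServer";

// 24 random bytes encode to 32 URL-safe characters; every device gets its own.
function newCredentials() {
  return {
    username: "cr-" + crypto.randomBytes(6).toString("hex"),
    password: crypto.randomBytes(24).toString("base64url"),
  };
}

// NBI task body that writes the credentials to the CPE.
function credentialTask(creds) {
  return {
    name: "setParameterValues",
    parameterValues: [
      [`${MGMT}.ConnectionRequestUsername`, creds.username, "xsd:string"],
      [`${MGMT}.ConnectionRequestPassword`, creds.password, "xsd:string"],
    ],
  };
}

// Audit the operator's credential inventory (deviceId -> {username, password}):
// flag common defaults, short passwords and passwords reused across devices.
function auditInventory(inventory, minLength = 16) {
  const defaults = new Set(["admin", "password", "1234", ""]);
  const seen = new Map(); // password -> first deviceId that uses it
  const findings = [];
  for (const [deviceId, { username, password }] of Object.entries(inventory)) {
    if (defaults.has(password) || password === username) {
      findings.push({ deviceId, issue: "default" });
    } else if (password.length < minLength) {
      findings.push({ deviceId, issue: "short" });
    }
    if (seen.has(password)) findings.push({ deviceId, issue: `reused:${seen.get(password)}` });
    else seen.set(password, deviceId);
  }
  return findings;
}
```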
TR-069 vs the Alternatives
| Method | Pros | Cons |
|---|---|---|
| TR-069 (CWMP) | Standard, multi-vendor, zero-touch | Setup complexity, security hardening |
| TR-369 (USP) | Modern, multi-controller, better security | Spotty CPE support outside top-tier vendors |
| OMCI (GPON only) | Native to fiber ONUs | No reach beyond the ONU |
| Vendor cloud (TP-Link, Mercusys) | Easy | Lock-in, no API, customer trust issues |
How ISPbills Works with TR-069
- Tag-based provisioning — when a subscriber is created in ISPbills, the platform pushes the PPPoE credentials as tags to GenieACS via the NBI.
- CPE inventory sync — serial-mapped CPEs appear in the subscriber profile alongside their ONU.
- Suspension automation — when an invoice goes overdue, the operator can choose between PPPoE disconnect, walled-garden, or a full CPE config push.
- Live diagnostics in the support widget — your tier-1 sees WAN IP, signal, uptime, and last reboot pulled from the ACS in real time.
Cut Truck Rolls in Half
Provision, configure, and troubleshoot every subscriber CPE from one screen — free for up to 99 subscribers.