9-9
Cisco ONS 15454 Reference Manual, R7.0.1
OL-9217-01
Chapter 9 Security
9.4 9.4.2 Shared Secrets
client and server are authenticated through the use of a shared secret, which is never sent over the
network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This
eliminates the possibility that someone monitoring an unsecured network could determine a user's
password. Refer to the Cisco ONS 15454 Procedure Guide for detailed instructions for implementing
RADIUS authentication.
9.4.2 Shared Secrets
A shared secret is a text string that serves as a password between:
• A RADIUS client and RADIUS server
• A RADIUS client and a RADIUS proxy
• A RADIUS proxy and a RADIUS server
For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared
secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared
secret used between the RADIUS proxy and the RADIUS server.
Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request
message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared
secrets also verify that the RADIUS message has not been modified in transit (message integrity). The
shared secret is also used to encrypt some RADIUS attributes, such as User-Password and
Tunnel-Password.
When creating and using a shared secret:
• Use the same case-sensitive shared secret on both RADIUS devices.
• Use a different shared secret for each RADIUS server-RADIUS client pair.
• To ensure a random shared secret, generate a random sequence at least 22 characters long.
• You can use any standard alphanumeric and special characters.
• You can use a shared secret of up to 128 characters in length. To protect your server and your
RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).
• Make the shared secret a random sequence of letters, numbers, and punctuation and change it often
to protect your server and your RADIUS clients from dictionary attacks. Shared secrets should
contain characters from each of the three groups listed in Table 9-5.
The stronger your shared secret, the more secure are the attributes (for example, those used for
passwords and encryption keys) that are encrypted with it. An example of a strong shared secret is
8d#>9fq4bV)H7%a3-zE13
sW$hIa32M#m<PqAa72(.
Table 9-5 Shared Secret Character Groups
Group Examples
Letters (uppercase and lowercase) A, B, C, D and a, b, c, d
Numerals 0, 1, 2, 3
Symbols (all characters not defined as letters or
numerals)
Exclamation point (!), asterisk (*), colon (:)
To Next Page
Loading...
