Table 9-5 Shared Secret Character Groups; Shared Secrets - Cisco ONS 15454 Reference Manual


Chapter 9
Security
client and server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This eliminates the possibility that someone monitoring an unsecured network could determine a user's password. Refer to the Cisco ONS 15454 Procedure Guide for detailed instructions for implementing RADIUS authentication.

9.4.2 Shared Secrets

A shared secret is a text string that serves as a password between:
• A RADIUS client and a RADIUS server
• A RADIUS client and a RADIUS proxy
• A RADIUS proxy and a RADIUS server

For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared secret used between the RADIUS proxy and the RADIUS server.

Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.

When creating and using a shared secret:
• Use the same case-sensitive shared secret on both RADIUS devices.
• Use a different shared secret for each RADIUS server-RADIUS client pair.
• To ensure a random shared secret, generate a random sequence at least 22 characters long.
• You can use any standard alphanumeric and special characters.
• You can use a shared secret of up to 128 characters in length. To protect your server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).
• Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your server and your RADIUS clients from dictionary attacks. Shared secrets should contain characters from each of the three groups listed in Table 9-5.

Table 9-5    Shared Secret Character Groups

Group                                                        Examples
Letters (uppercase and lowercase)                            A, B, C, D and a, b, c, d
Numerals                                                     0, 1, 2, 3
Symbols (all characters not defined as letters or numerals)  Exclamation point (!), asterisk (*), colon (:)

The stronger your shared secret, the more secure are the attributes (for example, those used for passwords and encryption keys) that are encrypted with it. An example of a strong shared secret is 8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m<PqAa72(.
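What this section describes, shown in code: the two jobs the shared secret does in RADIUS (RFC 2865), hiding the User-Password attribute and authenticating the server's reply, with the secret itself never leaving either device. This is an added example, not code from the manual or from the ONS 15454; the secret and the Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed example values, not taken from the manual: a 22-character secret
# drawn from all three character groups of Table 9-5, and a fixed Request
# Authenticator for reproducibility (a real client sends 16 fresh random
# octets in every Access-Request).
SHARED_SECRET = b"k7#Qm2$vL9!pX4&wZ8@nR5"
REQUEST_AUTH = bytes(range(16))


def hide_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets and
    XOR each chunk with MD5(secret + previous cipher chunk), seeded with the
    Request Authenticator. Only a peer holding the same secret can undo it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_user_password(hidden, secret, request_auth):
    """Server side: regenerate the same key stream and strip the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes
    + Secret). The secret itself never crosses the wire; a reply forged or
    altered by a device without it will not verify at the client."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def reply_is_authentic(code, ident, attrs, received_auth, request_auth, secret):
    """Client-side check of an Access-Accept/Reject (code 2/3) against the
    secret it shares with that server; any byte changed in transit fails."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)
```

A client and server configured with different secrets (or a secret that differs only in case) fail both checks, which is why the guideline above insists on the same case-sensitive string on both devices.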
Cisco ONS 15454 Reference Manual, R7.0.1 (OL-9217-01), page 9-9
