5.4.2 Shared Secrets
The server runs on a central computer typically at the customer's site, while the clients reside in the
dial-up access servers and can be distributed throughout the network.
An ONS 15600 node operates as a client of RADIUS. The client is responsible for passing user
information to designated RADIUS servers, and then acting on the response that is returned. RADIUS
servers are responsible for receiving user connection requests, authenticating the user, and returning all
configuration information necessary for the client to deliver service to the user. The RADIUS servers
can act as proxy clients to other kinds of authentication servers. Transactions between the client and
RADIUS server are authenticated through the use of a shared secret, which is never sent over the
network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This
eliminates the possibility that someone snooping on an unsecured network could determine a user's
password. Refer to the Cisco ONS 15600 Procedure Guide for detailed instructions for implementing
5.4.2 Shared Secrets
A shared secret is a text string that serves as a password between:
For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared
secret that is used between the RADIUS client and the RADIUS proxy can be different than the shared
secret used between the RADIUS proxy and the RADIUS server.
Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request
message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared
secrets also verify that the RADIUS message has not been modified in transit (message integrity). The
shared secret is also used to encrypt some RADIUS attributes, such as User-Password and
When creating and using a shared secret:
Cisco ONS 15600 Reference Manual, R7.0
A RADIUS client and RADIUS server
A RADIUS client and a RADIUS proxy
A RADIUS proxy and a RADIUS server
Use the same case-sensitive shared secret on both RADIUS devices.
Use a different shared secret for each RADIUS server-RADIUS client pair.
To ensure a random shared secret, generate a random sequence at least 22 characters long.
You can use any standard alphanumeric and special characters.
You can use a shared secret of up to 128 characters in length. To protect your server and your
RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).
Make the shared secret a random sequence of letters, numbers, and punctuation and change it often
to protect your server and your RADIUS clients from dictionary attacks. Shared secrets should
contain characters from each of the three groups listed in