5-9
Cisco ONS 15310-MA SDH Reference Manual, Release 9.1 and Release 9.2
78-19417-01
Chapter 5 Security
RADIUS Security
For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared secret used between the RADIUS proxy and the RADIUS server.
Shared secrets are used to:
• Verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret.
• Verify that the RADIUS message has not been modified in transit (message integrity).
• Encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.
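The three uses listed above all rest on the same MD5-with-shared-secret constructions from RFC 2865. The following Python is an added walk-through, not code from the Cisco manual or the ONS software: it builds an Access-Accept with its Response Authenticator, checks that reply on the client side, hides and recovers a User-Password attribute, and shows that a reply built with a different secret, or altered in transit, fails the check. The secret is the manual's own example value; the Request Authenticator, user name, password and second ("rogue") secret are constructed sample values.

```python
import hashlib
import secrets

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Constructed sample values for the walk-through (not from any real deployment).
SECRET = b"8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m<PqAa72("  # the manual's example secret
ROGUE_SECRET = b"some-other-secret-on-a-misconfigured-peer"
REQUEST_AUTH = bytes(range(16))  # fixed for repeatability; a real client sends 16 random octets


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length counts all three fields."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets, then
    XOR each 16-octet block with MD5(secret + previous ciphertext block); the first block
    is keyed with MD5(secret + Request Authenticator)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; the chain is keyed on ciphertext blocks, so the
    server derives every keystream block from what it received plus the shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")  # strip the NUL padding (passwords here do not end in NUL)


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a server reply (for example Access-Accept) with its Response Authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    length = 20 + len(attributes)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: recompute the authenticator over the received packet and compare
    in constant time. Fails for a reply built with a different secret and for any change
    to the header, the echoed Request Authenticator or the attributes."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return secrets.compare_digest(packet[4:20], expected)


def demo() -> dict:
    """Walk through one exchange and return the outcome of each check."""
    hidden = hide_user_password(b"CorrectHorse", SECRET, REQUEST_AUTH)
    request_attrs = attr(ATTR_USER_NAME, b"operator") + attr(ATTR_USER_PASSWORD, hidden)
    recovered = reveal_user_password(hidden, SECRET, REQUEST_AUTH)  # what the server sees
    reply_attrs = attr(ATTR_USER_NAME, b"operator")
    reply = build_response(ACCESS_ACCEPT, 7, reply_attrs, REQUEST_AUTH, SECRET)
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])  # flip one bit in the last attribute octet
    rogue = build_response(ACCESS_ACCEPT, 7, reply_attrs, REQUEST_AUTH, ROGUE_SECRET)
    return {
        "password_roundtrip": recovered == b"CorrectHorse",
        "genuine_reply_verifies": verify_response(reply, REQUEST_AUTH, SECRET),
        "tampered_reply_rejected": not verify_response(tampered, REQUEST_AUTH, SECRET),
        "wrong_secret_rejected": not verify_response(rogue, REQUEST_AUTH, SECRET),
        "request_attrs_len": len(request_attrs),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The Access-Request itself carries only a random Request Authenticator, so nothing in it depends on the shared secret; that is why the first bullet excludes it (the Message-Authenticator attribute of RFC 2869 is the mechanism that covers the request). In the proxy arrangement described at the start of this section, the proxy verifies the server's reply with the proxy-server secret and re-signs it toward the client with the client-proxy secret, which is why the two secrets can differ.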
When creating and using a shared secret:
• Use the same case-sensitive shared secret on both RADIUS devices.
• Use a different shared secret for each RADIUS server-RADIUS client pair.
• Generate the shared secret as a random sequence of at least 22 characters.
• Use any standard alphanumeric and special characters.
• Use a shared secret of up to 128 characters in length. To protect your server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).
• Draw the random sequence from all three of the following character categories: letters (upper or lower case), numbers, and punctuation.
• Change the shared secret often to protect your server and your RADIUS clients from dictionary attacks. An example of a strong shared secret is 8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m<PqAa72(.
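The guidelines above can be turned into a generator and a policy check. The following Python is an added example, not a tool from the Cisco manual or the ONS software: `check_shared_secret` reports which guideline a candidate violates (length bounds, the three character categories, and the standard character set), `generate_shared_secret` draws a secret from the OS random source and resamples until it passes, and `find_reused_secrets` scans an inventory of server/client pairs for the per-pair uniqueness rule. The inventory hostnames and the reused secret are constructed sample values; the third entry is the manual's example secret.

```python
import secrets
import string

# Limits from the manual: at least 22 characters recommended, 128 maximum.
MIN_LENGTH = 22
MAX_LENGTH = 128
LETTERS = string.ascii_letters     # upper and lower case
DIGITS = string.digits
PUNCTUATION = string.punctuation   # the standard special characters
ALPHABET = LETTERS + DIGITS + PUNCTUATION


def check_shared_secret(secret: str) -> list:
    """Return the list of guideline violations; an empty list means the secret passes."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append("too_short")
    if len(secret) > MAX_LENGTH:
        problems.append("too_long")
    if not any(c in LETTERS for c in secret):
        problems.append("no_letter")
    if not any(c in DIGITS for c in secret):
        problems.append("no_digit")
    if not any(c in PUNCTUATION for c in secret):
        problems.append("no_punctuation")
    if any(c not in ALPHABET for c in secret):
        problems.append("non_standard_character")
    return problems


def generate_shared_secret(length: int = 32) -> str:
    """Draw each character with the OS CSPRNG (secrets module) and resample until all
    three categories are present, so the result always passes check_shared_secret."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate


def find_reused_secrets(pairs: dict) -> list:
    """Given {(server, client): secret}, return the groups of pairs that share one secret.
    Every server/client pair should have its own secret, so any group of two or more
    pairs is a finding to fix at the next rotation."""
    by_secret = {}
    for pair, secret in pairs.items():
        by_secret.setdefault(secret, []).append(pair)
    return sorted(sorted(group) for group in by_secret.values() if len(group) > 1)


# Constructed inventory for the walk-through; hostnames and the reused secret are made up.
SAMPLE_INVENTORY = {
    ("radius-server-1", "ons-node-a"): "Shared!Secret1ReusedTwice#abc",
    ("radius-server-1", "ons-node-b"): "Shared!Secret1ReusedTwice#abc",
    ("radius-server-2", "ons-node-a"): "8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m<PqAa72(",
}

if __name__ == "__main__":
    print("manual example:", check_shared_secret("8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m<PqAa72("))
    print("generated:", generate_shared_secret())
    print("reused across pairs:", find_reused_secrets(SAMPLE_INVENTORY))
```

Because `generate_shared_secret` samples uniformly from the full alphabet and only rejects candidates that miss a category, the accepted secrets keep close to the full entropy of the draw; at 32 characters from a 94-symbol alphabet that is about 210 bits, far beyond what a brute-force or dictionary attack against the RADIUS exchange can reach, which is the reason the manual asks for length and randomness rather than memorability.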