Shared secrets

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A shared secret is a text string that serves as a password between:

  • A RADIUS client and RADIUS server.

  • A RADIUS client and a RADIUS proxy.

  • A RADIUS proxy and a RADIUS server.

For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different than the shared secret used between the RADIUS proxy and the RADIUS server.

Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password. To provide verification for Access-Request messages, you can enable use of the RADIUS Message Authenticator attribute for both the RADIUS client configured on the IAS server and the access server. For more information, see Message Authenticator attribute and Configure the Message Authenticator attribute and shared secret.

When creating and using a shared secret:

  • You must use the same case-sensitive shared secret on both RADIUS devices.

  • Use a different shared secret for each RADIUS server-RADIUS client pair.

  • To ensure a random shared secret, generate a random sequence at least 22 characters long.

  • You can use any standard alphanumeric and special characters.

  • You can use a shared secret of up to 128 characters in length. To protect your IAS server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).

  • Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your IAS server and your RADIUS clients from dictionary attacks. Shared secrets should contain characters from each of the following three groups:

  Group                                                         Examples
  Letters (uppercase and lowercase)                             A, B, C and a, b, c
  Numerals                                                      0, 1, 2, 3
  Symbols (all characters not defined as letters or numerals)   Exclamation point (!), asterisk (*), colon (:)

The stronger your shared secret, the better protected the attributes that are encrypted with it (for example, those that carry passwords and encryption keys). An example of a strong shared secret is 8d#>9fq4bV)H7%a3-zE13sW.

Notes

  • When Password Authentication Protocol (PAP) is used between an access client and an access server (a RADIUS client), the access server encrypts the PAP password by using the shared secret and sends it in an Access-Request packet. If the access server sends the Access-Request message to a RADIUS proxy, the RADIUS proxy must first decrypt the PAP password with the shared secret that was used between the RADIUS proxy and the access server. Next, it encrypts the PAP password with the shared secret that was used between the RADIUS proxy and the RADIUS server before forwarding the Access-Request message. Because a malicious user or process at a RADIUS proxy can record user names and passwords for PAP connections after they are decrypted but before they are encrypted, the use of PAP is highly discouraged.

  • If you specify RADIUS clients by using an IP address range, all RADIUS clients within the address range must use the same shared secret.

  • If you are using a password-based authentication method, it is strongly recommended that you use MS-CHAP v2, MS-CHAP, or CHAP with strong passwords to provide password protection from dictionary attacks.

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.
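As an added illustration that is not part of the original page, the following Python shows how the shared secret enters the two mechanisms described above: hiding the User-Password attribute (RFC 2865 section 5.2), including the decrypt-then-re-encrypt step a RADIUS proxy performs for PAP as described in the Notes, and the Response Authenticator that a RADIUS client recomputes to verify a reply came from a device holding the same secret (RFC 2865 section 3). The Request Authenticator values and the second shared secret used when exercising it are constructed.

```python
import hashlib

def _block_key(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: each 16-octet keystream block is MD5(secret || previous block);
    # the first "previous block" is the 16-octet Request Authenticator.
    return hashlib.md5(secret + prev).digest()

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password the way an access server does before sending an Access-Request."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _block_key(secret, prev)))
        out += block
        prev = block  # ciphertext chaining feeds the next keystream block
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the password as a RADIUS proxy or server holding the same secret does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _block_key(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")  # drop the padding nulls

def proxy_rehide(hidden: bytes, inbound_secret: bytes, inbound_auth: bytes,
                 outbound_secret: bytes, outbound_auth: bytes) -> bytes:
    """The proxy step from the Notes: the PAP password is plaintext inside this function,
    which is why the page discourages PAP through a RADIUS proxy."""
    plaintext = reveal_user_password(hidden, inbound_secret, inbound_auth)
    return hide_user_password(plaintext, outbound_secret, outbound_auth)

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A client recomputes this over a received Access-Accept/Reject and compares it with
    the Authenticator field; a sender without the same shared secret cannot match it."""
    length = (20 + len(attrs)).to_bytes(2, "big")  # 20-octet header plus attributes
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()
```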