Cisco Cisco ONS 15454 M6 Multiservice Transport Platform (MSTP)
• You can use a shared secret of up to 128 characters in length. To protect your server and your RADIUS clients from brute force
attacks, use long shared secrets (more than 22 characters).
• Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your server and
your RADIUS clients from dictionary attacks. Shared secrets should contain characters from each of the three groups listed in
Table 6: Shared Secret Character Groups, on page 15
.
Table 6: Shared Secret Character Groups
Examples
Group
A, B, C, D and a, b, c, d
Letters (uppercase and lowercase)
0, 1, 2, 3
Numerals
Exclamation point (!), asterisk (*), colon (:)
Symbols (all characters not defined as letters or numerals)
The stronger your shared secret, the more secure the attributes (for example, those used for passwords and encryption keys) that are
encrypted with it. An example of a strong shared secret is 8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m<PqAa72(.
encrypted with it. An example of a strong shared secret is 8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m<PqAa72(.
TACACS+ Security
Terminal Access Controller Access-Control System Plus (TACACS+) is introduced in R10.1 in ONS 15454 and NCS 2000 platforms.
TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network
access server through one or more centralized servers. TACACS+ provides Authentication, Authorization and Accounting (AAA)
services. In R10.1, only authentication is supported.
access server through one or more centralized servers. TACACS+ provides Authentication, Authorization and Accounting (AAA)
services. In R10.1, only authentication is supported.
TACACS+ Authentication
When TACACS+ server is configured and protocol is enabled on the node, the user credentials are authenticated through TACACS+
server. When the user attempts to log into the node using CTC or TL1, the username and password is forwarded to the configured
TACACS+ servers and get authentication status. If the authentication fails through TACACS+ server, the credentials are sent to the
node and are authenticated against the node. If the authentication fails against the node, the user is not allowed to log into the node.
server. When the user attempts to log into the node using CTC or TL1, the username and password is forwarded to the configured
TACACS+ servers and get authentication status. If the authentication fails through TACACS+ server, the credentials are sent to the
node and are authenticated against the node. If the authentication fails against the node, the user is not allowed to log into the node.
Limitations
• The user can configure only five TACACS+ servers for a node.
• TACACS+ configuration is supported only in CTC.
• The user can enter up to 39 characters for user name in CTC from R10.5. It includes alphanumeric (a-z, A-Z, 0-9) characters
and the allowed special characters are @, " - " (hyphen), and " . " (dot).
• TACACS+ and RADIUS authentication cannot be enabled simultaneously.
• TACACS+ is not supported in GNE-ENE configuration.
15