2-217
Cisco Broadband Cable Command Reference Guide
OL-1581-08
Chapter 2 Cisco CMTS Configuration Commands
cable shared-secondary-secret
The cable shared-secondary-secret command allows a cable operator to specify up to 16 alternate DOCSIS shared secrets. If a CM has a MIC authentication failure during registration, the CMTS then checks the MIC values using the alternate shared secrets. If a match is found, the CM is allowed online. If none of the alternate MIC values match the value returned by the CM, the CMTS refuses to allow the CM to come online and instead logs a MIC authentication failure.
The use of secondary shared secrets allows the MSO to gradually phase in changes to the shared secret key. If a shared secret has been compromised, or if the MSO decides to regularly change the shared secret, the MSO can use the cable shared-secret command to immediately change the primary shared secret. The previous key can then be made a secondary shared secret, using the cable shared-secondary-secret command, so that CMs can continue to register until the MSO can change all of the DOCSIS configuration files to use the new shared secret.
To use the secondary shared-secret feature, you must do the following:
• You must specify a shared secret with the cable shared-secret command. The cable shared-secondary-secret command has no effect if you have not specified a primary shared secret.
Note
At any particular time, the majority of CMs should use the primary shared secret to avoid excessive registration times.
• Create DOCSIS configuration files that use the shared-secret encryption string to create the MD5 MIC value. This can be done using the Cisco DOCSIS Configurator tool by entering the shared-secret string in the CMTS Authentication field in the Miscellaneous parameters.
Tip
The shared-secret string itself is not saved in the DOCSIS configuration file, so you must re-enter the string in the CMTS Authentication field whenever you create or edit a DOCSIS configuration file using the Cisco DOCSIS Configurator tool.
• Use the cable shared-secondary-secret command to configure the cable interfaces with one or more matching shared-secret strings. The string configured on an interface must match the string used to create the DOCSIS configuration files downloaded to the CMs on that interface, or the CMs will not be able to register. You can use different shared secrets for each interface, if you are also using a different set of configuration files for each interface.
• To encrypt the shared-secret strings in the CMTS configuration, you must include the service password-encryption global configuration command in the router’s configuration.
Note
You cannot use the shared secret feature with the files created by the internal DOCSIS configuration file editor (cable config-file command).
Examples
The following example shows how to specify multiple secondary shared-secret strings using encrypted keys:
Router# config t
Router(config)# service password-encryption
Router(config)# int c6/0
Router(config-if)# cable shared-secret n01jk_1a
Router(config-if)# cable shared-secondary-secret index 1 cabl3-x21b
Router(config-if)# cable shared-secondary-secret index 2 dasc9_ruld55ist5q3z
Router(config-if)# cable shared-secondary-secret index 3 j35u556_x_0
Router(config-if)# exit
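The check order (primary secret first, then the secondaries) and the phase-in of a new secret described above, as an added Python example that is not Cisco's code. It assumes the CMTS MIC is an HMAC-MD5 keyed with the shared secret over the configuration-file TLV bytes; the sample TLVs, secret strings and the index scheme used when rotating are this example's own constructions.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple

MAX_SECONDARY = 16  # the command accepts up to 16 alternate secrets


# Assumption (the MIC construction is not spelled out on this page): the CMTS
# MIC is an HMAC-MD5 over the config-file TLV bytes, keyed with the shared secret.
def cmts_mic(shared_secret: str, tlv_bytes: bytes) -> bytes:
    return hmac.new(shared_secret.encode(), tlv_bytes, hashlib.md5).digest()


def verify_cm_mic(tlv_bytes: bytes, cm_mic: bytes, primary: str,
                  secondaries: Dict[int, str]) -> Optional[str]:
    """Check order described above: the primary secret first, then each
    secondary in index order. Returns a label naming the matching secret, or
    None when the CM is to be refused and a MIC authentication failure logged."""
    if hmac.compare_digest(cmts_mic(primary, tlv_bytes), cm_mic):
        return "primary"
    for index in sorted(secondaries):
        if hmac.compare_digest(cmts_mic(secondaries[index], tlv_bytes), cm_mic):
            return f"secondary index {index}"
    return None


def rotate_shared_secret(primary: str, secondaries: Dict[int, str],
                         new_secret: str) -> Tuple[str, Dict[int, str]]:
    """Phase-in step described above: the new string becomes the primary and the
    previous primary is kept as a secondary (here at index 1, with existing
    secondaries shifted up; that index scheme is this example's choice).
    Entries that would exceed index 16 are dropped, matching the command's limit."""
    rotated = {1: primary}
    for index, secret in sorted(secondaries.items()):
        if index + 1 <= MAX_SECONDARY:
            rotated[index + 1] = secret
    return new_secret, rotated


# Constructed sample config-file TLVs (stand-in only; not a real DOCSIS file).
SAMPLE_TLVS = bytes([3, 1, 1, 4, 1, 1, 0x11, 4, 0xAC, 0x10, 0x00, 0x05])

if __name__ == "__main__":
    primary, secondaries = rotate_shared_secret("old-secret", {}, "new-secret")
    # A CM whose config file was built with the old secret still registers.
    print(verify_cm_mic(SAMPLE_TLVS, cmts_mic("old-secret", SAMPLE_TLVS), primary, secondaries))
    # A CM whose file was built with an unknown secret is refused (None).
    print(verify_cm_mic(SAMPLE_TLVS, cmts_mic("rogue", SAMPLE_TLVS), primary, secondaries))
```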