Shared Secrets for NPS and RADIUS Clients

Applies To: Windows Server 2008

Shared secrets

A shared secret is a text string that serves as a password between:

  • A RADIUS client and RADIUS server.

  • A RADIUS client and a RADIUS proxy.

  • A RADIUS proxy and a RADIUS server.


Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared secret used between the RADIUS proxy and the RADIUS server.

Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password. To provide verification for Access-Request messages, you can enable use of the RADIUS Message Authenticator attribute for both the RADIUS client configured on the server running NPS and the access server.

When creating and using a shared secret:

  • Use the same case-sensitive shared secret on both RADIUS devices.

  • If you specify RADIUS clients by using an IP address range, all RADIUS clients within the address range must use the same shared secret.

  • Use a different shared secret for each RADIUS server-RADIUS client pair.

  • Generate a random sequence at least 22 characters long.

  • Use any standard alphanumeric and special characters.

  • Make the shared secret up to 128 characters in length. To protect your NPS server and your RADIUS clients from brute-force attacks, use long shared secrets (more than 22 characters).

  • Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your NPS server and your RADIUS clients from dictionary attacks. Shared secrets should contain characters from each of the following three groups:

    Group                                                          Examples
    Letters (uppercase and lowercase)                              A, B, C and a, b, c
    Numerals                                                       0, 1, 2, 3
    Symbols (all characters not defined as letters or numerals)    Exclamation point (!), asterisk (*), colon (:)

The stronger your shared secret, the more secure are the attributes (for example, those used for passwords and encryption keys) that are encrypted with it. An example of a strong shared secret is 8d#>9jq4rV)H7%a3-zM13sW.


When Password Authentication Protocol (PAP) is used between an access client and an access server (a RADIUS client), the access server encrypts the PAP password by using the shared secret and sends it in an Access-Request packet. If the access server sends the Access-Request message to a RADIUS proxy, the RADIUS proxy must first decrypt the PAP password with the shared secret that was used between the RADIUS proxy and the access server. Next, it encrypts the PAP password with the shared secret that was used between the RADIUS proxy and the RADIUS server before forwarding the Access-Request message. Because a malicious user or process at a RADIUS proxy can record user names and passwords for PAP connections after they are decrypted but before they are encrypted, the use of PAP is highly discouraged.
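
The decrypt-then-re-encrypt step described above, as an added example that is not Microsoft or NPS code: it follows the User-Password hiding scheme of RFC 2865 section 5.2 (an MD5 keystream derived from the shared secret and the Request Authenticator) and shows that the cleartext PAP password exists at the proxy between the two hops. The function names, both shared secrets and the password are constructed for illustration, and the proxy is assumed to be free to use a new Request Authenticator on the forwarded request.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; User-Password is processed in 16-byte blocks

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Sender: NUL-pad to a block multiple, XOR each block with MD5(secret + previous)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", request_auth
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out += prev  # the ciphertext block also feeds the next block's key
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Receiver: rebuild the same keystream; the chain runs over ciphertext blocks."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")  # strip the NUL padding added by the sender

def proxy_forward(hidden, client_secret, server_secret, auth_in, auth_out):
    """Proxy: decrypt with the client-side secret, re-encrypt with the server-side one.
    Returns the re-hidden attribute and the cleartext that was held in proxy memory."""
    cleartext = reveal_password(hidden, client_secret, auth_in)
    return hide_password(cleartext, server_secret, auth_out), cleartext

# Constructed sample values (not from the page): one secret per RADIUS pair.
CLIENT_PROXY_SECRET = b"constructed-secret-AP-to-proxy-01!"
PROXY_SERVER_SECRET = b"constructed-secret-proxy-to-NPS-02*"
PAP_PASSWORD = b"constructed-pap-password"  # 24 bytes, so two 16-byte blocks

if __name__ == "__main__":
    ra_in, ra_out = os.urandom(16), os.urandom(16)  # Request Authenticators per hop
    hop1 = hide_password(PAP_PASSWORD, CLIENT_PROXY_SECRET, ra_in)
    hop2, seen = proxy_forward(hop1, CLIENT_PROXY_SECRET, PROXY_SERVER_SECRET, ra_in, ra_out)
    print("hidden, access server -> proxy:", hop1.hex())
    print("cleartext held at proxy:       ", seen)
    print("hidden, proxy -> RADIUS server:", hop2.hex())
```

The only protection on each hop is the shared secret for that pair, which is why the length and randomness guidance above applies to every RADIUS client, proxy and server pairing.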