Cisco SR2016T-NA Reference Manual page 229

Chapter 2
Cisco CMTS Configuration Commands
The cable shared-secondary-secret command allows a cable operator to specify up to 16 alternate
DOCSIS shared secrets. If a CM has a MIC authentication failure during registration, the CMTS then
checks the MIC values using the alternate shared secrets. If a match is found, the CM is allowed online.
If none of the alternate MIC values match the value returned by the CM, the CMTS refuses to allow the
CM to come online and instead logs a MIC authentication failure.
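The fallback check described above, as an added Python model (not Cisco code and not part of the original manual). It assumes the MIC can be modelled as HMAC-MD5 over an opaque byte string; the function names and the new primary string are constructed for illustration, and it also tallies which secret authenticated each registration.

```python
import hashlib
import hmac
from collections import Counter

MAX_SECONDARY = 16  # the command allows up to 16 alternate shared secrets


def cmts_mic(secret: str, covered: bytes) -> bytes:
    # Assumption: MIC modelled as HMAC-MD5 over an opaque byte string; the
    # real set of covered config-file fields is defined by DOCSIS.
    return hmac.new(secret.encode(), covered, hashlib.md5).digest()


def check_mic(covered, received_mic, primary, secondaries):
    """Return 'primary', 'secondary-<index>' or 'mic-failure'.

    secondaries maps index -> string, mirroring
    'cable shared-secondary-secret index N <string>'.
    """
    if not primary:
        raise ValueError("model requires a primary shared secret")
    if len(secondaries) > MAX_SECONDARY:
        raise ValueError("at most 16 secondary shared secrets")
    if hmac.compare_digest(cmts_mic(primary, covered), received_mic):
        return "primary"
    # Alternates are tried only after the primary fails, so each CM still on
    # an old secret costs extra digest computations at registration.
    for index in sorted(secondaries):
        if hmac.compare_digest(cmts_mic(secondaries[index], covered), received_mic):
            return f"secondary-{index}"
    return "mic-failure"  # CM is refused and a MIC failure is logged


def rotation_report(registrations, primary, secondaries):
    """Count which secret authenticated each (covered, mic) registration."""
    return Counter(check_mic(c, m, primary, secondaries) for c, m in registrations)


# Constructed sample: primary rotated to a new string, old primary kept as index 1.
NEW_PRIMARY = "constructed-new-secret"
SECONDARIES = {1: "n01jk_1a"}  # previous primary, taken from the manual's example
CONFIG = b"constructed-config-tlvs"
SAMPLE = [
    (CONFIG, cmts_mic(NEW_PRIMARY, CONFIG)),       # file rebuilt with new secret
    (CONFIG, cmts_mic("n01jk_1a", CONFIG)),        # file still using old secret
    (CONFIG, cmts_mic("unknown-secret", CONFIG)),  # file built with a wrong secret
]

if __name__ == "__main__":
    print(rotation_report(SAMPLE, NEW_PRIMARY, SECONDARIES))
```

A secondary index whose count has dropped to zero is no longer needed by any registering CM and can be removed from the interface.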
The use of secondary shared secrets allows the MSO to gradually phase in changes to the shared secret
key. If a shared secret has been compromised, or if the MSO decides to regularly change the shared
secret, the MSO can use the cable shared-secret command to immediately change the primary shared
secret. The previous key can then be made a secondary shared secret, using the
cable shared-secondary-secret command, so that CMs can continue to register until the MSO can change
all of the DOCSIS configuration files to use the new shared secret.
To use the secondary shared-secret feature, you must do the following:
• You must specify a shared secret with the cable shared-secret command. The
cable shared-secondary-secret command has no effect if you have not specified a primary shared secret.
Note: At any particular time, the majority of CMs should use the primary shared secret to avoid
excessive registration times.
• Create DOCSIS configuration files that use the shared-secret encryption string to create the MD5
MIC value. This can be done using the Cisco DOCSIS Configurator tool by entering the shared-secret
string in the CMTS Authentication field in the Miscellaneous parameters.
Tip: The shared-secret string itself is not saved in the DOCSIS configuration file, so you must re-enter
the string in the CMTS Authentication field whenever you create or edit a DOCSIS configuration file
using the Cisco DOCSIS Configurator tool.
Note: You cannot use the shared secret feature with the files created by the internal DOCSIS
configuration file editor (cable config-file command).
• Use the cable shared-secondary-secret command to configure the cable interfaces with one or
more matching shared-secret strings. The string configured on an interface must match the string
used to create the DOCSIS configuration files downloaded to the CMs on that interface, or the CMs
will not be able to register. You can use different shared secrets for each interface, if you are also
using a different set of configuration files for each interface.
• To encrypt the shared-secret strings in the CMTS configuration, you must include the service
password-encryption global configuration command in the router's configuration.
Examples
The following example shows how to specify multiple secondary shared-secret strings using encrypted
keys:
Router# config t
Router(config)# service password-encryption
Router(config)# int c6/0
Router(config-if)# cable shared-secret n01jk_1a
Router(config-if)# cable shared-secondary-secret index 1 cabl3-x21b
Router(config-if)# cable shared-secondary-secret index 2 dasc9_ruld55ist5q3z
Router(config-if)# cable shared-secondary-secret index 3 j35u556_x_0
Router(config-if)# exit
OL-1581-08
Cisco Broadband Cable Command Reference Guide