ASA - RADIUS common password

When configuring a Cisco ASA device to function in conjunction with a RADIUS server for AAA, there is an optional parameter called radius-common-pw that can be configured.

This parameter is used internally by the ASA for its communication with the RADIUS server for all authorization transactions. The syntax is:

radius-common-pw string

Cisco in its ASA command line reference states the following about this command:

The RADIUS authorization server requires a password and username for each connecting user. The ASA provides the username automatically. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this ASA. Be sure to provide this information to your RADIUS server administrator.

If you do not specify a common user password, each user password is the username. If you are using usernames for common user passwords, as a security precaution, do not use the RADIUS server for authorization anywhere else on your network.

It also says (interestingly):

The string argument is essentially a space-filler. The RADIUS server expects and requires it, but does not use it. Users do not need to know it.

So this configuration is optional, but the administrator of the RADIUS server must know what has been configured in order to correctly communicate with the ASA. Note also that this password is used only for internal communication between the ASA and the RADIUS server, and only for authorization mechanisms. End users don’t need to know this password. They simply use their own credentials.
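
One way to audit a configuration for the default described above, as an added example (not taken from the Cisco documentation or from the original note): the script reads aaa-server entries in the layout printed by show running-config and lists RADIUS hosts that have no radius-common-pw line, which are the hosts where the authorization password falls back to the username. The sample configuration, its group names and addresses are constructed, and the function name hosts_without_common_pw is hypothetical.

```python
import re

# Constructed sample in the layout of `show running-config aaa-server`
# (group names, addresses and masked secrets are made up for this example).
SAMPLE_CONFIG = """\
aaa-server VPN_AUTHZ protocol radius
aaa-server VPN_AUTHZ (inside) host 192.0.2.10
 key *****
 radius-common-pw *****
aaa-server VPN_AUTHZ (inside) host 192.0.2.11
 key *****
aaa-server ADMIN_TACACS protocol tacacs+
aaa-server ADMIN_TACACS (mgmt) host 192.0.2.20
 key *****
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")


def hosts_without_common_pw(config_text):
    """Return (group, interface, host) for RADIUS hosts lacking radius-common-pw."""
    protocols = {}   # group name -> protocol
    hosts = []       # [group, interface, host, has_common_pw]
    current = None   # host entry whose indented sub-commands we are reading
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: sub-command of the most recent host entry.
            if current is not None and line.split()[0] == "radius-common-pw":
                current[3] = True
            continue
        current = None
        m = GROUP_RE.match(line)
        if m:
            protocols[m.group(1)] = m.group(2).lower()
            continue
        m = HOST_RE.match(line)
        if m:
            current = [m.group(1), m.group(2), m.group(3), False]
            hosts.append(current)
    return [(g, i, h) for g, i, h, ok in hosts
            if protocols.get(g) == "radius" and not ok]


if __name__ == "__main__":
    for group, ifc, host in hosts_without_common_pw(SAMPLE_CONFIG):
        print(f"{group} ({ifc}) {host}: no radius-common-pw, "
              "authorization password defaults to the username")
```

A host reported here is only a concern if its server group is actually used for authorization, since the parameter applies to authorization transactions only.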

Links:

https://forum.networklessons.com/t/aaa-authentication-on-cisco-ios/1558/82?u=lagapidis

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/q-res-commands.html#wp1922415950