Question about OSPF Authentication

Unanswered Question
Aug 10th, 2007

Hi All,


Can someone explain this one to me?

Two routers in the same area configured for authentication the following way:


On both devices:

router ospf 100
 area 50 authentication
!
interface g0/1
 ip ospf message-digest-key 1 md5 key xx


This works, because the two routers become OSPF neighbors, but I don't get how they are working: Type 1 authentication is configured at router level, which does not use MD5, yet the interface is configured for a message-digest-key, which would imply that Type 2 authentication should be running on it. But it isn't; it will be Type 1, as defined under the router ospf process.


So how is this working, or am I missing something?


Regards


Andrew Morris


Andrew Morris Fri, 08/10/2007 - 05:20

Hi Ryusuke,


Yes, I already know this. I'm trying to figure out how this is actually working :)


I know authentication is not mandatory for two OSPF neighbors to become neighbors, but if it is configured then the method type needs to be the same, which in this case it is: Type 1 clear text authentication. But the key configured is an MD5 key.


Does Cisco default to using whatever key is configured if the area x authentication command is just configured at router level? I would not have thought so.


Regards


Andrew Morris


Edison Ortiz Fri, 08/10/2007 - 13:28

You only enabled plain text authentication, the md5 key information isn't doing anything in the config until you enable md5 OSPF authentication.


Currently, the routes are being authenticated with a null key (which is the default setting).


If you run a debug on OSPF packets, you will see the area is authenticated (show ip ospf also shows you that info), the key just brings you added security.


narbik Sat, 08/11/2007 - 19:35

In OSPF there are two types of authentication, clear text and MD5, each of which can be configured in two ways: per-interface authentication and area authentication.

Whether you are performing per-interface or Area authentication, the authentication must be enabled and then applied.

In per-interface authentication, authentication is enabled under the interface that requires authentication and it's applied using the second command on the same interface, as follows:


Per-interface clear text:

interface f0/0
 ip ospf authentication
 ip ospf authentication-key CCIE

Per-interface MD5:

interface f0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CCIE


Note the first command enables authentication and the second command applies the authentication to the interface.


Area authentication clear text:

router ospf 1
 area 0 authentication
!
interface f0/0
 ip ospf authentication-key CCIE

Area authentication MD5:

router ospf 1
 area 0 authentication message-digest
!
interface f0/0
 ip ospf message-digest-key 1 md5 CCIE


Note that in area authentication you must enable authentication under the router ospf 1 process and NOT the interface. This is handy if you have, let's say, 100 routers and each router has 10 interfaces that need to have authentication: if area authentication is used, then authentication is ONLY enabled once per router, whereas if per-interface is used, authentication must be enabled under each interface before it's applied to the same interface. The admin needs to enter 1000 commands versus 100 commands to enable authentication.

If both clear text and MD5 are configured, then MD5 will take precedence over clear text.


I hope this helps and sorry for the lengthy message.


Narbik Kocharians

CCSI, CCIE #12410 (R&S, Security and SP)

www.net-workbooks.com

[email protected]
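To make the thread's explanation concrete, here is an added Python model (not code from any poster or from Cisco) of the two OSPF authentication types as RFC 2328 Appendix D defines them: Type 1 puts the password in the 8-byte authentication field, Type 2 appends an MD5 digest over the packet plus the zero-padded key. The demo reproduces the original question's setup, where 'area 50 authentication' with no authentication-key means both routers send the all-zero null key and therefore agree; the Hello body, router IDs and key "CCIE" are constructed values.

```python
import hashlib
import hmac
import struct

OSPF_HDR = struct.Struct("!BBHIIHH8s")  # version, type, length, router id, area id, checksum, AuType, auth field

def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(router_id, area_id, body, autype, key=b"", key_id=1, seq=0):
    """Hello packet with Type 1 (simple password) or Type 2 (MD5) authentication, RFC 2328 Appendix D."""
    length = OSPF_HDR.size + len(body)
    if autype == 1:
        # Type 1 carries the password in the auth field; 'area X authentication' without an
        # 'ip ospf authentication-key' sends the null key, i.e. eight zero bytes.
        pkt = bytearray(OSPF_HDR.pack(2, 1, length, router_id, area_id, 0, 1, key[:8].ljust(8, b"\x00")) + body)
        struct.pack_into("!H", pkt, 12, checksum16(bytes(pkt[:16] + pkt[24:])))  # auth field is excluded
        return bytes(pkt)
    # Type 2: auth field = 0x0000 | key id | auth data length (16) | crypto sequence number; checksum stays 0.
    hdr = OSPF_HDR.pack(2, 1, length, router_id, area_id, 0, 2, struct.pack("!HBBI", 0, key_id, 16, seq))
    digest = hashlib.md5(hdr + body + key[:16].ljust(16, b"\x00")).digest()  # key zero-padded to 16 bytes
    return hdr + body + digest  # digest trails the packet and is not counted in 'length'

def verify(pkt: bytes, configured_autype: int, key: bytes = b"") -> bool:
    # Receiver check: AuType must match the local configuration, then the credential must match.
    _, _, length, _, _, _, autype, auth = OSPF_HDR.unpack_from(pkt)
    if autype != configured_autype:
        return False  # type mismatch: no adjacency forms
    if autype == 1:
        return checksum16(pkt[:16] + pkt[24:length]) == 0 and auth == key[:8].ljust(8, b"\x00")
    auth_len = auth[3]
    expected = hashlib.md5(pkt[:length] + key[:16].ljust(16, b"\x00")).digest()
    return hmac.compare_digest(pkt[length:length + auth_len], expected)

def demo():
    """The thread's setup: 'area 50 authentication' on both routers and no authentication-key anywhere."""
    hello = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)  # constructed Hello body
    null_key_pkt = build_packet(0x01010101, 50, hello, autype=1)  # auth field is eight zero bytes
    md5_pkt = build_packet(0x02020202, 50, hello, autype=2, key=b"CCIE", seq=7)
    return {
        "type1_null_key_accepted": verify(null_key_pkt, 1),  # both ends default to the null key, so they agree
        "type1_rejected_by_md5_area": verify(null_key_pkt, 2, b"CCIE"),  # AuType 1 vs configured Type 2
        "type2_accepted": verify(md5_pkt, 2, b"CCIE"),
        "type2_wrong_key_rejected": verify(md5_pkt, 2, b"WRONG"),
    }
```

The unused message-digest-key in the original config corresponds to the first case: the neighbors form because both sides are running Type 1 with the same (empty) password, not because the MD5 key is being checked.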

