Question about OSPF Authentication

Andrew Morris · ‎08-10-2007

Hi All,

Can someone explain this one to me.

Two routers in the same area configured for authentication the following way:

On both devices:

router ospf 100

area 50 authentication

!

Interface g0/1

ip ospf message-digest-key 1 md5 key xx

This works because the two routers become OSPF neighbors but I don't get how they are working as Type 1 authentication is configured at router level, which does not use MD5, yet the interface is configured for a message-digest-key which would imply that Type2 authentication should be running on it but it isn't, it will be Type 1 as defined under the router ospf process.

So how is this working, or am I missing something?

Regards

Andrew Morris

rkitagawa2003 · ‎08-10-2007

Hi Andrew,

You configured,

Router(config-router)# area 50 authentication

This configuration is clear text authentication in area.

You should configure,

Router(config-router)# area 50 authentication message-digest

This configuration is MD5 authentication in area.

OSPF area authentication

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a8072.html#wp1063542

Ryusuke.

Andrew Morris · ‎08-10-2007

Hi Ryusuke,

Yes, I already know this. I'm trying to figure out how this is actually working :)

I know authentication is not mandatory for 2x OSPF neighbors to become neighbors but if it is configured then the method type needs be the same which in this case it is, which is Type 1 clear text authentication but the key configured is an MD5 key.

Does Cisco default to using whatever key is configured if area x authentication command is just configured at router level. I would not have thought so.

Regards

Andrew Morris

Edison Ortiz · ‎08-10-2007

You only enabled plain text authentication, the md5 key information isn't doing anything in the config until you enable md5 OSPF authentication.

Currently, the routes are being authenticated with a null key (which is the default setting).

If you run a debug on OSPF packets, you will see the area is authenticated (show ip ospf also shows you that info), the key just brings you added security.

narbik · ‎08-11-2007

In OSPF there are 2 types of authentication, clear text and MD5. Each of which can be configured in 2 ways: per-interface authentication and Area authentication.

Whether you are performing per-interface or Area authentication, the authentication must be enabled and then applied.

In per-interface authentication, authentication is enabled under the interface that requires authentication and its applied using the second command to the same interface as follows:

Per-interface Clear text:

Int F0/0

Ip ospf authentication

Ip ospf authentication-key CCIE

Per-interface MD5:

Int F0/0

Ip ospf authentication message-digest

IP ospf message-digest-key 1 md5 CCIE

Note the first command enables authentication and the second command applies the authentication to the interface.

Area authentication clear text:

Router ospf 1

Area 0 authentication

Inter F0/0

Ip ospf authentication-key CCIE

Area authentication MD5

Router ospf 1

Area 0 authentication message-digest

Inter F0/0

Ip ospf message-digest-key 1 md5 CCIE

Note in Area authentication, you must enable authentication under the Router OSPF 1 process and NOT the interface. This is handy if you have let?s say 100 routers and each router has 10 interfaces that need to have authentication, if area authentication is used, then authentication in ONLY enabled once per router, whereas, if per interface is used, authentication must be enabled under each interface before its applied to the same interface. The admin needs to enter 1000 commands versus 100 commands to enable authentication.

If both clear text and MD5 is configured, then MD5 will take precedence over clear text.

I hope this helps and sorry for the lengthy message.

Narbik Kocharians

CCSI, CCIE #12410 (R&S, Security and SP)

www.net-workbooks.com

narbikk@hotmail.com