OSPF auth

Jan 22nd, 2008

On router 1 interface I have the following config:

2821(config)#interface fastEthernet 0/1
2821(config-if)#ip ospf authentication message-digest
2821(config-if)#ip ospf authentication-key 7 1234567

While in show ip ospf interfaces I am getting the following output:

Message digest authentication enabled
No key configured, using default key id 0

What does this mean??

On the other end I have given a different MD5 key as

ip ospf authentication-key 1 cisco.

The two routers shouldn't form an adjacency because of the different MD5 keys, but they are establishing the adjacency, as I see in the neighbor tables of both routers, and they are also able to ping each other.

shrikar.dange Tue, 01/22/2008 - 02:20

Hi,

Have you configured authentication under the OSPF process for that particular area?

Can you post the whole config?


regards,


shri :)

mohammedmahmoud Tue, 01/22/2008 - 05:01

Hi,


First of all, you need "ip ospf message-digest-key" to define the key when using MD5 (type 2), not "ip ospf authentication-key", which is used with plain text (type 1) authentication.

Secondly, if I remember correctly, with type 1 (plain text), if you enabled authentication and didn't define the key, a null password will be used by default and the OSPF adjacency will form. I'll make sure whether this is also correct for MD5 and feed you back.


BR,

Mohammed Mahmoud.

munawar.zeeshan Tue, 01/22/2008 - 06:01

Thanks Mohammed... very, very helpful.

Tell me one more thing:

ip ospf message-digest-key 1 md5 cisco

What does this 1 mean in the command? I think we can use from 1 - 7. Please explain what these numbers mean?

shrikar.dange Tue, 01/22/2008 - 20:21

Hi,

Specifying authentication for an area sets the authentication to Type 1 (simple password). If this command is not included in the configuration file, authentication of Type 0 (no authentication) is assumed.

The authentication type must be the same for all routers and access servers in an area. The authentication password for all OSPF routers on a network must be the same if they are to communicate with each other via OSPF. Use the ip ospf authentication-key interface command to specify this password.

If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf message-digest-key interface command.

Example:

interface ethernet 0
ip address 192.168.251.201 255.255.255.0
ip ospf authentication-key adcdefgh
!
interface ethernet 1
ip address 10.56.0.201 255.255.0.0
ip ospf authentication-key ijklmnop
!
router ospf 201
network 10.0.0.0 0.255.255.255 area 10.0.0.0
network 192.168.0.0 0.0.255.255 area 0
area 10.0.0.0 authentication
area 0 authentication



HTH,


regards,


shri :)

munawar.zeeshan Wed, 01/23/2008 - 02:00

Thanks... One more thing.

I have a router with one WAN and a LAN interface connected to my switch (3750). I have enabled MD5 auth for the WAN interface because this router's WAN is connected to my HO router, which is using MD5. Furthermore, I have also enabled auth at the area level.

Now, the thing confusing me is whether I should enable auth on the LAN interface also. I am not using OSPF on my 3750 switch. Since I am advertising the LAN network on that switch (3750), I am assuming I should enable auth on that router's LAN interface and on the interface of the switch also...

Help required...



shrikar.dange Wed, 01/23/2008 - 02:13

Hi,

As per your statement you are not running OSPF on the 3750. Hence, although you are advertising that network onto the WAN, it's not necessary to do authentication on the LAN interface. Authentication is necessary between two OSPF neighbours to communicate and transfer information.

In your case the 3750 is not an OSPF peer, so there is no need to configure authentication there. Configure authentication on each router participating in the OSPF process under the same authenticated area.


HTH,


regards,


shri :)


**EDIT: here I am assuming that there is no other L3 device (OSPF speaking) beyond the 3750 in the same area.

mohammedmahmoud Wed, 01/23/2008 - 05:55

Hi,


Sorry, I needed time to access a rack to verify my point. I can now confirm that if you enabled authentication (either type 1 (plain text) or type 2 (MD5)) and didn't define the key, a null password will be used by default (Key 0).

CE-6#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.4.4         1   FULL/DR         00:00:36    192.168.1.4     FastEthernet0/0

CE-6#sh run int f0/0
Building configuration...

Current configuration : 135 bytes
!
interface FastEthernet0/0
 ip address 192.168.1.6 255.255.255.0
 ip ospf authentication message-digest
 duplex auto
 speed auto
end

As for the 1 in the command, it is called the Key ID. It allows the router to reference multiple passwords, making password migration easier and more secure, and it can be from 1 to 255.


BR,

Mohammed Mahmoud.

shrikar.dange Wed, 01/23/2008 - 19:44

Hi,

Nice explanation by Mohammed. :)

I would like to add one more point here:

The passwords (or keys) do not need to be the same throughout the authenticated area, but both the key ID and password must be the same between neighbours.

Plus, AFAIK OSPF does not support key-chain config as it is supported in RIPv2 and EIGRP.

HTH,

regards,


shri :)
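
To show why both the key ID and the password have to match between neighbours, and why two routers with authentication enabled but no key still peer on the null key 0, here is an added Python sketch of the RFC 2328 Appendix D MD5 procedure. It is not from the thread or from Cisco; the router ID, area, sequence number and keyring values are constructed for the illustration.

```python
import hashlib
import hmac
import struct

OSPF_HEADER_LEN = 24   # fixed OSPFv2 header size
AUTYPE_CRYPTO = 2      # RFC 2328: AuType 2 = cryptographic authentication (MD5)
DIGEST_LEN = 16

def build_hello(router_id, area_id, key_id, seq, body=b""):
    """OSPFv2 header (+ placeholder body) with AuType 2 and checksum 0, as a sender builds it."""
    length = OSPF_HEADER_LEN + len(body)   # length field excludes the trailing digest
    # Auth field for AuType 2: reserved(2) | key id(1) | auth data length(1) | crypto sequence(4)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    hdr = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0, AUTYPE_CRYPTO)
    return hdr + auth + body

def pad_key(password):
    # The key is hashed as 16 bytes, zero padded; an empty password is the "null" key 0
    return password.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")

def sign(packet, password):
    # Digest covers the whole packet (key id and sequence included) followed by the padded key
    return packet + hashlib.md5(packet + pad_key(password)).digest()

def verify(frame, keyring):
    """Receiver side: keyring maps key id -> password, i.e. the local
    'ip ospf message-digest-key <id> md5 <pw>' entries on the interface."""
    packet, received = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    (autype,) = struct.unpack("!H", packet[14:16])
    key_id = packet[18]
    if autype != AUTYPE_CRYPTO or key_id not in keyring:
        return False   # wrong auth type, or the neighbour used a key id we never configured
    expected = hashlib.md5(packet + pad_key(keyring[key_id])).digest()
    return hmac.compare_digest(expected, received)

def demo():
    # Constructed values: router id 192.168.1.6, area 0, sequence 1
    rid, area = bytes([192, 168, 1, 6]), bytes(4)
    hello = build_hello(rid, area, key_id=1, seq=1)
    return {
        "same key id and password": verify(sign(hello, "cisco"), {1: "cisco"}),
        "same key id, wrong password": verify(sign(hello, "cisco"), {1: "1234567"}),
        "password under other key id": verify(sign(hello, "cisco"), {2: "cisco"}),
        # authentication enabled but no key on either side: both fall back to null key 0
        "null key 0 on both sides": verify(sign(build_hello(rid, area, 0, 1), ""), {0: ""}),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'adjacency forms' if ok else 'packet rejected'}")
```

The last case is the situation from the first post: authentication is switched on with no MD5 key defined, so both ends sign with the empty key 0 and accept each other.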
