OSPF auth

Unanswered Question
Jan 22nd, 2008

on router 1 interface i have following config

2821(config)#interface fastEthernet 0/1

2821(config-if)#ip ospf authentication message-digest

2821(config-if)#ip ospf authentication-key 7 1234567

while in show ip ospf interfaces i am getting following output

Message digest authentication enabled

No key configured, using default key id 0

wht this means ??

on the other end i have given difernet MD5 key as

ip ospf authentication-key 1 cisco.

The two routers shouldnt form adj bz of different MD5 keys but they are establishing the adj as i see in the neighbors tables of both routers and also they are able to ping each other

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 4.5 (3 ratings)
shrikar.dange Tue, 01/22/2008 - 02:20

hi,

have you configured authentication under ospf process for that particualr area?

can u post the whole config?

regards,

shri :)

mohammedmahmoud Tue, 01/22/2008 - 05:01

Hi,

First of all you need "ip ospf message-digest-key" to define the key when using MD5 (type2) not "ip ospf authentication-key" which is used with plain text (type1) authentication.

Secondly if i remember correctly, with type 1 (plain text) if you enabled authentication and didn't define the key, a null password will be used by default, and OSPF adjacency will form, i'll make sure if this is correct also for MD5 and feed you back.

BR,

Mohammed Mahmoud.

munawar.zeeshan Tue, 01/22/2008 - 06:01

thanks mohammend...v v helpful

tell me one more thing

ip ospf message-digest-key 1 md5 cisco

what does this 1 means in the command, and i think we can use from 1 - 7 .Please explain whts these numbers means ?

shrikar.dange Tue, 01/22/2008 - 20:21

hi,

Specifying authentication for an area sets the authentication to Type 1 (simple password). If this command is not included in the configuration file, authentication of Type 0 (no authentication) is assumed.

The authentication type must be the same for all routers and access servers in an area. The authentication password for all OSPF routers on a network must be the same if they are to communicate with each other

via OSPF. Use the ip ospf authentication-key interface command to specify this password.

If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf message-digest-key interface command.

example:

interface ethernet 0

ip address 192.168.251.201 255.255.255.0

ip ospf authentication-key adcdefgh

!

interface ethernet 1

ip address 10.56.0.201 255.255.0.0

ip ospf authentication-key ijklmnop

!

router ospf 201

network 10.0.0.0 0.255.255.255 area 10.0.0.0

network 192.168.0.0 0.0.255.255 area 0

area 10.0.0.0 authentication

area 0 authentication

HTH,

regards,

shri :)

munawar.zeeshan Wed, 01/23/2008 - 02:00

Thanks...One more thing..

I have a router with one WAN and a LAN interface connected to my switch (3750).I have enabled MD5 auth for the WAN interface because this router's WAN is connected to my HO router which is using MD5. Furthermore i have also enabled auth on area level.

Now, the thing confusing me is that should i enable auth on the LAN interface also. I am not using OSPF on my 3750 switch.since i am advertising the LAN network on that switch (3750) so i am assuming to enable auth on that routers LAN interface and the interface of the switch also...

Help required ...

shrikar.dange Wed, 01/23/2008 - 02:13

hi,

As per your statement you are not running OSPF on 3750.Hence altthough you are advertising that network on to the wan its not neccessary to do authentication on LAN interface.Authentication is neccessary between two ospf neighbours to communicate and transfer information.

In your case 3750 is not an OSPF peer so no need to configure authentication there.Configure authentication on each router particiapting in ospf process under same authenticated area.

HTH,

regards,

shri :)

**EDIT: here i am assuming that there is no other L3 device (ospf speaking) beyond the 3750 in the same area.

mohammedmahmoud Wed, 01/23/2008 - 05:55

Hi,

Sorry i needed time to access a rack to verify my point, i can now confirm that if you enabled authentication (both type1(plain text) or type2 (MD5)) and didn't define the key, a null password will be used by default (Key 0).

CE-6#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

150.1.4.4 1 FULL/DR 00:00:36 192.168.1.4 FastEthernet0/0

CE-6#sh run int f0/0

Building configuration...

Current configuration : 135 bytes

!

interface FastEthernet0/0

ip address 192.168.1.6 255.255.255.0

ip ospf authentication message-digest

duplex auto

speed auto

end

As for the 1 in the command, it is called the Key ID, it allows the router to reference multiple passwords, making password migration easier and more secure, and it can be from 1 to 255.

BR,

Mohammed Mahmoud.

shrikar.dange Wed, 01/23/2008 - 19:44

hi,

nice explanation by mohammed. :)

I will like to add one more poit here:

The passwords (or keys) do not need to be same throghout the authenticated area but both the key id & passwd must be same between neighbours.

Plus AFAIK ospf does not support key-chain confg as it is supported in rip v2 and eigrp.

HTH,

reagrds,

shri :)

Actions

Login or Register to take actions

This Discussion

Posted January 22, 2008 at 2:18 AM
Stats:
Replies:8 Avg. Rating:4.5
Views:435 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard