01-22-2008 02:18 AM - edited 03-03-2019 08:21 PM
on router 1 interface i have following config
2821(config)#interface fastEthernet 0/1
2821(config-if)#ip ospf authentication message-digest
2821(config-if)#ip ospf authentication-key 7 1234567
while in show ip ospf interfaces i am getting following output
Message digest authentication enabled
No key configured, using default key id 0
wht this means ??
on the other end i have given difernet MD5 key as
ip ospf authentication-key 1 cisco.
The two routers shouldnt form adj bz of different MD5 keys but they are establishing the adj as i see in the neighbors tables of both routers and also they are able to ping each other
01-22-2008 02:20 AM
hi,
have you configured authentication under ospf process for that particualr area?
can u post the whole config?
regards,
shri :)
01-22-2008 05:01 AM
Hi,
First of all you need "ip ospf message-digest-key" to define the key when using MD5 (type2) not "ip ospf authentication-key" which is used with plain text (type1) authentication.
Secondly if i remember correctly, with type 1 (plain text) if you enabled authentication and didn't define the key, a null password will be used by default, and OSPF adjacency will form, i'll make sure if this is correct also for MD5 and feed you back.
BR,
Mohammed Mahmoud.
01-22-2008 06:01 AM
thanks mohammend...v v helpful
tell me one more thing
ip ospf message-digest-key 1 md5 cisco
what does this 1 means in the command, and i think we can use from 1 - 7 .Please explain whts these numbers means ?
01-22-2008 08:21 PM
hi,
Specifying authentication for an area sets the authentication to Type 1 (simple password). If this command is not included in the configuration file, authentication of Type 0 (no authentication) is assumed.
The authentication type must be the same for all routers and access servers in an area. The authentication password for all OSPF routers on a network must be the same if they are to communicate with each other
via OSPF. Use the ip ospf authentication-key interface command to specify this password.
If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf message-digest-key interface command.
example:
interface ethernet 0
ip address 192.168.251.201 255.255.255.0
ip ospf authentication-key adcdefgh
!
interface ethernet 1
ip address 10.56.0.201 255.255.0.0
ip ospf authentication-key ijklmnop
!
router ospf 201
network 10.0.0.0 0.255.255.255 area 10.0.0.0
network 192.168.0.0 0.0.255.255 area 0
area 10.0.0.0 authentication
area 0 authentication
HTH,
regards,
shri :)
01-23-2008 02:00 AM
Thanks...One more thing..
I have a router with one WAN and a LAN interface connected to my switch (3750).I have enabled MD5 auth for the WAN interface because this router's WAN is connected to my HO router which is using MD5. Furthermore i have also enabled auth on area level.
Now, the thing confusing me is that should i enable auth on the LAN interface also. I am not using OSPF on my 3750 switch.since i am advertising the LAN network on that switch (3750) so i am assuming to enable auth on that routers LAN interface and the interface of the switch also...
Help required ...
01-23-2008 02:13 AM
hi,
As per your statement you are not running OSPF on 3750.Hence altthough you are advertising that network on to the wan its not neccessary to do authentication on LAN interface.Authentication is neccessary between two ospf neighbours to communicate and transfer information.
In your case 3750 is not an OSPF peer so no need to configure authentication there.Configure authentication on each router particiapting in ospf process under same authenticated area.
HTH,
regards,
shri :)
**EDIT: here i am assuming that there is no other L3 device (ospf speaking) beyond the 3750 in the same area.
01-23-2008 05:55 AM
Hi,
Sorry i needed time to access a rack to verify my point, i can now confirm that if you enabled authentication (both type1(plain text) or type2 (MD5)) and didn't define the key, a null password will be used by default (Key 0).
CE-6#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
150.1.4.4 1 FULL/DR 00:00:36 192.168.1.4 FastEthernet0/0
CE-6#sh run int f0/0
Building configuration...
Current configuration : 135 bytes
!
interface FastEthernet0/0
ip address 192.168.1.6 255.255.255.0
ip ospf authentication message-digest
duplex auto
speed auto
end
As for the 1 in the command, it is called the Key ID, it allows the router to reference multiple passwords, making password migration easier and more secure, and it can be from 1 to 255.
BR,
Mohammed Mahmoud.
01-23-2008 07:44 PM
hi,
nice explanation by mohammed. :)
I will like to add one more poit here:
The passwords (or keys) do not need to be same throghout the authenticated area but both the key id & passwd must be same between neighbours.
Plus AFAIK ospf does not support key-chain confg as it is supported in rip v2 and eigrp.
HTH,
reagrds,
shri :)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide