08-15-2009 09:49 AM - edited 03-06-2019 07:16 AM
Hi everybody.
We have the following commands configured on a router; which one will take precedence?
area 1 authentication
int f0
ip ospf authentication message-digest
Will the router use MD5 on f0 or simple plain-text authentication?
Thanks a lot and have a nice weekend.
08-15-2009 09:56 AM
Message digest authentication enabled
When both are enabled, the message digest seems to dominate:
R5#show ip ospf int f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 2.2.2.5/24, Area 0
Process ID 2, Router ID 2.2.2.5, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 136.1.124.4, Interface address 2.2.2.4
Backup Designated router (ID) 2.2.2.5, Interface address 2.2.2.5
Flush timer for old DR LSA due in 00:00:40
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 136.1.124.4 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
No key configured, using default key id 0
R5#
08-15-2009 10:12 AM
Thanks Lavramov.
How about if we configured
area 1 authentication message-digest
int f0
ip ospf authentication
Will message digest still dominate?
Thanks
08-15-2009 10:16 AM
No, it will be the clear text, as it's the interface configuration again that is used first.
R5#show ip ospf int f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 2.2.2.5/24, Area 0
Process ID 2, Router ID 2.2.2.5, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 2.2.2.5, Interface address 2.2.2.5
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
08-15-2009 10:14 AM
Hello,
The command "ip ospf authentication" is always preferred over the area-wide authentication type. In your example, Fa0 would use the MD5 authentication type. In other words, you can always override the area-wide authentication type directly on a particular interface.
Best regards,
Peter
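The two answers above state the precedence rule. As an added example (not from the thread or from Cisco), the following Python script reads an IOS-style configuration, resolves the effective OSPF authentication type of each OSPF-enabled interface the way IOS does (interface command first, then the area command, otherwise none), and flags the outcomes a reviewer would care about: plain text in use, or message-digest enabled with no key configured. The configuration text, interface names, addresses and keys are constructed for the example.

```python
"""Effective OSPFv2 authentication per interface, resolved as IOS does it:
'ip ospf authentication [message-digest|null]' on the interface wins, else the
'area N authentication [message-digest]' of the interface's area, else none.
Added example, not from the thread or from Cisco; SAMPLE_CONFIG is constructed."""
import ipaddress
import re

AREA_AUTH_RE = re.compile(r"^area (\S+) authentication(?: (message-digest))?$")
NETWORK_RE = re.compile(r"^network (\S+) (\S+) area (\S+)$")
IF_AUTH_RE = re.compile(r"^ip ospf authentication(?: (message-digest|null))?$")

SAMPLE_CONFIG = """\
router ospf 1
 network 10.0.0.0 0.0.1.255 area 1
 network 10.0.2.0 0.0.0.255 area 0
 network 10.0.3.0 0.0.0.255 area 2
 area 1 authentication
 area 2 authentication message-digest
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 S3cret
!
interface FastEthernet1
 ip address 10.0.1.1 255.255.255.0
 ip ospf authentication-key plainpw
!
interface FastEthernet2
 ip address 10.0.2.1 255.255.255.0
 ip ospf authentication message-digest
!
interface FastEthernet3
 ip address 10.0.3.1 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key plainpw
"""

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def parse_config(text):
    area_auth, networks, interfaces, cfg = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # a column-0 line starts a new section
            cfg = None
            if line.startswith("router ospf "):
                cfg = "ospf"
            elif line.startswith("interface "):
                cfg = interfaces.setdefault(line.split(None, 1)[1], {
                    "ip": None, "area": None, "auth": None, "md5_keys": [], "simple_key": None})
            continue
        if cfg == "ospf":
            if m := AREA_AUTH_RE.match(line):
                area_auth[m.group(1)] = m.group(2) or "simple"
            elif m := NETWORK_RE.match(line):
                networks.append((_addr(m.group(1)), _addr(m.group(2)), m.group(3)))
        elif cfg is not None:
            if line.startswith("ip address "):
                cfg["ip"] = line.split()[2]
            elif line.startswith("ip ospf message-digest-key "):
                cfg["md5_keys"].append(int(line.split()[3]))
            elif line.startswith("ip ospf authentication-key "):
                cfg["simple_key"] = line.split()[3]
            elif m := IF_AUTH_RE.match(line):
                cfg["auth"] = m.group(1) or "simple"
    # The most specific matching network statement puts an interface into its area.
    networks.sort(key=lambda n: bin(n[1]).count("1"))
    for c in interfaces.values():
        if c["ip"]:
            ip = _addr(c["ip"])
            c["area"] = next((a for net, wild, a in networks if (ip | wild) == (net | wild)), None)
    return area_auth, interfaces

def effective_auth(cfg, area_auth):
    """Interface command first, then the area command, otherwise no authentication."""
    if cfg["auth"] is not None:
        return cfg["auth"]
    return area_auth.get(cfg["area"], "null")

def audit(text):
    area_auth, interfaces = parse_config(text)
    report = {}
    for name, cfg in interfaces.items():
        if cfg["area"] is None:
            continue  # interface is not running OSPF
        auth = effective_auth(cfg, area_auth)
        warnings = []
        if auth == "null":
            warnings.append("no OSPF authentication")
        elif auth == "simple":
            warnings.append("password sent in clear text in every OSPF packet")
        elif not cfg["md5_keys"]:  # the 'No key configured, using default key id 0' case above
            warnings.append("message-digest enabled but no message-digest-key configured")
        report[name] = {"area": cfg["area"], "auth": auth, "warnings": warnings}
    return report

if __name__ == "__main__":
    for name, r in audit(SAMPLE_CONFIG).items():
        print("%-16s area %-2s %-15s %s" % (name, r["area"], r["auth"], "; ".join(r["warnings"]) or "ok"))
```

Against the constructed configuration this reports FastEthernet0 as message-digest (the interface command beats `area 1 authentication`), FastEthernet1 as plain text inherited from area 1, FastEthernet2 as message-digest without a key, and FastEthernet3 as plain text despite `area 2 authentication message-digest`, the two cases asked about above. Area membership is taken from `network` statements with the most specific wildcard winning, as IOS does; interfaces placed into OSPF with `ip ospf N area` are not handled by this script.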
08-15-2009 11:39 AM
Thanks Peter.
How about if we have two routers, R1 and R2.
R1 is configured with plain text while R2 is not using any authentication.
R1-------R2
R1 receives a hello from R2. If I use the command show ip ospf neighbors on R1, will it show the neighbor (R2) state as "init"?
Thanks a lot and have a nice weekend.
08-15-2009 12:14 PM
Hello,
In this case, neither of these routers will display the other one as a neighbor, so not even in INIT state. To consider somebody a neighbor, there are several parameters in the Hello packet that must match the local configuration, and one of these parameters is the authentication. A neighbor whose data in the Hello packet does not match ours is not considered a valid neighbor, and all its OSPF packets are dropped.
Best regards,
Peter
08-15-2009 12:21 PM
There will be a mismatch message on R1, and it will not even go to init, as it will not exchange LSAs.
*Aug 15 20:18:08.197: OSPF: Rcv pkt from 2.2.2.5, FastEthernet0/1 : Mismatch Authentication Key - Clear Text
08-15-2009 02:05 PM
Thanks Lavramov.
One more quick question if you don't mind.
My book also shows the authentication type by number in OSPF. For example:
type
0 means null authentication
1 means clear text
2 means MD5
What is the use of these type values? I did not see any usage of them while configuring clear text or MD5 authentication in OSPF.
Thanks
08-15-2009 02:15 PM
Hello,
These numerical types are used within OSPF packets to identify the type of authentication mechanism that was used to protect the given OSPF packet. You do not use these numbers directly in OSPF configuration but if you eventually configure a particular type of authentication, the corresponding number will be used as a value in a particular field of the authentication section in an OSPF packet to identify the authentication method.
You may want to read the entire Appendix D of the RFC 2328 where the OSPFv2 is defined:
http://tools.ietf.org/html/rfc2328#appendix-D
Best regards,
Peter
08-15-2009 02:16 PM
This is a convention. The numerical value is set in the packet.
The router uses those numerical values instead of the name of the authentication.
You don't use those values to configure the router; the router uses them to communicate the authentication type.
On the router you configure those values with words, as in the examples pointed out earlier.
From the OSPF debug, you see for the packets:
*Aug 15 22:17:59.220: OSPF: rcv. v:2 t:4 l:60 rid:136.1.124.4
aid:0.0.0.0 chk:931E aut:0 auk: from FastEthernet0/1
aut:0 = null
Another example, with clear text:
*Aug 15 22:15:55.420: OSPF: rcv. v:2 t:1 l:48 rid:136.1.124.4
aid:0.0.0.0 chk:DC7F aut:1 auk: from FastEthernet0/1
Here aut=1.
On this topic, read the following doc as well:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml
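The three AuType values covered in the last two answers, and the drop on mismatch described a few posts earlier, as an added example (not from the thread, from Cisco or from the RFC): a Python script that builds OSPF Hello packets with null, simple-password and MD5 authentication following RFC 2328 Appendix D, decodes the same header fields the IOS debug line prints (v, t, l, rid, aid, chk, aut), and applies the receive-side checks, so a packet from a neighbor with a different authentication type or key is refused before any neighbor state exists. Router IDs reuse the addresses from the outputs in the thread; the keys and the sequence number are constructed.

```python
"""OSPFv2 authentication on the wire (RFC 2328 Appendix D).
Added example, not from the thread: builds Hello packets with AuType 0/1/2,
decodes the header fields the IOS debug shows (v t l rid aid chk aut) and
applies the receive-side checks that make a neighbour with a different
authentication type or key disappear. Keys and sequence number are constructed."""
import hashlib
import hmac
import struct

AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_MD5 = 0, 1, 2
AUTYPE_NAMES = {0: "null", 1: "simple password", 2: "cryptographic (MD5)"}
OSPF_HELLO = 1
HDR_LEN = 24  # 16 bytes of fixed header + 64-bit authentication field

def ip4(text):
    return bytes(int(x) for x in text.split("."))

def dotted(raw):
    return ".".join(str(b) for b in raw)

def ip_checksum(data):
    """Ones-complement Internet checksum; yields 0 when run over intact data + checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def hello_body(netmask="255.255.255.0", hello=10, dead=40, dr="0.0.0.0",
               bdr="0.0.0.0", neighbors=()):
    body = ip4(netmask) + struct.pack("!HBBI", hello, 0x02, 1, dead) + ip4(dr) + ip4(bdr)
    return body + b"".join(ip4(n) for n in neighbors)

def build_packet(router_id, area_id, body, autype, key=b"", key_id=1, seq=0):
    """Hello packet with the given AuType; the MD5 digest is appended after the
    packet and is not counted in the length field (D.3)."""
    length = HDR_LEN + len(body)
    hdr16 = struct.pack("!BBH4s4sHH", 2, OSPF_HELLO, length,
                        ip4(router_id), ip4(area_id), 0, autype)
    if autype == AUTYPE_MD5:
        # Auth field layout: 0, key id, auth data length (16), cryptographic sequence number.
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = hdr16 + auth + body  # checksum field stays zero for AuType 2
        # A key shorter than 16 bytes is padded with zeros, as IOS does.
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()
    auth = key.ljust(8, b"\x00")[:8] if autype == AUTYPE_SIMPLE else b"\x00" * 8
    ck = ip_checksum(hdr16 + body)  # checksum excludes the 64-bit auth field (8.1)
    return hdr16[:12] + struct.pack("!H", ck) + hdr16[14:] + auth + body

def parse_header(pkt):
    """Same fields as the 'OSPF: rcv. v:2 t:1 l:48 rid:... aid:... chk:... aut:...' debug line."""
    v, t, length, rid, aid, ck, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    return {"v": v, "t": t, "l": length, "rid": dotted(rid), "aid": dotted(aid),
            "chk": "%04X" % ck, "aut": autype, "auth": pkt[16:HDR_LEN]}

def check_auth(pkt, local_autype, simple_key=b"", md5_keys=None):
    """Receive-side checks (D.4.3). Any failure drops the packet, so the sender
    never shows up as a neighbour, not even in INIT. Returns (accepted, reason)."""
    h = parse_header(pkt)
    if h["aut"] != local_autype:
        return False, "mismatch authentication type: %s received, %s configured" % (
            AUTYPE_NAMES.get(h["aut"], h["aut"]), AUTYPE_NAMES[local_autype])
    length = h["l"]
    if local_autype == AUTYPE_MD5:
        _, key_id, data_len, seq = struct.unpack("!HBBI", h["auth"])
        key = (md5_keys or {}).get(key_id)
        if key is None or data_len != 16:
            return False, "unknown key id %d or bad auth data length" % key_id
        expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\x00")).digest()
        if not hmac.compare_digest(expected, pkt[length:length + 16]):
            return False, "mismatch authentication key (MD5)"
        # A real receiver also rejects seq below the last value seen from this neighbour.
        return True, "MD5 ok, key id %d, seq %d" % (key_id, seq)
    if local_autype == AUTYPE_SIMPLE and h["auth"] != simple_key.ljust(8, b"\x00")[:8]:
        return False, "mismatch authentication key (clear text)"
    if ip_checksum(pkt[:16] + pkt[HDR_LEN:length]) != 0:
        return False, "bad checksum"
    return True, AUTYPE_NAMES[local_autype] + " ok"

if __name__ == "__main__":
    body = hello_body(dr="2.2.2.4", bdr="2.2.2.5", neighbors=["136.1.124.4"])
    for autype, key in ((AUTYPE_NULL, b""), (AUTYPE_SIMPLE, b"cisco"), (AUTYPE_MD5, b"S3cret")):
        h = parse_header(build_packet("2.2.2.5", "0.0.0.0", body, autype, key=key, seq=100))
        print("v:%d t:%d l:%d rid:%s aid:%s chk:%s aut:%d auth:%s" % (
            h["v"], h["t"], h["l"], h["rid"], h["aid"], h["chk"], h["aut"], h["auth"].hex()))
    # R1 (clear text) hearing R2 (no authentication): dropped before any neighbour state.
    print(check_auth(build_packet("2.2.2.4", "0.0.0.0", body, AUTYPE_NULL),
                     AUTYPE_SIMPLE, simple_key=b"cisco"))
```

Two details are worth seeing in the code. With AuType 1 the password sits readable in the 64-bit authentication field of every packet, which is why `parse_header` can hand it back. With AuType 2 the checksum field is zero and the 16-byte digest follows the packet without being counted in its length, so the 48-byte Hello from the debug output arrives as 64 bytes on the wire. The zero padding of keys shorter than 16 bytes follows IOS behaviour rather than anything in the RFC text.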