Key chain, MD5 authentication in OSPF

sarahr202
Level 5

Hi everybody

Can we use a key chain with OSPF for MD5 authentication?

My book shows an example of using a key chain with EIGRP for MD5 authentication. I am just wondering if the same is possible for OSPF.

thanks

Jerry Ye
Cisco Employee

Hi Sarah,

OSPF is not using a key chain; it is using the authentication key you configured at the OSPF process or interface level.

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ospf_cfg_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1054174

HTH,

jerry

Lucien Avramov
Level 10

That is correct

Here is an example of how you do it:

Interface level:

R5(config-if)#ip ospf authentication message-digest

R5(config-if)#ip ospf authentication-key MYKEY

Or

Process-level:

R5(config-router)#area 0 authentication message-digest

R5(config-if)#ip ospf authentication-key MYKEY

The authentication-key is typed at the interface level.

Key chain is for EIGRP or RIP

In case someone else finds this post, currently IOS-XE (and maybe XR) does support key chain.
Have a look here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iro-ospfv2-crypto-authen-xe.html

Hi,

Key chain is for EIGRP or RIP

... or for IS-IS with the new-style authentication :)

Best regards,

Peter

I know I'm posting on a very old thread but I feel it necessary to point out that this is incorrect just in case someone stumbles across this post as I have.

R5(config-if)#ip ospf authentication message-digest

R5(config-if)#ip ospf authentication-key MYKEY (This is the command used for a plain text authentication key. This in combination with the above command would cause authentication not to be used at all.)

The correct configuration would be as follows:

R5(config-if)#ip ospf authentication message-digest

R5(config-if)#ip ospf message-digest-key 1 md5 MYKEY

The same applies for process level configuration.

OSPF now supports key-chain authentication starting with IOS 15.4(1)T (specification RFC 5709). It now also supports HMAC-SHA encryption, not only MD5.

More importantly, in the previous example, when the ip ospf authentication message-digest (!!!) command is used, the command that allows using an MD5-hashed password

is NOT <ip ospf authentication-key YOUR_PASS>

The CORRECT command is <ip ospf message-digest-key 1 md5 YOUR_PASS>

!!!!

If you use the first command and run a packet capture, you will read the password sent in clear text!!!!!

service password-encryption

interface g0/0

ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 046B2A353C  << hashed "PASS"

KEY-CHAIN example:

Device# configure terminal

Device(config)# key chain sample1

Device(config-keychain)# key 1

Device(config-keychain-key)# key-string ThisIsASampleKey12345

Device(config-keychain-key)# cryptographic-algorithm hmac-sha-256

Device(config-keychain-key)# send-lifetime local 10:00:00 5 July 2013 infinite

Device(config-keychain-key)# end
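
The mismatch discussed in this thread (message-digest mode enabled on an interface, but the key entered with ip ospf authentication-key instead of ip ospf message-digest-key) can be checked for in saved configurations. The following is an added example, not code from any poster or from Cisco; it assumes running-config style text with sub-commands indented under each interface line, and the sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf authentication-key MYKEY
!
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 MYKEY
!
interface GigabitEthernet0/2
 ip ospf authentication-key MYKEY
!
"""

# An "interface ..." line followed by its indented sub-command lines.
STANZA = re.compile(r"^interface[ \t]+(.+)\n((?:[ \t]+.*(?:\n|\Z))*)", re.M)

def interface_blocks(config):
    """Yield (interface name, [sub-commands]) for each interface stanza."""
    for m in STANZA.finditer(config):
        yield m.group(1).strip(), [c.strip() for c in m.group(2).splitlines()]

def audit_ospf_auth(config):
    """Return {interface: [findings]} for OSPF authentication mismatches."""
    findings = {}
    for name, cmds in interface_blocks(config):
        md_mode = "ip ospf authentication message-digest" in cmds
        md_key = any(c.startswith("ip ospf message-digest-key ") for c in cmds)
        plain_key = any(c.startswith("ip ospf authentication-key ") for c in cmds)
        issues = []
        if md_mode and not md_key:
            issues.append("message-digest mode without message-digest-key")
        if plain_key:
            issues.append("plain-text authentication-key configured")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for intf, issues in audit_ospf_auth(SAMPLE_CONFIG).items():
        print(intf, "->", "; ".join(issues))
```

The check covers interface-level commands only; area-level authentication under the router process is not resolved to interfaces here.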
