Configuring OSPF MD5 authentication question

keeleym
Level 5

Hi All

Just want to check something with you guys.

According to some CCNP study material I have, I would use the following commands to configure OSPF MD5 authentication between routers,

R1_FRHUB#conf t

R1_FRHUB(config)#int s0

R1_FRHUB(config-if)#ip ospf authentication

R1_FRHUB(config-if)#ip ospf message-digest-key 1 md5 ccnp

However just playing around in my lab and I input the following commands,

R1_FRHUB#conf t

R1_FRHUB(config)#int s0

R1_FRHUB(config-if)#ip ospf authentication message-digest

R1_FRHUB(config-if)#ip ospf authentication-key 1 ccnp

This appears to have worked as my neighbor adjacencies re-established and I have full connectivity. But I am not sure whether this 2nd method is WRONG!! or whether this is just another way to configure MD5 authentication.

Was hoping some of the more knowledgeable guys on here could explain any differences in the 2 configuration methods.

I do notice from running the "debug ip ospf packet" command that the output is slightly different depending on which method is used.

*** Debug output when using study guide method ***

R2-FRSP1#debug ip ospf pac

OSPF packet debugging is on

R2-FRSP1#

*Mar 1 01:36:58.519: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:411C aut:1 auk: from Serial1/0

R2-FRSP1#

*Mar 1 01:37:03.463: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:411C aut:1 auk: from Serial1/0

R2-FRSP1#

*Mar 1 01:37:08.499: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:411C aut:1 auk: from Serial1/0

R2-FRSP1#u a

*Mar 1 01:37:13.487: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:411C aut:1 auk: from Serial1/0

R2-FRSP1#u all

***** End of Output *******

###### Debug output when using other method #####

R2-FRSP1#

*Mar 1 01:33:08.495: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA13 from Serial1/0

R2-FRSP1#

*Mar 1 01:33:13.491: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA18 from Serial1/0

R2-FRSP1#

*Mar 1 01:33:18.511: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA1D from Serial1/0

R2-FRSP1#

*Mar 1 01:33:23.471: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA22 from Serial1/0

R2-FRSP1#

*Mar 1 01:33:28.503: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA27 from Serial1/0

R2-FRSP1#

*Mar 1 01:33:33.451: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA2C from Serial1/0

R2-FRSP1#

*Mar 1 01:33:38.483: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA30 from Serial1/0

###### End of Output #####

The difference comes after the "aid:0.0.0.0" in the debug output

Best Regards & TIA,

Michael

6 Replies

shrikar.dange
Level 1

Hi Michael,

As per my knowledge both methods are correct!!!! The only thing is when you use message-digest-key you are doing MD5 authentication, whereas when you are using simple authentication-key clear text authentication is taking place.

Let's hear more from the experts. Correct me if I am wrong.

Regards,

shri!!! :)

mazhar mahadik
Level 1

Hi Michael

In your first config you have enabled authentication (type 1, you can verify in debug aut:1) and the key which you have provided is for MD5 authentication.

But

In your second config you have enabled MD5 authentication (type 2, you can verify in debug aut:2) and the key which you have provided by the command (ip ospf authentication-key 1 ccnp) is for clear-text authentication. You can verify this in the second debug output: keyid is 0 (Mar 1 01:33:38.483: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11

aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA30 from Serial1/0)
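The reply above reads the authentication type from the aut: and keyid: fields of the debug output. As an added example (not part of the thread), the Python below parses "debug ip ospf packet" lines and reports, per received packet, the AuType and any mismatch with the key ID the interface was meant to use. The names `audit` and `expected_keyid` are invented here, the AuType meanings are those of the OSPFv2 header in RFC 2328, and the sample lines are copied from the first post.

```python
import re

# AuType in the OSPFv2 header (RFC 2328): 0 null, 1 simple password, 2 cryptographic
AUTYPE = {0: "null", 1: "simple-password", 2: "cryptographic (MD5)"}

PKT = re.compile(
    r"OSPF: rcv\. v:(?P<v>\d+) t:(?P<t>\d+) l:(?P<l>\d+) rid:(?P<rid>\S+)\s+"
    r"aid:(?P<aid>\S+) chk:(?P<chk>[0-9A-Fa-f]+) aut:(?P<aut>\d+)"
    r"(?: auk:\S*)?(?: keyid:(?P<keyid>\d+) seq:(?P<seq>0x[0-9A-Fa-f]+))?"
    r" from (?P<intf>\S+)"
)

# Lines copied from the debug output in the first post (wrapped as on the page).
SAMPLE = """
*Mar 1 01:36:58.519: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11
 aid:0.0.0.0 chk:411C aut:1 auk: from Serial1/0
*Mar 1 01:33:08.495: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11
 aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA13 from Serial1/0
*Mar 1 01:33:13.491: OSPF: rcv. v:2 t:1 l:52 rid:11.11.11.11
 aid:0.0.0.0 chk:0 aut:2 keyid:0 seq:0x3C7EDA18 from Serial1/0
"""

def audit(debug_text, expected_keyid=1):
    """Return (rid, interface, auth type, issues) for every received packet."""
    findings, last_seq = [], {}
    # Collapse whitespace so log lines wrapped by the terminal parse as one line.
    for m in PKT.finditer(" ".join(debug_text.split())):
        aut, issues = int(m["aut"]), []
        if aut != 2:
            issues.append("not message-digest")
        else:
            keyid, seq = int(m["keyid"]), int(m["seq"], 16)
            if keyid != expected_keyid:
                issues.append(f"keyid {keyid} != configured {expected_keyid}")
            nbr = (m["rid"], m["intf"])
            # RFC 2328: the cryptographic sequence number must never decrease.
            if nbr in last_seq and seq < last_seq[nbr]:
                issues.append("sequence number went backwards")
            last_seq[nbr] = seq
        findings.append((m["rid"], m["intf"], AUTYPE.get(aut, "unknown"), issues))
    return findings

if __name__ == "__main__":
    for rid, intf, kind, issues in audit(SAMPLE):
        print(rid, intf, kind, "; ".join(issues) or "ok")
```
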

Hi Guys

Thanks guys for the responses, but that then brings up the following question.

When configuring OSPF Authentication are there in fact three options?

1). Clear Text authentication (non message digest)

2). Message Digest Clear Text Authentication

3). Message Digest 5 Encrypted Authentication

The reason I ask is because (again from my study material),

To configure OSPF clear text authentication the following commands are shown

R1_FRHUB#conf t

R1_FRHUB(config)#int s0

R1_FRHUB(config-if)#ip ospf authentication-key ccnp

R1_FRHUB(config-if)#ip ospf authentication

To configure OSPF MD5 authentication, these commands are shown,

R1_FRHUB#conf t

R1_FRHUB(config)#int s0

R1_FRHUB(config-if)#ip ospf authentication

R1_FRHUB(config-if)#ip ospf message-digest-key 1 md5 ccnp

However, earlier on while experimenting with my lab I entered the following commands,

R1_FRHUB#conf t

R1_FRHUB(config)#int s0

R1_FRHUB(config-if)#ip ospf authentication message-digest

R1_FRHUB(config-if)#ip ospf authentication-key 1 ccnp

What is confusing me is the option "message-digest" in the command "ip ospf authentication message-digest"

IOS help shows the following when I run the command "ip ospf authentication ?"

R1-FRHUB(config-if)#ip ospf authentication ?

message-digest Use message-digest authentication

null Use no authentication

Where it states that the use of the "message-digest" option is to "Use message-digest authentication"

So what I do not understand is the difference between

R1_FRHUB(config-if)#ip ospf authentication

R1_FRHUB(config-if)#ip ospf message-digest-key 1 md5 ccnp

-and-

R1_FRHUB(config-if)#ip ospf authentication message-digest

R1_FRHUB(config-if)#ip ospf authentication-key 1 ccnp

Unless there is a clear text version of message digest authentication. In which case I do not understand why there would be two methods of clear text authentication available with OSPF.

Alternatively, maybe I should be using the following command syntax to configure MD5 authentication?

R1_FRHUB(config-if)#ip ospf authentication message-digest

R1_FRHUB(config-if)#ip ospf message-digest-key 1 md5 ccnp

(I wish it was possible to mark text in bold to help highlight stuff)

Best Regards & Thanks again for your responses,

Michael

Hi There

Just wondering if anybody else has anything to add?

Best Regards,

Michael

Hi Michael,

This link will be helpful to understand the commands:

http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_i1gt.html#wp1108310

And this link would be good for technology:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

My understanding is that unless and until you specify the message-digest key, the "ip ospf authentication message-digest" command will not take effect. (It will authenticate over the clear-text key provided.)

So basically there are 3 methods for authentication:

1)Null (default)

2)Simple or clear text

3)Message digest (MD5)

Let's hear more from experts.

regards,

shri!!! :)

Hi Michael,

Shrikar is absolutely right, only a small correction: there are only 2 types of authentication, clear text and MD5. OSPF supports both while EIGRP only supports MD5. Shrikar, it's good to see you back in business.

Please refer to Mazhar's post, which is very useful. Mazhar, you deserve a rating.

HTH,

Cheers,

Nikhil E.
