Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

OSPF Authentication

 

Introduction

Routing protocols are used to exchange reachability information between routers. Routing information learned from peers is used to determine the next hop towards the destination. To route traffic correctly, it is necessary to prevent malicious or incorrect routing information from getting introduced into the routing table. This can be done by authenticating the routing updates exchanged between routers. Open Shortest Path First (OSPF) supports plain text authentication and Message Digest 5 (MD5) authentications.

 

Configuration overview:

Only three key point need to be remember while configuring authentication in OSPF

A) Types of Authentication:

There are three different types of authentication available for OSPF version 2:
1) Null authentication: Null authentication means that there is no authentication, which is the default on Cisco routers.
2) Clear text authentication: In this method of authentication, passwords are exchanged in clear text on the network
3) Cryptographic authentication: The cryptographic method uses the open standard MD5 (Message Digest type 5) encryption.

B) Enabling OSPF Authentication:

OSPF authentication can be enabling in two ways:
1) Per interface: Authentication is enabling per interface using the "ip ospf athentication" command.
2) Area authentication: Authentication for area can enable using "area authentication" command.

C) Configuring Authentication Key:

In either case password must be configure at interface using "ip ospf authentication-key" or "ip ospf message-digest-key" command

Configuration Example:

A)Area based authentication Example:

 

To enable OSPF MD5 authentication:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip ospf message-digest-key 1 md5 cisco@123
Router(config-if)#exit
Router(config)#router ospf 100
Router(config-router)#area 2 authentication message-digest
Router(config-router)#exit

To enable clear text authentication
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface f0/0
Router(config-if)#ip ospf authentication-key cisco@123
Router(config-if)#exit
Router(config)#router ospf 100
Router(config-router)#area 2 authentication
Router(config-router)#exit


Interface based authentication Example:

To enable OSPF MD5 authentication:
Router(config)#int fa0/0
Router(config-if)#ip ospf authentication message-digest
Router(config-if)#ip ospf message-digest-key 1 md5 cisco
Router(config-if)#exit
Router(config)#

To enable clear text authentication
Router(config)#int fa0/0
Router(config-if)#ip ospf authentication
Router(config-if)#ip ospf authentication-key cisco
Router(config-if)#exit
Router(config)#

 

OSPF commands for each authentication types:

 

Types of

Authentication

Area authentication

Command

Interface

Authentication

Command

Interface

Authentication

Key command

0-Null<no command>ip ospf authentication null<no command>
1-Clear Textarea number authenticationip ospf authentication ip ospf authentication-key Key-value
2-MD5area number authentication message-digestip ospf authentication message-digestip ospf message-digest-key key-num md5 Key-value

 

OSPF virtual link authentication:

Virual link is a interface in area 0.This mean if you enable authentication on Area 0 it will automatically turn authentication on virtual link but as discussed above password(Key) must need to enable on interface.As we know Virtual link doesnt have any interface on which you can configure authentication,authentication on virtual link can be configure using"area virtual-link" command under OSPF process.

Verification commands

Authentication failures can occur for two reasons:
1) Authentication type mismatch between neighbors
2) Authentication Key mismatch between neighbors

 

The below “debug ip ospf adj" output indicate mismatch in authentication type.
Router#debug ip ospf adj
OSPF adjacency events debugging is on
*Mar  1 00:02:30.279: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0

*Mar  1 00:02:39.603: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0

Router#sh ip ospf int fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.1.1.2/24, Area 0
  Process ID 100, Router ID 10.1.1.2, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.1.1.2, Interface address 10.1.1.2
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
Message digest authentication enabled
    Youngest key id is 1

Related Information:

Sample Configuration for Authentication in OSPF

Configuring OSPF Authentication on a Virtual Link

 

 

                                   

Base Initial configuration:

 

 

 

Comments
Community Member

I am searching this doc only

Thanks

34383
Views
5
Helpful
1
Comments