
EIGRP and MD5 authentication

barryanns
Level 1

Hi,

I'm trying to find something out. I want to know if you need to have the same key ID with EIGRP between two interfaces that are authenticating with each other.

E.g. - you use MD5 authentication to secure EIGRP. You then choose an MD5 pre-shared key and this is associated with a key ID that you have to choose, i.e. 1. It is not clear within Cisco documentation as to whether this key ID has to be the same at both ends.

With OSPF, the key ID definitely has to be the same at both ends - http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3ospf.html -

"message-digest-key key-id md5 [encryption-type] key

Example:

RP/0/RP0/CPU0:router(config-router)#

message-digest-key 4 md5 0 yourkey

Specifies the MD5 authentication key for the OSPF process.

•Your neighbor router must have the same key identifier."

I'd appreciate confirmation, preferably with a source to confirm this for me.

Thanks.

4 Replies

Edison Ortiz
Hall of Fame

EIGRP employs a key chain instead of a key ID as OSPF does.

Here is a sample config for EIGRP MD5:

First, you create the key-chain

_____________

key chain EIGRP

key 1

key-string CISCO

_______________

Second, you apply the key-chain to the interface

________________

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 EIGRP

________________

The '1' on the example above is not the key-id but the EIGRP AS number.

HTH,

Edison,

I just tested and I receive an error if the key IDs are not the same.

Also, I doubt that the key ID references the EIGRP AS.

This is what I tested:

R1

key chain test1

key 2

key-string cisco

interface Serial2/0

ip address 10.10.10.1 255.255.255.0

ip authentication mode eigrp 100 md5

ip authentication key-chain eigrp 100 test1

On R2

key chain test

key 1

key-string cisco

interface Serial2/0

ip address 10.10.10.2 255.255.255.0

ip authentication mode eigrp 100 md5

ip authentication key-chain eigrp 100 test

See the debug output. Now if I change the key ID to 1 on R1, the adjacency comes up (the number used is not the EIGRP AS).

*Mar 1 00:05:38.111: EIGRP: Sending HELLO on Serial2/0

*Mar 1 00:05:38.111: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

*Mar 1 00:05:39.451: EIGRP: pkt authentication key id = 2, key not defined or not live

*Mar 1 00:05:39.451: EIGRP: Serial2/0: ignored packet from 10.10.10.1, opcode = 5 (invalid authentication)

*Mar 1 00:05:42.775: EIGRP: Sending HELLO on Serial2/0

*Mar 1 00:05:42.775: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

*Mar 1 00:05:44.215: EIGRP: pkt authentication key id = 2, key not defined or n

R1(config)#key chain test1

R1(config-keychain)#key

R1(config-keychain)#key 1

R1(config-keychain-key)#key

R1(config-keychain-key)#key-string cisco

R1(config-keychain-key)#^Z

R1#

R1#

R1#

*Mar 1 00:13:00.703: %SYS-5-CONFIG_I: Configured from console by console

*Mar 1 00:13:01.379: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.10.10.2 (Serial2/0) is up: new adjacency

R1#

Am I missing something?

Narayan
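An offline consistency check based on the R1/R2 test above, added here as an example and not written by anyone in this thread: it parses two IOS-style configs and reports, per direction, whether the key ID the sender would use is defined on the receiver with the same key-string. Function names are hypothetical, the sample configs are constructed from the snippets in the post, and it assumes the sender signs with its lowest-numbered key and ignores key lifetimes.

```python
import re

def parse_key_chains(config):
    """Return {chain_name: {key_id: key_string}} from IOS-style config text."""
    chains, chain, key_id = {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain, key_id = chains.setdefault(m.group(1), {}), None
        elif chain is not None and (m := re.fullmatch(r"key (\d+)", line)):
            key_id = int(m.group(1))
            chain.setdefault(key_id, None)
        elif key_id is not None and (m := re.fullmatch(r"key-string (?:\d+ )?(\S+)", line)):
            chain[key_id] = m.group(1)
        elif line and not line.startswith("!"):
            chain = key_id = None  # any other command leaves key-chain mode
    return chains

def eigrp_chain_on(config, interface):
    """Name of the key chain bound to EIGRP on the given interface, or None."""
    current = None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
        elif current == interface and (
                m := re.fullmatch(r"ip authentication key-chain eigrp \d+ (\S+)", line)):
            return m.group(1)
    return None

def check_direction(sender, receiver):
    # Assumption: the sender signs with its lowest-numbered key; lifetimes ignored.
    if not sender:
        return "sender has no keys"
    kid = min(sender)
    if kid not in receiver:
        return f"key id {kid} not defined on receiver"
    return "ok" if sender[kid] == receiver[kid] else f"key id {kid} key-string differs"

def audit(cfg_a, cfg_b, interface):
    keys = [parse_key_chains(c).get(eigrp_chain_on(c, interface), {}) for c in (cfg_a, cfg_b)]
    return {"a->b": check_direction(*keys), "b->a": check_direction(keys[1], keys[0])}

# Constructed configs mirroring the R1/R2 test in the thread.
TAIL = "interface Serial2/0\n ip authentication mode eigrp 100 md5\n ip authentication key-chain eigrp 100 "
R1 = "key chain test1\n key 2\n  key-string cisco\n" + TAIL + "test1\n"
R1_FIXED = "key chain test1\n key 2\n  key-string cisco\n key 1\n  key-string cisco\n" + TAIL + "test1\n"
R2 = "key chain test\n key 1\n  key-string cisco\n" + TAIL + "test\n"

if __name__ == "__main__":
    print(audit(R1, R2, "Serial2/0"))        # mismatched key IDs
    print(audit(R1_FIXED, R2, "Serial2/0"))  # key 1 added on R1
```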

Narayan,

You are correct. I was referring to how OSPF implements key-id vs EIGRP's.

EIGRP uses 'key chain' for routing authentication and OSPF uses the key-id right on the interface.

Thanks for your help in clearing this up for me.
