07-12-2006 04:23 AM - edited 03-03-2019 01:19 PM
OSPF authentication is defined per area, and can be overridden in interface mode using commands such as
Router(config-if)#ip ospf authentication
+
Router(config-if)#ip ospf authentication-key PASSWORD
(to config/force clear text authentication)
or
Router(config-if)#ip ospf message-digest-key 1 md5 PASSWORD
(to config/force md5 authentication)
But...what's the command:
Router(config-if)#ip ospf authentication message-digest
doing exactly?
The online help says "Use message-digest authentication", but isn't this the function of the message-digest-key command already?
Thanks!
07-12-2006 04:52 AM
hi...
when you use the command "ip ospf authentication message-digest" then both routers will send their username and password in the "hash" form, or you can say the router encrypts the password... it's the same as the command you enter with md5... it's one kind of encryption form...
you can have same things in RIP also...
hope this will clear your idea
rate this post if it helps
regards
Devang
07-12-2006 05:32 AM
Thanks for the answer, but that's not what I'm asking...
I'd just like to know why would I ever use the command
"ip ospf authentication message-digest"
(and actually what does it do exactly?)
where:
1) ip ospf authentication -> Is used for cleartext authentication
2) ip ospf message-digest -> Is used for md5 authentication
Regards
07-12-2006 05:50 AM
you configure this kind of command just to prevent unauthenticated packet information... which causes bad routing information...
ip ospf authentication:
this command is used to configure the password to the ospf interface for the authentication.
ip ospf message-digest:
you can say it's type 2 authentication... which calculates the hash value from the ospf packet content and password, and this hash value is transmitted in the packet with the key so you can have secure information in your ospf network
If message digest authentication is enabled in Area then all interfaces in the area need to be configured with the same authentication type. This command is used to configure message digest authentication on an OSPF interface. In Cisco IOS Software Release 12.0 and later, interface authentication can be configured independent of the authentication applied to an area.
hope this will be your answer...
rate all the post if it helps
regards
Devang
07-12-2006 06:14 AM
The command
ip ospf authentication message-digest
is what actually activates the use of the key you defined in the previous statement. If you were to define both keys on the interface and only put in
ip ospf authentication
it would attempt to use the clear text key and ignore the md5 key. When you enter this command with the message-digest option it will begin using the md5 key and ignore the clear text key.
Many people are confused by this since you can define the keys on the interface but choose the type of key to use in the global OSPF configuration.
07-12-2006 06:37 AM
"ip ospf authentication message-digest
is what actually activates the use of the key you defined in the previous statement"
Correct me if I'm wrong, but I wouldn't use the word activate in this case, as, if I leave the ip ospf authentication out of my config (with or without message-digest) it just uses what is configured in router-config.
Apart from this, thanks for the clarification!
Now everything makes more sense to me :-)
07-12-2006 06:27 AM
Devang, I agree with you on the hashing, and the area authentication, and this is very clear to me; but what is not clear instead is the "ip ospf authentication message-digest" command.
As discussed above, after having set authentication for the area
Router(config-router)#area 0 authentication -->enable clear text password
or
Router(config-router)#area 0 authentication message-digest -->enable md5 password
I need to authenticate in interface mode using
"ip ospf authentication-key PASSWORD" --> cleartext
or
"ip ospf message-digest-key 1 md5 PASSWORD" --> MD5
The additional interface command
"ip ospf authentication"
is used to enable clear text password in case you want to overwrite the area password (if set to md5 e.g.).
Now, the command:
"ip ospf authentication message-digest"
seems to me just the same as above, but with an additional parameter.
This parameter (message-digest) leads me to believe that this is somehow related to the password hashing instead.
So why would I ever use a command to force simple password authentication with the parameter message-digest?
If I want to do message-digest I just use the "ip ospf message-digest-key 1 md5 PASSWORD" command directly.
I can't find precise documentation on this on the Doc CD.
My only theory on this (but I'm not 100% sure)
is that, if I set
"ip ospf authentication" it will force the interface to authenticate in cleartext regardless of what is set in router-config.
This must also be coupled with the
"ip ospf authentication-key PASSWORD"
instead
"ip ospf authentication message-digest" forces the authentication md5 in interface config mode.
This must be coupled with the
"ip ospf message-digest-key 1 md5 PASSWORD"
to work properly
Anybody agree/disagree on my theory?
Any comment?
Thanks for the interest!!
07-12-2006 06:32 AM
Yes, I agree with you...
regards
Devang
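The precedence worked out in this thread (interface-level authentication type overrides the area setting, and the key commands only supply keys), as an added example that is not from any poster or from Cisco: a small audit that reads a configuration and reports the authentication type each interface actually ends up with. The sample config and key strings are constructed, interfaces are assumed to join an area with the interface-mode "ip ospf 1 area N" command, and the "null" option is handled although the thread does not discuss it.

```python
import re
# Constructed sample (not from the thread): placeholder keys; areas set via "ip ospf 1 area N".
SAMPLE_CONFIG = """\
interface Serial0/0
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 EXAMPLEKEY
interface Serial0/1
 ip ospf 1 area 0
 ip ospf authentication
 ip ospf authentication-key EXAMPLEKEY
 ip ospf message-digest-key 1 md5 EXAMPLEKEY
interface Serial0/2
 ip ospf 1 area 1
 ip ospf authentication message-digest
 ip ospf authentication-key EXAMPLEKEY
interface Serial0/3
 ip ospf 1 area 1
 ip ospf authentication-key EXAMPLEKEY
router ospf 1
 area 0 authentication message-digest
"""

def effective_auth(config):
    """Return {interface: (auth_type, status)} after applying area and interface settings."""
    area_auth, ifaces, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"area": None, "type": None, "keys": set()})
        elif line.startswith("router "):
            cur = None
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
        elif cur is None:
            continue
        elif m := re.match(r"ip ospf \d+ area (\S+)", line):
            cur["area"] = m.group(1)
        elif m := re.match(r"ip ospf authentication( message-digest| null)?$", line):
            cur["type"] = {None: "simple", " message-digest": "md5", " null": "none"}[m.group(1)]
        elif line.startswith("ip ospf authentication-key "):
            cur["keys"].add("simple")
        elif re.match(r"ip ospf message-digest-key \d+ md5 ", line):
            cur["keys"].add("md5")
    report = {}
    for name, i in ifaces.items():
        # The interface-level type wins; otherwise the area setting applies.
        auth = i["type"] or area_auth.get(i["area"], "none")
        status = "unauthenticated" if auth == "none" else "ok" if auth in i["keys"] else "missing-key"
        report[name] = (auth, status)
    return report
```

Serial0/1 shows the case from the 06:14 AM reply (both keys defined, cleartext selected), and Serial0/3 shows a key that is configured but never used because no authentication type is enabled for its area or interface.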