Cisco & Cisco Network Hardware News and Technology

Configuring Authentication in OSPF

August 12 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Networking

Routing protocols are used to exchange reachability information between routers. Routing information learned from peers is used to determine the next hop towards the destination. To route traffic correctly, it is necessary to prevent malicious or incorrect routing information from being introduced into the routing table. This can be done by authenticating the routing updates exchanged between routers. Open Shortest Path First (OSPF) supports plain text authentication and Message Digest 5 (MD5) authentication.

Configuration overview:

Only three key points need to be remembered when configuring authentication in OSPF:

A) Types of Authentication:

There are three different types of authentication available for OSPF version 2:
1) Null authentication: Null authentication means that there is no authentication. This is the default on Cisco routers.
2) Clear text authentication: In this method of authentication, passwords are exchanged in clear text on the network.
3) Cryptographic authentication: The cryptographic method uses the open standard MD5 (Message Digest 5) hash algorithm.

B) Enabling OSPF Authentication:

OSPF authentication can be enabled in two ways:
1) Per interface: Authentication is enabled per interface using the "ip ospf authentication" command.
2) Area authentication: Authentication for an area can be enabled using the "area authentication" command.

C) Configuring Authentication Key:

In either case, the password must be configured on the interface using the "ip ospf authentication-key" or "ip ospf message-digest-key" command.

 

Configuration Example:

A) Area based authentication Example:

To enable OSPF MD5 authentication:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip ospf message-digest-key 1 md5 cisco@123
Router(config-if)#exit
Router(config)#router ospf 100
Router(config-router)#area 2 authentication message-digest
Router(config-router)#exit

To enable clear text authentication:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface f0/0
Router(config-if)#ip ospf authentication-key cisco@123
Router(config-if)#exit
Router(config)#router ospf 100
Router(config-router)#area 2 authentication
Router(config-router)#exit


B) Interface based authentication Example:

To enable OSPF MD5 authentication:
Router(config)#int fa0/0
Router(config-if)#ip ospf authentication message-digest
Router(config-if)#ip ospf message-digest-key 1 md5 cisco
Router(config-if)#exit
Router(config)#

 
To enable clear text authentication:
Router(config)#int fa0/0
Router(config-if)#ip ospf authentication
Router(config-if)#ip ospf authentication-key cisco
Router(config-if)#exit
Router(config)#

 

OSPF commands for each authentication type:

| Type of authentication | Area authentication command | Interface authentication command | Interface authentication key command |
|---|---|---|---|
| 0-Null | <no command> | ip ospf authentication null | <no command> |
| 1-Clear Text | area number authentication | ip ospf authentication | ip ospf authentication-key Key-value |
| 2-MD5 | area number authentication message-digest | ip ospf authentication message-digest | ip ospf message-digest-key key-num md5 Key-value |
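
A small audit of the three key points above, as an added Python example (not from the original post or from Cisco): it works out the effective authentication type per interface, with the interface setting taking precedence over the area setting, and flags keys that are configured but never enabled. The sample configuration is constructed, and it assumes areas are assigned with the interface-level "ip ospf <process> area <id>" command; "network" statements are not handled.

```python
import re

# Constructed sample config (not from the original post). Areas are assigned with the
# interface-level "ip ospf <process> area <id>" form; "network" statements are not handled.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip ospf message-digest-key 1 md5 cisco@123
 ip ospf 100 area 2
interface FastEthernet0/1
 ip ospf authentication
 ip ospf authentication-key cisco
 ip ospf 100 area 2
interface FastEthernet1/0
 ip ospf authentication-key cisco
 ip ospf 100 area 0
router ospf 100
 area 2 authentication message-digest
"""

IF_MODE = {None: "clear", " message-digest": "md5", " null": "null"}

def audit(config):
    """Return {interface: finding}; an interface-level type overrides the area-level type."""
    area_mode, ifaces, cur = {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):                 # new top-level section
            m = re.match(r"interface (\S+)", s)
            cur = ifaces.setdefault(m[1], {"mode": None, "keys": set(), "area": None}) if m else None
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", s):
            area_mode[m[1]] = "md5" if m[2] else "clear"
        elif cur is not None:
            if m := re.match(r"ip ospf authentication( message-digest| null)?$", s):
                cur["mode"] = IF_MODE[m[1]]
            elif m := re.match(r"ip ospf (authentication|message-digest)-key ", s):
                cur["keys"].add("clear" if m[1] == "authentication" else "md5")
            elif m := re.match(r"ip ospf \d+ area (\S+)", s):
                cur["area"] = m[1]
    findings = {}
    for name, i in ifaces.items():
        mode = i["mode"] or area_mode.get(i["area"], "null")
        if mode == "null":
            findings[name] = "no authentication" + (", key configured but unused" if i["keys"] else "")
        elif mode not in i["keys"]:
            findings[name] = f"{mode} enabled but no {mode} key configured"
        else:
            findings[name] = "clear text password on the wire" if mode == "clear" else "ok"
    return findings
```
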

 

OSPF Virtual Link Authentication:

A virtual link is an interface in area 0. This means that if you enable authentication on area 0, it is automatically turned on for the virtual link, but as discussed above, the password (key) must still be configured on the interface. Because a virtual link does not have an interface on which you can configure the key, authentication on a virtual link is configured using the "area virtual-link" command under the OSPF process.

 

Verification Commands

Authentication failures can occur for two reasons:
1) Authentication type mismatch between neighbors
2) Authentication Key mismatch between neighbors
 

The "debug ip ospf adj" output below indicates a mismatch in authentication type.
Router#debug ip ospf adj
OSPF adjacency events debugging is on
*Mar 1 00:02:30.279: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0

*Mar 1 00:02:39.603: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0

Router#sh ip ospf int fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.1.1.2/24, Area 0
  Process ID 100, Router ID 10.1.1.2, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.1.1.2, Interface address 10.1.1.2
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
Message digest authentication enabled
    Youngest key id is 1
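
How the two failure reasons map onto the OSPFv2 packet header, as an added Python example (not from the original post or from Cisco): the receiver first compares the AuType field with its own setting, which is the "type 2, we use type 0" case in the debug output, and only then checks the key. The header layout and the MD5 rule (digest over the packet followed by the key padded to 16 bytes) follow RFC 2328; the packet bytes, function names and result strings are constructed for illustration.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!BBH4s4sHH8s")  # OSPFv2 header: ver, type, len, router, area, cksum, AuType, auth
# Constructed Hello body: mask, hello 10 s, options, priority, dead 40 s, DR, BDR
HELLO = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 2, 1, 40,
                    bytes([10, 1, 1, 2]), bytes(4))

def pad(key, size):
    return key.ljust(size, b"\0")[:size]

def build_md5_packet(body, key, key_id=1, seq=1):
    """Constructed sender: AuType 2 header, digest appended after the packet."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = HDR.pack(2, 1, HDR.size + len(body), bytes([10, 1, 1, 2]), bytes(4), 0, 2, auth) + body
    return pkt + hashlib.md5(pkt + pad(key, 16)).digest()

def check_auth(raw, local_type, local_key=b"", local_key_id=1):
    """Receiver: return "ok" or the reason for rejection (checksum and replay checks omitted)."""
    _ver, _typ, length, _rid, _area, _cksum, autype, auth = HDR.unpack_from(raw)
    if autype != local_type:
        return f"type mismatch: packet type {autype}, we use type {local_type}"
    if autype == 1 and auth != pad(local_key, 8):
        return "key mismatch: clear text"  # the password itself sits in the header
    if autype == 2:
        _zero, key_id, dlen, _seq = struct.unpack("!HBBI", auth)
        want = hashlib.md5(raw[:length] + pad(local_key, 16)).digest()
        if key_id != local_key_id or not hmac.compare_digest(raw[length:length + dlen], want):
            return f"key mismatch: message digest key {key_id}"
    return "ok"
```
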

 

Related Information:

Sample Configuration for Authentication in OSPF

Configuring OSPF Authentication on a Virtual Link

---Resources from https://supportforums.cisco.com/docs/DOC-4449
