Routing protocols are used to exchange reachability information between routers. Routing information learned from peers is used to determine the next hop towards each destination. To route traffic correctly, it is necessary to prevent malicious or incorrect routing information from being introduced into the routing table, for example by a rogue device that starts sending OSPF Hellos on a segment. This can be done by authenticating the routing updates exchanged between routers. Open Shortest Path First (OSPF) supports plain text authentication and Message Digest 5 (MD5) authentication. Plain text authentication only stops accidental adjacencies, since the password crosses the wire in the clear; MD5 authentication appends a keyed digest to every packet, so the key never leaves the router and a packet cannot be altered or forged without it.
Three key points need to be kept in mind when configuring authentication in OSPF:
A) Types of Authentication:
There are three different types of authentication available for OSPF version 2, identified by the AuType value (0, 1 or 2) carried in the OSPF packet header:
1) Null authentication (type 0): no authentication at all. This is the default on Cisco routers.
2) Clear text authentication (type 1): the password is carried in the 8-byte authentication field of every OSPF packet and is readable by anyone who can capture the traffic.
3) Cryptographic authentication (type 2): a keyed MD5 message digest (RFC 2328 Appendix D). MD5 is a hash, not encryption: the packet is still sent in the clear, but a 16-byte digest computed over the packet and the shared key is appended to it. The key itself is never transmitted, and the header carries a key ID and a cryptographic sequence number so that keys can be rolled over and old packets are not accepted again.
B) Enabling OSPF Authentication:
OSPF authentication can be enabled in two ways:
1) Per interface: authentication is enabled on a single interface with the "ip ospf authentication" interface command.
2) Per area: authentication is enabled for every interface of the router in an area with the "area <number> authentication" command under the OSPF process. An interface-level "ip ospf authentication" setting overrides the area-level setting for that interface.
C) Configuring Authentication Key:
In either case the key itself is always configured on the interface, with "ip ospf authentication-key" for clear text or "ip ospf message-digest-key <key-id> md5 <key>" for MD5. Enabling the authentication type without a key, or with a key that differs from the neighbour's (for MD5, the key ID must match as well), leaves the adjacency down.
A) Area-based authentication examples:
To enable OSPF MD5 authentication for area 2 (key on the interface, authentication type under the OSPF process):

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip ospf message-digest-key 1 md5 cisco@123
Router(config-if)#exit
Router(config)#router ospf 100
Router(config-router)#area 2 authentication message-digest
Router(config-router)#exit

To enable clear text authentication for area 2:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip ospf authentication-key cisco@123
Router(config-if)#exit
Router(config)#router ospf 100
Router(config-router)#area 2 authentication
Router(config-router)#exit

B) Interface-based authentication example:
To enable clear text authentication on a single interface only (no "area authentication" command is needed, because the interface command enables the authentication type and the key on the same interface):

Router(config)#interface fa0/0
Router(config-if)#ip ospf authentication
Router(config-if)#ip ospf authentication-key cisco
Router(config-if)#exit
Router(config)#
OSPF commands for each authentication type (area-level command under "router ospf", interface-level command and key under the interface):

Null authentication
  interface: ip ospf authentication null

Clear text authentication
  area:      area <number> authentication
  interface: ip ospf authentication
  key:       ip ospf authentication-key <key-value>

MD5 authentication
  area:      area <number> authentication message-digest
  interface: ip ospf authentication message-digest
  key:       ip ospf message-digest-key <key-num> md5 <key-value>
OSPF virtual link authentication:
A virtual link is treated as an interface in area 0. This means that if you enable authentication on area 0, authentication is automatically turned on for the virtual link as well, but, as discussed above, the key must still be configured on the interface. Since a virtual link has no physical interface on which the key could be configured, both the authentication type and the key for a virtual link are configured with the "area <transit-area> virtual-link <router-id> ..." command under the OSPF process, for example "area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 <key>" for MD5 or "area 1 virtual-link 2.2.2.2 authentication-key <key>" for clear text. The same key and key ID must be configured on the router at the other end of the virtual link.
Authentication failures can occur for two reasons:
1) Authentication type mismatch between neighbours (one side has authentication enabled, or a different type, and the other does not).
2) Authentication key mismatch between neighbours (different key, or for MD5 a different key ID).
The "debug ip ospf adj" output below indicates a mismatch in authentication type: the neighbour sends type 2 (MD5), while this router still uses type 0 (null).

Router#debug ip ospf adj
OSPF adjacency events debugging is on
*Mar  1 00:02:30.279: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
*Mar  1 00:02:39.603: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
"show ip ospf interface" shows which authentication type is active on an interface and, for MD5, the youngest (most recently added) key ID in use; check it on both neighbours when an adjacency does not come up:

Router#sh ip ospf int fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.1.1.2/24, Area 0
  Process ID 100, Router ID 10.1.1.2, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.1.1.2, Interface address 10.1.1.2
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
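The two failure modes above, worked through at packet level as an added example (this is not code from the page or from Cisco IOS): a Python script that builds an OSPFv2 Hello with AuType 2, appends the MD5 digest the way RFC 2328 Appendix D describes (digest over the packet followed by the key zero-padded to 16 bytes, which is how interoperating implementations compute it), and then verifies the same Hello on three differently configured receivers: a matching one, one left at null authentication (the "area ... authentication message-digest" step missing), and one with the same key ID but a different key. A final packet with an older cryptographic sequence number shows the replay check. Only the type-mismatch string reproduces the page's debug line; the other messages are this example's own wording, and the addresses, timers and key are constructed sample values.

```python
"""OSPFv2 cryptographic (MD5) authentication, built and verified by hand.
Added example; packet layouts follow RFC 2328 Appendix D, values are constructed."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2   # AuType values carried in the OSPF header
OSPF_HELLO = 1
MD5_DIGEST_LEN = 16


def ospf_packet(router_id, area_id, ptype, body, autype, auth_field):
    """24-byte OSPFv2 header + body. Checksum stays 0: with AuType 2 the
    digest, not the checksum, protects the packet (RFC 2328 D.4.3)."""
    hdr = struct.pack("!BBH4s4sHH8s", 2, ptype, 24 + len(body),
                      IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                      0, autype, auth_field)
    return hdr + body


def md5_auth_field(key_id, seq):
    """Authentication field for AuType 2: reserved(2), Key ID(1),
    Auth Data Len(1), cryptographic sequence number(4)."""
    return struct.pack("!HBBI", 0, key_id, MD5_DIGEST_LEN, seq)


def ospf_md5_digest(packet, key):
    """MD5 over the packet followed by the key zero-padded to 16 bytes.
    The key itself is never sent; only this digest is appended."""
    if not 1 <= len(key) <= MD5_DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be 1..16 bytes")
    return hashlib.md5(packet + key.ljust(MD5_DIGEST_LEN, b"\x00")).digest()


def sign_hello(router_id, area_id, body, key_id, key, seq):
    """Sender side: header with AuType 2, then the trailing 16-byte digest."""
    pkt = ospf_packet(router_id, area_id, OSPF_HELLO, body, AU_CRYPTO,
                      md5_auth_field(key_id, seq))
    return pkt + ospf_md5_digest(pkt, key)


class OspfInterface:
    """Receiver state for one interface: configured AuType, keys by Key ID
    (the 'ip ospf message-digest-key <id> md5 <key>' table) and the last
    sequence number accepted from each neighbour."""

    def __init__(self, autype, keys=None):
        self.autype, self.keys, self.last_seq = autype, dict(keys or {}), {}

    def verify(self, wire):
        length = struct.unpack_from("!H", wire, 2)[0]
        autype = struct.unpack_from("!H", wire, 14)[0]
        if autype != self.autype:   # failure 1 on the page: type mismatch
            return (f"Mismatch Authentication type. Input packet specified type "
                    f"{autype}, we use type {self.autype}")
        if self.autype != AU_CRYPTO:
            return "ok"             # null/simple-password checks not modelled here
        _, key_id, dlen, seq = struct.unpack_from("!HBBI", wire, 16)
        pkt, digest = wire[:length], wire[length:length + dlen]
        key = self.keys.get(key_id)
        if key is None or dlen != MD5_DIGEST_LEN or len(digest) != dlen:
            return f"Mismatch Authentication Key: no usable key id {key_id}"
        if not hmac.compare_digest(ospf_md5_digest(pkt, key), digest):
            return f"Mismatch Authentication Key: digest check failed for key id {key_id}"
        neighbour = str(IPv4Address(wire[4:8]))
        # RFC 2328 D.4.3: the sequence number must not go backwards per neighbour
        if seq < self.last_seq.get(neighbour, 0):
            return f"Replayed packet from {neighbour}: sequence {seq} < {self.last_seq[neighbour]}"
        self.last_seq[neighbour] = seq
        return "ok"


def sample_hello_body():
    """Constructed Hello body: mask, HelloInt 10, options, priority 1,
    DeadInt 40, DR 10.1.1.2, BDR 0.0.0.0 (timers as in the page's show output)."""
    return struct.pack("!4sHBBI4s4s", IPv4Address("255.255.255.0").packed, 10, 0x02, 1, 40,
                       IPv4Address("10.1.1.2").packed, IPv4Address("0.0.0.0").packed)


def demo():
    """One signed Hello checked by three receivers, then an older-sequence replay."""
    key = b"cisco@123"                       # the key used in the page's config examples
    wire = sign_hello("10.1.1.1", "0.0.0.2", sample_hello_body(), 1, key, seq=5)
    matching = OspfInterface(AU_CRYPTO, {1: key})
    unconfigured = OspfInterface(AU_NULL)                 # area authentication never enabled
    wrong_key = OspfInterface(AU_CRYPTO, {1: b"cisco"})   # same key id, different string
    results = [matching.verify(wire), unconfigured.verify(wire), wrong_key.verify(wire)]
    stale = sign_hello("10.1.1.1", "0.0.0.2", sample_hello_body(), 1, key, seq=3)
    results.append(matching.verify(stale))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Note that the sequence check only rejects packets older than the last one seen; a capture replayed with the same sequence number is accepted by the specification, which is why IOS derives the sequence number from the clock rather than a counter that restarts at reboot.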