232 Views | 1 Helpful | 11 Replies

What does cryptographic-algorithm under key chain do in IOS?

shlomim (Level 1)

Hi,

Looking into the key chain commands on IOS/IOS XE, I see that under a key, for example key 1, I can configure the cryptographic-algorithm.

Yet I don't fully understand where it takes effect.

To run a test I used the following configuration on all routers:

key chain EIGRP_MD5
 key 1
  key-string C1sc0
  cryptographic-algorithm hmac-sha-256
router eigrp EIGRP
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   authentication mode md5
   authentication key-chain EIGRP_MD5
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 0.0.0.0
 exit-address-family


The routers do form a neighbor adjacency with MD5, even though the key chain was meant for SHA-256.

So what am I missing?

11 Replies

The MD5 you configure under EIGRP overrides the key algorithm.

So to make the router use SHA-256 you need to change the authentication under EIGRP to also use SHA-256.

MHM


shlomim (Level 1)

Thank you for your help and prompt response.

I understand that the EIGRP configuration under the interface is the one that makes the decision.

What I don't understand is where the command "cryptographic-algorithm hmac-sha-256" takes effect.

Does it even take effect under EIGRP?

Can I use EIGRP without the command "authentication mode <md5/sha>", and will it then use the key chain configuration?

Maybe this option is relevant for other things? If so, for what?


Is this an IOS XR router?

This is IOS 15.7.

To simplify:

What EIGRP needs:

Authentication mode (mandatory)

Authentication key-chain (optional)

If the authentication mode uses a different algorithm than the key-chain cryptography, then EIGRP will drop.

Here comes the question:

If the authentication mode is mandatory, can I use it for SHA-256 without using cryptography SHA-256?

No, you cannot; both must be the same algorithm.

So the correct config must be:

key chain EIGRP_MD5
 key 1
  key-string C1sc0
  cryptographic-algorithm hmac-sha-256
router eigrp EIGRP
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   authentication mode md5   <<- this needs to change to sha256
   authentication key-chain EIGRP_MD5
  exit-af-interface



@shlomim wrote:

Can I use EIGRP without the command "authentication mode <md5/sha>", and will it then use the key chain configuration?

No! Without this command the router will not do any authentication even if you configure the key-chain.

The 'authentication mode' command is the main switch to enable authentication and must be set.

Hello,
at present the authentication mode MD5 is set on all interfaces enabled for named EIGRP using the key-chain. You can however change the authentication mode to SHA on all interfaces (af-default) or on specific interfaces, which will be more secure than the older MD5. Doing so will mean you will not require any key chain; in fact it isn't supported, tbh, when using SHA.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul, thanks for your help.

Can you please clarify in which cases (I guess not EIGRP) I need to use "cryptographic-algorithm hmac-sha-256/md5" under the key chain?

Hello,
if you want to use SHA as the key-chain authentication then yes, but why?
SHA is a lot more secure, so why create unnecessary config for yourself? Just enable SHA at the af-interface default level or at the specific interface level and do away with the key chain altogether, as it's not necessary and not supported.


Kind Regards
Paul

Jens Albrecht (Level 4)

Hello @shlomim,

You need to specify the use of SHA-256 for authentication to make it work.

I just tested it, and based on your example a working config looks as follows:

router eigrp EIGRP
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   authentication mode hmac-sha-256 C1sco12345!
   authentication key-chain EIGRP_SHA256
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 0.0.0.0
 exit-address-family


This can be verified with the command 'show eigrp address-family ipv4 interfaces detail', whose output includes the line:

Authentication mode is HMAC-SHA-256, key-chain is "EIGRP_SHA256"


So the key-chain is indeed used for SHA-256 authentication.

HTH!

Just a quick additional note, in case you are wondering why you have to configure a key with the 'authentication mode hmac-sha-256 C1sco12345!' command.

HMAC-SHA-256 is a cryptographic technique that combines a hash function (in this case SHA-256) with a secret key to provide both data integrity and authentication. So both sides must use the same key and the same key-chain in order to establish the neighborship.
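The two points the thread settles, that the algorithm selected by 'authentication mode' must match on both neighbors and that an HMAC only verifies when both sides hold the same secret key, can be shown with a small simulation. The following Python is an added example written for this page; it is not Cisco code and does not reproduce the real EIGRP packet or authentication TLV format. It models each neighbor as a (key, algorithm) pair, has the sender tag a constructed hello message, and has the receiver recompute the tag with its own settings. The algorithm names are chosen to mirror the IOS keywords used above; MD5 is modelled here as HMAC-MD5 purely for the comparison.

```python
"""Illustration (added example, not Cisco's implementation): why the
authentication algorithm and the key must match on both EIGRP neighbors.

A sender appends an HMAC tag to a message; the receiver recomputes the tag
with its own configured algorithm and key and accepts only on an exact match.
"""
import hashlib
import hmac

# Hypothetical mapping from the IOS keywords discussed in the thread to a
# hash function for the HMAC model. (Real EIGRP MD5 authentication is not
# HMAC-MD5; this is only to show the effect of an algorithm mismatch.)
ALGORITHMS = {
    "md5": hashlib.md5,
    "hmac-sha-256": hashlib.sha256,
}


def tag(message: bytes, key: bytes, algorithm: str) -> bytes:
    """Authentication tag a neighbor would attach to an outgoing packet."""
    return hmac.new(key, message, ALGORITHMS[algorithm]).digest()


def verify(message: bytes, received_tag: bytes, key: bytes, algorithm: str) -> bool:
    """Receiver-side check: recompute with local settings, compare in constant
    time. Different algorithms yield different tag lengths (16 vs 32 bytes),
    so a mismatch fails even when the key is identical."""
    expected = tag(message, key, algorithm)
    return hmac.compare_digest(expected, received_tag)


def neighbors_authenticate(sender: dict, receiver: dict,
                           message: bytes = b"EIGRP HELLO (constructed sample)") -> bool:
    """Simulate one direction of a hello exchange between two neighbors.
    Each neighbor is a dict with 'key' and 'algorithm' (constructed settings)."""
    t = tag(message, sender["key"], sender["algorithm"])
    return verify(message, t, receiver["key"], receiver["algorithm"])


# Constructed neighbor settings mirroring the thread's key-string and modes.
R1 = {"key": b"C1sc0", "algorithm": "hmac-sha-256"}
R2_same = {"key": b"C1sc0", "algorithm": "hmac-sha-256"}   # matching config
R2_md5 = {"key": b"C1sc0", "algorithm": "md5"}             # same key, mode md5
R2_badkey = {"key": b"C1sc0-wrong", "algorithm": "hmac-sha-256"}  # key mismatch


if __name__ == "__main__":
    print("same key, same algorithm :", neighbors_authenticate(R1, R2_same))    # True
    print("same key, md5 vs sha-256 :", neighbors_authenticate(R1, R2_md5))     # False
    print("wrong key, same algorithm:", neighbors_authenticate(R1, R2_badkey))  # False
```

Running the script prints True only for the first pair, which is the situation in Jens's working config (both sides on hmac-sha-256 with the same key); the other two pairs correspond to the mismatches MHM describes, where the neighbor drops the packet. On a real router the equivalent check is the 'show eigrp address-family ipv4 interfaces detail' output quoted above, confirming that the negotiated mode is the one you intended.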