08-18-2009 09:19 AM - edited 03-06-2019 07:18 AM
Hi everybody,
Can we use a key chain with OSPF for MD5 authentication?
My book shows an example of using a key chain with EIGRP for MD5 authentication. I am just wondering if the same is possible for OSPF.
Thanks
08-18-2009 09:27 AM
Hi Sarah,
OSPF does not use a key chain; it uses the authentication key you configured at the OSPF process or interface level.
HTH,
jerry
08-18-2009 09:32 AM
That is correct.
Here is an example of how you do it:
Interface level:
R5(config-if)#ip ospf authentication message-digest
R5(config-if)#ip ospf authentication-key MYKEY
Or
Process-level:
R5(config-router)#area 0 authentication message-digest
R5(config-if)#ip ospf authentication-key MYKEY
The authentication-key is typed at the interface level.
Key chain is for EIGRP or RIP
03-18-2015 09:12 PM
In case someone else finds this post: currently IOS-XE (and maybe XR) does support key chain.
Have a look here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iro-ospfv2-crypto-authen-xe.html
08-18-2009 11:15 AM
Hi,
Key chain is for EIGRP or RIP
... or for IS-IS with the new-style authentication :)
Best regards,
Peter
03-17-2016 04:54 AM
I know I'm posting on a very old thread but I feel it necessary to point out that this is incorrect just in case someone stumbles across this post as I have.
R5(config-if)#ip ospf authentication message-digest
R5(config-if)#ip ospf authentication-key MYKEY (This is the command used for a plain text authentication key. This in combination with the above command would cause authentication not to be used at all.)
The correct configuration would be as follows:
R5(config-if)#ip ospf authentication message-digest
R5(config-if)#ip ospf message-digest-key 1 md5 MYKEY
The same applies for process level configuration.
03-30-2018 01:34 AM - edited 03-30-2018 01:40 AM
OSPF now supports key-chain authentication starting with IOS 15.4(1)T (specification: RFC 5709). It now also supports HMAC-SHA encryption, not only MD5.
More important: in the previous example, with the ip ospf authentication message-digest (!!!) command, the command that allows the use of an MD5-hashed password
is NOT <ip ospf authentication-key YOUR_PASS>
The CORRECT command is <ip ospf message-digest-key 1 md5 YOUR_PASS>
!!!!
If you use the first command and run a packet capture, you will read the password sent in clear text !!!!!
service password-encryption
interface g0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 046B2A353C << hashed "PASS"
KEY-CHAIN example:
Device# configure terminal
Device(config)# key chain sample1
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string ThisIsASampleKey12345
Device(config-keychain-key)# cryptographic-algorithm hmac-sha-256
Device(config-keychain-key)# send-lifetime local 10:00:00 5 July 2013 infinite
Device(config-keychain-key)# end
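Added example, not part of any post in this thread: a small Python check for the mismatch discussed above, where message-digest mode is enabled but the key was entered with ip ospf authentication-key instead of ip ospf message-digest-key. The sample configuration is constructed, and treating an area-level setting as covering every interface is a simplifying assumption.

```python
import re

# Constructed sample configuration; interface names and keys are made up.
SAMPLE_CONFIG = """\
router ospf 1
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf authentication-key MYKEY
!
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 MYKEY
!
interface GigabitEthernet0/2
 ip ospf authentication-key MYKEY
!
interface GigabitEthernet0/3
 ip ospf authentication key-chain sample1
"""

AREA_MD5 = re.compile(r"^\s*area \S+ authentication message-digest\s*$", re.M)
STANZA = re.compile(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", re.M)
MODE = re.compile(r"^ip ospf authentication(?: (\S+).*)?$")

def audit_ospf_auth(config):
    """Map interface name -> finding where MD5 mode has no message-digest-key."""
    # Assumption: an area-level setting is treated as covering every interface.
    area_md5 = bool(AREA_MD5.search(config))
    findings = {}
    for name, body in STANZA.findall(config):
        lines = [line.strip() for line in body.splitlines()]
        mode = "message-digest" if area_md5 else None
        for line in lines:
            m = MODE.match(line)
            if m:  # an interface-level mode overrides the area-level one
                mode = m.group(1) or "simple"
        has_md5_key = any(l.startswith("ip ospf message-digest-key ") for l in lines)
        has_plain_key = any(l.startswith("ip ospf authentication-key ") for l in lines)
        if mode == "message-digest" and not has_md5_key:
            findings[name] = ("authentication-key set, message-digest-key missing"
                              if has_plain_key else "message-digest-key missing")
    return findings

if __name__ == "__main__":
    for iface, finding in audit_ospf_auth(SAMPLE_CONFIG).items():
        print(f"{iface}: {finding}")
```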