need help in eigrp key chain

Dr.X · ‎10-25-2011

heloo brothers , this is my 1st poet here is cisco fourms

=======================================

assume that i have the scinerio as shown:

R1---------------------------R2

now i want to use key chain to perform authentication between routers

assume i created on R1

key chain ahmd

key 1

key-string 123

exit

key 2

key-string 1234

and i used the authentication mode md5 & the correct key chain name ahmd

on the other side on R2

assume i created

key chain ahmad1

key 10

key-string 123

exit

key 30

key-string 1234

and i used the authentication mode md5 & the correct key chain name ahmd1

my question is why the authentication will fail?????????

i understood that when i transmit i use the lowest key which is key 1 in R1 & key 10 in R2 , and when recive i will check all the vaild key,

in R1 the vaild keys are KEY 1 & KEY2 so when it revive the key 10 from R2 with password 123 it is the same as the key 1 and vice versa

so why the authentication faild ??????

i read from the book that the key number has not to be matched on both routers , but i could make an authentication only when the key number are matched

can any one help me where i have the miss understood??

thanks soo much bro

Eugene Khabarov · ‎10-25-2011

Hi! Maybe you have an error in your configuration? Please paste it here.

Also debug eigrp packet will be very helpful and informative to determine reason why authentication fails. Also please enable it and paste output here.

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."

Dr.X · ‎10-25-2011

on R1

=============================================

Current configuration : 727 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

no aaa new-model

memory-size iomem 5

!

ip cef

!

key chain cisco

key 10

key-string 123

key 20

key-string 1234

!

interface FastEthernet0/0

ip address 10.0.0.1 255.255.255.0

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 cisco

duplex auto

speed auto

!

router eigrp 1

network 10.0.0.0

auto-summary

!

ip http server

no ip http secure-server

!

control-plane

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

!

end

==========================

on R2

=================================

Building configuration...

Current configuration : 723 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

no aaa new-model

memory-size iomem 5

!

ip cef

!

key chain ahmd

key 1

key-string 123

key 2

key-string 1234

!

interface FastEthernet0/0

ip address 10.0.0.2 255.255.255.0

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 ahmd

duplex auto

speed auto

!

router eigrp 1

network 10.0.0.0

auto-summary

!

ip http server

no ip http secure-server

!

control-plane

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

!

end

=====================================

why the authentication faild??????

should i use the same key number and the same key-string on the two routers to solve the issue??

thanks bro for ur intersting

Reza Sharifi · ‎10-25-2011

Ahmed,

You need to use the same key-string on both routers.

HTH

Dr.X · ‎10-25-2011

thanks all

i ve just found that there is a typo in the book of cisco

the correction is that we must use the same key number and the same key string in the two routers

not as what was said that """ key number is not critical""

thnaks all for ur replies

Eugene Khabarov · ‎10-25-2011

Ahmed, debug shows it very clearly:

EIGRP: pkt authentication key id = 10, key not defined or not live

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."