OSPF authentication still works without matching key?

vincehgov
Level 1

Hi. I have two routers set up - R2 and R8. I have message-digest configured on both routers' OSPF processes. On R2, I have the message-digest-key statement with the key 'hello'. On R8, I only have the 'ip ospf authentication' statement.

Theoretically, these two routers should not be adjacent, right? However, it looks like it's still forming adjacencies and exchanging routes.

How is this possible?

R8#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.40.1.2         1   FULL/BDR        00:00:39    192.168.2.1     FastEthernet1/0

R8#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
O       10.40.1.0 [110/2] via 192.168.2.1, 00:17:11, FastEthernet1/0
C    192.168.2.0/24 is directly connected, FastEthernet1/0
R8#

R2:

interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip ospf authentication
 ip ospf message-digest-key 1 md5 7 011B03085704
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 192.168.2.0 0.0.0.255 area 0
!

R8:

interface FastEthernet1/0
 ip address 192.168.2.2 255.255.255.0
 ip ospf authentication
!
router ospf 1
 log-adjacency-changes
 area 0.0.0.0 authentication message-digest
 network 192.168.2.0 0.0.0.255 area 0.0.0.0
!

1 Accepted Solution

Edison Ortiz
Hall of Fame

If you remove 'ip ospf authentication' from R2, it will use the message-digest key and the adjacency will break.

At the moment, it's using simple password with a null password (type 0).

You can verify the current authentication method with the command 'show ip ospf interface'.

Regards,

Edison


Ahh... so the 'ip ospf authentication' takes precedence and a null password is used by default if not specified.

Got it.

Thanks!

Vince

Hi,

The OSPF authentication type can be configured at the area level or at the interface level, and then it takes precedence over the area authentication.

So here, area-wise you ask for authentication type 2, but at the interface level you ask for type 1, and as you ask for the same type on each router, the adjacency comes up. On R2 you entered the MD5 key, but as you have type 1 authentication it is taken into effect.

So I think you are using type 1: simple text authentication and not null (type 0), which means no authentication.

Regards.

Alain.

Don't forget to rate helpful posts.
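
The precedence discussed in this thread can be checked mechanically across saved configs. The following is an added example, not code from any poster or from Cisco: a small Python audit that computes the effective OSPF authentication type per interface and flags the mismatch seen on R2 and R8. The sample configs are constructed from the thread's snippets (the key is a placeholder), the `audit` function is hypothetical, and it assumes a single OSPF area per config.

```python
import re
# Constructed configs modelled on the thread's R2 and R8 (key value is a placeholder).
R2 = """interface FastEthernet0/0
 ip ospf authentication
 ip ospf message-digest-key 1 md5 PLACEHOLDER
router ospf 1
 area 0 authentication message-digest
"""
R8 = """interface FastEthernet1/0
 ip ospf authentication
router ospf 1
 area 0.0.0.0 authentication message-digest
"""
# Corrected R8: drop the interface-level override and supply an MD5 key instead.
FIXED = R8.replace(" ip ospf authentication\n", " ip ospf message-digest-key 1 md5 PLACEHOLDER\n")
TYPES = {None: 1, " message-digest": 2, " null": 0}  # OSPF AuType: 0 null, 1 simple, 2 MD5

def audit(config):
    """Return {interface: (effective_type, [findings])}; assumes one OSPF area per config."""
    area_type, ifaces, cur = 0, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"auth": None, "key1": False, "key2": False})
        elif line.startswith("router "):
            cur = None
        elif m := re.match(r"area \S+ authentication( message-digest)?$", line):
            area_type = TYPES[m[1]]
        elif cur is not None:
            if m := re.match(r"ip ospf authentication( message-digest| null)?$", line):
                cur["auth"] = TYPES[m[1]]
            cur["key1"] |= line.startswith("ip ospf authentication-key ")
            cur["key2"] |= line.startswith("ip ospf message-digest-key ")
    report = {}
    for name, i in ifaces.items():
        eff = area_type if i["auth"] is None else i["auth"]  # interface setting wins
        notes = []
        if i["auth"] is not None and i["auth"] != area_type:
            notes.append(f"interface type {eff} overrides area type {area_type}")
        if eff == 1 and not i["key1"]:
            notes.append("simple authentication with no authentication-key (empty password)")
        if eff == 2 and not i["key2"]:
            notes.append("message-digest authentication with no message-digest-key")
        if i["key2"] and eff != 2:
            notes.append("message-digest-key configured but not in use")
        report[name] = (eff, notes)
    return report

if __name__ == "__main__":
    print({k: audit(v) for k, v in {"R2": R2, "R8": R8, "FIXED": FIXED}.items()})
```

On a live router, the 'show ip ospf interface' command mentioned in the accepted answer remains the authoritative check of what is actually in use.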