08-10-2007 03:30 AM - edited 03-05-2019 05:49 PM
Hi All,
Can someone explain this one to me?
Two routers in the same area configured for authentication the following way:
On both devices:
router ospf 100
 area 50 authentication
!
interface g0/1
 ip ospf message-digest-key 1 md5 xx
This works because the two routers become OSPF neighbors, but I don't get how they are working, as Type 1 authentication is configured at router level, which does not use MD5, yet the interface is configured for a message-digest-key, which would imply that Type 2 authentication should be running on it. But it isn't; it will be Type 1, as defined under the router ospf process.
So how is this working, or am I missing something?
Regards
Andrew Morris
08-10-2007 04:58 AM
Hi Andrew,
You configured,
Router(config-router)# area 50 authentication
This configuration is clear text authentication in area.
You should configure,
Router(config-router)# area 50 authentication message-digest
This configuration is MD5 authentication in area.
OSPF area authentication
Ryusuke.
08-10-2007 05:20 AM
Hi Ryusuke,
Yes, I already know this. I'm trying to figure out how this is actually working :)
I know authentication is not mandatory for two OSPF neighbors to become neighbors, but if it is configured then the method type needs to be the same, which in this case it is: Type 1 clear text authentication. But the key configured is an MD5 key.
Does Cisco default to using whatever key is configured if the area x authentication command is just configured at router level? I would not have thought so.
Regards
Andrew Morris
08-10-2007 01:28 PM
You only enabled plain text authentication; the MD5 key information isn't doing anything in the config until you enable MD5 OSPF authentication.
Currently, the routes are being authenticated with a null key (which is the default setting).
If you run a debug on OSPF packets, you will see the area is authenticated (show ip ospf also shows you that info), the key just brings you added security.
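To make the "authenticated with a null key" point concrete, here is an added example (constructed for this thread, not from any poster or from Cisco) that builds OSPFv2 Hello packets with AuType 0, 1 and 2 per RFC 2328 and then classifies them the way a debug or capture would. With AuType 1 the password itself is carried in the 8-byte header field, so the thread's setup shows up on the wire as AuType 1 with an all-zero password; with AuType 2 the header carries key ID, digest length and sequence number and the MD5 digest is appended after the packet. Router ID, area, hello parameters and the passwords are all constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 common header (RFC 2328 A.3.1): version, type, packet length,
# router ID, area ID, checksum, AuType and the 8-byte authentication field.
HDR = struct.Struct('!BBHIIHH8s')
AUTYPE_NAMES = {0: 'null', 1: 'simple password (clear text)', 2: 'cryptographic (MD5)'}


def ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def ospf_checksum(data):
    """One's-complement checksum. RFC 2328 D.2 excludes the authentication
    field from the sum, which is equivalent to summing it as zeros."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff


def build_hello(autype, rid, aid, password=b'', key_id=1, seq=1):
    """Construct an OSPF Hello with the requested AuType (sample packet, not a capture)."""
    # Hello body: netmask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack('!IHBBIII', ip2int('255.255.255.0'), 10, 0x02, 1, 40, 0, 0)
    length = HDR.size + len(body)
    if autype == 1:
        auth = password.ljust(8, b'\x00')[:8]            # password sits in the header, unencrypted
    elif autype == 2:
        auth = struct.pack('!HBBI', 0, key_id, 16, seq)  # key ID, digest length, sequence number
    else:
        auth = b'\x00' * 8
    unsummed = HDR.pack(2, 1, length, rid, aid, 0, autype, b'\x00' * 8) + body
    csum = 0 if autype == 2 else ospf_checksum(unsummed)  # checksum is zero for AuType 2
    pkt = HDR.pack(2, 1, length, rid, aid, csum, autype, auth) + body
    if autype == 2:
        # RFC 2328 D.4.3: MD5 over the packet followed by the secret, zero-padded to 16 bytes
        pkt += hashlib.md5(pkt + password.ljust(16, b'\x00')[:16]).digest()
    return pkt


def inspect(pkt, key=None):
    """Classify the authentication on a packet; optionally verify an MD5 digest with `key`."""
    ver, ptype, length, rid, aid, csum, autype, auth = HDR.unpack_from(pkt)
    info = {'area': aid, 'autype': autype, 'mode': AUTYPE_NAMES.get(autype, 'unknown')}
    if autype == 1:
        info['password'] = auth.rstrip(b'\x00')           # readable by anyone on the segment
        info['empty_password'] = info['password'] == b''  # the "null key" case from the thread
    elif autype == 2:
        _, key_id, dlen, seq = struct.unpack('!HBBI', auth)
        info.update(key_id=key_id, seq=seq)
        if key is not None:
            expected = hashlib.md5(pkt[:length] + key.ljust(16, b'\x00')[:16]).digest()
            info['digest_ok'] = hmac.compare_digest(pkt[length:length + dlen], expected)
    return info


def demo():
    """Run the four configurations discussed in the thread through inspect()."""
    rid, aid = ip2int('10.0.50.1'), 50  # constructed sample router ID and area
    return {
        'no auth': inspect(build_hello(0, rid, aid)),
        'area 50 authentication, no key': inspect(build_hello(1, rid, aid, b'')),
        'clear text with key': inspect(build_hello(1, rid, aid, b'CCIE')),
        'md5, right key': inspect(build_hello(2, rid, aid, b'CCIE'), key=b'CCIE'),
        'md5, wrong key': inspect(build_hello(2, rid, aid, b'CCIE'), key=b'wrong'),
    }


if __name__ == '__main__':
    for label, info in demo().items():
        print(f'{label:32} {info}')
```

The second entry is the original poster's configuration as seen on the wire: AuType 1 with an empty password, which is why the adjacency forms (both sides send the same thing) while the MD5 key is never used. A capture filter or IDS rule that flags OSPF packets with AuType 0 or 1 on links that are supposed to run MD5 is a cheap way to catch this class of misconfiguration.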
08-11-2007 07:35 PM
In OSPF there are 2 types of authentication, clear text and MD5. Each of which can be configured in 2 ways: per-interface authentication and Area authentication.
Whether you are performing per-interface or Area authentication, the authentication must be enabled and then applied.
In per-interface authentication, authentication is enabled under the interface that requires authentication and it's applied using the second command to the same interface as follows:
Per-interface clear text:
interface f0/0
 ip ospf authentication
 ip ospf authentication-key CCIE
Per-interface MD5:
interface f0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CCIE
Note the first command enables authentication and the second command applies the authentication to the interface.
Area authentication clear text:
router ospf 1
 area 0 authentication
interface f0/0
 ip ospf authentication-key CCIE
Area authentication MD5:
router ospf 1
 area 0 authentication message-digest
interface f0/0
 ip ospf message-digest-key 1 md5 CCIE
Note in Area authentication, you must enable authentication under the Router OSPF 1 process and NOT the interface. This is handy if you have, let's say, 100 routers and each router has 10 interfaces that need to have authentication: if area authentication is used, then authentication is ONLY enabled once per router, whereas if per-interface is used, authentication must be enabled under each interface before it's applied to the same interface. The admin needs to enter 1000 commands versus 100 commands to enable authentication.
If both clear text and MD5 are configured, then MD5 will take precedence over clear text.
I hope this helps and sorry for the lengthy message.
Narbik Kocharians
CCSI, CCIE #12410 (R&S, Security and SP)
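The four patterns above, plus the mismatch in the original question, are easy to miss by eye across many routers, so here is an added config-audit script (example code written for this thread, not from any poster or from Cisco) that reads an IOS-style running-config and reports, per OSPF interface, the authentication mode that is actually in effect and whether the configured keys match it. It assumes interfaces are placed in areas with `ip ospf <pid> area <n>` (it does not parse `network` statements), assumes a single OSPF process, and models the precedence that an interface-level `ip ospf authentication ...` command overrides the area-level setting, with no authentication (AuType 0) when neither is present. The sample config is constructed and reproduces the original poster's setup on GigabitEthernet0/1.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Intf:
    name: str
    area: Optional[str] = None       # from 'ip ospf <pid> area <n>' (assumed binding method)
    auth_cmd: Optional[str] = None   # interface-level 'ip ospf authentication ...', if present
    simple_key: bool = False         # 'ip ospf authentication-key ...' present
    md5_keys: list = field(default_factory=list)  # key IDs from 'ip ospf message-digest-key'


def parse_config(text):
    """Pull the OSPF-authentication-relevant lines out of an IOS-style config.
    Returns (interfaces by name, {area id: 'simple' | 'md5'} from 'area N authentication')."""
    interfaces, area_auth, section = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == '!':
            continue
        if not raw.startswith(' '):           # top-level command: starts a new section
            m = re.match(r'interface (\S+)', raw)
            if m:
                section = interfaces.setdefault(m.group(1), Intf(m.group(1)))
            else:
                section = 'ospf' if raw.startswith('router ospf ') else None
            continue
        cmd = raw.strip()
        if section == 'ospf':
            m = re.match(r'area (\S+) authentication( message-digest)?$', cmd)
            if m:
                area_auth[m.group(1)] = 'md5' if m.group(2) else 'simple'
        elif isinstance(section, Intf):
            if m := re.match(r'ip ospf \d+ area (\S+)', cmd):
                section.area = m.group(1)
            elif cmd == 'ip ospf authentication message-digest':
                section.auth_cmd = 'md5'
            elif cmd == 'ip ospf authentication null':
                section.auth_cmd = 'null'
            elif cmd == 'ip ospf authentication':
                section.auth_cmd = 'simple'
            elif cmd.startswith('ip ospf authentication-key '):
                section.simple_key = True
            elif m := re.match(r'ip ospf message-digest-key (\d+) md5 ', cmd):
                section.md5_keys.append(m.group(1))
    return interfaces, area_auth


def effective_auth(intf, area_auth):
    """Modelled precedence: interface-level command wins, then the area setting, else null."""
    return intf.auth_cmd or area_auth.get(intf.area, 'null')


def audit(text):
    """Return (interface, effective mode, finding) for every OSPF interface needing attention."""
    interfaces, area_auth = parse_config(text)
    findings = []
    for name, i in interfaces.items():
        if i.area is None:
            continue                                  # interface is not running OSPF
        mode = effective_auth(i, area_auth)
        if mode == 'null':
            findings.append((name, mode, 'OSPF interface with no authentication'))
        elif mode == 'simple' and not i.simple_key:
            note = ' (configured message-digest-key is unused)' if i.md5_keys else ''
            findings.append((name, mode, 'clear-text authentication with an empty password' + note))
        elif mode == 'simple':
            findings.append((name, mode, 'password travels in clear text in every OSPF packet'))
        elif mode == 'md5' and not i.md5_keys:
            findings.append((name, mode, 'message-digest enabled but no message-digest-key'))
    return findings


# Constructed sample config: Gi0/1 is the thread's case (area-level clear text + MD5 key).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip ospf 100 area 50
 ip ospf message-digest-key 1 md5 xx
!
interface GigabitEthernet0/2
 ip ospf 100 area 50
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 yy
!
interface GigabitEthernet0/3
 ip ospf 100 area 60
!
interface GigabitEthernet0/4
 ip ospf 100 area 70
 ip ospf authentication
 ip ospf authentication-key CCIE
!
interface GigabitEthernet0/5
 ip ospf 100 area 70
!
router ospf 100
 area 50 authentication
 area 60 authentication message-digest
!
"""

if __name__ == '__main__':
    for name, mode, finding in audit(SAMPLE_CONFIG):
        print(f'{name:22} {mode:7} {finding}')
```

GigabitEthernet0/2 produces no finding because the interface-level `ip ospf authentication message-digest` overrides the area's clear-text setting and a key is present; GigabitEthernet0/1 is flagged exactly as the thread describes, clear text with an empty password and an unused MD5 key.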