Configuring and Verifying OSPF Authentication

Implementing a Scalable Multiarea Network OSPF-Based Solution
© 2009 Cisco Systems, Inc. All rights reserved.
ROUTE v1.0—3-1
OSPF Authentication Types
• OSPF supports two types of authentication:
– Simple password (or plaintext) authentication
– MD5 authentication
• The router generates and checks every OSPF packet.
• The source of each routing update packet received is authenticated.
• Each participating neighbor must have the same key (password) configured.
Configure Simple Password Authentication for OSPF
R1(config-if)#ip ospf authentication-key mykey
• This command defines a password to be used with a neighboring router.
• The neighboring router must have the same password configured.
R1(config-if)#ip ospf authentication
OR
R1(config-router)#area 0 authentication
• Specifies the authentication type for an interface or the authentication type for an area.
Simple Password Authentication Configuration Example
Simple Password Authentication Configuration for Virtual Links
Verifying Simple Password Authentication
Configure OSPF MD5 Authentication
R1(config-if)#ip ospf message-digest-key 1 md5 mysecretkey
• Defines a key ID and key to be used with a neighboring router.
• Neighboring router must have the same combination of key ID and key configured.
R1(config-if)#ip ospf authentication message-digest
OR
R1(config-router)#area 0 authentication message-digest
• Specifies the authentication type for an interface or the authentication type for an area.
OSPF MD5 Authentication Configuration Example
Verifying MD5 Authentication
Authentication Verification
Problems include the following:
• Authentication problems:
– Authentication is not configured on both sides.
– A different authentication type is configured on either side.
• Different passwords are configured on either side.
R1#debug ip ospf adj
• This command displays the OSPF adjacency-related events.
Successful Simple Password Authentication Verification
• Authentication is configured correctly
Troubleshooting Simple Password Authentication Problems
• Simple authentication is not configured on router R2
• Different keys on routers R1 and R2
Successful MD5 Authentication Verification
• Authentication is configured correctly
Troubleshooting MD5 Authentication Problems
• MD5 authentication configured on both routers
• Router R1 has key 1 and router R2 has key 2, both with the same passwords:
Summary
• When authentication is configured, the router generates and checks every OSPF packet and authenticates the source of each routing update packet that it receives. OSPF supports two types of authentication:
– Simple password (or plaintext) authentication: The router sends an OSPF packet and key.
– MD5 authentication: The router generates a message digest, or hash, of the key, key ID, and message. The message digest is sent with the packet; the key is not sent.
• To configure simple password authentication, use the ip ospf authentication-key password command and the ip ospf authentication command.
Summary (Cont.)
• To configure MD5 authentication, use the ip ospf message-digest-key key-id md5 key command and the ip ospf authentication message-digest command.
• Use the show ip ospf neighbor, show ip route, ping, and debug ip ospf adj commands to verify and troubleshoot both types of authentication. With MD5 authentication, the debug ip ospf adj command output indicates the key ID sent.
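The MD5 digest described in the summary, and the key ID mismatch from the MD5 troubleshooting slide, worked through as an added example that is not part of the original slides. It assumes the OSPFv2 cryptographic authentication layout from RFC 2328 Appendix D; the function names, router ID and packet body are constructed for illustration, and the sequence-number replay check is left out.

```python
import hashlib
import hmac
import struct

AUTYPE_MD5 = 2    # OSPFv2 AuType value for cryptographic authentication
DIGEST_LEN = 16   # MD5 digest length, carried in the Auth Data Len field
HDR_LEN = 24      # fixed OSPFv2 header length


def pad_key(key: bytes) -> bytes:
    """Zero-pad the shared key to the 16 bytes that are fed into MD5."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def sign(body: bytes, router_id: int, area_id: int,
         key_id: int, seq: int, key: bytes) -> bytes:
    """Build a hello-type OSPFv2 packet and append MD5(packet + padded key)."""
    header = struct.pack(
        "!BBHIIHHHBBI",
        2, 1, HDR_LEN + len(body),   # version, type (hello), length w/o digest
        router_id, area_id,
        0,                           # checksum stays 0 when AuType is 2
        AUTYPE_MD5, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(wire: bytes, keys: dict) -> str:
    """Check a received packet against the receiver's {key_id: key} table."""
    if len(wire) < HDR_LEN + DIGEST_LEN:
        return "malformed"
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    autype, _, key_id, _, _ = struct.unpack("!HHBBI", packet[14:HDR_LEN])
    if autype != AUTYPE_MD5:
        return "authentication type mismatch"
    if key_id not in keys:           # key is looked up by ID before any hashing
        return "unknown key id"
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    return "ok" if hmac.compare_digest(digest, expected) else "digest mismatch"


if __name__ == "__main__":
    # Constructed sample: R1 sends with key ID 1 and the key from the slide.
    wire = sign(b"\x00" * 20, 0x01010101, 0, 1, 1000, b"mysecretkey")
    print(verify(wire, {1: b"mysecretkey"}))   # same key ID and key
    print(verify(wire, {2: b"mysecretkey"}))   # same key, different key ID
    print(verify(wire, {1: b"wrongkey"}))      # same key ID, different key
```

The second call is the R1 key 1 / R2 key 2 case: the passwords match, but the receiver has no key stored under the ID carried in the packet, so the packet is rejected before any digest is compared.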