© 2006 Cisco Systems, Inc. All rights reserved. BSCI v3.03-1 Configuring OSPF Configuring OSPF Authentication.

Transcript:


OSPF Authentication Types
OSPF supports 2 types of authentication:
– Simple password (or plain text) authentication
– MD5 authentication
Router generates and checks every OSPF packet. Router authenticates the source of each routing update packet that it receives.
Configure a key (password); each participating neighbor must have the same key configured.

Configuring OSPF Simple Password Authentication
Router(config-if)# ip ospf authentication-key password
– Assigns a password to be used with neighboring routers
Router(config-if)# ip ospf authentication [message-digest | null]
– Specifies the authentication type for an interface (since Cisco IOS software 12.0)
Router(config-router)# area area-id authentication [message-digest]
– Specifies the authentication type for an area (was in Cisco IOS software before 12.0)

Example Simple Password Authentication Configuration
[Figure not preserved; surviving label: Loopback]

R2 Configuration for Simple Password Authentication
interface Loopback0
 ip address
interface Serial0/0/1
 ip address
 ip ospf authentication
 ip ospf authentication-key plainpas
router ospf 10
 log-adjacency-changes
 network area 0
 network area 0

Verifying Simple Password Authentication
R1#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
FULL/ - 00:00: Serial0/0/1
R1#show ip route
Gateway of last resort is not set
/8 is variably subnetted, 2 subnets, 2 masks
O /32 [110/782] via , 00:01:17, Serial0/0/1
C /24 is directly connected, Loopback
/27 is subnetted, 1 subnets
C is directly connected, Serial0/0/1
R1#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

Configuring OSPF MD5 Authentication
Router(config-if)# ip ospf message-digest-key key-id md5 key
– Assigns a key ID and key to be used with neighboring routers
Router(config-if)# ip ospf authentication [message-digest | null]
– Specifies the authentication type for an interface (since Cisco IOS software 12.0)
Router(config-router)# area area-id authentication [message-digest]
– Specifies the authentication type for an area (was in Cisco IOS software before 12.0)

Example MD5 Authentication Configuration

R2 Configuration for MD5 Authentication
interface Loopback0
 ip address
interface Serial0/0/1
 ip address
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 secretpass
router ospf 10
 log-adjacency-changes
 network area 0
 network area 0

Verifying MD5 Authentication
R1#sho ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
FULL/ - 00:00: Serial0/0/1
R1#show ip route
Gateway of last resort is not set
/8 is variably subnetted, 2 subnets, 2 masks
O /32 [110/782] via , 00:00:37, Serial0/0/1
C /24 is directly connected, Loopback
/27 is subnetted, 1 subnets
C is directly connected, Serial0/0/1
R1#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

Troubleshooting Simple Password Authentication
Router# debug ip ospf adj
– Displays the OSPF adjacency-related events
R1#debug ip ospf adj
OSPF adjacency events debugging is on
R1#
*Feb 17 18:42:01.250: OSPF: 2 Way Communication to on Serial0/0/1, state 2WAY
*Feb 17 18:42:01.250: OSPF: Send DBD to on Serial0/0/1 seq 0x9B6 opt 0x52 flag 0x7 len 32
*Feb 17 18:42:01.262: OSPF: Rcv DBD from on Serial0/0/1 seq 0x23ED opt0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Feb 17 18:42:01.262: OSPF: NBR Negotiation Done. We are the SLAVE
*Feb 17 18:42:01.262: OSPF: Send DBD to on Serial0/0/1 seq 0x23ED opt 0x52 flag 0x2 len 72
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
FULL/ - 00:00: Serial0/0/1

Troubleshooting Simple Password Authentication Problems
Simple authentication on R1, no authentication on R2:
R1#
*Feb 17 18:51:31.242: OSPF: Rcv pkt from , Serial0/0/1 : Mismatch Authentication type. Input packet specified type 0, we use type 1
R2#
*Feb 17 18:50:43.046: OSPF: Rcv pkt from , Serial0/0/1 : Mismatch Authentication type. Input packet specified type 1, we use type 0
Simple authentication on R1 and R2, but different passwords:
R1#
*Feb 17 18:54:01.238: OSPF: Rcv pkt from , Serial0/0/1 : Mismatch Authentication Key - Clear Text
R2#
*Feb 17 18:53:13.050: OSPF: Rcv pkt from , Serial0/0/1 : Mismatch Authentication Key - Clear Text

Troubleshooting MD5 Authentication
R1#debug ip ospf adj
OSPF adjacency events debugging is on
*Feb 17 17:14:06.530: OSPF: Send with youngest Key 1
*Feb 17 17:14:06.546: OSPF: 2 Way Communication to on Serial0/0/1, state 2WAY
*Feb 17 17:14:06.546: OSPF: Send DBD to on Serial0/0/1 seq 0xB37 opt 0x52 flag 0x7 len 32
*Feb 17 17:14:06.546: OSPF: Send with youngest Key 1
*Feb 17 17:14:06.562: OSPF: Rcv DBD from on Serial0/0/1 seq 0x32F opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Feb 17 17:14:06.562: OSPF: NBR Negotiation Done. We are the SLAVE
*Feb 17 17:14:06.562: OSPF: Send DBD to on Serial0/0/1 seq 0x32F opt 0x52 flag 0x2 len 72
*Feb 17 17:14:06.562: OSPF: Send with youngest Key 1
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
FULL/ - 00:00: Serial0/0/1

Troubleshooting MD5 Authentication Problems
MD5 authentication on both R1 and R2, but R1 has key 1 and R2 has key 2, both with the same passwords:
R1#
*Feb 17 17:56:16.530: OSPF: Send with youngest Key 1
*Feb 17 17:56:26.502: OSPF: Rcv pkt from , Serial0/0/1 : Mismatch Authentication Key - No message digest key 2 on interface
*Feb 17 17:56:26.530: OSPF: Send with youngest Key 1
R2#
*Feb 17 17:55:28.226: OSPF: Send with youngest Key 2
*Feb 17 17:55:28.286: OSPF: Rcv pkt from , Serial0/0/1 : Mismatch Authentication Key - No message digest key 1 on interface
*Feb 17 17:55:38.226: OSPF: Send with youngest Key 2
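
The three mismatch messages on the two troubleshooting slides map to three distinct misconfigurations. The following is an added example, not part of the Cisco material: a small classifier for saved debug ip ospf adj output. The sample lines are constructed in the slides' format, and the neighbor address 192.0.2.2 is a placeholder.

```python
import re

# AuType values carried in the OSPF header (RFC 2328): 0 null, 1 simple, 2 MD5.
AUTH_NAMES = {0: "no", 1: "simple password", 2: "MD5"}

RCV = re.compile(r"OSPF: Rcv pkt from (?P<nbr>\S+), (?P<intf>\S+) : "
                 r"Mismatch Authentication (?P<detail>.+)$")
TYPE = re.compile(r"type\. Input packet specified type (\d+), we use type (\d+)")
NO_KEY = re.compile(r"Key - No message digest key (\d+) on interface")


def triage(lines):
    """Return (neighbor, interface, kind, explanation) per mismatch line."""
    findings = []
    for line in lines:
        m = RCV.search(line.strip())
        if not m:
            continue  # adjacency progress lines are not failures
        detail = m["detail"]
        if t := TYPE.match(detail):
            theirs, ours = int(t[1]), int(t[2])
            kind = "type-mismatch"
            why = (f"neighbor sends {AUTH_NAMES.get(theirs, theirs)} authentication, "
                   f"this interface expects {AUTH_NAMES.get(ours, ours)} authentication")
        elif k := NO_KEY.match(detail):
            kind = "unknown-key-id"
            why = f"neighbor signs with key ID {k[1]}, which is not configured here"
        elif detail.startswith("Key - Clear Text"):
            kind = "password-mismatch"
            why = "both sides use simple authentication but the passwords differ"
        else:
            kind, why = "other", detail
        findings.append((m["nbr"], m["intf"], kind, why))
    return findings


# Constructed sample lines; 192.0.2.2 is a documentation placeholder address.
SAMPLE = """\
*Feb 17 18:51:31.242: OSPF: Rcv pkt from 192.0.2.2, Serial0/0/1 : Mismatch Authentication type. Input packet specified type 0, we use type 1
*Feb 17 18:54:01.238: OSPF: Rcv pkt from 192.0.2.2, Serial0/0/1 : Mismatch Authentication Key - Clear Text
*Feb 17 17:56:16.530: OSPF: Send with youngest Key 1
*Feb 17 17:56:26.502: OSPF: Rcv pkt from 192.0.2.2, Serial0/0/1 : Mismatch Authentication Key - No message digest key 2 on interface
""".splitlines()

if __name__ == "__main__":
    for nbr, intf, kind, why in triage(SAMPLE):
        print(f"{intf} {nbr}: {kind}: {why}")
```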

Summary
When authentication is configured, the router generates and checks every OSPF packet and authenticates the source of each routing update packet that it receives.
OSPF supports two types of authentication:
– Simple password (or plain text) authentication: The router sends an OSPF packet and key.
– MD5 authentication: The router generates a message digest, or hash, of the key, key ID, and message. The message digest is sent with the packet; the key is not sent.
To configure simple password authentication, use the ip ospf authentication-key password command and the ip ospf authentication command.

Summary (Cont.)
To configure MD5 authentication, use the ip ospf message-digest-key key-id md5 key command and the ip ospf authentication message-digest command.
Use show ip ospf neighbor, show ip route, and debug ip ospf adj to verify and troubleshoot both types of authentication.
With MD5 authentication, the debug ip ospf adj command output indicates the key ID sent.
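
The Summary's description of MD5 authentication (digest over key, key ID and message; key never sent) can be made concrete. The following is an added example, not Cisco's code: it follows the RFC 2328 Appendix D packet layout, and the router ID, sequence number and Hello body are constructed placeholders. Only the key secretpass and key IDs 1 and 2 come from the slides.

```python
import hashlib
import hmac
import socket
import struct

AUTYPE_MD5 = 2      # AuType for cryptographic authentication (RFC 2328)
HDR_LEN = 24        # fixed OSPF header length
DIGEST_LEN = 16     # MD5 output size


def _pad(key: bytes) -> bytes:
    """The key is used as a 16-byte field: truncate or zero-pad."""
    return key[:16].ljust(16, b"\x00")


def sign(body, router_id, area_id, key_id, key, seq, pkt_type=1):
    """Build an OSPF packet with AuType 2 and append its MD5 digest."""
    header = struct.pack("!BBH4s4sHHHBBI", 2, pkt_type, HDR_LEN + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0,                # checksum is left 0 with AuType 2
                         AUTYPE_MD5, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    # The digest covers packet + key; only the digest goes on the wire.
    return packet + hashlib.md5(packet + _pad(key)).digest()


def verify(wire, keyring):
    """Receiver-side check; keyring maps configured key IDs to keys."""
    (length,) = struct.unpack_from("!H", wire, 2)
    autype, _, key_id, auth_len, _seq = struct.unpack_from("!HHBBI", wire, 14)
    if autype != AUTYPE_MD5:
        return f"mismatch authentication type {autype}"
    if key_id not in keyring:
        return f"no message digest key {key_id} on interface"
    expected = hashlib.md5(wire[:length] + _pad(keyring[key_id])).digest()
    received = wire[length:length + auth_len]
    return "ok" if hmac.compare_digest(received, expected) else "digest mismatch"


# Constructed input: placeholder router ID, area 0, a dummy 20-byte Hello body.
WIRE = sign(b"\x00" * 20, "192.0.2.1", "0.0.0.0", key_id=1,
            key=b"secretpass", seq=1)

if __name__ == "__main__":
    print(verify(WIRE, {1: b"secretpass"}))   # matching key ID and key
    print(verify(WIRE, {2: b"secretpass"}))   # same password, other key ID
    print(verify(WIRE, {1: b"otherpass"}))    # same key ID, other password
    print(b"secretpass" in WIRE)              # the key itself is never sent
```

The second call reproduces the R1 key 1 / R2 key 2 case from the troubleshooting slide: the receiver rejects the packet on the key ID before any digest is compared. The cryptographic sequence number check is not modelled here.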
