Sample Configuration for Authentication in OSPF

Document ID: 44041


Contents

Introduction
Before You Begin
     Conventions
     Prerequisites
     Components Used
Configurations
     Network Diagram
     Configurations for Plain Text Authentication
     Configurations for MD5 Authentication
Verify
     Verify Configurations for Plain Text Authentication
     Verify Configurations for MD5 Authentication
Troubleshoot
     Troubleshoot Configurations for Plain Text Authentication
     Troubleshoot Configurations for MD5 Authentication
Related Information

Introduction

This document shows sample configurations for Open Shortest Path First (OSPF) authentication. OSPF supports both plain text and Message Digest 5 (MD5) authentication. When you configure authentication, you must configure an entire area with the same type of authentication. Starting in Cisco IOS® 12.0.8, authentication is supported on a per-interface basis, as mentioned in RFC 2328, Appendix D. This feature was added in bug CSCdk33792 (registered customers only).

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

Before attempting this configuration, please ensure that you meet the following prerequisites:

Components Used

The information in this document is based on the software and hardware versions below.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Configurations

This section describes configurations for OSPF plain text authentication and MD5 authentication.

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in the diagram below.

[Figure: network diagram (25a.gif)]

Configurations for Plain Text Authentication

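Plain text authentication is useful when performing OSPF reconfiguration rather than for security: the key is carried unencrypted in every OSPF packet, so anyone who can capture traffic on the link can read it. Plain text authentication passwords do not have to be the same throughout an area, but they must be the same between neighbors.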

R4-4K

interface Loopback0
 ip address 70.70.70.70 255.255.255.255
!
interface Serial2
 ip address 192.16.64.2 255.255.255.0
 ip ospf authentication-key kal
!
router ospf 10
 network 192.16.64.0 0.0.0.255 area 0
 network 70.0.0.0 0.255.255.255 area 0
 area 0 authentication

R1-7010

interface Loopback0
 ip address 172.16.10.36 255.255.255.240
!
interface Serial1/0
 ip address 192.16.64.1 255.255.255.0
 ip ospf authentication-key kal
!
router ospf 10
 network 172.16.0.0 0.0.255.255 area 0
 network 192.16.64.0 0.0.0.255 area 0
 area 0 authentication 

Configurations for MD5 Authentication

MD5 authentication provides higher security than plain text authentication. As with plain text authentication, passwords do not have to be the same throughout an area, but they must be the same between neighbors. MD5 authentication uses a key ID that allows the router to reference multiple passwords, which makes password migration easier and more secure. For example, to migrate from one password to another, configure a password under a different key ID and then remove the first key.

R4-4K

interface Loopback0
 ip address 70.70.70.70 255.255.255.255
!
interface Serial2
 ip address 192.16.64.2 255.255.255.0
 ip ospf message-digest-key 1 md5 kal
!
router ospf 10
 network 192.16.64.0 0.0.0.255 area 0
 network 70.0.0.0 0.255.255.255 area 0
 area 0 authentication message-digest

R1-7010

interface Loopback0
 ip address 172.16.10.36 255.255.255.240
!
interface Serial1/0
 ip address 192.16.64.1 255.255.255.0
 ip ospf message-digest-key 1 md5 kal
!
router ospf 10
 network 172.16.0.0 0.0.255.255 area 0
 network 192.16.64.0 0.0.0.255 area 0
 area 0 authentication message-digest
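
How the two authentication types differ on the wire, following RFC 2328 Appendix D, as an added example that is not part of the original Cisco document: with AuType 1 the key kal sits in the packet header, with AuType 2 only a key ID, sequence number and digest are sent, and a receiver holding two key IDs accepts either one during a migration. The Hello body, the sequence numbers and the second key are constructed values, and the function names are this example's own.

```python
import hashlib
import hmac
import socket
import struct

HDR = struct.Struct("!BBH4s4sHH8s")    # RFC 2328 A.3.1: 24-byte OSPFv2 header
RID = socket.inet_aton("172.16.13.1")  # router ID seen in the debug output
AREA = socket.inet_aton("0.0.0.0")     # area 0
BODY = bytes(20)                       # constructed stand-in for a Hello body

def pad(key, size):
    return key.encode()[:size].ljust(size, b"\0")

def build(autype, auth_field):
    # Version 2, type 1 (Hello); checksum left at 0 in this sketch.
    return HDR.pack(2, 1, HDR.size + len(BODY), RID, AREA, 0, autype, auth_field) + BODY

def simple_packet(password):
    # AuType 1: the 64-bit authentication field IS the password.
    return build(1, pad(password, 8))

def md5_packet(key_id, key, seq):
    # AuType 2: the field holds 0, Key ID, digest length, sequence number.
    pkt = build(2, struct.pack("!HBBI", 0, key_id, 16, seq))
    # The digest covers packet + padded key; only the digest is transmitted.
    return pkt + hashlib.md5(pkt + pad(key, 16)).digest()

def verify_md5(packet, keys, last_seq):
    """Receiver check: look up the key by Key ID, reject old sequence numbers."""
    _, _, length, _, _, _, autype, auth = HDR.unpack(packet[:HDR.size])
    _, key_id, dlen, seq = struct.unpack("!HBBI", auth)
    if autype != 2 or dlen != 16 or key_id not in keys or seq < last_seq:
        return False
    expected = hashlib.md5(packet[:length] + pad(keys[key_id], 16)).digest()
    return hmac.compare_digest(packet[length:length + 16], expected)

if __name__ == "__main__":
    print(b"kal" in simple_packet("kal"))    # key is visible on the wire
    both = {1: "kal", 2: "new-key"}          # key 2 is a constructed value
    print(verify_md5(md5_packet(2, "new-key", 11), both, 10))
```
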

Verify

This section describes verifications for OSPF plain text authentication and MD5 authentication.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
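
An offline check of a saved configuration, added here and not part of the original Cisco document: it maps each non-loopback OSPF interface to its area through the network statements and reports whether the interface key matches the area's authentication type. The function name audit and the finding strings are assumptions of this example, contiguous wildcard masks are assumed, and SAMPLE is the R4-4K plain text configuration shown earlier.

```python
import ipaddress
import re

SAMPLE = """\
interface Loopback0
 ip address 70.70.70.70 255.255.255.255
!
interface Serial2
 ip address 192.16.64.2 255.255.255.0
 ip ospf authentication-key kal
!
router ospf 10
 network 192.16.64.0 0.0.0.255 area 0
 network 70.0.0.0 0.255.255.255 area 0
 area 0 authentication
"""

def audit(config):
    """Map each non-loopback OSPF interface to (area, area auth mode, finding)."""
    ifaces, nets, area_auth, cur = {}, [], {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"ip": None, "keys": set()})
        elif line.startswith("router "):
            cur = None
        elif cur is not None and (m := re.match(r"ip address (\S+) ", line)):
            cur["ip"] = ipaddress.ip_address(m[1])
        elif cur is not None and (m := re.match(r"ip ospf (authentication|message-digest)-key ", line)):
            cur["keys"].add("plain" if m[1] == "authentication" else "md5")
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", line):
            bits = 32 - bin(int(ipaddress.ip_address(m[2]))).count("1")
            nets.append((ipaddress.ip_network((m[1], bits), strict=False), m[3]))
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
            area_auth[m[1]] = "md5" if m[2] else "plain"
    report = {}
    for name, i in ifaces.items():
        area = next((a for n, a in nets if i["ip"] and i["ip"] in n), None)
        if area is None or name.lower().startswith("loopback"):
            continue
        mode = area_auth.get(area, "none")
        if mode == "none":
            finding = "area has no authentication"
        elif mode not in i["keys"]:
            finding = "no key for the area's authentication type"
        else:
            finding = "key sent in clear text" if mode == "plain" else "ok"
        report[name] = (area, mode, finding)
    return report
```
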

Verify Configurations for Plain Text Authentication

Verify Configurations for MD5 Authentication

Troubleshoot

This section describes troubleshooting commands for OSPF plain text authentication and MD5 authentication.

Troubleshoot Configurations for Plain Text Authentication

R1-7010# debug ip ospf adj

     OSPF: Receive dbd from 70.70.70.70 seq 0x14B
     OSPF: 2 Way Communication to neighbor 70.70.70.70
     OSPF: send DBD packet to 192.16.64.2 seq 0x1797
     OSPF: Receive dbd from 70.70.70.70 seq 0x1797
     OSPF: NBR Negotiation Done  We are the MASTER
     OSPF: send DBD packet to 192.16.64.2 seq 0x1798
     OSPF: Database request to 70.70.70.70 
     OSPF: sent LS REQ packet to 192.16.64.2, length 12
     OSPF: Receive dbd from 70.70.70.70 seq 0x1798
     OSPF: send DBD packet to 192.16.64.2 seq 0x1799
     OSPF: Receive dbd from 70.70.70.70 seq 0x1799
     OSPF: Exchange Done with neighbor 70.70.70.70
     OSPF: Synchronized with neighbor 70.70.70.70, state:FULL
     OSPF: Build router LSA, router ID 172.16.13.1

Troubleshoot Configurations for MD5 Authentication

R1-7010# debug ip ospf adj

     OSPF: Send with youngest Key 1
     OSPF: Receive dbd from 70.70.70.70 seq 0xEDC
     OSPF: 2 Way Communication to neighbor 70.70.70.70
     OSPF: send DBD packet to 192.16.64.2 seq 0x9A3
     OSPF: Send with youngest Key 1
     OSPF: Receive dbd from 70.70.70.70 seq 0x9A3
     OSPF: NBR Negotiation Done  We are the MASTER
     OSPF: send DBD packet to 192.16.64.2 seq 0x9A4
     OSPF: Send with youngest Key 1
     OSPF: Send with youngest Key 1
     OSPF: Database request to 70.70.70.70 
     OSPF: sent LS REQ packet to 192.16.64.2, length 12
     OSPF: Receive dbd from 70.70.70.70 seq 0x9A4
     OSPF: send DBD packet to 192.16.64.2 seq 0x9A5
     OSPF: Send with youngest Key 1
     OSPF: Send with youngest Key 1
     OSPF: Receive dbd from 70.70.70.70 seq 0x9A5
     OSPF: Exchange Done with neighbor 70.70.70.70
     OSPF: Synchronized with neighbor 70.70.70.70, state:FULL
     OSPF: Build router LSA, router ID 172.16.13.1

Related Information


All contents are Copyright © 1992-2003 Cisco Systems, Inc. All rights reserved.

Updated: Aug 13, 2003
Document ID: 44041