This post is about the different OSPF authentication methods. It will be part of a series outlining OSPF commands/technologies.

We can configure OSPF to use authentication for an entire area, or just for a single interface. Today we’ll go over both. Here’s the topology:

First we’ll set up authentication for all of area 0:

R1(config)#interface FastEthernet0/0
R1(config-if)#ip ospf message-digest-key 1 md5 cisco
R1(config-if)#ip ospf 100 area 0
R1(config-if)#
R1(config-if)#router ospf 100
R1(config-router)#area 0 authentication message-digest
 
R2(config)#interface FastEthernet0/0
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config-if)#ip ospf 100 area 0
R2(config-if)#
R2(config-if)#router ospf 100
R2(config-router)#area 0 authentication message-digest
 
R3(config)#interface FastEthernet0/0
R3(config-if)#ip ospf message-digest-key 1 md5 cisco
R3(config-if)#ip ospf 100 area 0
R3(config-if)#
R3(config-if)#router ospf 100
R3(config-router)#area 0 authentication message-digest

Nothing crazy here: we configure OSPF and an MD5 key under our area 0 interfaces, then we specify that all of area 0 should use MD5 authentication. Note that the commands differ slightly if we want to use clear-text authentication: it would be “ip ospf authentication-key [key]” on the interface and “area 0 authentication” under the OSPF 100 process.

Let’s verify:

R1#sh ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:32    10.1.123.2      FastEthernet0/0
3.3.3.3           1   FULL/DROTHER    00:00:35    10.1.123.3      FastEthernet0/0
 
R1#sh ip ospf int fa0/0
...
  Message digest authentication enabled
    Youngest key id is 1

Everything is working: our neighbors are up and we see that authentication is enabled with the key we specified. Note that if we leave off a key, the neighbors will still form and MD5 will still be enabled, but it will say key 0:

R1(config)#int fa0/0
R1(config-if)#no ip ospf message-digest-key 1 md5 cisco
 
R2(config)#int fa0/0
R2(config-if)#no ip ospf message-digest-key 1 md5 cisco
 
R2#sh ip ospf int fa0/0
...
  Message digest authentication enabled
      No key configured, using default key id 0

We see that no key is being used, but MD5 is still working. Not critical knowledge, but may be useful sometime.

Next we’ll configure MD5 between routers R3 and R4:

R3(config)#interface Serial0/0
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf message-digest-key 2 md5 cisco
R3(config-if)#ip ospf 100 area 34
 
R4(config)#interface Serial0/0
R4(config-if)#ip ospf authentication message-digest
R4(config-if)#ip ospf message-digest-key 2 md5 cisco
R4(config-if)#ip ospf 100 area 34

Notice that here we have not made any changes under the OSPF process; this is all at the interface level. We use the “ip ospf authentication message-digest” command to run MD5 on this interface, then we specify a key the same way as earlier.

We’ll verify this config:

R3#sh ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:36    10.1.34.4       Serial0/0
 
R3#sh ip ospf int s0/0
...
  Message digest authentication enabled
    Youngest key id is 2

As expected, everything is working.
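
The checks done by hand above can be run over a saved configuration. This is an added example, not part of the original post: it works out the effective authentication mode of each OSPF interface (an interface-level setting overrides the area-level one) and flags the "MD5 enabled but no key" case. It assumes a single OSPF process and interfaces enabled with “ip ospf [process] area [id]” as in this post; the function name and status strings are hypothetical.

```python
import re
# Constructed running-config excerpt for illustration (not the post's routers).
SAMPLE = """\
interface FastEthernet0/0
 ip ospf message-digest-key 1 md5 cisco
 ip ospf 100 area 0
!
interface FastEthernet0/1
 ip ospf 100 area 0
!
interface Serial0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 cisco
 ip ospf 100 area 34
!
interface Serial0/1
 ip ospf authentication-key cisco
 ip ospf authentication
 ip ospf 100 area 34
!
router ospf 100
 area 0 authentication message-digest
"""

def audit(config):
    ifaces, area_mode, cur = {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):  # top-level line: a new section starts
            m = re.match(r"interface (\S+)", s)
            cur = ifaces.setdefault(m.group(1), {"keys": []}) if m else None
        if m := re.match(r"area (\S+) authentication( message-digest)?$", s):
            area_mode[m.group(1)] = "md5" if m.group(2) else "clear-text"
        elif cur is None:
            continue  # not inside an interface section
        elif m := re.match(r"ip ospf \d+ area (\S+)", s):
            cur["area"] = m.group(1)
        elif m := re.match(r"ip ospf authentication( message-digest| null)?$", s):
            cur["mode"] = {" message-digest": "md5", " null": "none"}.get(m.group(1), "clear-text")
        elif m := re.match(r"ip ospf message-digest-key (\d+) md5", s):
            cur["keys"].append(int(m.group(1)))
    result = {}  # interface -> md5-ok | md5-no-key | clear-text | none
    for name, i in ifaces.items():
        if "area" in i:  # only interfaces that actually run OSPF
            mode = i.get("mode") or area_mode.get(i["area"], "none")  # interface wins
            if mode == "md5":  # MD5 enabled without a key falls back to key id 0
                mode = "md5-ok" if i["keys"] else "md5-no-key"
            result[name] = mode
    return result
```

Calling audit(SAMPLE) reports FastEthernet0/1 as md5-no-key and Serial0/1 as clear-text; the other two interfaces come back as md5-ok.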

That’s OSPF authentication. Both methods could be asked on the CCIE Lab, so this is good stuff to know.

Colby

Colby Glass has been in IT since 2002. He is currently a Systems Engineer (presales) with a Cisco Gold partner and holds the CCNP R/S, CCNP DC, CCDP, CCIP, JNCIA-ER.
