OSPF Authentication Configuration

Posted on by Loopy

This will be brief, as there is not a whole lot to OSPF Authentication, just a few good to know debug / verification commands and a few commands to configure the authentication itself.

***One thing to note before going into the commands to configure the authentication itself, it will always require two commands, one to ENABLE authentication for OSPF interfaces (can be done in two different places) and one to set the authentication key / passphrase which will always be done directly on the interface level***

Firstly, you must enable OSPF Authentication on the OSPF Interface(s) on the local router, which can be done either per interface directly on the interface, or globally in router configuration mode for all OSPF enabled interfaces in a particular Area:

“ip ospf authentication [message-digest]” interface configuration mode to ‘enable’ authentication on the interface in either clear text or using md5 hash.

“area 0 authentication [message-digest]” router configuration mode, equivalent to ip ospf authentication for all interfaces in the specified area, “message-digest” optional to add onto the command if configuring md5 hashed key authentication on interfaces.

The above commands must be issued first to start or enable the authentication, it just depends on if you need a single interface configured for authentication, or if you want every interface for an Area on the local router to require authentication. That being said, the following two commands are how to configure authentication keys on the interface:

“ip ospf authentication-key CCNP” configured on the interface, sets a clear-text key / passphrase to be used for authentication (CCNP in this example)

“ip ospf message-digest-key 1 md5 CCNP” configured on the interface, defines key # 1 as CCNP using MD5 to create a hashed key / passphrase for authentication, requires OSPF authentication be configured in router configuration mode with message-digest syntax

  • Enabling authentication on a single router will not immediately drop adjacencies to other routers in the Area, but the Dead timer will count down until it drops if you do not configure authentication on the neighbor before the dead timer expires

“debug ip ospf adj” is a good command to verify authentication, will show if / why an interface is not authenticating, and shows 3 OSPF Authentication types in its output:

  • OSPF Auth Type 0 = No authentication set
  • OSPF Auth Type 1 = Clear-text authentication set
  • OSPF Auth Type 2 = Hashed authentication set

So if you have Hashed authentication set on the local router, and the debug shows the neighbor is configured with Type 1, you have an authentication mismatch.

“show ip ospf” will show if authentication is set down in the ‘Areas’ segments

“show ip ospf int s0/1” will show if authentication is set for the particular interface

I have not added authentication to the lab yet, so I will need update with any findings during the lab session (if any), or if I find any sort of output I believe will be beneficial for clarity of this topic though I think authentication at this point is pretty straight forward.

  • One final oddity, “debug ip ospf adjacency” is NOT  a valid command, you must type in “debug ip ospf adj” – Again, this command gives almost any output you could want to find an issue between OSPF traffic or neighbors!

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s