Configuring just for Area 0 (Hub and Spoke NBMA portion of below net diagram):

[Network diagram: Topology_OSPF_Stubs]

So I had no issues with the configurations for authentication for OSPF, except when it came to entering the password on the interface: I kept typing “ip ospf authentication …” when the command is actually “ip ospf message-digest-key 1 md5 CCNP” on the interface.

One behavior I found worth mentioning is that as soon as I typed in “area 0 authentication message-digest” on R1, the Dead timer immediately began its countdown to dropping adjacencies, before I even entered an md5 password on the interface for authentication. So just enabling authentication itself begins the countdown to dropping adjacencies:

R1(config-router)#area 0 authentication message-digest
*Mar  1 11:15:47.646: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Mar  1 11:15:52.819: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
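Why the countdown starts as soon as one side enables authentication, as an added example that is not part of the original post: per RFC 2328 a receiver discards any OSPF packet whose AuType differs from its own, so R1 stops counting its neighbours' Hellos. The sketch models that header check and the MD5 digest (MD5 over the packet plus the key padded to 16 bytes); the 20-byte body, the NUL padding of short keys and all function names are assumptions.

```python
import hashlib
import hmac
import socket
import struct

AUTH_NULL, AUTH_MD5 = 0, 2      # AuType values from RFC 2328
BODY = bytes(20)                # constructed stand-in for a 20-byte Hello body

def pad_key(key: str) -> bytes:
    # Assumption: keys shorter than 16 bytes are NUL-padded, longer ones cut.
    return key.encode()[:16].ljust(16, b"\x00")

def build(body, router_id, autype, key_id=0, key="", seq=0):
    """Build an OSPFv2 Hello for area 0; checksum is left 0 (not modelled)."""
    hdr = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body),
                      socket.inet_aton(router_id), bytes(4), 0, autype,
                      0, key_id, 16 if autype == AUTH_MD5 else 0, seq)
    pkt = hdr + body
    if autype == AUTH_MD5:
        # The digest is appended after the packet and not counted in its length.
        pkt += hashlib.md5(pkt + pad_key(key)).digest()
    return pkt

def accept(wire, expected_autype, keys):
    """Receiver-side check: AuType first, then key ID, then digest."""
    (length,) = struct.unpack("!H", wire[2:4])
    (autype,) = struct.unpack("!H", wire[14:16])
    if autype != expected_autype:
        return False, "authentication type mismatch"
    if autype == AUTH_NULL:
        return True, "ok"
    key_id, auth_len = wire[18], wire[19]
    if key_id not in keys:
        return False, "no key with this ID"
    good = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(wire[length:length + auth_len], good):
        return False, "digest mismatch"
    return True, "ok"

if __name__ == "__main__":
    r1_keys = {1: "CCNP"}
    # R3 has not been reconfigured yet: null auth arrives at an MD5-only R1.
    print(accept(build(BODY, "3.3.3.3", AUTH_NULL), AUTH_MD5, r1_keys))
    # R3 after "ip ospf message-digest-key 1 md5 CCNP".
    print(accept(build(BODY, "3.3.3.3", AUTH_MD5, 1, "CCNP", 1), AUTH_MD5, r1_keys))
```

Every rejected Hello is silently dropped, which is why the neighbour only goes DOWN when the Dead timer expires rather than at the moment of the config change.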

It took the whole 3 minutes for them to drop as I bumbled around trying to remember the proper syntax from memory rather than notes, but it did drop before I even entered a password for authentication, and it did require the Dead timer to expire. Once I managed to apply the password, I went to R2 and applied the commands, and noticed it seemed to take forever for the adjacency to reform after typing the authentication commands in correctly. It did eventually reform, I would guess about 60 seconds after entering both the authentication enable command and the password on the interface, but with both “debug ip ospf adj” and “debug ip ospf packet” running the output was a bit messy.

That being said, instead of editing my troubleshooting show commands and such out of the output on R2, I went to R3 and immediately ran “debug ip ospf adj” after entering authentication commands and waited for a clean run of the output which is as follows:

R3(config-router)#area 0 authentication message-digest
R3(config-router)#do show ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.12.23.3     YES NVRAM  administratively down down
FastEthernet0/1            172.12.34.3     YES NVRAM  up                    up
Serial0/2                  172.12.123.3    YES NVRAM  up                    up
Serial0/3                  172.12.13.3     YES NVRAM  down                  down
Loopback3                  3.3.3.3         YES NVRAM  up                    up
R3(config-router)#int s0/2
R3(config-if)#ip ospf mess
R3(config-if)#ip ospf message-digest-key 1 md5 CCNP
R3(config-if)#^Z
R3#debu
*Mar  1 12:13:17.601: %SYS-5-CONFIG_I: Configured from console by console
R3#debug ip ospf adj
OSPF adjacency events debugging is on
R3#
*Mar  1 12:13:40.354: OSPF: Send with youngest Key 1
R3#
*Mar  1 12:14:10.355: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.403: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.479: OSPF: Rcv DBD from 172.16.11.1 on Serial0/2 seq 0xB12 opt 0x52 flag 0x7 len 32  mtu 1500 state INIT
*Mar  1 12:14:10.479: OSPF: 2 Way Communication to 172.16.11.1 on Serial0/2, state 2WAY
*Mar  1 12:14:10.479: OSPF: Neighbor change Event on interface Serial0/2
*Mar  1 12:14:10.483: OSPF: DR/BDR election on Serial0/2
*Mar  1 12:14:10.483: OSPF: Elect BDR 0.0.0.0
*Mar  1 12:14:10.483: OSPF: Elect DR 172.16.11.1
*Mar  1 12:14:10.483:        DR: 172.16.11.1 (Id)   BDR: none
*Mar  1 12:14:10.483: OSPF: Send DBD to 172.16.11.1 on Serial0/2 seq 0x143D opt 0x52 flag 0x7 len 32
*Mar  1 12:14:10.483: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.483: OSPF: NBR Negotiation Done. We are the SLAVE
*Mar  1 12:14:10.487: OSPF: Send DBD to 172.16.11.1 on Serial0/2 seq 0xB12 opt 0x52 flag 0x2 len 252
*Mar  1 12:14:10.487: OSPF: Send with youngest Key 1
*Ma
R3#r  1 12:14:10.700: OSPF: Rcv DBD from 172.16.11.1 on Serial0/2 seq 0xB13 opt 0x52 flag 0x3 len 252  mtu 1500 state EXCHANGE
*Mar  1 12:14:10.700: OSPF: Send DBD to 172.16.11.1 on Serial0/2 seq 0xB13 opt 0x52 flag 0x0 len 32
*Mar  1 12:14:10.700: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.700: OSPF: Database request to 172.16.11.1
*Mar  1 12:14:10.700: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.704: OSPF: sent LS REQ packet to 172.12.123.1, length 36
*Mar  1 12:14:10.708: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.772: OSPF: Rcv DBD from 172.16.11.1 on Serial0/2 seq 0xB14 opt 0x52 flag 0x1 len 32  mtu 1500 state EXCHANGE
*Mar  1 12:14:10.772: OSPF: Exchange Done with 172.16.11.1 on Serial0/2
*Mar  1 12:14:10.772: OSPF: Send DBD to 172.16.11.1 on Serial0/2 seq 0xB14 opt 0x52 flag 0x0 len 32
*Mar  1 12:14:10.776: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.804: OSPF: Synchronized with 172.16.11.1 on Serial0/2, state FULL
*Mar  1 12:14:10.804: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on Serial0/2 from LOADING to FULL, Loading Done
*Mar  1 12:14:10.828: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.984: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.984: OSPF: Build router LSA for area 0, router ID 3.3.3.3, seq 0x80000004, process 1
R3#
R3#
*Mar  1 12:14:13.308: OSPF: Send with youngest Key 1
R3#
*Mar  1 12:14:15.808: OSPF: Send with youngest Key 1

There is a lot of output there, but I wanted to get the whole chunk of it to show the time stamps of events happening on R3. Given the first time stamp, I would say that the key on the interface was probably entered at 12:13:10, which means that the first Authentication related message was sent roughly 30 seconds later:

*Mar  1 12:13:40.354: OSPF: Send with youngest Key 1

What’s curious to me is that it then repeats this message again 30 seconds after that, and the debug immediately spilled out the neighbor formation output and the adjacency was reformed, so after the correct Authentication commands were entered the adjacency came up exactly 60 seconds later, the exact time of the NBMA Hello time, despite the fact it had sent the Key 1 after 30 seconds of it being entered on the interface.

Then, as can be seen, the Key 1 is sent every 2-3 seconds once the adjacency is formed, so I just have to assume at this point that authentication sends traffic faster than Hellos; however, that Hello must be sent before the adjacency will form. Very interesting behavior.

Also, going through the debug output you can see the adjacency took less than an entire second to go through all the states of forming (INIT -> 2WAY -> EXCHANGE -> FULL), and at which points it exchanged DBDs and ran through the DR election process. Note that the BDR elected in the output is 0.0.0.0, which means nobody is the BDR in this Hub-and-Spoke network. Lots of good information in the output for “debug ip ospf adj”, not just for the Authentication piece but also a good example of the neighbor relationship forming on an NBMA spoke with Priority 0 set on the interface.
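To read the intervals off the debug output rather than estimating them, here is an added example (not part of the original post) that parses the IOS timestamps from a subset of the R3 lines above and reports the gaps between the config exit, the "Send with youngest Key 1" messages and the FULL adjacency. The function names are assumptions; the log lines are copied from the capture above.

```python
import re
from datetime import datetime

# Subset of the R3 capture above; the bare prompt line is kept on purpose.
LOG = """\
*Mar  1 12:13:17.601: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 12:13:40.354: OSPF: Send with youngest Key 1
R3#
*Mar  1 12:14:10.355: OSPF: Send with youngest Key 1
*Mar  1 12:14:10.479: OSPF: 2 Way Communication to 172.16.11.1 on Serial0/2, state 2WAY
*Mar  1 12:14:10.804: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on Serial0/2 from LOADING to FULL, Loading Done
"""

STAMP = re.compile(r"^\*(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")

def parse(log):
    """Return (timestamp, message) pairs; lines without a timestamp are skipped."""
    events = []
    for line in log.splitlines():
        m = STAMP.match(line.strip())
        if m:
            # Collapse the double space IOS puts before single-digit days.
            stamp = " ".join(m.group(1).split())
            events.append((datetime.strptime(stamp, "%b %d %H:%M:%S.%f"), m.group(2)))
    return events

def first(events, needle):
    return next(ts for ts, msg in events if needle in msg)

def intervals(log):
    """Seconds between the key events of the adjacency coming back up."""
    ev = parse(log)
    key_sends = [ts for ts, msg in ev if "Send with youngest Key" in msg]
    config, full = first(ev, "%SYS-5-CONFIG_I"), first(ev, "to FULL")
    two_way = first(ev, "state 2WAY")
    secs = lambda a, b: round((b - a).total_seconds(), 3)
    return {
        "config_exit_to_first_key_send": secs(config, key_sends[0]),
        "first_to_second_key_send": secs(key_sends[0], key_sends[1]),
        "config_exit_to_full": secs(config, full),
        "two_way_to_full": secs(two_way, full),
    }

if __name__ == "__main__":
    for name, value in intervals(LOG).items():
        print(f"{name}: {value} s")
```

The CONFIG_I line marks when configuration mode was exited, not when the key was typed, so the first and third figures are lower bounds on the time since the key was entered.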