In a previous lesson, I demonstrated how to configure plain text authentication for OSPF. This time we’ll look at MD5 authentication. The idea is the same, but some of the commands are different. Anyway, here is the topology that we will use:
Just two routers in the same area, nothing special. Here is the configuration to enable MD5 authentication:
R1(config)#interface fastEthernet 0/0R1(config-if)#ip ospf message-digest-key 1 md5 MYPASSR1(config-if)#ip ospf authentication message-digest
R2(config)#interface fastEthernet 0/0R2(config-if)#ip ospf message-digest-key 1 md5 MYPASSR2(config-if)#ip ospf authentication message-digest
For MD5 authentication, you need different commands. First, use ip ospf message-digest-key X md5
to specify the key number and password. It doesn’t matter which key number you choose, but it has to be the same on both ends. To enable OSPF authentication, you need to type in ip ospf authentication message-digest
.
It is also possible to enable authentication for the entire area. This way, you don’t have to use the ip ospf authentication message-digest
command on all of your interfaces to activate it. Here’s the command to enable MD5 authentication for the entire area:
R1(config)#router ospf 1R1(config-router)#area 0 authentication message-digest
That’s all we have to do. Let’s verify our work…
Verification
R1#show ip ospf interface fastEthernet 0/0FastEthernet0/0 is up, line protocol is up Internet Address 192.168.12.1/24, Area 0 Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2 Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1 Flush timer for old DR LSA due in 00:01:53 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:05 Supports Link-local Signaling (LLS) Index 1/1, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 192.168.12.2 (Designated Router) Suppress hello for 0 neighbor(s) Message digest authentication enabled Youngest key id is 1
Using show ip ospf interface
we see MD5 authentication is enabled, and we are using key ID 1. We have a neighbor, so it seems to be working. Let’s try a debug:
R1#debug ip ospf packet OSPF packet debugging is onOSPF: rcv. v:2 t:1 l:48 rid:192.168.12.2 aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7EC653 from FastEthernet0/0
Debug shows us that MD5 authentication is enabled (aut:2), and we use key ID 1. Debug is also great for fixing authentication errors. Here’s why: