OSPF Authentication

What is Authentication:

Authentication is the mechanism for verifying the identity of a user: an incoming request is associated with a set of identifying credentials.

The credentials provided are compared with those held in a database of authorized users, either on the local operating system or somewhere remote. If the user is on the white-list, access is allowed; otherwise access is simply rejected.

 

 

Types of OSPF Authentication

OSPF supports two types of authentication, i.e. Plain Text authentication and Message Digest 5 (MD5) authentication. Authentication must be configured on both routers that exchange the packets. Counting the default of no authentication, there are three authentication types:

 

1. Null Authentication (no authentication at all): Known as Type 0, it includes no authentication information in the packet header. It is the default behaviour.

2. Plain Text Authentication: This is Type 1 and it uses simple clear-text passwords.

3. MD5 Authentication: This is Type 2 and it uses MD5 cryptographic digests rather than clear-text passwords.

 

 

Authentication commands

 

 

Configuration of OSPF Plain Text authentication

OSPF authentication can be enabled in two ways:

1. Per interface: Authentication is enabled per interface using the “#ip ospf authentication” command

2. Area authentication: Authentication for an area is enabled using the “#area authentication” command

In either case, the password must be configured on the interface using the “#ip ospf authentication-key” or “#ip ospf message-digest-key” command.

Example of Plain text Auth configuration:

Consider a simple topology of two routers, as shown below:

Both routers are running OSPF. On R1, we need to enter the following commands:

Atech_R1(config)#int fa0/0
Atech_R1(config-if)#ip ospf authentication-key secret
Atech_R1(config-if)#ip ospf authentication

 

Atech_R2(config)#int fa0/0
Atech_R2(config-if)#ip ospf authentication-key secret
Atech_R2(config-if)#ip ospf authentication

 

To verify that clear-text authentication is indeed turned on, use the show ip ospf interface INTERFACE_NUMBER/INTERFACE_TYPE command on either router:

 

 

 

Configuration of OSPF MD5 authentication

To configure MD5 authentication, first configure the MD5 key value on an interface by using the #ip ospf message-digest-key 1 md5 interface command.

In the next step, configure the interface to use MD5 authentication by using the #ip ospf authentication message-digest interface command.

 

Example of MD5 Auth configuration:

Consider the same topology again:

Atech_R1(config)#int fa0/0
Atech_R1(config-if)#ip ospf message-digest-key 1 md5 secret
Atech_R1(config-if)# ip ospf authentication message-digest

 

Atech_R2(config)#int fa0/0
Atech_R2(config-if)#ip ospf message-digest-key 1 md5 secret
Atech_R2(config-if)# ip ospf authentication message-digest
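
The receiver-side check behind the MD5 configuration above, as an added example that is not from the original article or from the router vendor. It follows the OSPFv2 cryptographic authentication layout in RFC 2328 Appendix D and shows why both routers need the same key ID and key; the function names, the router ID 1.1.1.1, the sequence number and the placeholder Hello body are assumptions.

```python
import hashlib
import hmac
import struct

# OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType,
# then for AuType 2: zero, key ID, auth data length, cryptographic sequence number.
HDR = struct.Struct("!BBH4s4sHHHBBI")   # 24 bytes
AUTYPE = {0: "Null", 1: "Plain text", 2: "MD5"}


def pad_key(key: bytes) -> bytes:
    """Keys are padded with zero bytes to the 16-byte MD5 key length."""
    return key[:16].ljust(16, b"\x00")


def sign(body, router_id, area_id, key_id, key, seq, pkt_type=1):
    """Build an AuType 2 packet: header + body + 16-byte MD5 trailer."""
    length = HDR.size + len(body)           # the trailer is not counted here
    pkt = HDR.pack(2, pkt_type, length, router_id, area_id,
                   0, 2, 0, key_id, 16, seq) + body   # checksum stays 0
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()


def verify(wire, keys, last_seq=0):
    """Receiver-side check. keys maps key ID -> key bytes. Returns (ok, reason)."""
    if len(wire) < HDR.size:
        return False, "truncated header"
    (_, _, length, _, _, _, autype, _, key_id, ad_len, seq) = HDR.unpack(wire[:HDR.size])
    if autype != 2:
        return False, f"AuType {autype} ({AUTYPE.get(autype, 'unknown')}), expected MD5"
    if key_id not in keys:
        return False, "unknown key ID"
    if ad_len != 16 or length < HDR.size or len(wire) < length + 16:
        return False, "bad length"
    if seq < last_seq:
        return False, "stale sequence number"
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, wire[length:length + 16]):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample: a 20-byte placeholder Hello body from R1 (1.1.1.1, area 0).
R1_HELLO = sign(bytes(20), bytes([1, 1, 1, 1]), bytes(4), key_id=1, key=b"secret", seq=100)

if __name__ == "__main__":
    print(verify(R1_HELLO, {1: b"secret"}))    # same key ID and key as R1
    print(verify(R1_HELLO, {1: b"Secret"}))    # key differs on R2
    print(verify(R1_HELLO, {2: b"secret"}))    # key ID differs on R2
```
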

 

To verify, use the #show ip ospf INTERFACE/INTERFACE_TYPE command. R1 will show OSPF MD5 authentication, as shown below:

 

Written by 

Waqas Karim is a seasoned Network Expert … Geek. He is the founder of ATech. ATech was started for learning & sharing. Over time the platform has grown to include other resources which continue to attract fellow networkers. Today it sees upward trend of a hundred thousand visitors per month, scattered all over the globe. His specialty is networking, but his interest & expertise spans from traditional IT to Network Security including Programming, Virtualization, Service Provider & so on... no matter the badge on the box. He is CCIE Certified (CCIE#56732) in addition to below badges: Telecom Engineer (BE) + CCIE-RS (CCIE#56732) + Huawei Certified (HW#706632) + MBA Microsoft Certified MCITP, MCSE#109*26, CCNP-Sec, CCNP-SP, CCNA-DC, CompTIA Security+, Nokia NRS-I, JNCIA, ITIL Certified (ITIL#*6373), CEH (Certified Ethical Hacker).

Charlie Ryan

I’m facing a problem related to Auth:
If I enable OSPF MD5 authentication before the adjacency, it doesn’t form the adjacency.
If I remove all the authentication & then re-create it then it works fine. Any thoughts?

Jacob Cooper

Nice Post

XRoger

Are all OSPF routing protocol exchanges authenticated by default?

Rich

Thanks! That really requires to be attentive!