EIGRP SHA Authentication

EIGRP originally only supported MD5 authentication but since IOS 15.1(2)S and 15.2(1)T we can also use SHA-256 authentication. Nowadays, this form of authentication is far more secure than MD5.

MD5 authentication can be configured in classic mode or named mode, SHA authentication can only be configured in named mode. When you configure SHA authentication, you can choose if you want to use an interface password only or if you want to include a key chain. The advantage of using a password only is that it’s simpler to configure (there’s only one command). The disadvantage, however, is that when you want to change the password, your neighbor adjacency will drop as soon as you change the password on one of your routers.

When you use a key chain, you can use rotating keys which allows us to switch passwords without dropping the neighbor adjacency. In this lesson, I’ll show you how to configure both options.

Configuration

Here’s the topology we will use:

R1 R2 Gigabit Links

We only need two routers for this example.




Password Authentication

Let’s start with the single password option. We have to configure EIGRP named mode and look under the address-family interface configuration:

R1(config)#router eigrp R1_R2
R1(config-router)#address-family ipv4 unicast autonomous-system 12
R1(config-router-af)#network 192.168.12.0
R1(config-router-af)#af-interface GigabitEthernet 0/1

R1(config-router-af-interface)#authentication mode ?
  hmac-sha-256  HMAC-SHA-256 Authentication
  md5           Keyed message digest

Above you can see that we can choose the authentication mode. Let’s pick hmac-sha-256 and set a password:

R1(config-router-af-interface)#authentication mode hmac-sha-256 SECRET_KEY

That’s all there is to it. SHA authentication is now enabled on the GigabitEthernet0/1 interface of R1 with password “SECRET_KEY”.

Let’s configure R2 as well:

R2(config)#router eigrp R1_R2
R2(config-router)#address-family ipv4 unicast autonomous-system 12
R2(config-router-af)#network 192.168.12.0
R2(config-router-af)#af-interface GigabitEthernet 0/1
R2(config-router-af-interface)#authentication mode hmac-sha-256 SECRET_KEY

That’s all we have to do. Let’s verify our work:

R1#show eigrp address-family ipv4 neighbors 
EIGRP-IPv4 VR(R1_R2) Address-Family Neighbors for AS(12)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.12.2            Gi0/1                    14 00:03:19    9   100  0  4
R2#show eigrp address-family ipv4 neighbors 
EIGRP-IPv4 VR(R1_R2) Address-Family Neighbors for AS(12)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.12.1            Gi0/1                    11 00:03:32    8   150  0  4

It seems we have a neighbor adjacency. Is authentication enabled? Let’s find out:

R1#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is not set
R2#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is not set

This confirms that authentication is enabled.

EIGRP SHA Authentication

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

R2

hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

Key Chain Authentication

Besides the password, we will also add a key chain with a single key ID and key string. Let’s start with the key chain:

R1 & R2
(config)#key chain R1_R2_CHAIN
(config-keychain)#key 1
(config-keychain-key)#key-string OUR_SECRET
(config-keychain-key)#exit

Note that the key string (OUR_SECRET) is different than the password I previously used (SECRET_KEY).

Let’s configure EIGRP to use this key-chain:

R1(config)#router eigrp R1_R2
R1(config-router)#address-family ipv4 unicast autonomous-system 12
R1(config-router-af)#af-interface GigabitEthernet 0/1
R1(config-router-af-interface)#authentication key-chain R1_R2_CHAIN
R2(config)#router eigrp R1_R2
R2(config-router)#address-family ipv4 unicast autonomous-system 12
R2(config-router-af)#af-interface GigabitEthernet 0/1
R2(config-router-af-interface)#authentication key-chain R1_R2_CHAIN

EIGRP will now use the key chain for authentication. We can verify this with the following command:

R1#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is "R1_R2_CHAIN"
R2#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is "R1_R2_CHAIN"

Above you can see that we are using the key chain. That’s all there is to it.

In the examples above I configured everything on the Gigabit interface. It’s also possible to configure SHA authentication globally by using the default interface (af-interface default).

EIGRP SHA Key Chain Authentication

Configurations

Want to take a look for yourself? Here you will find the final configuration of each device.

R1

hostname R1
!
ip cef
!
key chain R1_R2_CHAIN
 key 1
  key-string OUR_SECRET
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
   authentication key-chain R1_R2_CHAIN
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

R2

hostname R2
!
ip cef
!
key chain R1_R2_CHAIN
 key 1
  key-string OUR_SECRET
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
   authentication key-chain R1_R2_CHAIN
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

Conclusion

  • EIGRP supports SHA authentication since IOS 15.1(2)S and 15.2(1)T.
  • SHA authentication is more secure than MD5 so if possible, use this.
  • MD5 authentication can be configured in classic or named mode. SHA authentication is only available in named mode.
  • You can choose if you want to use a single password or include a key chain.
  • The advantage of the key chain is that you can change passwords without resetting the neighbor adjacency.

Tags:


Forum Replies

  1. @ReneMolenaar @lagapidis

    Do any of you guys know why you to have to specify a SHA-256 password as well when using the key chain for the key chain method to work?

    I understand you have two elements to this:
    The authentication mode: MD5/SHA 256
    The authentication method: key-chain/password

    But the key chain method wont work until the mode is specified and the only way you can specify the sha256 mode is by using a password as well, this makes no sense to me as when you view the authentication being used with the show commands it even states the keychain is being u

    ... Continue reading in our forum

  2. Hello Matthew

    What you state is very logical, it seems redundant to need to specify a password for the SHA-256 and then to need to specify a keychain password as well. However, this is the methodology used to configure SHA-256.

    In order to specify a key-chain, you must first specify the authentication mode. And in order to specify the hmac-sha-256 mode, you must specify a password. (If you choose the MD5 method, you don’t specify a password, but you must employ the key-chain). If you choose to use the key-chain method, then once that is configured, the key-

    ... Continue reading in our forum

  3. Hello Joseph

    When configuring the address family of the named EIGRP configuration, the unicast keyword is actually optional. If it is not specified, the unicast address family is used by default. So in the configuration, whether you use the keyword or not, the resulting configuration remains the same.

    For consistency, I will ask Rene to take a look and change the configs for the lesson.

    I hope this has been helpful!

    Laz

  4. That’s all good Laz, thank you. I’m glad it was there so that I could ask you about it, and now know that it is the default.

2 more replies! Ask a question or join the discussion by visiting our Community Forum