EIGRP SHA Authentication

EIGRP originally supported only MD5 authentication, but since IOS 15.1(2)S and 15.2(1)T we can also use SHA-256 authentication. Nowadays, this form of authentication is far more secure than MD5.

MD5 authentication can be configured in classic mode or named mode; SHA authentication can only be configured in named mode. When you configure SHA authentication, you can choose whether to use an interface password only or to include a key chain. The advantage of using a password only is that it’s simpler to configure (there’s only one command). The disadvantage, however, is that when you want to change the password, your neighbor adjacency will drop as soon as you change the password on one of your routers.

When you use a key chain, you can use rotating keys, which allow you to switch passwords without dropping the neighbor adjacency. In this lesson, I’ll show you how to configure both options.

Configuration

Here’s the topology we will use:

[Topology diagram: R1 and R2 connected by a Gigabit Ethernet link]

We only need two routers for this example.

Password Authentication

Let’s start with the single password option. We have to configure EIGRP named mode and look under the address-family interface configuration:

R1(config)#router eigrp R1_R2
R1(config-router)#address-family ipv4 unicast autonomous-system 12
R1(config-router-af)#network 192.168.12.0
R1(config-router-af)#af-interface GigabitEthernet 0/1

R1(config-router-af-interface)#authentication mode ?
  hmac-sha-256  HMAC-SHA-256 Authentication
  md5           Keyed message digest

Above you can see that we can choose the authentication mode. Let’s pick hmac-sha-256 and set a password:

R1(config-router-af-interface)#authentication mode hmac-sha-256 SECRET_KEY

That’s all there is to it. SHA authentication is now enabled on the GigabitEthernet0/1 interface of R1 with password “SECRET_KEY”.

Let’s configure R2 as well:

R2(config)#router eigrp R1_R2
R2(config-router)#address-family ipv4 autonomous-system 12
R2(config-router-af)#network 192.168.12.0
R2(config-router-af)#af-interface GigabitEthernet 0/1
R2(config-router-af-interface)#authentication mode hmac-sha-256 SECRET_KEY

That’s all we have to do. Let’s verify our work:

R1#show eigrp address-family ipv4 neighbors 
EIGRP-IPv4 VR(R1_R2) Address-Family Neighbors for AS(12)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.12.2            Gi0/1                    14 00:03:19    9   100  0  4
R2#show eigrp address-family ipv4 neighbors 
EIGRP-IPv4 VR(R1_R2) Address-Family Neighbors for AS(12)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.12.1            Gi0/1                    11 00:03:32    8   150  0  4

It seems we have a neighbor adjacency. Is authentication enabled? Let’s find out:

R1#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is not set
R2#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is not set

This confirms that authentication is enabled.

EIGRP SHA Authentication

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

R2

hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

Key Chain Authentication

Besides the password, we will also add a key chain with a single key ID and key string. Let’s start with the key chain:

R1 & R2
(config)#key chain R1_R2_CHAIN
(config-keychain)#key 1
(config-keychain-key)#key-string OUR_SECRET
(config-keychain-key)#exit

Note that the key string (OUR_SECRET) is different from the password I previously used (SECRET_KEY).

Let’s configure EIGRP to use this key-chain:

R1(config)#router eigrp R1_R2
R1(config-router)#address-family ipv4 unicast autonomous-system 12
R1(config-router-af)#af-interface GigabitEthernet 0/1
R1(config-router-af-interface)#authentication key-chain R1_R2_CHAIN
R2(config)#router eigrp R1_R2
R2(config-router)#address-family ipv4 unicast autonomous-system 12
R2(config-router-af)#af-interface GigabitEthernet 0/1
R2(config-router-af-interface)#authentication key-chain R1_R2_CHAIN

EIGRP will now use the key chain for authentication. We can verify this with the following command:

R1#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is "R1_R2_CHAIN"
R2#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is "R1_R2_CHAIN"

Above you can see that we are using the key chain. That’s all there is to it.

In the examples above I configured everything on the Gigabit interface. It’s also possible to configure SHA authentication globally by using the default interface (af-interface default).

EIGRP SHA Key Chain Authentication

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
ip cef
!
key chain R1_R2_CHAIN
 key 1
  key-string OUR_SECRET
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
   authentication key-chain R1_R2_CHAIN
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

R2

hostname R2
!
ip cef
!
key chain R1_R2_CHAIN
 key 1
  key-string OUR_SECRET
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
   authentication key-chain R1_R2_CHAIN
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

Conclusion

  • EIGRP supports SHA authentication since IOS 15.1(2)S and 15.2(1)T.
  • SHA authentication is more secure than MD5, so use it where possible.
  • MD5 authentication can be configured in classic or named mode. SHA authentication is only available in named mode.
  • You can choose whether to use a single password or to include a key chain.
  • The advantage of the key chain is that you can change passwords without resetting the neighbor adjacency.
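The last two points are easy to state but the reason behind them is worth seeing in action: a key chain only avoids the adjacency drop if the new key's accept window opens before its send window, so that a router that has not been updated yet still accepts what its neighbor sends. The following is an added example written for this lesson; it is not Cisco's code and it does not model the EIGRP packet format (a constructed byte string stands in for the hello). It models the key-chain selection rule Cisco documents (a router sends with the lowest-numbered key whose send-lifetime is valid and accepts any key whose key ID matches the packet and whose accept-lifetime is valid), computes and verifies a real HMAC-SHA-256 over the payload, and compares the password-only option with an overlapping key rotation. In IOS the windows are set with `accept-lifetime` and `send-lifetime` under each key in the key chain; the dates and key strings below are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass(frozen=True)
class Key:
    """One key of an IOS-style key chain. An end of None means 'infinite'."""
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: Optional[datetime]
    send_start: datetime
    send_end: Optional[datetime]

    @staticmethod
    def _within(now: datetime, start: datetime, end: Optional[datetime]) -> bool:
        return start <= now and (end is None or now < end)

    def can_accept(self, now: datetime) -> bool:
        return self._within(now, self.accept_start, self.accept_end)

    def can_send(self, now: datetime) -> bool:
        return self._within(now, self.send_start, self.send_end)

class KeyChain:
    def __init__(self, name: str, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: datetime) -> Optional[Key]:
        # Model of the documented rule: lowest key ID with a valid send-lifetime is used
        for k in self.keys:
            if k.can_send(now):
                return k
        return None

    def lookup(self, key_id: int, now: datetime) -> Optional[Key]:
        # Receiver side: the key ID carried in the packet must exist and be inside accept-lifetime
        for k in self.keys:
            if k.key_id == key_id and k.can_accept(now):
                return k
        return None

Packet = Tuple[int, bytes, bytes]  # (key id, payload, HMAC-SHA-256 tag)

def sign_hello(chain: KeyChain, payload: bytes, now: datetime) -> Optional[Packet]:
    k = chain.send_key(now)
    if k is None:
        return None  # no usable key: the router cannot send an authenticated hello at all
    tag = hmac.new(k.key_string.encode(), payload, hashlib.sha256).digest()
    return (k.key_id, payload, tag)

def verify_hello(chain: KeyChain, packet: Packet, now: datetime) -> bool:
    key_id, payload, tag = packet
    k = chain.lookup(key_id, now)
    if k is None:
        return False  # unknown key ID or outside accept-lifetime: packet is dropped
    expected = hmac.new(k.key_string.encode(), payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison

def adjacency_up(r1: KeyChain, r2: KeyChain, now: datetime,
                 payload: bytes = b"constructed hello, not a real EIGRP packet") -> bool:
    """The adjacency survives only if each side verifies the other's hello."""
    p1 = sign_hello(r1, payload, now)
    p2 = sign_hello(r2, payload, now)
    return (p1 is not None and p2 is not None
            and verify_hello(r2, p1, now) and verify_hello(r1, p2, now))

# Constructed timeline: key 2 becomes acceptable on day 6, is sent from day 7,
# and key 1 stays acceptable until day 8, so the windows overlap on both sides.
T0 = datetime(2024, 1, 1)
DAY = timedelta(days=1)

def rotating_chain() -> KeyChain:
    return KeyChain("R1_R2_CHAIN", [
        Key(1, "OUR_SECRET", T0, T0 + 8 * DAY, T0, T0 + 7 * DAY),
        Key(2, "NEW_SECRET", T0 + 6 * DAY, None, T0 + 7 * DAY, None),
    ])

def password_only(secret: str) -> KeyChain:
    # Models the interface-password option: a single key that is always valid
    return KeyChain("password", [Key(1, secret, T0, None, T0, None)])

def scenarios() -> dict:
    r2_not_updated = KeyChain("R1_R2_CHAIN", [rotating_chain().keys[0]])  # R2 still has only key 1
    return {
        "password_same_on_both": adjacency_up(password_only("SECRET_KEY"), password_only("SECRET_KEY"), T0),
        "password_changed_on_r1_only": adjacency_up(password_only("NEW_KEY"), password_only("SECRET_KEY"), T0),
        "rotation_before_cutover": adjacency_up(rotating_chain(), rotating_chain(), T0 + 1 * DAY),
        "rotation_after_cutover": adjacency_up(rotating_chain(), rotating_chain(), T0 + 7 * DAY + timedelta(hours=1)),
        "r2_not_updated_before_cutover": adjacency_up(rotating_chain(), r2_not_updated, T0 + 6 * DAY + timedelta(hours=12)),
        "r2_not_updated_after_cutover": adjacency_up(rotating_chain(), r2_not_updated, T0 + 7 * DAY + timedelta(hours=1)),
    }

if __name__ == "__main__":
    for name, up in scenarios().items():
        print(f"{name:32s} adjacency {'UP' if up else 'DOWN'}")
```

The two "r2_not_updated" cases are the practical lesson: between day 6 and day 7 R1 keeps sending key 1, so R2 can be updated at any point in that window without an outage, but once R1's send-lifetime for key 1 expires, a neighbor that never received key 2 drops the adjacency. Because the windows are wall-clock based, the routers' clocks need to agree (NTP) for the overlap to exist in practice.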