How to Configure OSPF MD5 Authentication

In a previous lesson I demonstrated how to configure plain text authentication for OSPF. This time we’ll look at MD5 authentication. The idea is the same but some of the commands are different. Anyway here is the topology that we will use:

(Topology diagram: ospf authentication)

Just two routers in the same area, nothing special. Here is the configuration to enable MD5 authentication:

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf message-digest-key 1 md5 MYPASS
R1(config-if)#ip ospf authentication message-digest
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip ospf message-digest-key 1 md5 MYPASS
R2(config-if)#ip ospf authentication message-digest

For MD5 authentication you need different commands. First use ip ospf message-digest-key X md5 to specify the key number and a password. It doesn't matter which key number you choose, but it has to be the same on both ends. To enable OSPF authentication on the interface you then type ip ospf authentication message-digest.

It is also possible to enable authentication for the entire area, so that you don't have to use the ip ospf authentication message-digest command on every interface to activate it. Here's the command to enable MD5 authentication for the entire area:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest

That’s all we have to do. Let’s verify our work…

Verification

R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up 
  Internet Address 192.168.12.1/24, Area 0 
  Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1 
  Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2
  Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1
  Flush timer for old DR LSA due in 00:01:53
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.12.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

Using show ip ospf interface we see that MD5 authentication is enabled and that we are using key ID 1. We have a neighbor, so it seems to be working.

R1#debug ip ospf packet 
OSPF packet debugging is on

OSPF: rcv. v:2 t:1 l:48 rid:192.168.12.2
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7EC653 from FastEthernet0/0

Debug shows us that MD5 authentication is enabled (aut:2) and that we are using key ID 1. Debug is also great for troubleshooting authentication errors; here's why:
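To make the debug fields concrete, here is an added example (mine, not part of the lesson and not Cisco IOS code) that builds R2's hello packet with the values from the debug line above, signs it the way RFC 2328 Appendix D.4.3 describes (MD5 over the packet followed by the key), and then verifies it on the receiving side, including the key-id lookup, the digest check and the sequence-number replay check. It assumes the key is zero-padded to 16 bytes, leaves the standard checksum at 0 for the plain-text variant as well (only the MD5 case requires chk:0), and uses assumed hello field values (mask, options) that the page does not print. The plain-text builder is included only to show why the forum reply below says a sniffer can read that password: with AuType 1 the password is in the 8-byte authentication field, with AuType 2 only a digest is on the wire.

```python
"""OSPFv2 cryptographic (MD5) authentication as described in RFC 2328
Appendix D.4.3. Added example for this lesson, not Cisco IOS code.
Assumed values are labelled in comments."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_HELLO = 1          # packet type ("t:1" in the debug output)
AUTYPE_SIMPLE = 1       # plain-text password
AUTYPE_MD5 = 2          # "aut:2" in the debug output
AUTH_DATA_LEN = 16      # MD5 digest length in bytes


def ip(addr: str) -> bytes:
    return IPv4Address(addr).packed


def pad_key(key: bytes) -> bytes:
    """Assumption: the MD5 key is used as 16 bytes, zero-padded if shorter."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return key.ljust(16, b"\x00")


def hello_body(mask, hello, dead, prio, dr, bdr, neighbors):
    """Hello body: 20 fixed bytes plus 4 bytes per listed neighbor."""
    body = struct.pack("!4sHBBI4s4s", ip(mask), hello, 0x02, prio, dead, ip(dr), ip(bdr))
    return body + b"".join(ip(n) for n in neighbors)


def build_packet(body, router_id, area_id, autype, auth_field, ptype=OSPF_HELLO):
    """24-byte OSPFv2 header followed by the body. The checksum field is 0
    when MD5 is in use ("chk:0" in the debug output)."""
    length = 24 + len(body)   # the length field never counts the MD5 trailer
    header = struct.pack("!BBH4s4sHH", 2, ptype, length, ip(router_id), ip(area_id), 0, autype)
    return header + auth_field + body


def md5_auth_field(key_id, seq):
    """Authentication field for AuType 2: 0, key id, digest length, sequence number."""
    return struct.pack("!HBBI", 0, key_id, AUTH_DATA_LEN, seq)


def sign_md5(packet, key):
    """Digest = MD5(packet || padded key), appended after the packet.
    The key itself never appears on the wire."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def parse_header(packet):
    """Decode the same fields that 'debug ip ospf packet' prints."""
    ver, ptype, length, rid, aid, chk, autype = struct.unpack("!BBH4s4sHH", packet[:16])
    fields = {"v": ver, "t": ptype, "l": length, "rid": str(IPv4Address(rid)),
              "aid": str(IPv4Address(aid)), "chk": chk, "aut": autype}
    if autype == AUTYPE_MD5:
        _, fields["keyid"], fields["authlen"], fields["seq"] = struct.unpack("!HBBI", packet[16:24])
    return fields


def verify_md5(packet, keys, last_seq=None):
    """Receiver-side check. `keys` maps key id -> key bytes, like the
    per-interface message-digest-key table. Returns (ok, reason)."""
    hdr = parse_header(packet)
    if hdr["aut"] != AUTYPE_MD5:
        return False, "authentication type mismatch"
    if len(packet) != hdr["l"] + AUTH_DATA_LEN or hdr["authlen"] != AUTH_DATA_LEN:
        return False, "bad length"
    key = keys.get(hdr["keyid"])
    if key is None:
        return False, "unknown key id"
    expected = hashlib.md5(packet[:hdr["l"]] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[hdr["l"]:]):
        return False, "digest mismatch"
    # RFC 2328 D.4.3 replay check: a sequence number lower than the last one
    # seen from this neighbor is discarded.
    if last_seq is not None and hdr["seq"] < last_seq:
        return False, "replayed sequence number"
    return True, "ok"


def lesson_hello(key=b"MYPASS", key_id=1, seq=0x3C7EC653):
    """R2's hello as in the lesson's debug line; mask/options are assumed."""
    body = hello_body("255.255.255.0", 10, 40, 1, "192.168.12.2", "192.168.12.1", ["192.168.12.1"])
    pkt = build_packet(body, "192.168.12.2", "0.0.0.0", AUTYPE_MD5, md5_auth_field(key_id, seq))
    return sign_md5(pkt, key)


def plaintext_hello(password=b"MYPASS"):
    """Same hello with AuType 1: the password sits in the 8-byte auth field."""
    body = hello_body("255.255.255.0", 10, 40, 1, "192.168.12.2", "192.168.12.1", ["192.168.12.1"])
    return build_packet(body, "192.168.12.2", "0.0.0.0", AUTYPE_SIMPLE, password.ljust(8, b"\x00"))


if __name__ == "__main__":
    pkt = lesson_hello()
    print(parse_header(pkt))                        # v:2 t:1 l:48 ... aut:2 keyid:1 seq
    print(verify_md5(pkt, {1: b"MYPASS"}))          # (True, 'ok')
    print(verify_md5(pkt, {1: b"OTHER"}))           # (False, 'digest mismatch')
    print(b"MYPASS" in pkt, b"MYPASS" in plaintext_hello())   # False True
```

The verify function mirrors what a router does with a mismatched key, a missing key id or an old sequence number, which is exactly the kind of failure the debug output lets you pin down: the packet still arrives with aut:2 and a keyid, but the digest computed with the local key does not match.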

Forum Replies

  1. Hi Rene,

    Thanks for explanations. I have questions regarding authentication.

    1. Why do we have two authentication methods? Is there any security level difference between the two?
    2. Can you please paste the running config of the plain text and MD5 authentication keys, just to make sure of the encryption of both.
      (The above are interview questions)

  2. Hi Shanmugasiva,

    Authentication methods change often throughout the years. Plain text isn’t very secure since (as the name implies) everything is clear text. If you use a sniffer like wireshark then you can see the password in the packet capture. MD5 is a bit more secure since it uses hashing.

    On IOS XE, OSPF also supports SHA256 for authentication which is even more secure than MD5.

    You can find the output of the running configuration at the bottom of each lesson:

    How to configure OSPF MD5 Authentication

    OSPF Plain Text Authentication
    OSPF MD5 Authentication

    Rene

  3. Hello Aniket

    There are essentially two parts to the configuration of MD5 authentication for OSPF. One is the configuration of the parameters themselves such as key number and password. This is performed on the interface in question with the command ip ospf message-digest-key X md5 password.

    The second part to the configuration has to do with the actual activation of the functionality. This can be done in two ways:

    One is to activate the authentication functionality on a per interface basis. This involves implementing the ip ospf authentication message-dige

    ... Continue reading in our forum

  4. In regards to what Rene was saying, if you use GNS3 it has that built-in Wireshark, which is very nice. To check it out, see the pic below, where you can see the clear text password with Wireshark in the OSPF header.

    //cdn-forum.networklessons.com/uploads/default/original/1X/f0cf377f0058bc8194765faa6e694fbfc455206f.JPG

    Also, you have to understand I am no Wireshark expert; I am just starting to learn and play around with it more since starting my network studies. So if a novice could find it, just think what pros could do and find!

  5. Hello Muhammad

    There are two ways to configure authentication. The first is to configure it on a per interface basis. In this case, you configure the commands as shown on the interfaces themselves. This will enable authentication only between OSPF routers that are connected via interfaces that have been configured.

    The second way to configure it is for all OSPF routers in the area. By enabling it under the OSPF configuration, all participating interfaces will attempt to authenticate with their neighbors that are in the same area. In this case, you don’t co

    ... Continue reading in our forum
