You are here: Home » Cisco » CCIE Routing & Switching

How to configure EIGRP Authentication

Routing protocols can be configured to prevent receiving false routing updates and EIGRP is no exception. If you don’t use authentication and you are running EIGRP someone could try to form an EIGRP neighbor adjacency with one of your routers and try to mess with your network…we don’t want that to happen right?

EIGRP only offers MD5 authentication, there’s no plaintext authentication.

Since IOS 15.x, EIGRP also supports SHA authentication.

What does authentication offer us?

Your router will authenticate the source of each routing update packet that it will receive.
Prevents false routing updates from sources that are not approved.
Ignore malicious routing updates.

A potential hacker could be sitting on your network with a laptop running GNS3 / Dynamips, boot up a Cisco router and try the following things:

Try to establish a neighbor adjacency with one of your routers and advertise junk routes.
Send malicious packets and see if you can drop the neighbor adjacency of one of your authorized routers.

In order to configure EIGRP authentication we need to do the following:

Configure a key-chain
- Configure a key ID under the key-chain.
  - Specify a password for the key ID.
  - Optional: specify accept and expire lifetime for the key.

Let’s use two routers and see if we can configure EIGRP MD5 authentication:

The configuration for both routers is very basic:

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0

R1(config)#router eigrp 12
R1(config-router)#network 192.168.12.0

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0

R2(config)#router eigrp 12
R2(config-router)#network 192.168.12.0

The first thing we need to configure is a key-chain:

I called mine “MY_KEY_CHAIN” but it can be different on both routers, it doesn’t matter. The Key ID is a value that has to match on both routers and the key-string is the password which has to match of course.

R1(config)#key chain MY_KEY_CHAIN
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string MY_KEY_STRING

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip authentication mode eigrp 12 md5 
R1(config-if)#ip authentication key-chain eigrp 12 MY_KEY_CHAIN

First you have to create the keychain and then you need to activate it on the interface. The “12” is the AS number of EIGRP. The configuration on R2 is exactly the same.

R2#debug eigrp packets 
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)

R2# EIGRP: FastEthernet0/0: ignored packet from 192.168.12.1, opcode = 5 (authentication off or key-chain missing)

You can check if your configuration is correct by using debug eigrp packets. You can see that we received a packet with MD5 authentication but I didn’t enable MD5 authentication yet on R2.

Let’s fix it:

R2(config)#key chain MY_KEY_CHAIN
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string MY_KEY_STRING

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip authentication mode eigrp 12 md5
R2(config-if)#ip authentication key-chain eigrp 12 MY_KEY_CHAIN

Right away I can see that the EIGRP neighbor adjacency is working:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
Full Access to our 644 Lessons. More Lessons Added Every Week!
Content created by Rene Molenaar (CCIE #41726)

Give Membership a try - it's just $1 ►

463 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Previous Lesson
EIGRP Static Neighbor

Next Lesson
TTL 2 of EIGRP and RIP Packets Explained

Tags: Authentication

Forum Replies

shaunasromamad says:

hi rene if I was trouble shooting a failed eigrp neighbour is there a show command to see if the key chains are configured ok or do I just have to look at the debug output for this thanks keep up the good work as i’m almost ready to sit my ccnp route exam because of you easy to understand site
dmi says:

Hi

Is there any way to hide or restrict users from viewing the KEY (other than by assigning views or privilege levels) ?

Cheers!

D.M.I.
hussien.samer says:

Hi again Rene,

Why cisco decided to use this “ip authentication mode eigrp AS_NUM md5” command for enabling eigrp authentication instead of using “ip eigrp AS_NUM authentication mode md5” ??

In the other word what is the wisdom of using “ip authentication mode eigrp AS_NUM md5” command instead of the “ip authentication eigrp AS_NUM mode md5” command where it seems more clearly ??
lagapides says:

Hello Hussein

Cisco commands are implemented using a specific hierarchy. When you type the command ip eigrp ?, the resulting commands all have to do with EIGRP and its functionality. They are limited to routing EIGRP and nothing else. However, authentication is a different entity and must be placed within a different category. This is why the commands fall under the ip authentication keywords even though the authentication is being configured for EIGRP. Anything under the ip authentication ? will belong to the authentication functionality of the router.

So
... Continue reading in our forum
marcel.hofheinz says:

Hi @shaunasromamad,

https://cdn-forum.networklessons.com/letter_avatar_proxy/v3/letter/s/258eb7/40.png
shaunasromamad:

is there a show command

I’m a bit late but I want to add this for the future.
If you use show running-config you won’t see if you inadvertently typed a space in the password.
show key chain on the other hand will show the configured key-string in quotation marks ("MY_Key_String ") so on a misconfiguration you will see "MY_Key_String " for example.

Best regards,
Marcel