You are here: Home » OSPF

How to Configure OSPF MD5 Authentication

In a previous lesson I demonstrated how to configure plain text authentication for OSPF. This time we’ll look at MD5 authentication. The idea is the same but some of the commands are different. Anyway here is the topology that we will use:

Just two routers in the same area, nothing special. Here is the configuration to enable MD5 authentication:

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf message-digest-key 1 md5 MYPASS
R1(config-if)#ip ospf authentication message-digest

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip ospf message-digest-key 1 md5 MYPASS
R2(config-if)#ip ospf authentication message-digest

For MD5 authentication you need different commands. First use ip ospf message-digest-key X md5 to specify the key number and a password. It doesn’t matter which key number you choose but it has to be the same on both ends. To enable OSPF authentication you need to type in ip ospf authentication message-digest.

It is also possible to enable authentication for the entire area, this way you don’t have to use the ip ospf authentication message-digest command on all of your interfaces to activate it. Here’s the command to enable MD5 authentication for the entire area:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest

That’s all we have to do. Let’s verify our work…

Verification

R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up 
  Internet Address 192.168.12.1/24, Area 0 
  Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1 
  Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2
  Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1
  Flush timer for old DR LSA due in 00:01:53
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.12.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

Using show ip ospf interface we see MD5 authentication is enabled and we are using key ID 1. We have a neighbor so it seems to be working.

R1#debug ip ospf packet 
OSPF packet debugging is on

OSPF: rcv. v:2 t:1 l:48 rid:192.168.12.2
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7EC653 from FastEthernet0/0

Debug shows us that MD5 authentication is enabled (aut:2) and we are using key ID 1. Debug is also great to fix authentication errors, here’s why:
[teaser]

R1(config)#interface fastEthernet 0/0
R1(config-if)#no ip ospf message-digest-key 1 md5 MYPASS  
R1(config-if)#ip ospf message-digest-key 1 md5 MYWRONGPASS

First we’ll enter a wrong password…

R1#debug ip ospf adj 
OSPF adjacency events debugging is on

R1#clear ip ospf process 
Reset ALL OSPF processes? [no]: yes

I’ll debug the OSPF neighbor adjacency and reset the OSPF neighbors.

R1#
OSPF: Rcv pkt from 192.168.12.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1

Somewhere in the debug you’ll see the message above. This means that we are using MD5 key ID 1 on both sides but that the password is incorrect.

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip ospf message-digest-key 1 md5 MYPASS
 ip ospf authentication message-digest
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
end

R2

hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip ospf message-digest-key 1 md5 MYPASS
 ip ospf authentication message-digest
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
end

That’s all there is for now. I hope this was useful for you! If you have any questions please leave a comment.

Previous Lesson
OSPF Plain Text Authentication

Next Lesson
OSPF SHA-HMAC Authentication

Tags: Authentication

Notable Replies

ReneMolenaar says:

Hi Jason,

If you enable those two commands on the interface then MD5 authentication will be used, but only if the interface is running OSPF. You need to make sure you have a network command that covers the subnet of the interface. Otherwise…the interface won’t run OSPF so we also won’t have any authentication

Rene
ReneMolenaar says:

Hi Shanmugasiva,

Authentication methods change often throughout the years. Plain text isn’t very secure since (as the name implies) everything is clear text. If you use a sniffer like wireshark then you can see the password in the packet capture. MD5 is a bit more secure since it uses hashing.

On IOS XE, OSPF also supports SHA256 for authentication which is even more secure than MD5.

You can find the output of the running configuration at the bottom of each lesson:

How to configure OSPF MD5 Authentication

OSPF Plain Text Authentication
OSPF MD5 Authentication

Rene
lagapides says:

Hello Stephane Carlos

You can either enable MD5 authentication globally in an area, or individually on specific interfaces. So you either enter the command area X authentication message-digest under the OSPF configuration or the ip ospf authentication message-digest command under each interface you want to enable it for.

It’s not quite clear in Rene’s lesson. I’ll let him know to clarify that.

Thanks!

Laz
lagapides says:

Hello Aniket

There are essentially two parts to the configuration of MD5 authentication for OSPF. One is the configuration of the parameters themselves such as key number and password. This is performed on the interface in question with the command ip ospf message-digest-key X md5 password.

The second part to the configuration has to do with the actual activation of the functionality. This can be done in two ways:

One is to activate the authentication functionality on a per interface basis. This involves implementing the ip ospf authentication message-digest command on every interface where you configure OSPF authentication.

The other option is to activate the authentication functionality on a per area basis, so all interfaces in the area are activated with authentication. This can be done with the command area X authentication message-digest where X is the area for which you want to activate it.

I hope this has been helpful!

Laz
wilder7bc says:

In regards to what Rene was saying if you use GNS3 it has that built in wireshark which is very nice. to check out see pic below where you can see clear text password with wireshark in the OSPF header.

Also you have to understand I am no wireshark expert I am just starting to learn and play around with it more since starting my network studies. So if a novice could find it just think what pros could do and find!