Notable Replies

  1. Hi Jason,

    If you enable those two commands on the interface then MD5 authentication will be used, but only if the interface is running OSPF. You need to make sure you have a network command that covers the subnet of the interface. Otherwise…the interface won’t run OSPF so we also won’t have any authentication :slight_smile:


  2. Hi Shanmugasiva,

    Authentication methods change often throughout the years. Plain text isn’t very secure since (as the name implies) everything is clear text. If you use a sniffer like wireshark then you can see the password in the packet capture. MD5 is a bit more secure since it uses hashing.

    On IOS XE, OSPF also supports SHA256 for authentication which is even more secure than MD5.

    You can find the output of the running configuration at the bottom of each lesson:

    How to configure OSPF MD5 Authentication

    OSPF Plain Text Authentication
    OSPF MD5 Authentication


  3. Hello Stephane Carlos

    You can either enable MD5 authentication globally in an area, or individually on specific interfaces. So you either enter the command area X authentication message-digest under the OSPF configuration or the ip ospf authentication message-digest command under each interface you want to enable it for.

    It’s not quite clear in Rene’s lesson. I’ll let him know to clarify that.



  4. Hello Aniket

    There are essentially two parts to the configuration of MD5 authentication for OSPF. One is the configuration of the parameters themselves such as key number and password. This is performed on the interface in question with the command ip ospf message-digest-key X md5 password.

    The second part to the configuration has to do with the actual activation of the functionality. This can be done in two ways:

    One is to activate the authentication functionality on a per interface basis. This involves implementing the ip ospf authentication message-digest command on every interface where you configure OSPF authentication.

    The other option is to activate the authentication functionality on a per area basis, so all interfaces in the area are activated with authentication. This can be done with the command area X authentication message-digest where X is the area for which you want to activate it.

    I hope this has been helpful!


  5. In regards to what Rene was saying if you use GNS3 it has that built in wireshark which is very nice. to check out see pic below where you can see clear text password with wireshark in the OSPF header.


    Also you have to understand I am no wireshark expert I am just starting to learn and play around with it more since starting my network studies. So if a novice could find it just think what pros could do and find!

Continue the discussion forum.networklessons.com

10 more replies!