In a previous lesson I demonstrated how to configure plain text authentication for OSPF. This time we’ll look at MD5 authentication. The idea is the same but some of the commands are different. Anyway here is the topology that we will use:
Just two routers in the same area, nothing special. Here is the configuration to enable MD5 authentication:
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf message-digest-key 1 md5 MYPASS
R1(config-if)#ip ospf authentication message-digestR2(config)#interface fastEthernet 0/0
R2(config-if)#ip ospf message-digest-key 1 md5 MYPASS
R2(config-if)#ip ospf authentication message-digestFor MD5 authentication you need different commands. First use ip ospf message-digest-key X md5 to specify the key number and a password. It doesn’t matter which key number you choose but it has to be the same on both ends. To enable OSPF authentication you need to type in ip ospf authentication message-digest.
It is also possible to enable authentication for the entire area, this way you don’t have to use the ip ospf authentication message-digest command on all of your interfaces to activate it. Here’s the command to enable MD5 authentication for the entire area:
R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digestThat’s all we have to do. Let’s verify our work…
Verification
R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 0
Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2
Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1
Flush timer for old DR LSA due in 00:01:53
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.12.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1Using show ip ospf interface we see MD5 authentication is enabled and we are using key ID 1. We have a neighbor so it seems to be working.
R1#debug ip ospf packet
OSPF packet debugging is on
OSPF: rcv. v:2 t:1 l:48 rid:192.168.12.2
aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7EC653 from FastEthernet0/0Debug shows us that MD5 authentication is enabled (aut:2) and we are using key ID 1. Debug is also great to fix authentication errors, here’s why:
Rene… in order to configure MD5 for an entire area… do we have to (at a minimum) configure a single subnet first - interface on Router A and connecting interface on Router B – using the
Does that have to be done first? If yes – then the - Area 1 authentication message digest – command applies authentication to every other router and its interface in the entire area? … with the same key and password?
Hi Shanmugasiva,
Authentication methods change often throughout the years. Plain text isn’t very secure since (as the name implies) everything is clear text. If you use a sniffer like wireshark then you can see the password in the packet capture. MD5 is a bit more secure since it uses hashing.
On IOS XE, OSPF also supports SHA256 for authentication which is even more secure than MD5.
You can find the output of the running configuration at the bottom of each lesson:
How to configure OSPF MD5 Authentication
OSPF Plain Text Authentication
OSPF MD5 Authentication
Rene
Hello Aniket
There are essentially two parts to the configuration of MD5 authentication for OSPF. One is the configuration of the parameters themselves such as key number and password. This is performed on the interface in question with the command ip ospf message-digest-key X md5 password.
The second part to the configuration has to do with the actual activation of the functionality. This can be done in two ways:
One is to activate the authentication functionality on a per interface basis. This involves implementing the ip ospf authentication message-dige
... Continue reading in our forumIn regards to what Rene was saying if you use GNS3 it has that built in wireshark which is very nice. to check out see pic below where you can see clear text password with wireshark in the OSPF header.
//cdn-forum.networklessons.com/uploads/default/original/1X/f0cf377f0058bc8194765faa6e694fbfc455206f.JPG
Also you have to understand I am no wireshark expert I am just starting to learn and play around with it more since starting my network studies. So if a novice could find it just think what pros could do and find!
Hello Muhammad
There are two ways to configure authentication. The first is to configure it on a per interface basis. In this case, you configure the commands as shown on the interfaces themsevles. This will enable authentication only between OSPF routers that are connected via interfaces that have been configured.
The second way to configure it is for all OSPF routers in the area. By enabling it under the OSPF configuration, all participating interfaces will attempt to authenticate with their neighbors that are in the same area. In this case, you don’t co
... Continue reading in our forum