How to Configure OSPF Plain Text Authentication

All routing protocols can be protected by using authentication and OSPF is no exception. There are two options for authentication:

  • Plain text authentication
  • MD5 authentication

Each OSPF packet will be authenticated if you enable any form of authentication. In this lesson we’ll take a look at how to configure plain text authentication for OSPF. Here’s the topology that we’ll use:

ospf authentication

Above you see the topology I’m going to use for authentication. Just two routers but we can use it to check all different methods of authentication.

R1(config)#router ospf 1
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0

First I’ll enable OSPF, nothing fancy here.

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key MYPASS
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key MYPASS

By using the ip ospf authentication command we enable plain text authentication on the interface level. I configured the password MYPASS by using the ip ospf authentication-key command.

R1(config)#router ospf 1
R1(config-router)#area 0 authentication

If you have a lot of interfaces you probably don’t want to enable OSPF authentication for each interface. You can also enable area-wide authentication by using the area authentication command. In my example above I enabled authentication for area 0.

R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up 
  Internet Address 192.168.12.1/24, Area 0 
  Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1 
  Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2
  Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1
  Flush timer for old DR LSA due in 00:01:49
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 192.168.12.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

If you use the show ip ospf interface command you can see OSPF information per interface. You can also check if authentication is enabled. You can see the neighbor count is 1 and simple password authentication is enabled.

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 654 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

535 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. Can we use either one for plain text authentication under interfaces or ospf process, Lets say we dont configure authentication under interfaces and configure authentication under area only then what should be the authentication credentials.

  2. Hi Sudej,

    If you enable authentication for the entire area then you still have to configure the password on the interface.

    Rene

  3. HI Rene,

    This seems like bad design by Cisco or ignorance on my part. Why enable authentication at the area to save work but still have to go into each interface to add the key?

    I can only think they know something I don’t or they would have made it where you can do both at the global level… anyway thanks for clarifying!

  4. Hello Brian

    The reason the key must be configured on the interface is because each link between two OSPF routers can have a different key. The keys are not global but are specific to the interfaces being connected.

    I hope this has been helpful!

    Laz

  5. There is very short theory concept about this topic, but practically very explained, you configured many few things on the router, i want to know this is completely configuration of ospf plain text authantiction in CCNP Ospf ?

11 more replies! Ask a question or join the discussion by visiting our Community Forum