
How to Configure OSPF MD5 Authentication

Posted on February 20, 2013


by Rene Molenaar
in CCNA R&S, CCNP R&S, Cisco, OSPF
In a previous article I demonstrated how to configure plain text authentication for OSPF. This time
we'll look at MD5 authentication. The idea is the same but some of the commands are different.
Anyway here is the topology that we will use:
Just two routers in the same area, nothing special. Here is the configuration to enable MD5
authentication:
Donna(config)#interface fastEthernet 0/0
Donna(config-if)#ip ospf message-digest-key 1 md5 MYPASS
Donna(config-if)#ip ospf authentication message-digest
Mary(config)#interface fastEthernet 0/0
Mary(config-if)#ip ospf message-digest-key 1 md5 MYPASS
Mary(config-if)#ip ospf authentication message-digest
For MD5 authentication you need different commands. First use ip ospf message-digest-key md5 to
specify the key number and a password. It doesn't matter which key number you choose but it has to be
the same on both ends. To enable OSPF authentication you need to type in ip ospf authentication
message-digest.
Donna(config)#router ospf 1
Donna(config-router)#area 0 authentication message-digest
If you don't want to enable OSPF authentication per interface you can use the area authentication
message-digest command.
Donna#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 0
Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2
Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1
Flush timer for old DR LSA due in 00:01:53
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.12.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Using show ip ospf interface we see MD5 authentication is enabled and we are using key ID 1. We
have a neighbor so it seems to be working.
Donna#debug ip ospf packet
OSPF packet debugging is on
OSPF: rcv. v:2 t:1 l:48 rid:192.168.12.2
aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7EC653 from FastEthernet0/0
Debug shows us that MD5 authentication is enabled (aut:2) and we are using key ID 1. Debug is also
great to fix authentication errors, here's why:
Donna(config)#interface fastEthernet 0/0
Donna(config-if)#no ip ospf message-digest-key 1 md5 MYPASS
Donna(config-if)#ip ospf message-digest-key 1 md5 MYWRONGPASS
First we'll enter a wrong password.
Donna#debug ip ospf adj
OSPF adjacency events debugging is on
Donna#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
I'll debug the OSPF neighbor adjacency and reset the OSPF neighbors.
Donna#
OSPF: Rcv pkt from 192.168.12.2, FastEthernet0/0 : Mismatch Authentication Key -
Message Digest Key 1
Somewhere in the debug you'll see the message above. This means that we are using MD5 key ID 1 on
both sides but that the password is incorrect.
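The check behind that debug message, sketched in Python as an added example (not code from the original article or from Cisco): with OSPF cryptographic authentication (RFC 2328, Appendix D) the sender appends MD5(packet + 16-byte key) to the packet, and the receiver looks up its own key by the key ID carried in the header and recomputes the digest. The Hello field values and the sequence number are constructed to mirror this lab, and the NUL-padding of short passwords is an assumption.

```python
import hashlib, hmac, socket, struct

HDR = "!BBH4s4sHHHBBI"   # 24-byte OSPFv2 header, AuType 2 layout of the auth field

def pad_key(password):
    # Assumption: passwords shorter than the 16-byte OSPF key are NUL-padded
    return password.encode()[:16].ljust(16, b"\x00")

def build_hello(rid, key_id, seq, password):
    ip = socket.inet_aton
    # Constructed Hello body: mask, hello 10 s, options, priority 1, dead 40 s,
    # DR, BDR and one neighbor (24 bytes, so the packet length is 48)
    body = struct.pack("!4sHBBI4s4s4s", ip("255.255.255.0"), 10, 0x02, 1, 40,
                       ip("192.168.12.2"), ip("192.168.12.1"), ip("192.168.12.1"))
    # version 2, type 1, length, router ID, area 0, checksum 0 (unused with
    # AuType 2), AuType 2, then: 0, key ID, digest length 16, sequence number
    hdr = struct.pack(HDR, 2, 1, 24 + len(body), ip(rid), ip("0.0.0.0"),
                      0, 2, 0, key_id, 16, seq)
    pkt = hdr + body
    # Digest = MD5(packet || key); it is appended and not counted in length
    return pkt + hashlib.md5(pkt + pad_key(password)).digest()

def verify(frame, keys, last_seq=0):
    """Receiver-side check; keys maps key ID -> password."""
    _, _, length, _, _, _, autype, _, key_id, dlen, seq = struct.unpack(HDR, frame[:24])
    if autype != 2:
        return False, "authentication type mismatch"
    if key_id not in keys:
        return False, f"no key with ID {key_id}"
    if seq < last_seq:
        return False, "sequence number went backwards"
    expected = hashlib.md5(frame[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(frame[length:length + dlen], expected):
        return False, f"mismatch authentication key {key_id}"
    return True, "ok"

if __name__ == "__main__":
    hello = build_hello("192.168.12.2", 1, 0x3C7EC653, "MYPASS")
    for keys in ({1: "MYPASS"}, {1: "MYWRONGPASS"}, {2: "MYPASS"}):
        print(keys, verify(hello, keys))
```

The password itself never appears in the packet, only the key ID and the digest, which is why a wrong password shows up as a key mismatch on key ID 1 rather than as a missing key.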
That's all there is for now. I hope this was useful for you! If you have any questions please leave a
comment.
Read more: http://networklessons.com/ospf/how-to-configure-ospf-md5-authentication/
