Roger Perkin

Network Automation Architect

OSPF Authentication Types – Part 1

There are three types of OSPF authentication.

Type 0 – no authentication
Type 1 – clear text
Type 2 – cryptographic (MD5 or SHA)

Let's explore each type in more detail and then look at the router configuration for some real-world examples.

Authentication can be enabled on a per-area or per-interface basis, but any passwords have to be configured on the interface.

The topology used for this post is very simple: two routers.

[Figure: OSPF authentication topology]

OSPF Authentication – Type 0

OSPF authentication type 0 means no authentication and is the default on any link.

You can verify this by running the sh ip ospf interface command on an interface that is running OSPF.

Near the bottom of the output you are looking for an authentication line; if it is not there, authentication is not configured.

To make this check a bit more focused you can use the command

sh ip ospf interface | include authentication

I will use the brief form of that command: sh ip ospf int | inc auth

R2#sh ip ospf int
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.0.1.2/24, Area 0, Attached via Interface Enable
  Process ID 1, Router ID 10.0.1.2, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.0.1.2, Interface address 10.0.1.2
  Backup Designated router (ID) 10.0.1.1, Interface address 10.0.1.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.0.1.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)

And now with the more focussed command just looking for auth in the output

R2#sh ip ospf int | inc auth
R2#

Nothing! The keyword authentication does not appear in the ospf interface output so it has not been configured.

OSPF Authentication – Type 1

OSPF authentication type 1 means a clear-text password. For this type you need to do two things: first enable authentication, and second create a password. Let's look at that below.

On the same interface we are just going to enable ospf authentication with the command:

ip ospf authentication – remember this is under the interface configuration.

R2(config)#int f0/0
R2(config-if)#ip ospf auth
R2(config-if)#ip ospf authentication

Let's run the checks we did above to see if we can now see authentication enabled.

R2#sh ip ospf int | inc auth

  Simple password authentication enabled
R2#

This tells us that authentication is enabled but it doesn’t make the link come up. OSPF authentication has to be configured on both ends of the link and the type and password (if configured) have to match.

So let's put a password on the interface – you use the command ip ospf authentication-key [password]

R2(config-if)#ip ospf authentication-key cisco
R2(config-if)#

Let's look at the configuration that we now have on the interface

R2#sh run int f0/0
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key cisco
 ip ospf 1 area 0
R2#

Router 1 has already been configured with the matching configuration, so OSPF should now come up.

*Jan 20 19:04:25.155: %SYS-5-CONFIG_I: Configured from console by console
*Jan 20 19:04:25.359: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done

And it does – so how do you troubleshoot ospf adjacencies?

OSPF Authentication Troubleshooting

The most common cause of problems between two OSPF neighbors is a mismatch in either the type or the password. So let's first change the password on the interface and see how to troubleshoot.

R2(config)#int f0/0
R2(config-if)#ip ospf au
R2(config-if)#ip ospf authentication-key c1sco (PASSWORD MISMATCH!)
R2(config-if)#end

We now have to wait for the dead time to expire which is currently 40 seconds and the neighbor will go down.

R2#
*Jan 20 19:11:07.255: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

Just looking at the configuration you may not spot that the passwords are mismatched, so you need to run a debug. The debug command to discover this problem is debug ip ospf adj. Before long you will see the problem: mismatched authentication key.

R2#debug ip ospf adj
OSPF adjacency debugging is on
R2#
*Jan 20 19:15:49.135: OSPF-1 ADJ   Fa0/0: Rcv pkt from 10.0.1.1, 
 : Mismatched Authentication Key - Clear Text
R2#
*Jan 20 19:15:58.359: OSPF-1 ADJ   Fa0/0: Rcv pkt from 10.0.1.1,  
 : Mismatched Authentication Key - Clear Text
R2#

The surest way to fix this problem is to copy the interface configuration from one side and paste it onto the other.

Mismatched authentication type

Let's change the authentication type on one side of the link and leave the debug running to see what error we get this time.

R2(config)#int f0/0
R2(config-if)#ip ospf authentication message-digest

This changes the type from Type 1 to Type 2 (cryptographic). As you can see, the debug now reflects this and tells us there is a mismatch in the authentication type – we are configured for type 2 but the remote router is using type 1.

R2#
*Jan 20 19:23:05.267: OSPF-1 ADJ   Fa0/0: Rcv pkt from 10.0.1.1,
 : Mismatched Authentication type. Input packet specified type 1, we use type 2
R2#
*Jan 20 19:23:07.675: OSPF-1 ADJ   Fa0/0: Send with youngest Key 0
R2#
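The two debug messages above and the %OSPF-5-ADJCHG syslog line are exactly what a monitoring pipeline should pick up. The following Python script is an added example (not part of the original post) that re-joins the console-wrapped debug lines, classifies each event, and counts authentication mismatches per neighbor; the log sample is constructed from the messages shown in this post.

```python
import re
from collections import Counter

# Constructed sample modelled on the 'debug ip ospf adj' and %OSPF-5-ADJCHG lines in the
# post; the console wraps a debug message onto a following line that starts with ' :'.
SAMPLE_LOG = """\
*Jan 20 19:11:07.255: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jan 20 19:15:49.135: OSPF-1 ADJ   Fa0/0: Rcv pkt from 10.0.1.1,
 : Mismatched Authentication Key - Clear Text
*Jan 20 19:23:05.267: OSPF-1 ADJ   Fa0/0: Rcv pkt from 10.0.1.1,
 : Mismatched Authentication type. Input packet specified type 1, we use type 2
*Jan 20 19:23:07.675: OSPF-1 ADJ   Fa0/0: Send with youngest Key 0
"""

RCV = re.compile(r"OSPF-\d+ ADJ\s+(?P<intf>\S+): Rcv pkt from (?P<nbr>[\d.]+),\s*:\s*(?P<msg>.*)")
ADJ = re.compile(r"%OSPF-5-ADJCHG: Process \d+, Nbr (?P<nbr>[\d.]+) on (?P<intf>\S+) "
                 r"from (?P<old>\w+) to (?P<new>\w+)")
TYPE = re.compile(r"Input packet specified type (?P<remote>\d), we use type (?P<local>\d)")

def join_continuations(text: str) -> list[str]:
    """Re-join a debug message that the console wrapped onto a ' :' continuation line."""
    out: list[str] = []
    for line in text.splitlines():
        if line.startswith(" :") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def classify(text: str) -> list[dict]:
    """Turn raw console output into structured OSPF adjacency/authentication events."""
    events = []
    for line in join_continuations(text):
        if m := RCV.search(line):
            base = {"intf": m["intf"], "nbr": m["nbr"]}
            if "Mismatched Authentication Key" in m["msg"]:
                events.append({"kind": "key_mismatch", **base})
            elif t := TYPE.search(m["msg"]):
                events.append({"kind": "type_mismatch", "local": int(t["local"]),
                               "remote": int(t["remote"]), **base})
        elif m := ADJ.search(line):
            events.append({"kind": "adjacency", "intf": m["intf"], "nbr": m["nbr"],
                           "from": m["old"], "to": m["new"]})
    return events

def summarize(events: list[dict]) -> Counter:
    """Authentication mismatches per (interface, neighbor): the signal worth alerting on."""
    return Counter((e["intf"], e["nbr"]) for e in events if e["kind"].endswith("_mismatch"))
```

A repeated count for the same (interface, neighbor) pair while the adjacency sits in DOWN is the fingerprint of the key or type mismatch described in this section.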

OSPF authentication Type 2

The final authentication type is Cryptographic or MD5 – you configure it with the command ip ospf authentication message-digest

R1(config)#int f0/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#end
R1#sh run int f0/0
interface FastEthernet0/0
ip address 10.0.1.1 255.255.255.0
ip ospf authentication message-digest
ip ospf authentication-key c1sco
ip ospf 1 area 0
R1#

As R2 was already configured, we have now configured R1 to match. The more observant of you will notice that although we have enabled cryptographic authentication, the password still shows in clear text in the config. Message-digest authentication protects the password on the wire (an MD5 digest of each packet is sent rather than the password itself), but to hide it in the router configuration you need to enable that with the global command service password-encryption

R1(config)#service password-encryption
R1(config)#end

R1#sh run int f0/0

interface FastEthernet0/0
ip address 10.0.1.1 255.255.255.0
ip ospf authentication message-digest
ip ospf authentication-key 7 011057175804
ip ospf 1 area 0

Now when you look at the configuration you can see the password is stored obscured (type 7), even though the remote router does not have service password-encryption enabled and still shows the password in its configuration. Either way the OSPF password is not sent in clear text across the wire, and the OSPF adjacency is up.

R1#sh ip ospf neigh

Neighbor ID Pri State Dead Time Address Interface
10.0.1.2 1 FULL/DR 00:00:33 10.0.1.2 FastEthernet0/0
R1#
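To check the three states this post walks through (no authentication, clear text, message-digest, plus whether the key is stored in clear text) across a whole running-config rather than one interface at a time, here is an added Python audit script (not from the original post). The sample config is constructed from the interface stanzas shown above; area-wide authentication configured under router ospf is assumed not to be in use and is not examined.

```python
import re

# Constructed sample, modelled on the interface stanzas shown in the post (not a real config).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip ospf authentication message-digest
 ip ospf authentication-key 7 011057175804
 ip ospf 1 area 0
interface FastEthernet0/1
 ip ospf authentication
 ip ospf authentication-key cisco
 ip ospf 1 area 0
interface FastEthernet0/2
 ip ospf 1 area 0
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split a running-config into {interface name: [its indented commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(" ", 1)[1], [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return blocks

def ospf_auth_type(cmds: list[str]) -> int:
    """Interface-level OSPF authentication type: 0 none, 1 clear text, 2 message-digest."""
    if "ip ospf authentication message-digest" in cmds:
        return 2
    return 1 if "ip ospf authentication" in cmds else 0

def audit(config: str) -> list[dict]:
    """One finding per OSPF-enabled interface (area-wide auth under 'router ospf' is not checked)."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not any(re.match(r"ip ospf \d+ area \S+$", c) for c in cmds):
            continue  # interface is not running OSPF
        atype = ospf_auth_type(cmds)
        keys = [c for c in cmds if "authentication-key" in c or "message-digest-key" in c]
        issues = [msg for cond, msg in (
            (atype == 0, "no OSPF authentication"),
            (atype and not keys, "authentication enabled but no key configured"),
            (atype == 1, "clear-text (type 1) authentication; use message-digest"),
            (any(not re.search(r" 7 [0-9A-Fa-f]+$", k) for k in keys), "key stored in clear text"),
        ) if cond]
        findings.append({"interface": name, "type": atype, "issues": issues})
    return findings
```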

There is much more to explore on this topic: using a key chain, authentication of a virtual link, and using SHA.

For more coverage on this topic please refer to some more sample configurations from Cisco

http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html

Reader Interactions

Comments

  1. Pat Barnes

    February 4, 2015 at 9:38 pm

    Type 7 authentication is reversible – although removing service password-encryption will not respectively do this.

    Create a key chain and paste the type 7 (including the seven) passcode into a key-string.

    Show key chain will display the decrypted password.

    • Roger Perkin

      February 6, 2015 at 1:58 pm

      Thanks for the tip Pat,

  2. Ritesh

    April 18, 2015 at 5:03 am

    Hi Roger,

    A simple and nice explanation for OSPF authentication.
    Your blog is awesome and really helpful.

    Just want to mention that

    Type 0 : authentication “null”
    Type 1 : clear text
    Type 2 : Message-digest , MD5 (Cryptographic-algorithm)

    Ritesh.

    • Roger Perkin

      April 19, 2015 at 5:01 pm

      Thanks Ritesh

  3. Musole

    September 10, 2015 at 8:28 pm

    Hi Roger,

    I’m really enjoying your articles. May I suggest though that the PDF downloads make it possible to include the comments section as well? I like the views that other readers contribute to the discussion as well.

    • Roger Perkin

      September 10, 2015 at 8:56 pm

      Thank you for your comments, I will look into that as I am not aware of that functionality in the pdf plugin, you could just print the entire page ?
