There are three types of OSPF authentication.
Type 0 – no authentication
Type 1 – clear text
Type 2 – cryptographic (MD5 or SHA)
Let's explore each type in more detail and then look at the router configuration for some real-world examples.
Authentication can be enabled per area (with area <area-id> authentication under the OSPF process) or per interface, but the key itself is always configured on the interface.
The topology used for this post is simply two routers, R1 (10.0.1.1) and R2 (10.0.1.2), connected back to back on FastEthernet0/0 in area 0.
OSPF Authentication – Type 0
OSPF authentication type 0 means no authentication and is the default on any link.
You can verify this by running the sh ip ospf interface command on an interface that is running OSPF.
At the bottom of the output you are looking for a line mentioning authentication; with type 0 there is no such line, because nothing is configured.
To make this check a bit more focussed you can use the command
sh ip ospf interface | include authentication
I will use the brief form of that command sh ip ospf int | inc auth
R2#sh ip ospf int
FastEthernet0/0 is up, line protocol is up
Internet Address 10.0.1.2/24, Area 0, Attached via Interface Enable
Process ID 1, Router ID 10.0.1.2, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 10.0.1.2, Interface address 10.0.1.2
Backup Designated router (ID) 10.0.1.1, Interface address 10.0.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.0.1.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
And now with the more focussed command just looking for auth in the output
R2#sh ip ospf int | inc auth
R2#
Nothing! The keyword authentication does not appear in the ospf interface output so it has not been configured.
OSPF Authentication – Type 1
OSPF authentication type 1 means a clear text password. For this type you need to do two things: first enable authentication, and secondly create a password. Let's look at that below.
On the same interface we are just going to enable ospf authentication with the command:
ip ospf authentication – remember this is under the interface configuration.
R2(config)#int f0/0
R2(config-if)#ip ospf authentication
Lets run the checks we did above to see if we can now see authentication enabled.
R2#sh ip ospf int | inc auth
Simple password authentication enabled
R2#
This tells us that authentication is enabled, but on its own it doesn't bring the adjacency up. OSPF authentication has to be configured on both ends of the link, and the type and the password (if configured) have to match.
So lets put a password on the interface – you use the command ip ospf authentication-key [password]
R2(config-if)#ip ospf authentication-key cisco
R2(config-if)#
Let's look at the configuration that we now have on the interface.
R2#sh run int f0/0
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco
ip ospf 1 area 0
R2#
Router 1 has been configured already with the matching router configuration so OSPF should now come up.
*Jan 20 19:04:25.155: %SYS-5-CONFIG_I: Configured from console by console
*Jan 20 19:04:25.359: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
And it does – so how do you troubleshoot ospf adjacencies?
OSPF Authentication Troubleshooting
The most common cause of problems between two OSPF neighbors is a mismatch in either the type or the password. So let's first change the password on the interface and see how to troubleshoot it.
R2(config)#int f0/0
R2(config-if)#ip ospf authentication-key c1sco   (PASSWORD MISMATCH!)
R2(config-if)#end
Nothing happens immediately: the mismatched hellos are silently dropped, so we have to wait for the dead timer (currently 40 seconds) to expire, and then the neighbor goes down.
R2#
*Jan 20 19:11:07.255: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
Just looking at the configuration you may not spot that the passwords are mismatched, so you need to run a debug. The debug command that reveals this problem is debug ip ospf adj.
Before long you will see the problem: mismatched authentication key.
R2#debug ip ospf adj
OSPF adjacency debugging is on
R2#
*Jan 20 19:15:49.135: OSPF-1 ADJ Fa0/0: Rcv pkt from 10.0.1.1, : Mismatched Authentication Key - Clear Text
R2#
*Jan 20 19:15:58.359: OSPF-1 ADJ Fa0/0: Rcv pkt from 10.0.1.1, : Mismatched Authentication Key - Clear Text
R2#
The surest way to fix this is to copy the interface configuration from one side and paste it onto the other (and run undebug all when you are done).
Mismatched authentication type
Let's change the authentication type on one side of the link and leave the debug running to see what error we get this time.
R2(config)#int f0/0
R2(config-if)#ip ospf authentication message-digest
This changes the type from Type 1 to Type 2 (cryptographic). As you can see, the debug now reflects this and tells us there is a mismatch in the authentication type: we are configured for type 2 but the remote router is using type 1.
R2#
*Jan 20 19:23:05.267: OSPF-1 ADJ Fa0/0: Rcv pkt from 10.0.1.1 : Mismatched Authentication type. Input packet specified type 1, we use type 2
R2#
*Jan 20 19:23:07.675: OSPF-1 ADJ Fa0/0: Send with youngest Key 0
R2#
The second message, Send with youngest Key 0, is worth noting: R2 has no ip ospf message-digest-key configured, so it is sending MD5-authenticated hellos with key ID 0 and an empty key. Keep that in mind for the next section.
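Before moving on to the cryptographic configuration, here is an added example (my own Python, not code from this post or from Cisco) that builds an OSPF Hello with each of the three AuTypes as RFC 2328 Appendix D lays them out, and runs a receiver-side check that gives the same two verdicts the debug output above gave: Mismatched Authentication Key and Mismatched Authentication type. It also shows what the Send with youngest Key 0 line implies, a sender doing message-digest with key ID 0 and an empty key. The Hello body, addresses and timers are constructed from this post's topology; the packet layout is from the RFC, and the verdict strings are copied from the IOS debug wording on this page.

```python
"""Added example (not from the post, not Cisco code): what the three OSPFv2
AuTypes from RFC 2328 Appendix D put on the wire, and how a receiver decides
the "Mismatched Authentication" cases seen in the debug output above.
"""
import hashlib
import struct
from ipaddress import IPv4Address

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2      # OSPF AuType values
OSPF_HELLO = 1
# version, type, length, router id, area id, checksum, autype, authentication
HDR = "!BBH4s4sHH8s"
HDR_LEN = struct.calcsize(HDR)                    # 24 bytes


def ip(addr):
    return IPv4Address(addr).packed


def ospf_checksum(data):
    """Standard one's-complement checksum (RFC 1071) over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(dr="10.0.1.2", bdr="10.0.1.1", neighbors=()):
    """Constructed Hello body using the post's mask, timers and DR/BDR addresses."""
    body = struct.pack("!4sHBBI4s4s", ip("255.255.255.0"), 10, 0x12, 1, 40, ip(dr), ip(bdr))
    return body + b"".join(ip(n) for n in neighbors)


def build_hello(router_id, au_type, key=b"", key_id=1, seq=1, area="0.0.0.0"):
    """Build one Hello the way a sender configured with the given AuType and key would."""
    body = hello_body()
    length = HDR_LEN + len(body)
    if au_type == AUTH_CRYPTO:
        # reserved(2), key id(1), auth data length(1), cryptographic sequence number(4)
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = struct.pack(HDR, 2, OSPF_HELLO, length, ip(router_id), ip(area), 0, au_type, auth) + body
        # MD5 over the packet plus the key (zero-padded to 16 bytes); the digest is appended
        # after the packet and is not counted in the length field. The key itself never leaves the box.
        return pkt + hashlib.md5(pkt + key[:16].ljust(16, b"\x00")).digest()
    auth = key[:8].ljust(8, b"\x00") if au_type == AUTH_SIMPLE else bytes(8)
    # checksum covers header and body but excludes the 8-byte authentication field
    unauth = struct.pack(HDR, 2, OSPF_HELLO, length, ip(router_id), ip(area), 0, au_type, bytes(8)) + body
    cksum = ospf_checksum(unauth)
    return struct.pack(HDR, 2, OSPF_HELLO, length, ip(router_id), ip(area), cksum, au_type, auth) + body


def verify(packet, au_type, key=b""):
    """Decide as the receiving interface would; the reasons echo the IOS debug wording."""
    ver, ptype, length, rid, aid, cksum, pkt_au, auth = struct.unpack(HDR, packet[:HDR_LEN])
    if pkt_au != au_type:
        return False, ("Mismatched Authentication type. Input packet specified "
                       f"type {pkt_au}, we use type {au_type}")
    if au_type == AUTH_CRYPTO:
        _, key_id, data_len, seq = struct.unpack("!HBBI", auth)
        expected = hashlib.md5(packet[:length] + key[:16].ljust(16, b"\x00")).digest()
        if packet[length:length + data_len] != expected:
            return False, f"Mismatched Authentication Key - Message Digest Key {key_id}"
        return True, f"accepted with key id {key_id}, sequence {seq}"
    # null / simple: the checksum must validate with the authentication field zeroed
    if ospf_checksum(packet[:16] + bytes(8) + packet[HDR_LEN:length]) != 0:
        return False, "bad checksum"
    if au_type == AUTH_SIMPLE and auth != key[:8].ljust(8, b"\x00"):
        return False, "Mismatched Authentication Key - Clear Text"
    return True, "accepted"


def key_visible_on_wire(packet, key):
    """True if the configured key can be read straight out of the packet bytes."""
    return key in packet


if __name__ == "__main__":
    clear = build_hello("10.0.1.1", AUTH_SIMPLE, b"cisco")
    md5pkt = build_hello("10.0.1.1", AUTH_CRYPTO, b"cisco")
    print("clear text key readable on wire:", key_visible_on_wire(clear, b"cisco"))
    print("md5 key readable on wire:       ", key_visible_on_wire(md5pkt, b"cisco"))
    print(verify(clear, AUTH_SIMPLE, b"c1sco"))     # the post's password mismatch
    print(verify(clear, AUTH_CRYPTO, b"cisco"))     # the post's type mismatch
    print(verify(md5pkt, AUTH_CRYPTO, b"c1sco"))
    # message-digest enabled on both ends with no message-digest-key: both sides
    # sign with key id 0 and a null key, and the adjacency still forms
    nullkey = build_hello("10.0.1.1", AUTH_CRYPTO, b"", key_id=0)
    print(verify(nullkey, AUTH_CRYPTO, b""))
```

Two things are worth seeing in the output. With AuType 1 the key cisco is literally in the packet bytes, so anyone on the segment can read it, while with AuType 2 only a 16-byte MD5 digest is appended and the key is never transmitted. And a null key with ID 0 verifies perfectly against another null key, which is exactly why two routers with message-digest enabled but no message-digest-key still reach FULL without any secret protecting the adjacency.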
OSPF authentication Type 2
The final authentication type is cryptographic (MD5). You enable it with ip ospf authentication message-digest and set the key with ip ospf message-digest-key <key-id> md5 <key>; the authentication-key command from the previous section belongs to clear text authentication only.
R1(config)#int f0/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#end
R1#sh run int f0/0
interface FastEthernet0/0
ip address 10.0.1.1 255.255.255.0
ip ospf authentication message-digest
ip ospf authentication-key c1sco
ip ospf 1 area 0
R1#
As we had already configured R2, we have now configured R1 to match, and the adjacency comes up. Two things deserve a closer look. First, neither router has an ip ospf message-digest-key: the ip ospf authentication-key line is the clear text key from the previous section and is not used once message-digest is enabled. That is what the Send with youngest Key 0 debug line was telling us, and it means both routers are computing their MD5 digests with key ID 0 and a null key. The adjacency forms because the null keys match, but nothing secret is protecting it; to get real MD5 authentication, add ip ospf message-digest-key 1 md5 <key> on both interfaces (the key id and the key must match). Second, the more observant of you will notice that the key is still showing in clear text in the config. Cryptographic authentication never sends the key on the wire at all (each packet carries an MD5 digest computed over the packet plus the key), but the key sits in the running configuration in clear text unless you enable the global command service password-encryption.
R1(config)#service password-encryption
R1(config)#end
R1#sh run int f0/0
interface FastEthernet0/0
ip address 10.0.1.1 255.255.255.0
ip ospf authentication message-digest
ip ospf authentication-key 7 011057175804
ip ospf 1 area 0
Now when you look at the configuration the key is shown as a type 7 string, even though the remote router, which does not have service password-encryption enabled, still shows it in clear text. Type 7 is a reversible encoding rather than encryption, so treat it as protection against casual reading of the config, not as a secret store. Nothing has changed on the wire: the key was never being transmitted in the first place, and the OSPF adjacency is still up.
R1#sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
10.0.1.2 1 FULL/DR 00:00:33 10.0.1.2 FastEthernet0/0
R1#
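As an added example (my own Python, not code from this post or from Cisco), here is a decoder for type 7 strings run against the value R1 now shows, 011057175804. The translation table is the widely published IOS constant and the two-digit seed followed by one XORed byte per character is the known type 7 layout; the config text it scans is the R1 interface block from above, embedded here as a sample.

```python
"""Added example (not from the post, not Cisco code): why a type 7 string is
obfuscation, not encryption. XLAT is the long-published IOS translation table.
"""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """'011057175804' form: two-digit seed, then one hex byte per plaintext character."""
    encoded = encoded.strip()
    seed = int(encoded[:2])
    plain = bytearray()
    for n, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        # seed 0-15 plus an OSPF key of at most 16 characters never runs off the
        # table; the modulo only matters for longer secrets
        plain.append(byte ^ XLAT[(seed + n) % len(XLAT)])
    return plain.decode()


def type7_encode(plain, seed=1):
    """Inverse of the above; IOS chooses the seed, and any value 0-15 round-trips."""
    out = f"{seed:02d}"
    for n, ch in enumerate(plain.encode()):
        out += f"{ch ^ XLAT[(seed + n) % len(XLAT)]:02X}"
    return out


def recover_from_config(config):
    """Find every ' 7 <hex>' secret in a config dump and return (encoded, plain) pairs."""
    return [(m, type7_decode(m)) for m in re.findall(r"\s7 ([0-9A-Fa-f]{4,})\b", config)]


# constructed sample: the R1 interface config from the post after service password-encryption
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf authentication-key 7 011057175804
 ip ospf 1 area 0
"""

if __name__ == "__main__":
    for enc, plain in recover_from_config(SAMPLE_CONFIG):
        print(enc, "->", plain)
    print("round trip:", type7_encode("c1sco") == "011057175804")
```

Anyone who can read the running config (a backup server, a ticket with a pasted show run, a shared TFTP directory) can recover the OSPF key this way in a few lines, which is the reason to control access to configuration archives rather than rely on service password-encryption.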
There is more to explore on this topic:
using a key chain, authentication of a virtual link, and using SHA (HMAC-SHA) authentication.
For more coverage, please refer to the sample configurations from Cisco:
http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html
Pat Barnes
Type 7 authentication is reversible – although removing service password-encryption will not respectively do this.
Create a key chain and paste the type 7 (including the seven) passcode into a key-string.
Show key chain will display the decrypted password.
Roger Perkin
Thanks for the tip Pat,
Ritesh
Hi Roger,
A simple and nice explanation for OSPF authentication.
Your blog is awesome and really helpful.
Just want to mention that
Type 0 : authentication “null”
Type 1 : clear text
Type 2 : Message-digest , MD5 (Cryptographic-algorithm)
Ritesh.
Roger Perkin
Thanks Ritesh
Musole
Hi Roger,
I’m really enjoying your articles. May I suggest though that the PDF downloads make it possible to include the comments section as well? I like the views that other readers contribute to the discussion as well.
Roger Perkin
Thank you for your comments, I will look into that as I am not aware of that functionality in the PDF plugin, you could just print the entire page?