From: Brian Lodwick (xpranax@xxxxxxxxxxx)
Date: Fri Mar 22 2002 - 14:54:14 GMT-3
Clipped from CCO. Notice this is a new command as of 12.0 code as Nicolai
originally said, and notice it does say it is applied to the interface, and
also says that it is backward compatible and that "authentication type for
an area is still supported". So the books and articles you were referencing,
Don, were probably out of date.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt1/1rospf.htm
ip ospf authentication
To specify the authentication type for an interface, use the ip ospf
authentication interface configuration command. To remove the authentication
type for an interface, use the no form of this command.
ip ospf authentication [message-digest | null]
no ip ospf authentication
Syntax Description
  message-digest  (Optional) Specifies that message-digest authentication will be used.
  null            (Optional) No authentication is used. Useful for overriding password or
                  message-digest authentication if configured for an area.
Defaults
  The area default is no authentication (null authentication).
Command Modes
  Interface configuration
Command History
  Release 12.0: This command was introduced.
Usage Guidelines
Before using the ip ospf authentication command, configure a password for
the interface using the ip ospf authentication-key command. If you use the
ip ospf authentication message-digest command, configure the message-digest
key for the interface with the ip ospf message-digest-key command.
For backward compatibility, authentication type for an area is still
supported. If the authentication type is not specified for an interface, the
authentication type for the area will be used (the area default is null
authentication).
Examples
The following example enables message digest authentication:
ip ospf authentication message-digest
Related Commands
  area authentication          Enables authentication for an OSPF area.
  ip ospf authentication-key   Assigns a password to be used by neighboring routers that are
                               using the simple password authentication of OSPF.
  ip ospf message-digest-key   Enables OSPF MD5 authentication.
>From: "Don Banyong" <don_study@hotmail.com>
>Reply-To: "Don Banyong" <don_study@hotmail.com>
>To: "Brian Lodwick" <xpranax@hotmail.com>
>CC: <ccielab@groupstudy.com>, "Conte, Charles" <Charles.Conte@NASD.com>,
> <contec@nasdaq.com>
>Subject: Re: RE: OSPF authentication per-link *****OSPF AUTHENTICATION 4
>DUMMIES plus******
>Date: Fri, 22 Mar 2002 01:43:34 -0500
>
>Brian,
>Firstly, the fact that your configuration works does not mean that you
>accomplished your lab objectives.
>
>Secondly,
>Let us take a look at your configuration below for router r1 only.
>Your Router R1 Config:
>
>interface Serial0.1 multipoint
> ip address 140.100.3.1 255.255.255.0
> no ip route-cache
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 cisco
> ip ospf message-digest-key 2 md5 cisco
>
>! You did correctly ASSIGN a message-digest key and a password for this
>interface
>! but this alone does not enable OSPF AUTHENTICATION
>! The above command is used to ASSIGN the LINK authentication type and
>password. You still need to ENABLE
>! AUTHENTICATION. (see below under router OSPF 100)
>! Also, you do not NEED to explicitly type both commands (ip ospf
>authentication message-digest
>! and ip ospf message-digest-key 1 md5 Cisco) Typing the later (ip ospf
>message-digest-key 1 md5 Cisco)
>! is sufficient to assign a message-digest-key for that interface.
>Hopefully,
>this will save you fifteen valuable seconds in your lab.
>
>
> ip ospf hello-interval 60
> no ip mroute-cache
> ipx network 213
> frame-relay map bridge 120 broadcast
> frame-relay map bridge 110 broadcast
> frame-relay map ipx 213.0002.0002.0002 110 broadcast
> frame-relay map ipx 213.00e0.b05a.c665 120 broadcast
> frame-relay map ip 140.100.3.2 110 broadcast
> frame-relay map ip 140.100.3.3 120 broadcast
> bridge-group 1
> !
> interface Serial0.2 point-to-point
> ip address 140.100.0.5 255.255.255.252
> no ip route-cache
> no ip mroute-cache
> ipx network 14
> frame-relay interface-dlci 130
> !
> router ospf 100
> log-adjacency-changes
> network 140.100.0.1 0.0.0.0 area 10
> network 140.100.0.5 0.0.0.0 area 0
> network 140.100.3.1 0.0.0.0 area 0
> neighbor 140.100.3.3
> neighbor 140.100.3.2
>! If you noticed, you did not enable OSPF AUTHENTICATION.
>! Clear text or message digest AUTHENTICATION must be enabled under ip ospf
>! configuration mode to completely activate authentication.
>! to complete your configuration, add the following command
>Area 0 authentication message-digest
>
>Let's take this to another level. BRING IN AN AUTHORITY*!!!!! MINE CCO. YOU
>ARE FREE TO USE CCO - Just provide us with a link.
>
>I will prove to you that I am correct by referring to 5 CCO pages citing
>with the explanations in my previous emails to you and also to the
>corrections I have provided to your configuration.
>
>AUTHORITY - Somebody who is accepted as a source of reliable information
>on a subject, or a book in which such information is given
>(http://encarta.msn.com)
>
>
>OSPF Authentication
>Sample Configuration for Authentication in OSPF
>Area Authentication
>Q. Are OSPF Routing Protocol Exchanges Authenticated?
>OSPF Commands -ip ospf message-digest-key
>
>
>I can go on n on n on n on.... just like an energizer bunny...but I'll
>stop.
>One last thing, YOUR CONFIGURATION MIGHT WORK....BUT THIS DOES NOT MEAN YOU
>HAVE COMPLETED THE OBJECTIVE. YOU FAILED IN YOUR CONFIGURATION TO ENABLE
>OSPF, HENCE YOU FAILED TO ACCOMPLISH YOUR OBJECTIVE. Do a 'debug ip ospf
>packet' on r1, and look for the aut type attribute. I bet you it is 0
>(authentication not enabled!!!). After enabling OSPF using cco/my way, do
>this again, and you will see aut:2 - for md5.
>I SEE WHY IT IS SO EASY TO COME BACK WITH LESS THAN 20%
>
>Please correct me if I am wrong. We are in the business of learning. No
>hard feelings :). Also let us know if you have learned something.
>
>Thanks,
>Don
>
>Below is a very workable copy of one of my routers which uses OSPF
>authentication. Sorry, no print outs of 'show ip ospf neighbor' or 'debug
>ip ospf packet'. I was not ready to lecture IP OSPF AUTHENTICATION 101 4
>DUMMIES+ today.
>
>r2#sh run
>Building configuration...
>
>Current configuration : 1301 bytes
>!
>version 12.1
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>!
>hostname r2
>!
>ip subnet-zero
>no ip finger
>!
>interface Serial0
> no ip address
> encapsulation frame-relay
> frame-relay lmi-type cisco
>!
>interface Serial0.1 point-to-point
> ip address 150.50.24.2 255.255.255.0
> frame-relay interface-dlci 204
>!
>interface Serial0.2 multipoint
> ip address 150.50.100.2 255.255.255.224
> ip ospf message-digest-key 3 md5 cisco
> ip ospf priority 3
> frame-relay map ip 150.50.100.5 205 broadcast
> frame-relay map ip 150.50.100.6 206 broadcast
> !
>interface Serial1
> ip address 150.50.17.2 255.255.255.0
>!
>interface TokenRing0
> no ip address
> shutdown
>!
>interface BRI0
> no ip address
> shutdown
>!
>router ospf 1
> log-adjacency-changes
> area 0 authentication message-digest
> area 1 range 10.1.0.0 255.255.0.0
> area 3 nssa default-information-originate always
> summary-address 150.50.200.0 255.255.252.0
> network 150.50.17.0 0.0.0.255 area 3
> network 150.50.24.0 0.0.0.255 area 1
> network 150.50.100.2 0.0.0.0 area 0
> network 200.0.0.2 0.0.0.0 area 1
> neighbor 150.50.100.5
> neighbor 150.50.100.6
>!
>ip classless
>no ip http server
>!
>!
>line con 0
> transport input none
>line aux 0
>line vty 0 4
>!
>end
>
>
>----- Original Message -----
>From: "Brian Lodwick" <xpranax@hotmail.com>
>To: <Donbans@hotmail.com>
>Cc: <ccielab@groupstudy.com>
>Sent: Thursday, March 21, 2002 5:25 PM
>Subject: Re: RE: OSPF authentication per-link
>
>
> > Don,
> > I hate to say it, but you were wrong and Nicolai was absolutely right.
> >
> > I have labbed this scenario up and it does work to configure the below
> > commands on the INTERFACE to establish per-link authentication instead
> > of per-area authentication.
> >
> > ip ospf authentication message-digest
> > ip ospf message-digest-key 2 md5 <key>
> >
> > Below is my lab setup. r1, r2, and r4 are all a part of OSPF area 0 via
> > their Frame-Relay connection, yet authentication is only happening
> > between r1 and r2 and all neighbor relationships are FULL.
> >
> > r2#sh run
> > !
> > interface Serial0
> > bandwidth 64
> > ip address 140.100.3.2 255.255.255.0
> > no ip directed-broadcast
> > encapsulation frame-relay
> > ip ospf authentication message-digest
> > ip ospf message-digest-key 2 md5 cisco
> > ip ospf hello-interval 60
> > ip ospf priority 0
> > no ip mroute-cache
> > ipx network 213
> > no fair-queue
> > clockrate 64000
> > frame-relay map bridge 111 broadcast
> > frame-relay map ipx 213.0001.0001.0001 111 broadcast
> > frame-relay map ipx 213.0002.0002.0002 111 broadcast
> > frame-relay map ipx 213.00e0.b05a.c665 111 broadcast
> > frame-relay map ip 140.100.3.1 111 broadcast
> > frame-relay map ip 140.100.3.2 111 broadcast
> > frame-relay map ip 140.100.3.3 111 broadcast
> > bridge-group 1
> > !
> > router ospf 100
> > redistribute eigrp 2020 subnets route-map eigrp
> > network 140.100.3.2 0.0.0.0 area 0
> >
> > r2#sh ip ospf nei
> >
> > Neighbor ID Pri State Dead Time Address Interface
> > 140.100.3.1 1 FULL/DR 00:03:01 140.100.3.1 Serial0
> >
> >
> > r1#sh run
> > !
> > interface Serial0.1 multipoint
> > ip address 140.100.3.1 255.255.255.0
> > no ip route-cache
> > ip ospf authentication message-digest
> > ip ospf message-digest-key 1 md5 cisco
> > ip ospf message-digest-key 2 md5 cisco
> > ip ospf hello-interval 60
> > no ip mroute-cache
> > ipx network 213
> > frame-relay map bridge 120 broadcast
> > frame-relay map bridge 110 broadcast
> > frame-relay map ipx 213.0002.0002.0002 110 broadcast
> > frame-relay map ipx 213.00e0.b05a.c665 120 broadcast
> > frame-relay map ip 140.100.3.2 110 broadcast
> > frame-relay map ip 140.100.3.3 120 broadcast
> > bridge-group 1
> > !
> > interface Serial0.2 point-to-point
> > ip address 140.100.0.5 255.255.255.252
> > no ip route-cache
> > no ip mroute-cache
> > ipx network 14
> > frame-relay interface-dlci 130
> > !
> > router ospf 100
> > log-adjacency-changes
> > network 140.100.0.1 0.0.0.0 area 10
> > network 140.100.0.5 0.0.0.0 area 0
> > network 140.100.3.1 0.0.0.0 area 0
> > neighbor 140.100.3.3
> > neighbor 140.100.3.2
> >
> > r1#sh ip ospf nei
> >
> > Neighbor ID Pri State Dead Time Address Interface
> > 155.10.6.6 0 FULL/DROTHER 00:03:21 140.100.3.3 Serial0.1
> > 192.128.128.2 0 FULL/DROTHER 00:03:15 140.100.3.2 Serial0.1
> > 199.199.10.1 1 FULL/ - 00:00:34 140.100.0.6 Serial0.2
> > 199.199.10.1 1 FULL/ - 00:00:34 140.100.0.2 Serial1
> >
> >
> > r4# sh run
> > interface Serial0
> > bandwidth 64
> > ip address 140.100.0.6 255.255.255.252
> > encapsulation frame-relay
> > no ip route-cache
> > ip ospf network point-to-point
> > no ip mroute-cache
> > ipx network 14
> > frame-relay map ip 140.100.0.5 131 broadcast
> > frame-relay map ip 140.100.0.6 131 broadcast
> > !
> > router ospf 100
> > log-adjacency-changes
> > redistribute connected subnets route-map loops
> > network 140.100.0.2 0.0.0.0 area 10
> > network 140.100.0.6 0.0.0.0 area 0
> >
> > r4#sh ip ospf nei
> >
> > Neighbor ID Pri State Dead Time Address Interface
> > 140.100.3.1 1 FULL/ - 00:00:34 140.100.0.5 Serial0
> > 140.100.3.1 1 FULL/ - 00:00:34 140.100.0.1 Serial1
> >
> > >>>Brian
> >
> >
> >
> >
> >
> > >From: "Don Banyong" <Donbans@hotmail.com>
> > >To: "Brian Lodwick" <xpranax@hotmail.com>
> > >Subject: Re: RE: OSPF authentication per-link
> > >Date: Wed, 20 Mar 2002 10:54:35 -0500
> > >
> > >All ospf intf by default have the IP OSPF AUTHENTICATION NULL by default
> > >(Jeff Doyle, Routing TCP/IP Vol 1, p 550). You do not need to
> > >explicitly use that command on an intf which you do not want to put a
> > >password on.
> > >
> > >Just remember.... there are two things going on here.
> > >The first thing is
> > >For two routers to create neighborships, the hello packets must agree
> > >to a couple of flags. Two of these flags are the area authentication
> > >and area authentication type.
> > >See OSPF packet structure:
> > >http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ospf.htm
> > >It is for this reason that authentication type is a per area attribute.
> > >(area x authentication message-digest for md5 or area x authentication
> > >for clear text).
> > >If you noticed, there is no particular password for the area........!!!
> > >
> > >The second thing is
> > >For two routers having a link to become ospf neighbors in an ospf
> > >authenticated area, the link password should be the same.
> > >The same passwords can also include NULL passwords (ie no passwords) on
> > >either side of the link......
> > >
> > >You explicitly use the cmd ip ospf authentication NULL as an
> > >alternative way to turn off a previously enabled message-digest or
> > >clear text ospf interface password.
> > >Another way of turning off a previously used message-digest or clear
> > >text ospf interface password is by using the no form of the command.
> > >Using the no form of any command returns that command attribute to its
> > >default (in this case NULL password)
> > >
> > >Feel me on this?
> > >
> > >
> > >----- Original Message -----
> > >From: "Brian Lodwick" <xpranax@hotmail.com>
> > >To: <Donbans@hotmail.com>
> > >Sent: Wednesday, March 20, 2002 9:49 AM
> > >Subject: Re: RE: OSPF authentication per-link
> > >
> > >
> > > > Don,
> > > > Good call! You are probably right, people often write in without
> > > > much thought process or experience behind their messages. It is
> > > > difficult to weed out the junk in here sometimes.
> > > > I only know of one way to do authentication in OSPF and that is to
> > > > configure it on every link within an area (clear or md5). That is why
> > > > I asked the question. I've already got a lab setup with OSPF area 0
> > > > across 2 links. I am going to try using the NULL method even though
> > > > it doesn't seem like it will work. I am pretty sure the other way
> > > > won't work, unless there is some validity to what Nicolai said and
> > > > now after IOS release 12.0(8) it is possible? I was actually in a
> > > > hurry when I received that e-mail, and I figured since I got a reply
> > > > so quickly it must be possible.
> > > >
> > > > >>>Brian
> > > >
> > > >
> > > > >From: "Don Banyong" <Donbans@hotmail.com>
> > > > >To: "Brian Lodwick" <xpranax@hotmail.com>
> > > > >Subject: Re: RE: OSPF authentication per-link
> > > > >Date: Wed, 20 Mar 2002 01:21:53 -0500
> > > > >
> > > > >The first thing is one of the guys is not so sure on what he is
> > > > >talking about. He is just following someone else's configuration.
> > > > >If I was you, I will do more research.
> > > > >
> > > > >For example
> > > > > > > >-----Original Message-----
> > > > > > > >From: Nicolai Gersbo Solling [mailto:nicolai@cisco.com]
> > > > >said
> > > > >to configure OSPF md5 configuration under an interface, use TWO IP
> > > > >OSPF cmds
> > > > > > > >IP ospf authentication message-digest
> > > > > > > >IP ospf message-digest 1 md5 password
> > > > >
> > > > >This is not true. You need a single command to configure md5 on an
> > > > >interface and this cmd is
> > > > >'IP ospf message-digest 1 md5 password'
> > > > >http://www.cisco.com/warp/public/104/25.shtml
> > > > >
> > > > >Secondly, the command 'ip ospf authentication null' does not need
> > > > >to be issued on an interface that has never had an 'ip ospf
> > > > >authentication or ip ospf message-digest' issued on. This command
> > > > >is the default on all OSPF interfaces.
> > > > >
> > > > >An extract from
> > > > >http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt1/1rospf.htm#xtocid272949
> > > > >Before using the ip ospf authentication command, configure a
> > > > >password for the interface using the ip ospf authentication-key
> > > > >command. If you use the ip ospf authentication message-digest
> > > > >command, configure the message-digest key for the interface with
> > > > >the ip ospf message-digest-key command.
> > > > >
> > > > >For backward compatibility, authentication type for an area is
> > > > >still supported. If the authentication type is not specified for an
> > > > >interface, the authentication type for the area will be used (the
> > > > >area default is null authentication).
> > > > >
> > > > >
> > > > >
> > > > >I could go on and on..... do your research....
> > > > >
> > > > >
> > > > >
> > > > >----- Original Message -----
> > > > >From: "Brian Lodwick" <xpranax@hotmail.com>
> > > > >To: <Donbans@hotmail.com>
> > > > >Sent: Tuesday, March 19, 2002 9:33 PM
> > > > >Subject: Fwd: RE: OSPF authentication per-link
> > > > >
> > > > >
> > > > > > Parry says it is possible if you use the keyword NULL on the
> > > > > > interfaces of the links you do not want to require authentication
> > > > > > within an area.
> > > > > > I'm going to try both and see what works and what doesn't.
> > > > > >
> > > > > > >>>Brian
> > > > > >
> > > > > >
> > > > > >
> > > > > > >From: "Chua, Parry" <Parry.Chua@compaq.com>
> > > > > > >Reply-To: "Chua, Parry" <Parry.Chua@compaq.com>
> > > > > > >To: "Brian Lodwick" <xpranax@hotmail.com>, <nicolai@cisco.com>,
> > > <ccielab@groupstudy.com>
> > > > > > >Subject: RE: OSPF authentication per-link
> > > > > > >Date: Wed, 20 Mar 2002 10:13:01 +0800
> > > > > > >
> > > > > > >Extract from 12.1 CD doc :
> > > > > > >
> > > > > > >ip ospf authentication
> > > > > > >======================
> > > > > > >To specify the authentication type for an interface, use the ip
> > > > > > >ospf authentication interface configuration command.
> > > > > > >To remove the authentication type for an interface, use the no
> > > > > > >form of this command.
> > > > > > >
> > > > > > >ip ospf authentication [message-digest | null]
> > > > > > > *****
> > > > > > >no ip ospf authentication
> > > > > > >
> > > > > > >Syntax Description
> > > > > > >====================
> > > > > > >+ message-digest
> > > > > > > -(Optional) Specifies that message-digest authentication
> > > > > > > will be used.
> > > > > > >
> > > > > > >+ null
> > > > > > > -(Optional) No authentication is used. Useful for overriding
> > > > > > > password or message-digest authentication if configured for an
> > > > > > > area.
> > > > > > >
> > > > > > >Parry Chua
> > > > > > >
> > > > > > >-----Original Message-----
> > > > > > >From: Brian Lodwick [mailto:xpranax@hotmail.com]
> > > > > > >Sent: Wednesday, March 20, 2002 9:47 AM
> > > > > > >To: Chua, Parry; nicolai@cisco.com; ccielab@groupstudy.com
> > > > > > >Subject: RE: OSPF authentication per-link
> > > > > > >
> > > > > > >
> > > > > > >Parry,
> > > > > > >Could you please expound upon your reply a little for me?
> > > > > > >I don't quite understand what you mean by using the keyword
> > > > > > >NULL within OSPF authentication.
> > > > > > >Thanks,
> > > > > > > >>>Brian
> > > > > > >
> > > > > > >
> > > > > > > >From: "Chua, Parry" <Parry.Chua@compaq.com>
> > > > > > > >To: "Nicolai Gersbo Solling" <nicolai@cisco.com>, "Brian
> > > > > > > >Lodwick" <xpranax@hotmail.com>, <ccielab@groupstudy.com>
> > > > > > > >Subject: RE: OSPF authentication per-link
> > > > > > > >Date: Wed, 20 Mar 2002 09:17:20 +0800
> > > > > > > >
> > > > > > > >I believe you can still use per area authentication, for the
> > > > > > > >links that belong to this area and not authentication using
> > > > > > > >the keyword NULL.
> > > > > > > >
> > > > > > > >Parry Chua
> > > > > > > >
> > > > > > > >-----Original Message-----
> > > > > > > >From: Nicolai Gersbo Solling [mailto:nicolai@cisco.com]
> > > > > > > >Sent: Wednesday, March 20, 2002 6:08 AM
> > > > > > > >To: Brian Lodwick; ccielab@groupstudy.com
> > > > > > > >Subject: RE: OSPF authentication per-link
> > > > > > > >
> > > > > > > >
> > > > > > > >Yes...first of all you need IOS code 12.0(8) or later!
> > > > > > > >
> > > > > > > >next thing is the following commands on the interface
> > > > > > > >
> > > > > > > >IP ospf authentication message-digest
> > > > > > > >IP ospf message-digest 1 md5 password
> > > > > > > >
> > > > > > > >Where 1 is the key and password is your password....Password
> > > > > > > >and key must match in both ends!
> > > > > > > >
> > > > > > > >
> > > > > > > >Nic
> > > > > > > >
> > > > > > > >-----Original Message-----
> > > > > > > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On
> > > > > > > >Behalf Of Brian Lodwick
> > > > > > > >Sent: 19. marts 2002 21:49
> > > > > > > >To: ccielab@groupstudy.com
> > > > > > > >Subject: OSPF authentication per-link
> > > > > > > >
> > > > > > > >
> > > > > > > >List,
> > > > > > > > Does anyone know if there is a way to use authentication
> > > > > > > >for a single link within an area, but have all of the other
> > > > > > > >links not use authentication?
> > > > > > > >
> > > > > > > > >>>Brian
> > > > > > > >
> > > > > > >
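Two points in the thread are checkable on the wire rather than by arguing over CCO pages: Don's suggestion to run 'debug ip ospf packet' and read the aut type (0 for null, 2 for MD5), and Nicolai's remark that password and key must match on both ends (r1 holds key IDs 1 and 2, r2 only key ID 2). The following Python script is an added example written for this archive page; it is not code from the thread or from Cisco. It decodes the OSPFv2 common header as laid out in RFC 2328 (A.3.1 and Appendix D), builds constructed Hello packets with either null or MD5 authentication using addresses from the lab above, and recomputes the RFC 2328 D.4.3 digest to show that a receiver rejects a packet whose key ID it does not hold or whose key differs.

```python
import hashlib
import hmac
import struct
from socket import inet_aton

# OSPFv2 common header (RFC 2328, A.3.1), 24 bytes:
# version(1) type(1) packet length(2) router ID(4) area ID(4) checksum(2) AuType(2) authentication(8)
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE_NAMES = {0: "null", 1: "simple password", 2: "cryptographic (MD5)"}


def ip_checksum(data: bytes) -> int:
    """Standard ones'-complement checksum used by the OSPF header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ospf_header(pkt: bytes) -> dict:
    """Decode the common header; 'autype' is the aut field the debug output shows.
    For AuType 2 the 8-byte authentication field carries key ID, auth data length
    and cryptographic sequence number instead of a password (RFC 2328, D.3)."""
    if len(pkt) < OSPF_HDR.size:
        raise ValueError("packet shorter than the 24-byte OSPF header")
    ver, ptype, length, rid, aid, csum, autype, auth = OSPF_HDR.unpack_from(pkt)
    info = {"version": ver, "type": ptype, "length": length,
            "router_id": ".".join(str(b) for b in rid),
            "area_id": ".".join(str(b) for b in aid),
            "checksum": csum, "autype": autype,
            "autype_name": AUTYPE_NAMES.get(autype, "unknown")}
    if autype == 2:
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, auth_data_len=auth_len, crypto_seq=seq)
    return info


def ospf_md5_digest(pkt: bytes, key: str) -> bytes:
    """RFC 2328 D.4.3: the key, zero-padded to 16 bytes, is appended to the packet
    and MD5 is computed over the result; the digest is sent in place of the key."""
    padded = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(pkt + padded).digest()


def build_hello(router_id: str, area_id: str, autype: int = 0,
                key_id: int = 0, seq: int = 0, key: str = "") -> bytes:
    """Build a minimal Hello (type 1) with null (0) or MD5 (2) authentication.
    Hello body values are constructed: /24 mask, hello 60, dead 240, priority 1."""
    body = struct.pack("!4sHBBI4s4s", inet_aton("255.255.255.0"), 60, 0x02, 1, 240,
                       inet_aton(router_id), inet_aton("0.0.0.0"))
    length = OSPF_HDR.size + len(body)
    if autype == 2:
        # Checksum is zero for AuType 2; integrity comes from the trailing digest.
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = OSPF_HDR.pack(2, 1, length, inet_aton(router_id), inet_aton(area_id),
                            0, 2, auth) + body
        return pkt + ospf_md5_digest(pkt, key)
    # Null auth: checksum covers the packet minus the 8-byte authentication field.
    hdr = OSPF_HDR.pack(2, 1, length, inet_aton(router_id), inet_aton(area_id), 0, 0, bytes(8))
    csum = ip_checksum(hdr[:16] + body)
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body


def checksum_ok(pkt: bytes) -> bool:
    """For AuType 0/1 the ones'-complement sum including the stored checksum folds to zero."""
    info = parse_ospf_header(pkt)
    if info["autype"] == 2:
        return True  # not checksummed; see verify_md5
    return ip_checksum(pkt[:16] + pkt[24:info["length"]]) == 0


def verify_md5(pkt: bytes, keys: dict) -> bool:
    """Recompute the digest with the key stored under the packet's key ID. Fails if
    the packet is not MD5-authenticated, the key ID is unknown, or the key differs."""
    info = parse_ospf_header(pkt)
    if info["autype"] != 2:
        return False
    key = keys.get(info["key_id"])
    if key is None or info["auth_data_len"] != 16:
        return False
    body = pkt[:info["length"]]
    digest = pkt[info["length"]:info["length"] + 16]
    return hmac.compare_digest(digest, ospf_md5_digest(body, key))


if __name__ == "__main__":
    # r1 in the thread holds key IDs 1 and 2, r2 only key ID 2, all "cisco".
    r1_keys = {1: "cisco", 2: "cisco"}
    hello = build_hello("140.100.3.2", "0.0.0.0", autype=2, key_id=2, seq=1, key="cisco")
    print(parse_ospf_header(hello))
    print("r1 accepts r2's hello:", verify_md5(hello, r1_keys))
    print("neighbor holding only key ID 3:", verify_md5(hello, {3: "cisco"}))
```

The key-ID lookup in verify_md5 is the part worth noticing: a neighbor that is configured with the right password under a different key ID still drops the packet, which is why r1 carrying both key 1 and key 2 interoperates with an r2 that has only key 2.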
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:17 GMT-3