RE: ospf authentication

From: Jason Sinclair (sinclairj@xxxxxxxxxxxxxxx)
Date: Wed May 08 2002 - 20:24:47 GMT-3


   
All,

As per CCO http://www.cisco.com/warp/customer/104/25.shtml

If per-interface authentication is defined then that will be used; if not,
the auth defined at router level will be used. There is an associated BUG ID
that shows how Cisco changed their implementation to conform to RFC 2328.

Regards,

Jason Sinclair CCIE #9100
Manager, Network Control Centre
POWERTEL
Ground Level, 55 Clarence Street,
SYDNEY NSW 2000
AUSTRALIA
office: + 61 2 8264 3820
mobile: + 61 416 105 858
* sinclairj@powertel.com.au

                -----Original Message-----
                From: Joe Higgins [mailto:netsat@optonline.net]
                Sent: Thursday, 9 May 2002 08:54
                To: garcia
                Cc: ccielab@groupstudy.com
                Subject: Re: ospf authentication

                The way that I perceive that the ospf authentication is done by the IOS is as follows:

                The IOS looks first at interface commands
                1) Is there an "ip ospf authentication" or "ip ospf authentication message" command on the interface?
                If no, go to (2)
                If yes, is there a matching type command on the interface with a password?
                If no, authenticate with a null password using that type level
                If yes, then use that type of authentication and the password to form an adjacency.

                (2) Is there an "area x authentication" or "area x message-digest" command at the router ospf configuration level?
                If no, use no authentication.
                If yes, is there a corresponding type key or password command configured on the interface?
                If yes, then authenticate at the ospf router configured type level and use the interface password configured
                If no, then authenticate at the configured router ospf type level with a null password.

                garcia wrote:

> that's a good one. i would think you would get an authentication type error
> between mismatched neighbors and only form neighbors on those that match.
> if you configure md5 between rtr_b -- rtr_a and type 1 clear-text between
> rtr_b -- rtr_c, rtr_a should only form neighbor with rtr_b and rtr_c should
> only form neighbor with rtr_b. did you clear ip ospf proc or reload after
> you set up authentication?
>
> ----- Original Message -----
> From: Joe Higgins <netsat@optonline.net>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, May 08, 2002 11:29 AM
> Subject: ospf authentication
>
> > RTR_A (area 0) e0 -- e0 RTR_B (area 0) e1---e0 RTR_C (area 0)
> >
> > In the above scenario if I have the following commands on all three
> > routers running IOS 12.1 will the routers ospf authenticate using md5
> > encryption on that network segment even though on the router
> > configuration level I have specified plain text configuration? From
> > what I see it appears that if the first command (ip ospf authentication
> > message-digest) is there on the interface level it does not care what,
> > if anything, is on the router configuration level as far as that
> > interface is concerned. It only looks to the router level command if
> > the first interface command is not present in the configuration.
> >
> > router ospf 1
> > area 0 authentication
> >
> > interface Ex
> > ip ospf authentication message-digest
> > ip ospf message-digest-key 1 md5 cisco
> >
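
The precedence discussed in this thread (interface-level authentication type first, the router-level area setting otherwise, and a null key when no matching key command is on the interface), as an added example that is not part of the original messages: a small Python audit that reports the effective OSPF authentication for each interface in a config. The sample config, interface names and function names are constructed, and it assumes every interface belongs to the area passed in.

```python
import re
# Constructed sample: area-level plain text as in the thread, made-up interfaces.
SAMPLE = """\
router ospf 1
 area 0 authentication
!
interface Ethernet0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
!
interface Ethernet1
 ip ospf authentication-key cisco
!
interface Ethernet2
 ip ospf authentication message-digest
!
"""
KEY_CMD = {"md5": "ip ospf message-digest-key ", "simple": "ip ospf authentication-key "}

def area_auth(config, area):
    """Auth type configured for the area under 'router ospf', else None."""
    m = re.search(rf"^\s*area {re.escape(area)} authentication( message-digest)?\s*$",
                  config, re.M)
    return None if not m else ("md5" if m.group(1) else "simple")

def effective_auth(config, area):
    """Return {interface: (auth type, where it was set, matching key present?)}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # left the interface block
    result = {}
    for name, cmds in ifaces.items():
        if "ip ospf authentication message-digest" in cmds:
            kind, source = "md5", "interface"  # interface-level type wins
        elif "ip ospf authentication null" in cmds:
            kind, source = "null", "interface"
        elif "ip ospf authentication" in cmds:
            kind, source = "simple", "interface"
        else:  # fall back to the area setting, or no authentication at all
            kind, source = area_auth(config, area) or "null", "router"
        prefix = KEY_CMD.get(kind)
        has_key = bool(prefix) and any(c.startswith(prefix) for c in cmds)
        result[name] = (kind, source, has_key)
    return result
```

An interface reported with an authentication type but no matching key (Ethernet2 in the sample) is the null-password case described above and is worth flagging in a config review.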



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:53 GMT-3