From: Joe Higgins (netsat@xxxxxxxxxxxxx)
Date: Wed May 08 2002 - 20:42:31 GMT-3
The way that the IOS appears to handle virtual interface authentication is as
follows:
On the virtual border routers is there a "area x authentication" or a "area x
authentication message-digest" command configured at the router ospf level?
If no, then use no authentication on the virtual link
If yes, then look at the "area x virtual x.x.x.x etc." command for a matching
type and password
If yes, then use that type and password to authenticate the link
If no, i.e. no password or different type password, then authenticate using
the configured router ospf type level with a null password.
Joe Higgins wrote:
> The way that I perceive that the ospf authentication is done by the IOS is as
> follows:
>
> The IOS looks first at interface commands
> 1) Is there an "ip ospf authentication" or "ip ospf authentication message"
> command on the interface ?
> If no go to (2)
> If yes, is there a matching type command on the interface with a password?
> If no, authenticate with a null password using that type level
> If yes, then use that type of authentication and the password to form an
> adjacency.
>
> (2) Is there an "area x authentication" or "area x message-digest" command
> at the router ospf configuration level
> If no, use no authentication.
> If yes, is there a corresponding type key or password command configured on
> the interface
> If yes, then authenticate at the ospf router configured type level and use
> the interface password configured
> If no, then authenticate at the configured router ospf type level with a
> null password.
>
> garcia wrote:
>
> > that's a good one. i would think you would get an authentication type
> > error between mismatched neighbors and only form neighbors on those that match.
> > if you configure md5 between rtr_b -- rtr_a and type 1 clear-text between
> > rtr_b -- rtr_c, rtr_a should only form neighbor with rtr_b and rtr_c should
> > only form neighbor with rtr_b. did you clear ip ospf proc or reload after
> > you set up authentication?
> >
> > ----- Original Message -----
> > From: Joe Higgins <netsat@optonline.net>
> > To: <ccielab@groupstudy.com>
> > Sent: Wednesday, May 08, 2002 11:29 AM
> > Subject: ospf authentication
> >
> > > RTR_A (area 0 ) e0 -- e0 RTR_B (area 0) e1---e0 RTR_C (area 0)
> > >
> > > In the above scenario if I have the following commands on all three
> > > routers running IOS 12.1 will the routers ospf authenticate using md5
> > > encryption on that network segment even though on the router
> > > configuration level I have specified plain text configuration? From
> > > what I see it appears that if the first command ( ip ospf authentication
> > > message-digest) is there on the interface level it does not care what,
> > > if anything, is on the router configuration level as far as that
> > > interface is concerned. It only looks to the router level command if
> > > the first interface command is not present in the configuration.
> > >
> > > router ospf 1
> > > area 0 authentication
> > >
> > > interface Ex
> > > ip ospf authentication message-digest
> > > ip ospf message-digest-key 1 md5 cisco
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:53 GMT-3
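The selection order described in this thread (interface-level `ip ospf authentication` first, then the `area x authentication` command, with a null password when no key of the matching type is configured), written as an audit check. This is an added example, not part of the original posts and not Cisco's implementation: it models the behaviour as the posters describe it, and the function names, the sample config, and the assumption that every interface sits in a single area are constructed for illustration.

```python
import re

# Constructed sample config; key strings are placeholders, not real secrets.
SAMPLE = """\
router ospf 1
 area 0 authentication
interface Ethernet0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLEKEY
interface Ethernet1
interface Ethernet2
 ip ospf authentication-key EXAMPLEKEY
interface Ethernet3
 ip ospf authentication message-digest
 ip ospf authentication-key EXAMPLEKEY
"""

def parse(config):
    """Return ({area: type}, {interface: {"type", "keys"}}) from config text."""
    area_auth, ifaces, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"type": None, "keys": set()})
        elif re.match(r"router ospf \d+$", line):
            cur = None
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
        elif cur is not None:
            if m := re.match(r"ip ospf authentication( message-digest)?$", line):
                cur["type"] = "md5" if m.group(1) else "simple"
            elif line.startswith("ip ospf authentication-key "):
                cur["keys"].add("simple")
            elif re.match(r"ip ospf message-digest-key \d+ md5 \S", line):
                cur["keys"].add("md5")
    return area_auth, ifaces

def effective_auth(config, area="0"):
    """Map interface -> (type, key state), assuming all interfaces are in `area`."""
    area_auth, ifaces = parse(config)
    result = {}
    for name, cfg in ifaces.items():
        auth = cfg["type"] or area_auth.get(area)  # interface command wins
        state = "n/a" if auth is None else "keyed" if auth in cfg["keys"] else "null-key"
        result[name] = (auth or "none", state)
    return result

def weak_interfaces(config, area="0"):
    """Interfaces that end up unauthenticated or authenticating with a null key."""
    return sorted(n for n, (_, k) in effective_auth(config, area).items() if k != "keyed")
```

Ethernet0 mirrors the configuration in the original question: MD5 on the interface takes effect even though the area is set to plain-text authentication.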