Re: OSPF Authentication

From: Ayman Hamza (ayhamza@cisco.com)
Date: Mon Sep 30 2002 - 15:41:27 GMT-3


Dave;

See below in-line !

Regards;
Ayman

> From: "Dave Stoddard" <dstoddard@thrupoint.net>
> To: <ccielab@groupstudy.com>
> Subject: OSPF Authentication
> Date: Tue, 24 Sep 2002 10:58:30 -0700
>
> I sent this question yesterday, but I didn't see that it made it to the
> list. So sorry if somehow this makes it to the list twice.
>
>
> 1> I have the following configuration (only a portion shown) & everything is
> working fine. The specific requirement I'm working on is MD5 authentication
> in area 1. What I don't understand is that when I issue the show ip ospf
> interface command it shows "Message digest authentication enabled", but "No
> key configured, using default key id 0". Why does it show no key
> configured?
>
> 2> When the lab asks to use MD5 authentication, does the encryption type matter,
> i.e. "<0-7> Encryption type (0 for not yet encrypted, 7 for
> proprietary)"?

The encryption level is not important in the LAB

>
>
> interface Serial0/0.4 multipoint
> ip address 135.3.12.4 255.255.255.248
> ip ospf authentication message-digest
> ip ospf authentication-key 6 secure
> ip ospf network non-broadcast
> frame-relay map ip 135.3.12.3 300 broadcast
> frame-relay map ip 135.3.12.4 401 broadcast
> frame-relay map ip 135.3.12.6 401 broadcast
> no frame-relay inverse-arp
> !
> router ospf 100
> router-id 135.3.4.4
> log-adjacency-changes
> area 0 authentication
> area 1 authentication message-digest
> area 1 virtual-link 135.3.6.6 authentication message-digest authentication-key 6 secure
> area 1 virtual-link 135.3.3.3 authentication message-digest authentication-key 6 secure
> passive-interface Ethernet0/0
> passive-interface Serial0/1
> network 135.3.4.0 0.0.0.255 area 1
> network 135.3.12.0 0.0.0.7 area 1
> network 135.3.28.0 0.0.0.255 area 0
> neighbor 135.3.12.3
> neighbor 135.3.12.6

Your configuration here is completely wrong!!

OSPF authentication configuration has two flavours:

1- Interface Authentication: which means the OSPF LSAs sent on this interface will
carry authentication passwords, and all the neighboring OSPF routers on this interface
should have the same authentication type and password.

2- Area Authentication:
Which means all the OSPF routers in a specific area should enable that type of
authentication under their interfaces located in this area.

Let's examine your configuration!

You are configuring the area with MD5 authentication:

' area 1 authentication message-digest '

But you are not enabling the authentication correctly under the
interface Serial0/0.4 multipoint. You should only configure:
' ip ospf message-digest-key <key id> md5 <password> '

The command 'ip ospf authentication-key 6 secure' is wrong!!!
The interface command 'ip ospf authentication-key <key-id> <password>'

is for assigning the interface the PLAIN password for OSPF LSA authentication
using the plain text authentication method, after you enable this method for
the area using the command:

area <area-id> authentication

For enabling interface authentication, you should configure:

First, enable the authentication method under the interface where you
want to use authentication:

a- for MD5, type:

router(config-if)# ip ospf authentication message-digest

then under the same interface:

router(config-if)#ip ospf message-digest-key <key id> md5 <password>

b- for plain text authentication:

router(config-if)#ip ospf authentication

then type under the same interface:

router(config-if)#ip ospf authentication-key <key-id> <password>

If you want to enable MD5 authentication for the virtual link - what you have
configured is wrong - type the following:

area 1 virtual-link 135.3.3.3 authentication message-digest
message-digest-key <key-id> md5 <password>

all in one line.

For plain text authentication for the virtual link:

area 1 virtual-link 135.3.3.3 authentication authentication-key <key-id>
<password>

all in one line.

Kindly read the IOS command reference carefully for these two commands:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/1rdospf.htm

Best regards;
Ayman

>
> **********************
>
> r4#sh ip ospf int
> Serial0/0.4 is up, line protocol is up
> Internet Address 135.3.12.4/29, Area 1
> Process ID 100, Router ID 135.3.4.4, Network Type NON_BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State DR, Priority 1
> Designated Router (ID) r4, Interface address 135.3.12.4
> No backup designated router on this network
> Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
> Hello due in 00:00:06
> Index 1/1, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 4
> Last flood scan time is 0 msec, maximum is 4 msec
> Neighbor Count is 2, Adjacent neighbor count is 2
> Adjacent with neighbor r3
> Adjacent with neighbor r6
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> No key configured, using default key id 0

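The mismatch discussed in this thread (MD5 enabled on the interface and the area, but only a plain-text 'ip ospf authentication-key' configured, so IOS reports "No key configured") can be caught by auditing the configuration before the adjacency is ever tested. The script below is an added example, not code from this thread or from Cisco: it parses the stanzas quoted above (constructed inline, with the wrapped virtual-link command rejoined) and flags interfaces and virtual-links where MD5 is in force, either explicitly or through an 'area N authentication message-digest' statement matched to the interface via the 'network' wildcards, but no 'ip ospf message-digest-key' is present; the finding texts are its own wording.

```python
import re
from ipaddress import ip_address
# Constructed sample: the stanzas quoted in the question above, with wrapped lines rejoined.
CONFIG = """\
interface Serial0/0.4 multipoint
 ip address 135.3.12.4 255.255.255.248
 ip ospf authentication message-digest
 ip ospf authentication-key 6 secure
!
router ospf 100
 area 1 authentication message-digest
 area 1 virtual-link 135.3.6.6 authentication message-digest authentication-key 6 secure
 network 135.3.12.0 0.0.0.7 area 1
"""

def in_area(addr, networks):
    """Area whose 'network <net> <wildcard> area <id>' statement covers addr, else None."""
    a = int(ip_address(addr))
    for net, wild, area in networks:
        if a & ~wild == int(ip_address(net)) & ~wild:  # wildcard bits are don't-care
            return area
    return None

def audit(text):
    """Report interfaces and virtual-links where MD5 is enabled but no md5 key is configured."""
    ifaces, router, cur = {}, [], None
    for line in text.splitlines():          # split the config into interface and router-ospf stanzas
        words = line.split()
        if words[:1] == ["interface"]:
            cur = ifaces.setdefault(words[1], [])
        elif words[:1] == ["router"]:
            cur = router
        elif words and words[0] != "!" and cur is not None:
            cur.append(" ".join(words))
    findings, md5_areas, networks = [], set(), []
    for l in router:
        if m := re.match(r"area (\S+) authentication message-digest$", l):
            md5_areas.add(m[1])             # area-level MD5 applies to every interface in that area
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", l):
            networks.append((m[1], int(ip_address(m[2])), m[3]))
        elif "virtual-link" in l and "message-digest" in l and "message-digest-key" not in l:
            findings.append(f"{l.split()[3]} virtual-link: MD5 enabled but no message-digest-key")
    for name, lines in ifaces.items():
        ip = next((l.split()[2] for l in lines if l.startswith("ip address ")), None)
        md5 = "ip ospf authentication message-digest" in lines or (ip and in_area(ip, networks) in md5_areas)
        if md5 and not any(l.startswith("ip ospf message-digest-key") for l in lines):
            findings.append(f"{name}: MD5 enabled but no message-digest-key (IOS: 'No key configured')")
        if md5 and any(l.startswith("ip ospf authentication-key") for l in lines):
            findings.append(f"{name}: authentication-key is the plain-text key and is ignored under MD5")
    return findings
```

Running audit(CONFIG) returns three findings (the virtual link and two for Serial0/0.4); swapping the authentication-key lines for message-digest-key ones, as the reply recommends, makes the list empty.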


This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:44:08 GMT-3