From: kasturi cisco (kasturi_cisco@hotmail.com)
Date: Sat Jul 15 2006 - 14:56:12 ART
Hi Sugam,
I think what you are seeing is the expected behaviour. Experts, correct me here
if needed!
The key number is NOT locally significant though a lot of docs say so. It's
used as a key value/component for creating the MD5 hash of the key-string.
If the key number does not match on both sides authentication will not be
successful. But there is a difference when we use this in RIP vs EIGRP from
what I remember. Have not checked with recent IOS versions...to see if this
has changed.
1. Key-string and Key-id need to match for MD5 Auth to work for EIGRP
2. Only key string needs to match for MD5 auth to work in RIP.
3. If there are 2 keys, then as long as key 1 is valid (time) it will try
and continue to use Key 1 itself i.e. If several keys have an overlapping
send-lifetime, it uses the key with the lowest sequence number to sign the
outgoing EIGRP packets.
So what is happening in your case is: since key 1 is the same on both sides,
it is working, as it matches rules 1 and 3.
When key 1 and key 2 have the same key strings they don't work because of rule 1.
When both sides have the same key id and key string it works fine per rule 1.
HTH.
Kasturi.
>From: "sugam agrawal" <netshikhar@gmail.com>
>Reply-To: "sugam agrawal" <netshikhar@gmail.com>
>To: "Cisco certification" <ccielab@groupstudy.com>
>Subject: EIGRP Authentication
>Date: Sun, 9 Jul 2006 17:29:50 +0530
>
>Hi,
>
>I am trying authentication with EIGRP.
>
>It is working only when "key id 1" has the same key-string value on both
>sides.
>
>In case key-string value of "key id 1" on one side matches with key-string
>value of "key id 2" of other side
>It says -> EIGRP: pkt key id = 1, authentication mismatch
>
>Also I tried with using same key-string values for "key id 2" on both
>sides (key-string values for "key id 1" still being different)......still the
>same message -> EIGRP: pkt key id = 1, authentication mismatch
>As per the CCO Documentation, the IOS sends the packet with only one key and
>keeps searching till it gets one valid key which is same on both sides.....I
>interpret it like -> It would keep sending the packets with different keys
>one after the another until & unless it finds any matching key-string from
>other side. Ideally it wouldn't care for "key-id" nos., It would rather care
>for "key-string" values.
>
>Could somebody clarify please....
>
>Thanks,
>Sugam
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART
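
The rules listed in the reply above (rule 1: key id and key-string must both match; rule 3: the lowest-numbered key with a valid send-lifetime signs), modelled as a small Python simulation and run against the scenarios from the original question plus a key 1 expiry case that follows from rule 3. This is an added example, not part of either post and not IOS code; the key-strings, time values and function names are constructed, accept-lifetimes are assumed always valid, and only the R1 to R2 direction is checked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    send_from: float = 0.0            # send-lifetime start (constructed time units)
    send_until: float = float("inf")  # send-lifetime end; accept-lifetime assumed always valid

def signing_key(chain, now):
    """Rule 3: the valid key with the lowest key id signs outgoing packets."""
    valid = [k for k in chain if k.send_from <= now <= k.send_until]
    return min(valid, key=lambda k: k.key_id) if valid else None

def check(sender_chain, receiver_chain, now=0.0):
    """Rule 1: accept only if the receiver holds the same key id with the same key-string.
    Returns (key id carried in the packet, accepted?)."""
    key = signing_key(sender_chain, now)
    if key is None:
        return (None, False)
    local = {k.key_id: k.key_string for k in receiver_chain}
    return (key.key_id, local.get(key.key_id) == key.key_string)

def scenarios():
    # Constructed key-strings; each pair is (R1 chain, R2 chain).
    same_key1 = ([Key(1, "alpha"), Key(2, "bravo")], [Key(1, "alpha"), Key(2, "delta")])
    crossed   = ([Key(1, "alpha"), Key(2, "bravo")], [Key(1, "bravo"), Key(2, "alpha")])
    same_key2 = ([Key(1, "alpha"), Key(2, "bravo")], [Key(1, "delta"), Key(2, "bravo")])
    # same_key2 again, but key 1's send-lifetime ends at t=100 on both routers
    rollover  = ([Key(1, "alpha", 0, 100), Key(2, "bravo")],
                 [Key(1, "delta", 0, 100), Key(2, "bravo")])
    return {
        "key 1 matches": check(*same_key1),
        "key 1 string matches peer's key 2": check(*crossed),
        "only key 2 matches": check(*same_key2),
        "only key 2 matches, key 1 expired": check(*rollover, now=200),
    }

if __name__ == "__main__":
    for name, (key_id, ok) in scenarios().items():
        print(f"{name:38} pkt key id = {key_id}, {'accepted' if ok else 'authentication mismatch'}")
```

In this model the matching key 2 is never tried while key 1 is still inside its send-lifetime, which is why both failing cases in the question report key id 1.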