From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sun Oct 01 2006 - 03:25:31 ART
Also as a site note OSPF doesn't do "area authentication" as per the
RFC.
Cisco originally implemented OSPF authentication by only allowing
authentication to be enabled on all interfaces within an area using the
"area <area> authentication" and "area <area> authentication
message-digest" commands. Due to Cisco's original implementation you
were forced to authenticate all interfaces within an area once
authentication was enabled but this isn't as per the RFC. In IOS
12.0(4) Cisco added the interface level authentication command which
should have been implemented when OSPF authentication was first
supported in the IOS. This would have created less confusion as many
people think that the authentication command under the routing process
is "area authentication".
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Magmax
Sent: Saturday, September 30, 2006 8:34 PM
To: swm@emanon.com; ccielab@groupstudy.com
Subject: RE: ospf authentication
My mistake it should be
interface Serial0/0.315 multipoint
ip address 190.168.315.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CISCO
frame-relay map ip 192.168.315.2 502 broadcast
frame-relay map ip 192.168.315.3 503
no frame-relay inverse-arp
Right now I will do interface authentication but not ospf area
authentication. Also I don't need to enable any virtual-link
authentication
or need area 0 authetication message-digest command under ospf process
Ubaid
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Sunday, 1 October 2006 1:25 PM
To: 'Magmax'; ccielab@groupstudy.com
Subject: RE: ospf authentication
Are you asking or telling? ;)
You CAN.... And it will work with your peers (if they're identical).
However, you won't get any points for it.
"ip ospf authentication message-digest" needs to have "ip ospf
message-digest-key ..." in order to use the password CISCO. You
configured
a clear-text key yet enabled message-digest authentication.
When you do "show ip ospf interface s0/0.235" you'll find that
message-digest authentication IS indeed enabled but is using Key 0,
which is
the NULL keyset. So if all of your routers are like that you'll get
peers,
and things will look good but you aren't using Key 1 CISCO, so you don't
get
points.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Magmax
Sent: Saturday, September 30, 2006 11:06 PM
To: ccielab@groupstudy.com
Subject: ospf authentication
interface Serial0/0.235 multipoint
ip address 190.168.315.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CISCO
frame-relay map ip 192.168.315.2 502 broadcast
frame-relay map ip 192.168.315.3 503 broadcast
no frame-relay inverse-arp
Guys,
I can enable ospf authentication on per interface basis like above
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:03 ART