From: Darby Weaver (darbyweaver@yahoo.com)
Date: Mon Apr 23 2007 - 02:07:43 ART
Brian,
Is the DOC CD wrong and I am quoting the command
reference below:
Not to argue but to clarify. I'm too novice at this
to argue the point.
But am I reading the reference wrong when it talks
about "area authentication"? I have lost points on my
labs in the past so perhaps my understanding is
limited by this aspect.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hirp_r/rte_osph.htm#wp998741
area authentication
To enable authentication for an Open Shortest Path
First (OSPF) area, use the area authentication command
in router configuration mode. To remove an
authentication specification of an area or a specified
area from the configuration, use the no form of this
command.
area area-id authentication [message-digest]
no area area-id authentication [message-digest]
Syntax Description
area-id
Identifier of the area for which authentication is to
be enabled. The identifier can be specified as either
a decimal value or an IP address.
message-digest
(Optional) Enables Message Digest 5 (MD5)
authentication on the area specified by the area-id
argument.
Defaults
Type 0 authentication (no authentication)
Command Modes
Router configuration
Command History
Release   Modification
10.0      This command was introduced.
11.0      The message-digest keyword was added.
Usage Guidelines
Specifying authentication for an area sets the
authentication to Type 1 (simple password) as
specified in RFC 1247. If this command is not included
in the configuration file, authentication of Type 0
(no authentication) is assumed.
The authentication type must be the same for all
routers and access servers in an area. The
authentication password for all OSPF routers on a
network must be the same if they are to communicate
with each other via OSPF. Use the ip ospf
authentication-key interface command to specify this
password.
If you enable MD5 authentication with the
message-digest keyword, you must configure a password
with the ip ospf message-digest-key interface command.
To remove the authentication specification for an
area, use the no form of this command with the
authentication keyword.
--------------------------------------------------------------------------------
Note To remove the specified area from the software
configuration, use the no area area-id command (with
no other keywords). That is, the no area area-id
command removes all area options, such as area
authentication, area default-cost, area nssa, area
range, area stub, and area virtual-link.
--------------------------------------------------------------------------------
Examples
The following example mandates authentication for
areas 0 and 10.0.0.0 of OSPF routing process 201.
Authentication keys are also provided.
interface ethernet 0
 ip address 192.168.251.201 255.255.255.0
 ip ospf authentication-key adcdefgh
!
interface ethernet 1
 ip address 10.56.0.201 255.255.0.0
 ip ospf authentication-key ijklmnop
!
router ospf 201
 network 10.0.0.0 0.255.255.255 area 10.0.0.0
 network 192.168.0.0 0.0.255.255 area 0
 area 10.0.0.0 authentication
 area 0 authentication
=====================================
Related Commands
Command                      Description
area default-cost            Specifies a cost for the default
                             summary route sent into a stub area.
area stub                    Defines an area as a stub area.
ip ospf authentication-key   Assigns a password to be used by
                             neighboring routers that are using the
                             simple password authentication of OSPF.
ip ospf message-digest-key   Enables OSPF MD5 authentication.
=========================================
=========================================
=========================================
Configuring OSPF Area Parameters
Our OSPF software allows you to configure several area
parameters. These area parameters, shown in the
following task table, include authentication, defining
stub areas, and assigning specific costs to the
default summary route. Authentication allows
password-based protection against unauthorized access
to an area.
Stub areas are areas into which information on
external routes is not sent. Instead, there is a
default external route generated by the ABR, into the
stub area for destinations outside the autonomous
system. To take advantage of the OSPF stub area
support, default routing must be used in the stub
area. To further reduce the number of LSAs sent into a
stub area, you can configure the no-summary keyword of
the area stub router configuration command on the ABR
to prevent it from sending summary link advertisement
(LSAs Type 3) into the stub area.
To specify an area parameter for your network, use the
following commands in router configuration mode as
needed:
Command: Router(config-router)# area area-id authentication
Purpose: Enables authentication for an OSPF area.

Command: Router(config-router)# area area-id authentication message-digest
Purpose: Enables MD5 authentication for an OSPF area.

Command: Router(config-router)# area area-id stub [no-summary]
Purpose: Defines an area to be a stub area.

Command: Router(config-router)# area area-id default-cost cost
Purpose: Assigns a specific cost to the default summary route
         used for the stub area.
--- Brian Dennis <bdennis@internetworkexpert.com>
wrote:
> This is in regards to a couple other "replies" you
> received on this subject.
>
> The authentication type used by OSPF can be changed
> from the default of
> "null" to "clear text" or "MD5" under the routing
> process which applies to
> all interfaces within that area, or can be done at
> the interface level. By
> setting the authentication type under the routing
> process you are not doing
> "area" authentication. You are just setting the
> authentication type for all
> interfaces on your router that are within that area.
>
> Example:
> If I have 50 interfaces in area 1 and I want to
> authenticate all of them
> it's easier to just use the command under the
> routing process as opposed to
> typing the interface level command 50 times.
>
> If I have 50 interfaces in area 1 and I only want to
> authenticate 10 of
> them then it's easiest to just apply the interface
> level command to the 10
> interfaces that I want to enable authentication on.
> The reverse is to
> enable authentication under the routing process and
> set the authentication
> type to null on the other 40 interfaces within area
> 1 that we did not want
> to enable authentication for.
>
> So don't confuse setting the authentication type
> under the routing process
> with doing "area" authentication which is not
> supported in OSPF. Cisco's
> implementation in the past forced this upon us due
> to the limitations of the
> commands to enable authentication. So you can
> authenticate all segments
> "within" an area but you can not do true "area"
> authentication.
>
> This would be the equivalent of saying that since I
> have all iBGP neighbors
> authenticating with a MD5 password that I'm doing
> BGP AS Authentication. In
> actuality I'm authenticating all iBGP peering
> sessions but that doesn't mean
> I'm doing any sort of BGP AS Authentication ;-)
>
> --
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
>
> On 4/22/07 12:12 PM, "Jason Carpenter"
> <adventureracing@gmail.com> wrote:
>
> > Will this result in OSPF authentication with a MD5
> hash of password CISCO
> >
> > router ospf 1
> > area 0 authentication
> >
> > int s0/0
> > ip ospf authentication message-digest
> > ip ospf authentication-key CISCO
> >
> > when I run sh ip ospf int s0/0
> > it says message-digest authentication enabled
> > no key configured, using default key id 0
> >
> > as long as the question does not specify a key
> number, (for example
> > key 1) would this result in md5 authentication
> with the password
> > CISCO?
> >
> > Thanks
> >
> >
>
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:37 ART
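
An added example, not part of the original thread or of Cisco's documentation: a small Python audit that works out which OSPF authentication type each interface ends up with (the interface-level `ip ospf authentication` setting first, otherwise the `area ... authentication` setting) and whether the key that matches that type is configured. The sample input is constructed from the configuration in the quoted question; the IP address, the network statement and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the configuration from the quoted question, with an
# assumed address and network statement so that Serial0/0 falls in area 0.
SAMPLE = """\
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 area 0 authentication
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf authentication-key CISCO
"""

def to_int(addr):
    return int(ipaddress.ip_address(addr))

def audit(config):
    """Return {interface: (effective_auth_type, matching_key_configured)}."""
    nets, area_auth, ifaces, cur = [], {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface (.+)", s):
            cur = ifaces.setdefault(m[1], {"ip": None, "auth": None, "simple": False, "md5": False})
        elif s.startswith("router "):
            cur = None
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", s):
            nets.append((to_int(m[1]), to_int(m[2]), m[3]))
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", s):
            area_auth[m[1]] = "md5" if m[2] else "simple"
        elif cur is not None:
            if m := re.match(r"ip address (\S+) \S+", s):
                cur["ip"] = to_int(m[1])
            elif m := re.match(r"ip ospf authentication( message-digest| null)?$", s):
                cur["auth"] = {None: "simple", " message-digest": "md5", " null": "null"}[m[1]]
            elif s.startswith("ip ospf authentication-key "):
                cur["simple"] = True   # clear-text (Type 1) key
            elif re.match(r"ip ospf message-digest-key \d+ md5 ", s):
                cur["md5"] = True      # MD5 key with an explicit key ID
    result = {}
    for name, i in ifaces.items():
        # Simplification: the first network statement covering the address wins,
        # and area IDs are assumed to be written the same way everywhere.
        area = next((a for n, w, a in nets
                     if i["ip"] is not None and (i["ip"] | w) == (n | w)), None)
        if area is not None:
            kind = i["auth"] or area_auth.get(area, "null")
            result[name] = (kind, kind == "null" or i[kind])
    return result
```

For the sample, `audit(SAMPLE)` reports message-digest authentication with no matching key on Serial0/0, which lines up with the `sh ip ospf int s0/0` output quoted in the question.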