From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Mon Apr 23 2007 - 08:47:42 ART
If there is area based authentication where is the area password applied?
;-)
--
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

On 4/22/07 10:07 PM, "Darby Weaver" <darbyweaver@yahoo.com> wrote:
> Brian,
>
> Is the DOC CD wrong and I am quoting the command
> reference below:
>
> Not to argue but to clarify. I'm too novice at this
> to argue the point.
>
> But am I reading the reference wrong when it talks
> about "area authentication". I have lost points on my
> labs in the past so perhaps my understanding is
> limited by this aspect.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hirp_r/rte_osph.htm#wp998741
>
> area authentication
> To enable authentication for an Open Shortest Path
> First (OSPF) area, use the area authentication command
> in router configuration mode. To remove an
> authentication specification of an area or a specified
> area from the configuration, use the no form of this
> command.
>
> area area-id authentication [message-digest]
>
> no area area-id authentication [message-digest]
>
> Syntax Description
> area-id
>   Identifier of the area for which authentication is to
>   be enabled. The identifier can be specified as either
>   a decimal value or an IP address.
>
> message-digest
>   (Optional) Enables Message Digest 5 (MD5)
>   authentication on the area specified by the area-id
>   argument.
>
> Defaults
> Type 0 authentication (no authentication)
>
> Command Modes
> Router configuration
>
> Command History
> Release   Modification
> 10.0      This command was introduced.
> 11.0      The message-digest keyword was added.
>
> Usage Guidelines
> Specifying authentication for an area sets the
> authentication to Type 1 (simple password) as
> specified in RFC 1247. If this command is not included
> in the configuration file, authentication of Type 0
> (no authentication) is assumed.
>
> The authentication type must be the same for all
> routers and access servers in an area. The
> authentication password for all OSPF routers on a
> network must be the same if they are to communicate
> with each other via OSPF. Use the ip ospf
> authentication-key interface command to specify this
> password.
>
> If you enable MD5 authentication with the
> message-digest keyword, you must configure a password
> with the ip ospf message-digest-key interface command.
>
> To remove the authentication specification for an
> area, use the no form of this command with the
> authentication keyword.
>
> --------------------------------------------------------------------------------
> Note: To remove the specified area from the software
> configuration, use the no area area-id command (with
> no other keywords). That is, the no area area-id
> command removes all area options, such as area
> authentication, area default-cost, area nssa, area
> range, area stub, and area virtual-link.
> --------------------------------------------------------------------------------
>
> Examples
> The following example mandates authentication for
> areas 0 and 10.0.0.0 of OSPF routing process 201.
> Authentication keys are also provided.
>
> interface ethernet 0
>  ip address 192.168.251.201 255.255.255.0
>  ip ospf authentication-key adcdefgh
> !
> interface ethernet 1
>  ip address 10.56.0.201 255.255.0.0
>  ip ospf authentication-key ijklmnop
> !
> router ospf 201
>  network 10.0.0.0 0.255.255.255 area 10.0.0.0
>  network 192.168.0.0 0.0.255.255 area 0
>  area 10.0.0.0 authentication
>  area 0 authentication
>
> =====================================
>
> Related Commands
> Command
>   Description
> area default-cost
>   Specifies a cost for the default summary route sent
>   into a stub area.
> area stub
>   Defines an area as a stub area.
> ip ospf authentication-key
>   Assigns a password to be used by neighboring routers
>   that are using the simple password authentication of
>   OSPF.
> ip ospf message-digest-key
>   Enables OSPF MD5 authentication.
>
> =========================================
> =========================================
> =========================================
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch15/1chospf.htm#wp1001216
>
> Configuring OSPF Area Parameters
> Our OSPF software allows you to configure several area
> parameters. These area parameters, shown in the
> following task table, include authentication, defining
> stub areas, and assigning specific costs to the
> default summary route. Authentication allows
> password-based protection against unauthorized access
> to an area.
>
> Stub areas are areas into which information on
> external routes is not sent. Instead, there is a
> default external route generated by the ABR, into the
> stub area for destinations outside the autonomous
> system. To take advantage of the OSPF stub area
> support, default routing must be used in the stub
> area. To further reduce the number of LSAs sent into a
> stub area, you can configure the no-summary keyword of
> the area stub router configuration command on the ABR
> to prevent it from sending summary link advertisement
> (LSAs Type 3) into the stub area.
>
> To specify an area parameter for your network, use the
> following commands in router configuration mode as
> needed:
>
> Command
>   Purpose
> Router(config-router)# area area-id authentication
>   Enables authentication for an OSPF area.
> Router(config-router)# area area-id authentication message-digest
>   Enables MD5 authentication for an OSPF area.
> Router(config-router)# area area-id stub [no-summary]
>   Defines an area to be a stub area.
> Router(config-router)# area area-id default-cost cost
>   Assigns a specific cost to the default summary route
>   used for the stub area
>
> --- Brian Dennis <bdennis@internetworkexpert.com>
> wrote:
>
>> This is in regards to a couple other "replies" you
>> received on this subject.
>>
>> The authentication type used by OSPF can be changed from the default of
>> "null" to "clear text" or "MD5" under the routing process which applies to
>> all interfaces within that area, or can be done at the interface level. By
>> setting the authentication type under the routing process you are not doing
>> "area" authentication. You are just setting the authentication type for all
>> interfaces on your router that are within that area.
>>
>> Example:
>> If I have 50 interfaces in area 1 and I want to authenticate all of them
>> it's easier to just use the command under the routing process as opposed to
>> typing the interface level command 50 times.
>>
>> If I have 50 interfaces in area 1 and I only want to authenticate 10 of
>> them then it's easiest to just apply the interface level command to the 10
>> interfaces that I want to enable authentication on. The reverse is to
>> enable authentication under the routing process and set the authentication
>> type to null on the other 40 interfaces within area 1 that we did not want
>> to enable authentication for.
>>
>> So don't confuse setting the authentication type under the routing process
>> with doing "area" authentication which is not supported in OSPF. Cisco's
>> implementation in the past forced this upon us due to the limitations of the
>> commands to enable authentication. So you can authenticate all segments
>> "within" an area but you can not do true "area" authentication.
>>
>> This would be the equivalent of saying that since I have all iBGP neighbors
>> authenticating with a MD5 password that I'm doing BGP AS Authentication. In
>> actuality I'm authenticating all iBGP peering sessions but that doesn't mean
>> I'm doing any sort of BGP AS Authentication ;-)
>>
>> --
>>
>> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
>> bdennis@internetworkexpert.com
>>
>> Internetwork Expert, Inc.
>> http://www.InternetworkExpert.com
>> Toll Free: 877-224-8987
>> Direct: 775-745-6404 (Outside the US and Canada)
>>
>> On 4/22/07 12:12 PM, "Jason Carpenter" <adventureracing@gmail.com> wrote:
>>
>>> Will this result in OSPF authentication with a MD5 hash of password CISCO
>>>
>>> router ospf 1
>>> area 0 authentication
>>>
>>> int s0/0
>>> ip ospf authentication message-digest
>>> ip ospf authentication-key CISCO
>>>
>>> when I run sh ip ospf int s0/0
>>> it says message-digest authentication enabled
>>> no key configured, using default key id 0
>>>
>>> as long as the question does not specify a key number, (for example
>>> key 1) would this result in md5 authentication with the password
>>> CISCO?
>>>
>>> Thanks
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:37 ART
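
Added example, not part of the original thread: a Python audit that resolves each interface's effective OSPF authentication type (the interface command overrides the area command) and checks that a key of the matching type is configured. The sample config is constructed; Serial0/0 mirrors the configuration asked about in the thread, while the addresses, the network statement and the other two interfaces are assumptions.

```python
import ipaddress
import re

# Constructed sample in "show running-config" layout. Serial0/0 mirrors the
# thread's config; addresses and the other interfaces are assumptions.
SAMPLE = """\
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 area 0 authentication
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf authentication-key CISCO
interface Serial0/1
 ip address 10.1.2.1 255.255.255.0
 ip ospf authentication-key CISCO
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ip ospf authentication null
"""
AUTH = {None: "simple", " message-digest": "md5", " null": "null"}

def audit(config):
    """Return {interface: (effective auth type, key of that type configured)}."""
    area_auth, nets, ifaces, cur = {}, [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():      # unindented line starts a section
            m = re.match(r"interface (\S+)", line)
            cur = ifaces.setdefault(m.group(1), {"keys": set()}) if m else None
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
            area_auth[m.group(1)] = AUTH[m.group(2)]   # sets a type, never a key
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", line):
            mask = ipaddress.ip_address(int(ipaddress.ip_address(m.group(2))) ^ 0xFFFFFFFF)
            nets.append((ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False), m.group(3)))
        elif cur is not None:
            if m := re.match(r"ip address (\S+)", line):
                cur["ip"] = ipaddress.ip_address(m.group(1))
            elif m := re.match(r"ip ospf authentication( message-digest| null)?$", line):
                cur["auth"] = AUTH[m.group(1)]         # overrides the area setting
            elif m := re.match(r"ip ospf (authentication|message-digest)-key ", line):
                cur["keys"].add("simple" if m.group(1) == "authentication" else "md5")
    nets.sort(key=lambda n: -n[0].prefixlen)  # most specific first (assumed order)
    report = {}
    for name, i in ifaces.items():
        area = next((a for net, a in nets if "ip" in i and i["ip"] in net), None)
        mode = i.get("auth") or area_auth.get(area, "null")
        report[name] = (mode, mode == "null" or mode in i["keys"])
    return report
```

For Serial0/0 `audit(SAMPLE)` returns `('md5', False)`, the state the quoted `sh ip ospf int s0/0` output reports as message-digest authentication with no key configured.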