Re: OSPF authentication

From: Narbik Kocharians (narbikk@gmail.com)
Date: Mon Apr 23 2007 - 10:00:02 ART


Brian, once again you are saying area based. I am saying area
authentication. I totally agree with you on area based, there is no area
based authentication.

On 4/23/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
>
> If there is area based authentication where is the area password applied?
> ;-)
>
> --
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
>
> On 4/22/07 10:07 PM, "Darby Weaver" <darbyweaver@yahoo.com> wrote:
>
> > Brian,
> >
> > Is the DOC CD wrong and I am quoting the command
> > reference below:
> >
> > Not to argue but to clarify. I'm too novice at this
> > to argue the point.
> >
> > But am I reading the reference wrong when it talks
> > about "area authentication". I have lost points on my
> > labs in the past so perhaps my understanding is
> > limited by this aspect.
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hirp_r/rte_osph.htm#wp998741
> >
> > area authentication
> > To enable authentication for an Open Shortest Path
> > First (OSPF) area, use the area authentication command
> > in router configuration mode. To remove an
> > authentication specification of an area or a specified
> > area from the configuration, use the no form of this
> > command.
> >
> > area area-id authentication [message-digest]
> >
> > no area area-id authentication [message-digest]
> >
> > Syntax Description
> > area-id
> > Identifier of the area for which authentication is to
> > be enabled. The identifier can be specified as either
> > a decimal value or an IP address.
> >
> > message-digest
> > (Optional) Enables Message Digest 5 (MD5)
> > authentication on the area specified by the area-id
> > argument.
> >
> >
> >
> >
> > Defaults
> > Type 0 authentication (no authentication)
> >
> > Command Modes
> > Router configuration
> >
> > Command History
> > Release Modification
> > 10.0
> > This command was introduced.
> >
> > 11.0
> > The message-digest keyword was added.
> >
> >
> >
> >
> > Usage Guidelines
> > Specifying authentication for an area sets the
> > authentication to Type 1 (simple password) as
> > specified in RFC 1247. If this command is not included
> > in the configuration file, authentication of Type 0
> > (no authentication) is assumed.
> >
> > The authentication type must be the same for all
> > routers and access servers in an area. The
> > authentication password for all OSPF routers on a
> > network must be the same if they are to communicate
> > with each other via OSPF. Use the ip ospf
> > authentication-key interface command to specify this
> > password.
> >
> > If you enable MD5 authentication with the
> > message-digest keyword, you must configure a password
> > with the ip ospf message-digest-key interface command.
> >
> >
> > To remove the authentication specification for an
> > area, use the no form of this command with the
> > authentication keyword.
> >
> >
> >
> >
> >
> > Note To remove the specified area from the software
> > configuration, use the no area area-id command (with
> > no other keywords). That is, the no area area-id
> > command removes all area options, such as area
> > authentication, area default-cost, area nssa, area
> > range, area stub, and area virtual-link.
> >
> >
> >
> >
> > Examples
> > The following example mandates authentication for
> > areas 0 and 10.0.0.0 of OSPF routing process 201.
> > Authentication keys are also provided.
> >
> > interface ethernet 0
> >
> > ip address 192.168.251.201 255.255.255.0
> >
> > ip ospf authentication-key adcdefgh
> >
> > !
> >
> > interface ethernet 1
> >
> > ip address 10.56.0.201 255.255.0.0
> >
> > ip ospf authentication-key ijklmnop
> >
> > !
> >
> > router ospf 201
> >
> > network 10.0.0.0 0.255.255.255 area 10.0.0.0
> >
> > network 192.168.0.0 0.0.255.255 area 0
> >
> > area 10.0.0.0 authentication
> >
> > area 0 authentication
> >
> > =====================================
> >
> > Related Commands
> > Command Description
> > area default-cost
> > Specifies a cost for the default summary route sent
> > into a stub area.
> >
> > area stub
> > Defines an area as a stub area.
> >
> > ip ospf authentication-key
> > Assigns a password to be used by neighboring routers
> > that are using the simple password authentication of
> > OSPF.
> >
> > ip ospf message-digest-key
> > Enables OSPF MD5 authentication.
> >
> > =========================================
> >
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch15/1chospf.htm#wp1001216
> >
> > Configuring OSPF Area Parameters
> > Our OSPF software allows you to configure several area
> > parameters. These area parameters, shown in the
> > following task table, include authentication, defining
> > stub areas, and assigning specific costs to the
> > default summary route. Authentication allows
> > password-based protection against unauthorized access
> > to an area.
> >
> > Stub areas are areas into which information on
> > external routes is not sent. Instead, there is a
> > default external route generated by the ABR, into the
> > stub area for destinations outside the autonomous
> > system. To take advantage of the OSPF stub area
> > support, default routing must be used in the stub
> > area. To further reduce the number of LSAs sent into a
> > stub area, you can configure the no-summary keyword of
> > the area stub router configuration command on the ABR
> > to prevent it from sending summary link advertisement
> > (LSAs Type 3) into the stub area.
> >
> > To specify an area parameter for your network, use the
> > following commands in router configuration mode as
> > needed:
> >
> >
> > Command Purpose
> > Router(config-router)# area area-id authentication
> > Enables authentication for an OSPF area.
> >
> > Router(config-router)# area area-id authentication
> > message-digest
> > Enables MD5 authentication for an OSPF area.
> >
> > Router(config-router)# area area-id stub [no-summary]
> > Defines an area to be a stub area.
> >
> > Router(config-router)# area area-id default-cost cost
> > Assigns a specific cost to the default summary route
> > used for the stub area
> >
> >
> >
> >
> >
> >
> > --- Brian Dennis <bdennis@internetworkexpert.com>
> > wrote:
> >
> >> This is in regards to a couple other "replies" you
> >> received on this subject.
> >>
> >> The authentication type used by OSPF can be changed
> >> from the default of
> >> "null" to "clear text" or "MD5" under the routing
> >> process which applies to
> >> all interfaces within that area, or can be done at
> >> the interface level. By
> >> setting the authentication type under the routing
> >> process you are not doing
> >> "area" authentication. You are just setting the
> >> authentication type for all
> >> interfaces on your router that are within that area.
> >>
> >> Example:
> >> If I have 50 interfaces in area 1 and I want to
> >> authenticate all of them
> >> it's easier to just use the command under the
> >> routing process as opposed to
> >> typing the interface level command 50 times.
> >>
> >> If I have 50 interfaces in area 1 and I only want to
> >> authenticate 10 of
> >> them then it's easiest to just apply the interface
> >> level command to the 10
> >> interfaces that I want to enable authentication on.
> >> The reverse is to
> >> enable authentication under the routing process and
> >> set the authentication
> >> type to null on the other 40 interfaces within area
> >> 1 that we did not want
> >> to enable authentication for.
> >>
> >> So don't confuse setting the authentication type
> >> under the routing process
> >> with doing "area" authentication which is not
> >> supported in OSPF. Cisco's
> >> implementation in the past forced this upon us due
> >> to the limitations of the
> >> commands to enable authentication. So you can
> >> authenticate all segments
> >> "within" an area but you can not do true "area"
> >> authentication.
> >>
> >> This would be the equivalent of saying that since I
> >> have all iBGP neighbors
> >> authenticating with an MD5 password that I'm doing
> >> BGP AS Authentication. In
> >> actuality I'm authenticating all iBGP peering
> >> sessions but that doesn't mean
> >> I'm doing any sort of BGP AS Authentication ;-)
> >>
> >> --
> >>
> >> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> >> bdennis@internetworkexpert.com
> >>
> >> Internetwork Expert, Inc.
> >> http://www.InternetworkExpert.com
> >> Toll Free: 877-224-8987
> >> Direct: 775-745-6404 (Outside the US and Canada)
> >>
> >>
> >>
> >> On 4/22/07 12:12 PM, "Jason Carpenter"
> >> <adventureracing@gmail.com> wrote:
> >>
> >>> Will this result in OSPF authentication with an MD5
> >> hash of password CISCO
> >>>
> >>> router ospf 1
> >>> area 0 authentication
> >>>
> >>> int s0/0
> >>> ip ospf authentication message-digest
> >>> ip ospf authentication-key CISCO
> >>>
> >>> when I run sh ip ospf int s0/0
> >>> it says message-digest authentication enabled
> >>> no key configured, using default key id 0
> >>>
> >>> as long as the question does not specify a key
> >> number, (for example
> >>> key 1) would this result in md5 authentication
> >> with the password
> >>> CISCO?
> >>>
> >>> Thanks
> >>>
> >>>
> >>
> > _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
>
>

-- 
Narbik Kocharians
CCIE# 12410 (R&S, SP, Security)
CCSI# 30832
Network Learning, Inc. (CCIE class Instructor)
www.ccbootcamp.com (CCIE Training)
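A worked illustration of the resolution Brian describes, added here and not part of the thread or of Cisco's own code: the interface-level "ip ospf authentication" command wins over the area-level type, and a message-digest interface needs an "ip ospf message-digest-key", not an "ip ospf authentication-key". The sample config (Serial0/0 is the case from Jason's question) and the interface-to-area mapping are constructed.

```python
# Constructed sample config: Serial0/0 is the case from the question above.
SAMPLE_CONFIG = """\
router ospf 1
 area 0 authentication
 area 1 authentication message-digest
interface Serial0/0
 ip ospf authentication message-digest
 ip ospf authentication-key CISCO
interface Serial0/1
 ip ospf message-digest-key 1 md5 CISCO
interface Serial0/2
 ip ospf authentication null
"""
# Assumed interface -> area mapping (IOS derives it from network statements).
INTERFACE_AREA = {"Serial0/0": "0", "Serial0/1": "1", "Serial0/2": "1"}

def parse_config(text):
    """Per-area type from 'area <id> authentication [message-digest]'; per
    interface, the 'ip ospf authentication' override and configured keys."""
    area_types, interfaces, cur = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        parts = line.split()
        if line.startswith("area ") and " authentication" in line:
            area_types[parts[1]] = "message-digest" if parts[-1] == "message-digest" else "simple"
        elif line.startswith("interface "):
            cur = parts[1]
            interfaces[cur] = {"override": None, "simple_key": None, "md5_keys": []}
        elif cur and line.startswith("ip ospf authentication-key "):
            interfaces[cur]["simple_key"] = parts[-1]
        elif cur and line.startswith("ip ospf authentication"):
            kw = parts[-1]  # 'message-digest', 'null', or the bare command
            interfaces[cur]["override"] = kw if kw in ("message-digest", "null") else "simple"
        elif cur and line.startswith("ip ospf message-digest-key "):
            interfaces[cur]["md5_keys"].append(parts[3])
    return area_types, interfaces

def effective_auth(area_types, interfaces, interface_area):
    """Interface-level command wins, otherwise the area setting, otherwise null;
    flag any interface whose resolved type has no matching key configured."""
    report = {}
    for name, cfg in interfaces.items():
        auth = cfg["override"] or area_types.get(interface_area.get(name), "null")
        problem = None
        if auth == "message-digest" and not cfg["md5_keys"]:
            problem = "MD5 enabled but no message-digest-key (IOS: 'using default key id 0')"
        elif auth == "simple" and not cfg["simple_key"]:
            problem = "simple password enabled but no authentication-key"
        report[name] = (auth, problem)
    return report
```

Running it against the sample flags Serial0/0 as MD5 with no usable key, which is the state behind the "no key configured, using default key id 0" output quoted in the thread.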


This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:37 ART