27 Nov 2011

OSPF Authentication #1

Three authentication modes (the AuType value carried in the OSPF packet header):
  • 0 - null, no authentication
  • 1 - clear-text (simple password)
  • 2 - MD5 (cryptographic authentication)
Per-interface authentication:
r1(config)#interface s1/0
r1(config-if)#ip ospf authentication ?
  message-digest  Use message-digest authentication
  null            Use no authentication


MD5 authentication:

With "ip ospf authentication message-digest" on the interface, configure the key id and the key:
r1(config-if)#ip ospf message-digest-key 1 md5 ccie_lab

Clear-text authentication:

"ip ospf authentication" with no keyword selects clear-text authentication; then configure the password:
r1(config-if)#ip ospf authentication-key joe

Bad configuration #1: 

interface Serial1/1
 ip address 13.0.0.1 255.255.255.0
 ip ospf authentication-key joe

There is no authentication here: a clear-text key is configured, but "ip ospf authentication" was never entered, so the interface still sends and accepts type 0 (null) packets and the key is ignored. The adjacency comes up anyway, which is why this is easy to miss. Check with "show ip ospf interface".



Bad configuration #2: 

interface Serial1/1
 ip ospf authentication message-digest
 ip ospf authentication-key joe

MD5 authentication is enabled here, but the key was entered with "authentication-key" (the clear-text command) instead of "message-digest-key", so no MD5 key exists. The adjacency still works:
r1#show ip ospf interface Serial1/1
Serial1/1 is up, line protocol is up 
[...]
  Message digest authentication enabled
      No key configured, using default key id 0

Both neighbours fall back to key id 0 with no configured secret, so the digest protects nothing even though the interface reports MD5 as enabled.

Don't forget to use the same key id on both sides, or the adjacency won't form. Multiple key ids can exist on the same interface (this is how keys are rolled over).


Area Authentication

Authentication can also be configured for a whole area (MD5 or clear-text).
On each router:
router ospf 1
 area 0 authentication message-digest
And on every interface in area 0:

interface Serial1/0
 ip ospf message-digest-key 1 md5 CCIE_LAB

Note that here there is no need to configure "ip ospf authentication message-digest" on the interface; the area command enables it. The key itself is still configured per interface.


If a virtual link is used (virtual links belong to area 0), configure on each end of the link, even if the router has no interface in area 0:

router ospf 1
 area 0 authentication message-digest
 area 234 virtual-link 2.2.2.2 authentication message-digest
 area 234 virtual-link 2.2.2.2 message-digest-key 1 md5 CCIE_LAB



Troubleshooting

Always look at "show ip ospf interface <intf>" and see what's happening. If you see that key id 0 is in use with MD5, you will NOT get credit for a section that tells you to use "cisco" as the password!

To check authentication problems:
r1#debug ip ospf adj 

The neighbour sends MD5 (type 2) while this side has no authentication (type 0):
00:39:54: OSPF: Rcv pkt from 13.0.0.3, Serial1/1 : Mismatch Authentication type. Input packet specified type 2, we use type 0

The neighbour sends MD5 while this side is configured for clear-text (type 1):
00:40:04: OSPF: Rcv pkt from 13.0.0.3, Serial1/1 : Mismatch Authentication type. Input packet specified type 2, we use type 1

Both sides use MD5, but the neighbour sends key id 0 (no message-digest-key configured, bad configuration #2 above) and this side has no key 0:
00:51:54: OSPF: Rcv pkt from 13.0.0.3, Serial1/1 : Mismatch Authentication Key - No message digest key 0 on interface
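What the router is actually checking in the cases above, as an added example that is not part of the original post and is not IOS code: a Python model of OSPF packet authentication as specified in RFC 2328 Appendix D. build_hello() produces the bytes a router would send under each of the three AuType modes (for MD5, the digest is computed over the packet plus the zero-padded key and appended after the packet, with the checksum field zeroed), and verify_hello() applies the receiving checks in the order the debug lines above report them: authentication type, key id, digest, sequence number. The Interface class, router ids, packet bodies and rejection strings are constructed for this example; the wording of the rejections copies the debug lines above. One assumption is labelled in the code: the "No key configured, using default key id 0" state is modelled as key id 0 with an empty key, which is what makes two bad-configuration-#2 routers agree and lets anyone on the segment produce an acceptable digest.

```python
"""OSPF packet authentication as in RFC 2328 Appendix D (added example, not IOS code)."""
import hashlib
import hmac
import struct

OSPF_VERSION, HELLO, HDR_LEN = 2, 1, 24
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2  # AuType values in the OSPF header
SIMPLE_KEY_LEN, MD5_KEY_LEN = 8, 16        # clear-text key fills the 64-bit auth field; MD5 key is zero-padded to 16
HDR = "!BBHIIHH8s"  # version, type, length, router id, area id, checksum, autype, authentication


class Interface:
    """Per-interface authentication state, mirroring the IOS commands on the page."""
    def __init__(self, auth_type, simple_key=b"", md5_keys=None):
        self.auth_type = auth_type      # ip ospf authentication [null | message-digest]
        self.simple_key = simple_key    # ip ospf authentication-key <key>
        self.md5_keys = md5_keys or {}  # ip ospf message-digest-key <id> md5 <key>
        self.seq = 0                    # cryptographic sequence number we send
        self.last_seq = {}              # highest sequence number accepted, per neighbour router id

    def md5_key(self, key_id):
        """Key for key_id, or None. Assumption: the IOS 'No key configured, using default key id 0'
        state is modelled as key id 0 with an empty key (all zeros after padding)."""
        if self.md5_keys:
            return self.md5_keys.get(key_id)
        return b"" if key_id == 0 else None


def ip_checksum(data):
    """RFC 1071 one's-complement checksum; yields 0 over data that already carries a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data + b"\x00" * (len(data) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(intf, router_id, area_id, body=b"constructed hello body"):
    """Wire bytes a router with this interface configuration would send."""
    length = HDR_LEN + len(body)  # the MD5 digest is appended and not counted in the length field
    if intf.auth_type == AUTH_MD5:
        key_id = max(intf.md5_keys) if intf.md5_keys else 0  # newest key, or default key id 0
        intf.seq += 1
        # D.4.3: checksum field is 0; auth field = 0, key id, digest length, sequence number
        auth = struct.pack("!HBBI", 0, key_id, MD5_KEY_LEN, intf.seq)
        pkt = struct.pack(HDR, OSPF_VERSION, HELLO, length, router_id, area_id, 0, AUTH_MD5, auth) + body
        return pkt + hashlib.md5(pkt + intf.md5_key(key_id).ljust(MD5_KEY_LEN, b"\x00")).digest()
    auth = intf.simple_key[:SIMPLE_KEY_LEN].ljust(SIMPLE_KEY_LEN, b"\x00") if intf.auth_type == AUTH_SIMPLE else bytes(8)
    # the checksum covers the packet minus the 64-bit authentication field
    csum = ip_checksum(struct.pack("!BBHIIHH", OSPF_VERSION, HELLO, length, router_id, area_id, 0, intf.auth_type) + body)
    return struct.pack(HDR, OSPF_VERSION, HELLO, length, router_id, area_id, csum, intf.auth_type, auth) + body


def verify_hello(intf, pkt, neighbor):
    """Return 'ok' or a rejection reason worded like the debug lines above."""
    _, _, length, _, _, csum, autype, auth = struct.unpack(HDR, pkt[:HDR_LEN])
    if autype != intf.auth_type:
        return "Mismatch Authentication type. Input packet specified type %d, we use type %d" % (autype, intf.auth_type)
    if autype == AUTH_MD5:
        _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        key = intf.md5_key(key_id)
        if key is None:
            return "Mismatch Authentication Key - No message digest key %d on interface" % key_id
        if csum != 0 or digest_len != MD5_KEY_LEN:
            return "Malformed cryptographic authentication header"
        expected = hashlib.md5(pkt[:length] + key.ljust(MD5_KEY_LEN, b"\x00")).digest()
        if not hmac.compare_digest(expected, pkt[length:length + MD5_KEY_LEN]):
            return "Mismatch Authentication Key - Message Digest Key %d" % key_id
        if seq < intf.last_seq.get(neighbor, 0):  # RFC: discard only when the sequence number goes backwards
            return "Replayed packet: sequence number %d below the last one accepted" % seq
        intf.last_seq[neighbor] = seq
        return "ok"
    if ip_checksum(pkt[:16] + pkt[HDR_LEN:length]) != 0:
        return "Bad checksum"
    if autype == AUTH_SIMPLE and not hmac.compare_digest(auth, intf.simple_key[:SIMPLE_KEY_LEN].ljust(SIMPLE_KEY_LEN, b"\x00")):
        return "Mismatch Authentication Key - Clear Text Key"
    return "ok"


def scenarios():
    """Replay the configurations discussed on the page; returns {case: verdict}."""
    r1, r3, a0 = 0x0D000001, 0x0D000003, 0  # 13.0.0.1 and 13.0.0.3 as router ids (constructed)
    good = lambda: Interface(AUTH_MD5, md5_keys={1: b"ccie_lab"})
    out = {"md5 ok": verify_hello(good(), build_hello(good(), r1, a0), r1)}
    # bad configuration #1: authentication-key set but authentication never enabled -> type 0 on the wire
    out["bad #1 accepted"] = verify_hello(Interface(AUTH_NULL), build_hello(Interface(AUTH_NULL, simple_key=b"joe"), r1, a0), r1)
    # bad configuration #2: message-digest enabled without a message-digest-key -> key id 0, no secret to forge
    victim = Interface(AUTH_MD5)
    out["bad #2 accepted"] = verify_hello(victim, build_hello(Interface(AUTH_MD5), r1, a0), r1)
    out["bad #2 forged"] = verify_hello(victim, build_hello(Interface(AUTH_MD5), 0x0A0A0A0A, a0), 0x0A0A0A0A)
    # the three debug lines quoted above, plus a wrong key
    out["type 2 vs 0"] = verify_hello(Interface(AUTH_NULL), build_hello(good(), r3, a0), r3)
    out["type 2 vs 1"] = verify_hello(Interface(AUTH_SIMPLE, simple_key=b"joe"), build_hello(good(), r3, a0), r3)
    out["no key 0"] = verify_hello(good(), build_hello(Interface(AUTH_MD5), r3, a0), r3)
    out["wrong key"] = verify_hello(good(), build_hello(Interface(AUTH_MD5, md5_keys={1: b"cisco"}), r3, a0), r3)
    # a captured packet replayed after a newer one was accepted
    sender, receiver = good(), good()
    old = build_hello(sender, r3, a0)
    verify_hello(receiver, old, r3)
    verify_hello(receiver, build_hello(sender, r3, a0), r3)
    out["replay"] = verify_hello(receiver, old, r3)
    return out


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print("%-16s %s" % (case, verdict))
```

Run it and compare the verdicts with the debug output above: the two "bad" configurations are accepted exactly as the page says, and the forged packet against bad configuration #2 is accepted too, because an empty key is no key. Note the replay rule: RFC 2328 only discards a packet whose sequence number is lower than the last one accepted, so a verbatim replay of the most recent packet still passes; the sequence number protects against old captures, not against an immediate replay.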


