2/3/2014

Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

IP Routing

Sample Configuration for Authentication in OSPF

HOME SUPPORT TECHNOLOGY SUPPORT IP IP ROUTING CONFIGURE CONFIGURATION EXAMPLES AND TECHNOTES Sample Configuration for Authentication in OSPF Introduction Prerequisites Requirements Components Used Conventions Background Information Configure Network Diagram Configurations for Plain Text Authentication Configurations for MD5 Authentication Verify Verify Plain Text Authentication Verify MD5 Authentication Troubleshoot Troubleshoot Plain Text Authentication Troubleshoot MD5 Authentication Related Information Related Cisco Support Community Discussions

Contents

Introduction
This document shows sample configurations for Open Shortest Path First (OSPF) authentication which allows the flexibility to authenticate OSPF neighbors. You can enable authentication in OSPF in order to exchange routing update information in a secure manner. OSPF authentication can either be none (or null), simple, or MD5. The authentication method "none" means that no authentication is used for OSPF and it is the default method. With simple authentication, the password goes in clear-text over the network. With MD5 authentication, the password does not pass over the network. MD5 is a message-digest algorithm specified in RFC 1321. MD5 is considered the most secure OSPF authentication mode. When you configure authentication, you must configure an entire area with the same type of authentication. Starting with Cisco IOS Software Release 12.0(8), authentication is supported on a perinterface basis. This is also mentioned in RFC 2328 , Appendix D. This feature is added in Cisco bug ID CSCdk33792 (registered customers only) .

Prerequisites
Requirements
Readers of this document should be familiar with basic concepts of OSPF routing protocol. Refer to the Open Shortest Path First documentation for information on OSPF routing protocol.

Components Used
The information in this document is based on these software and hardware versions. Cisco 2503 routers Cisco IOS Software Release 12.2(27) The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

Background Information

1/8

2/3/2014

Background Information

Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

These are the three different types of authentication supported by OSPF. Null AuthenticationThis is also called Type 0 and it means no authentication information is included in the packet header. It is the default. Plain Text AuthenticationThis is also called Type 1 and it uses simple clear-text passwords. MD5 AuthenticationThis is also called Type 2 and it uses MD5 cryptographic passwords. Authentication does not need to be set. However, if it is set, all peer routers on the same segment must have the same password and authentication method. The examples in this document demonstrate configurations for both plain text and MD5 authentication.

Configure
This section presents you with the information to configure the features this document describes. Note: Use the Command Lookup Tool (registered customers only) to find additional information on the commands used in this document.

Network Diagram
This document uses this network setup.

Configurations for Plain Text Authentication

Plain text authentication is used when devices within an area cannot support the more secure MD5 authentication. Plain text authentication leaves the internetwork vulnerable to a "sniffer attack," in which packets are captured by a protocol analyzer and the passwords can be read. However, it is useful when you perform OSPF reconfiguration, rather than for security. For example, separate passwords can be used on older and newer OSPF routers that share a common broadcast network to prevent them from talking to each other. Plain text authentication passwords do not have to be the same throughout an area, but they must be the same between neighbors. R2-2503 R1-2503 R2-2503
i n t e r f a c eL o o p b a c k 0 i pa d d r e s s7 0 . 7 0 . 7 0 . 7 02 5 5 . 2 5 5 . 2 5 5 . 2 5 5 ! i n t e r f a c eS e r i a l 0 i pa d d r e s s1 9 2 . 1 6 . 6 4 . 22 5 5 . 2 5 5 . 2 5 5 . 0 i po s p fa u t h e n t i c a t i o n k e yc 1 $ c 0 ! -T h eK e yv a l u ei ss e ta s" c 1 $ c 0" . ! -I ti st h ep a s s w o r dt h a ti ss e n ta c r o s st h en e t w o r k . c l o c k r a t e6 4 0 0 0 ! r o u t e ro s p f1 0 l o g a d j a c e n c y c h a n g e s n e t w o r k7 0 . 0 . 0 . 00 . 2 5 5 . 2 5 5 . 2 5 5a r e a0 n e t w o r k1 9 2 . 1 6 . 6 4 . 00 . 0 . 0 . 2 5 5a r e a0 a r e a0a u t h e n t i c a t i o n ! -P l a i nt e x ta u t h e n t i c a t i o ni se n a b l e df o r ! -a l li n t e r f a c e si nA r e a0 .

R1-2503
i n t e r f a c eL o o p b a c k 0 i pa d d r e s s1 7 2 . 1 6 . 1 0 . 3 62 5 5 . 2 5 5 . 2 5 5 . 2 4 0 ! i n t e r f a c eS e r i a l 0 i pa d d r e s s1 9 2 . 1 6 . 6 4 . 12 5 5 . 2 5 5 . 2 5 5 . 0

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

2/8

2/3/2014

Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

i pa d d r e s s1 9 2 . 1 6 . 6 4 . 12 5 5 . 2 5 5 . 2 5 5 . 0 i po s p fa u t h e n t i c a t i o n k e yc 1 $ c 0 ! -T h eK e yv a l u ei ss e ta s" c 1 $ c 0" . ! -I ti st h ep a s s w o r dt h a ti ss e n ta c r o s st h en e t w o r k . ! r o u t e ro s p f1 0 n e t w o r k1 7 2 . 1 6 . 0 . 00 . 0 . 2 5 5 . 2 5 5a r e a0 n e t w o r k1 9 2 . 1 6 . 6 4 . 00 . 0 . 0 . 2 5 5a r e a0 a r e a0a u t h e n t i c a t i o n

! -P l a i nt e x ta u t h e n t i c a t i o ni se n a b l e d ! -f o ra l li n t e r f a c e si nA r e a0 .

Note: The area authentication command in the configuration enables authentication for all the interfaces of the router in a particular area. You can also use the ip ospf authentication command under the interface to configure plain text authentication for the interface. This command can be used if a different authentication method or no authentication method is configured under the area to which the interface belongs. It overrides the authentication method configured for the area. This is useful if different interfaces that belong to the same area need to use different authentication methods.

Configurations for MD5 Authentication

MD5 authentication provides higher security than plain text authentication. This method uses the MD5 algorithm to compute a hash value from the contents of the OSPF packet and a password (or key). This hash value is transmitted in the packet, along with a key ID and a non-decreasing sequence number. The receiver, which knows the same password, calculates its own hash value. If nothing in the message changes, the hash value of the receiver should match the hash value of the sender which is transmitted with the message. The key ID allows the routers to reference multiple passwords. This makes password migration easier and more secure. For example, to migrate from one password to another, configure a password under a different key ID and remove the first key. The sequence number prevents replay attacks, in which OSPF packets are captured, modified, and retransmitted to a router. As with plain text authentication, MD5 authentication passwords do not have to be the same throughout an area. However, they do need to be the same between neighbors. Note: Cisco recommends that you configure the service password-encryption command on all of the routers. This causes the router to encrypt the passwords in any display of the configuration file and guards against the password being learned by observing the text copy of the configuration of the router. R2-2503 R1-2503 R2-2503
i n t e r f a c eL o o p b a c k 0 i pa d d r e s s7 0 . 7 0 . 7 0 . 7 02 5 5 . 2 5 5 . 2 5 5 . 2 5 5 ! i n t e r f a c eS e r i a l 0 i pa d d r e s s1 9 2 . 1 6 . 6 4 . 22 5 5 . 2 5 5 . 2 5 5 . 0 i po s p fm e s s a g e d i g e s t k e y1m d 5c 1 $ c 0 ! -M e s s a g ed i g e s tk e yw i t hI D" 1 "a n d ! -K e yv a l u e( p a s s w o r d )i ss e ta s" c 1 $ c 0" . c l o c k r a t e6 4 0 0 0 ! r o u t e ro s p f1 0 n e t w o r k1 9 2 . 1 6 . 6 4 . 00 . 0 . 0 . 2 5 5a r e a0 n e t w o r k7 0 . 0 . 0 . 00 . 2 5 5 . 2 5 5 . 2 5 5a r e a0 a r e a0a u t h e n t i c a t i o nm e s s a g e d i g e s t>

! -M D 5a u t h e n t i c a t i o ni se n a b l e df o r ! -a l li n t e r f a c e si nA r e a0 .

R1-2503
i n t e r f a c eL o o p b a c k 0 i pa d d r e s s1 7 2 . 1 6 . 1 0 . 3 62 5 5 . 2 5 5 . 2 5 5 . 2 4 0 ! i n t e r f a c eS e r i a l 0

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

3/8

2/3/2014

i n t e r f a c eS e r i a l 0 i pa d d r e s s1 9 2 . 1 6 . 6 4 . 12 5 5 . 2 5 5 . 2 5 5 . 0 i po s p fm e s s a g e d i g e s t k e y1m d 5c 1 $ c 0

Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

! -M e s s a g ed i g e s tk e yw i t hI D" 1 "a n d ! -K e y( p a s s w o r d )v a l u ei ss e ta s" c 1 $ c 0" . ! r o u t e ro s p f1 0 n e t w o r k1 7 2 . 1 6 . 0 . 00 . 0 . 2 5 5 . 2 5 5a r e a0 n e t w o r k1 9 2 . 1 6 . 6 4 . 00 . 0 . 0 . 2 5 5a r e a0 a r e a0a u t h e n t i c a t i o nm e s s a g e d i g e s t ! -M D 5a u t h e n t i c a t i o ni se n a b l e df o r ! -a l li n t e r f a c e si nA r e a0 .

Note: The area authentication message-digest command in this configuration enables authentication for all of the router interfaces in a particular area. You can also use the ip ospf authentication message-digest command under the interface to configure MD5 authentication for the specific interface. This command can be used if a different authentication method or no authentication method is configured under the area to which the interface belongs. It overrides the authentication method configured for the area. This is useful if different interfaces that belong to the same area need to use different authentication methods.

Verify
These sections provide information you can use to confirm your configurations work properly. Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.

Verify Plain Text Authentication

Use the show ip ospf interface command to view the authentication type configured for an interface, as this output shows. Here, the Serial 0 interface is configured for Plain text authentication.
R 1 2 5 0 3 #s h o wi po s p fi n t e r f a c es e r i a l 0 S e r i a l 0i su p ,l i n ep r o t o c o li su p I n t e r n e tA d d r e s s1 9 2 . 1 6 . 6 4 . 1 / 2 4 ,A r e a0 P r o c e s sI D1 0 ,R o u t e rI D1 7 2 . 1 6 . 1 0 . 3 6 ,N e t w o r kT y p eP O I N T _ T O _ P O I N T ,C o s t :6 4 T r a n s m i tD e l a yi s1s e c ,S t a t eP O I N T _ T O _ P O I N T , T i m e ri n t e r v a l sc o n f i g u r e d ,H e l l o1 0 ,D e a d4 0 ,W a i t4 0 ,R e t r a n s m i t5 H e l l od u ei n0 0 : 0 0 : 0 4 I n d e x2 / 2 ,f l o o dq u e u el e n g t h0 N e x t0 x 0 ( 0 ) / 0 x 0 ( 0 ) L a s tf l o o ds c a nl e n g t hi s1 ,m a x i m u mi s1 L a s tf l o o ds c a nt i m ei s0m s e c ,m a x i m u mi s4m s e c N e i g h b o rC o u n ti s0 ,A d j a c e n tn e i g h b o rc o u n ti s0 S u p p r e s sh e l l of o r0n e i g h b o r ( s ) S i m p l ep a s s w o r da u t h e n t i c a t i o ne n a b l e d

The show ip ospf neighbor command displays the neighbor table that consists of the neighbor details, as this output shows.
R 1 2 5 0 3 #s h o wi po s p fn e i g h b o r N e i g h b o rI D 7 0 . 7 0 . 7 0 . 7 0 P r i 1 S t a t e F U L L / D e a dT i m e 0 0 : 0 0 : 3 1 A d d r e s s 1 9 2 . 1 6 . 6 4 . 2 I n t e r f a c e S e r i a l 0

The show ip route command displays the routing table, as this output shows.
R 1 2 5 0 3 #s h o wi pr o u t e C o d e s :C-c o n n e c t e d ,S-s t a t i c ,I-I G R P ,R-R I P ,M-m o b i l e ,B-B G P D-E I G R P ,E X-E I G R Pe x t e r n a l ,O-O S P F ,I A-O S P Fi n t e ra r e a N 1-O S P FN S S Ae x t e r n a lt y p e1 ,N 2-O S P FN S S Ae x t e r n a lt y p e2 E 1-O S P Fe x t e r n a lt y p e1 ,E 2-O S P Fe x t e r n a lt y p e2 ,E-E G P i-I S I S ,L 1-I S I Sl e v e l 1 ,L 2-I S I Sl e v e l 2 ,i a-I S I Si n t e ra r e a *-c a n d i d a t ed e f a u l t ,U-p e r u s e rs t a t i cr o u t e ,o-O D R P-p e r i o d i cd o w n l o a d e ds t a t i cr o u t e G a t e w a yo fl a s tr e s o r ti sn o ts e t 7 0 . 0 . 0 . 0 / 3 2i ss u b n e t t e d ,1s u b n e t s 7 0 . 7 0 . 7 0 . 7 0[ 1 1 0 / 6 5 ]v i a1 9 2 . 1 6 . 6 4 . 2 ,0 0 : 0 3 : 2 8 ,S e r i a l 0 1 7 2 . 1 6 . 0 . 0 / 2 8i ss u b n e t t e d ,1s u b n e t s 1 7 2 . 1 6 . 1 0 . 3 2i sd i r e c t l yc o n n e c t e d ,L o o p b a c k 0 1 9 2 . 1 6 . 6 4 . 0 / 2 4i sd i r e c t l yc o n n e c t e d ,S e r i a l 0

O C C

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

4/8

2/3/2014

Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

Verify MD5 Authentication

Use the show ip ospf interface command to view the authentication type configured for an interface, as this output shows. Here, the Serial 0 interface has been configured for MD5 authentication with key ID "1".
R 1 2 5 0 3 #s h o wi po s p fi n t e r f a c es e r i a l 0 S e r i a l 0i su p ,l i n ep r o t o c o li su p I n t e r n e tA d d r e s s1 9 2 . 1 6 . 6 4 . 1 / 2 4 ,A r e a0 P r o c e s sI D1 0 ,R o u t e rI D 1 7 2 . 1 6 . 1 0 . 3 6,N e t w o r kT y p eP O I N T _ T O _ P O I N T ,C o s t :6 4 T r a n s m i tD e l a yi s1s e c ,S t a t eP O I N T _ T O _ P O I N T , T i m e ri n t e r v a l sc o n f i g u r e d ,H e l l o1 0 ,D e a d4 0 ,W a i t4 0 ,R e t r a n s m i t5 H e l l od u ei n0 0 : 0 0 : 0 5 I n d e x2 / 2 ,f l o o dq u e u el e n g t h0 N e x t0 x 0 ( 0 ) / 0 x 0 ( 0 ) L a s tf l o o ds c a nl e n g t hi s1 ,m a x i m u mi s1 L a s tf l o o ds c a nt i m ei s0m s e c ,m a x i m u mi s4m s e c N e i g h b o rC o u n ti s1 ,A d j a c e n tn e i g h b o rc o u n ti s1 A d j a c e n tw i t hn e i g h b o r7 0 . 7 0 . 7 0 . 7 0 S u p p r e s sh e l l of o r0n e i g h b o r ( s ) M e s s a g ed i g e s ta u t h e n t i c a t i o ne n a b l e d Y o u n g e s tk e yi di s1

The show ip ospf neighbor command displays the neighbor table that consists of the neighbor details, as this output shows.
R 1 2 5 0 3 #s h o wi po s p fn e i g h b o r N e i g h b o rI D 7 0 . 7 0 . 7 0 . 7 0 R 1 2 5 0 3 # P r i 1 S t a t e F U L L / D e a dT i m e 0 0 : 0 0 : 3 4 A d d r e s s 1 9 2 . 1 6 . 6 4 . 2 I n t e r f a c e S e r i a l 0

The show ip route command displays the routing table, as this output shows.
R 1 2 5 0 3 #s h o wi pr o u t e C o d e s :C-c o n n e c t e d ,S-s t a t i c ,I-I G R P ,R-R I P ,M-m o b i l e ,B-B G P D-E I G R P ,E X-E I G R Pe x t e r n a l ,O-O S P F ,I A-O S P Fi n t e ra r e a N 1-O S P FN S S Ae x t e r n a lt y p e1 ,N 2-O S P FN S S Ae x t e r n a lt y p e2 E 1-O S P Fe x t e r n a lt y p e1 ,E 2-O S P Fe x t e r n a lt y p e2 ,E-E G P i-I S I S ,L 1-I S I Sl e v e l 1 ,L 2-I S I Sl e v e l 2 ,i a-I S I Si n t e ra r e a *-c a n d i d a t ed e f a u l t ,U-p e r u s e rs t a t i cr o u t e ,o-O D R P-p e r i o d i cd o w n l o a d e ds t a t i cr o u t e G a t e w a yo fl a s tr e s o r ti sn o ts e t 7 0 . 0 . 0 . 0 / 3 2i ss u b n e t t e d ,1s u b n e t s 7 0 . 7 0 . 7 0 . 7 0[ 1 1 0 / 6 5 ]v i a1 9 2 . 1 6 . 6 4 . 2 ,0 0 : 0 1 : 2 3 ,S e r i a l 0 1 7 2 . 1 6 . 0 . 0 / 2 8i ss u b n e t t e d ,1s u b n e t s 1 7 2 . 1 6 . 1 0 . 3 2i sd i r e c t l yc o n n e c t e d ,L o o p b a c k 0 1 9 2 . 1 6 . 6 4 . 0 / 2 4i sd i r e c t l yc o n n e c t e d ,S e r i a l 0

O C C

Troubleshoot
These sections provide information you can use to troubleshoot your configurations. Issue the debug ip ospf adj command in order to capture the authentication process. This debug command should be issued before the neighbor relationship is established. Note: Refer to Important Information on Debug Commands before you use debug commands.

Troubleshoot Plain Text Authentication

The deb ip ospf adj output for R1-2503 shows when plain text authentication is successful.
R 1 2 5 0 3 #d e b u gi po s p fa d j 0 0 : 5 0 : 5 7 :% L I N K 3 U P D O W N :I n t e r f a c eS e r i a l 0 ,c h a n g e ds t a t et od o w n 0 0 : 5 0 : 5 7 :O S P F :I n t e r f a c eS e r i a l 0g o i n gD o w n 0 0 : 5 0 : 5 7 :O S P F :1 7 2 . 1 6 . 1 0 . 3 6a d d r e s s1 9 2 . 1 6 . 6 4 . 1o nS e r i a l 0i sd e a d , s t a t eD O W N 0 0 : 5 0 : 5 7 :O S P F :7 0 . 7 0 . 7 0 . 7 0a d d r e s s1 9 2 . 1 6 . 6 4 . 2o nS e r i a l 0i sd e a d , s t a t eD O W N 0 0 : 5 0 : 5 7 :% O S P F 5 A D J C H G :P r o c e s s1 0 ,N b r7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0f r o m F U L Lt oD O W N ,N e i g h b o rD o w n :I n t e r f a c ed o w no rd e t a c h e d 0 0 : 5 0 : 5 8 :O S P F :B u i l dr o u t e rL S Af o ra r e a0 ,r o u t e rI D1 7 2 . 1 6 . 1 0 . 3 6 , s e q0 x 8 0 0 0 0 0 0 9 0 0 : 5 0 : 5 8 :% L I N E P R O T O 5 U P D O W N :L i n ep r o t o c o lo nI n t e r f a c eS e r i a l 0 , c h a n g e ds t a t et od o w n 0 0 : 5 1 : 0 3 :% L I N K 3 U P D O W N :I n t e r f a c eS e r i a l 0 ,c h a n g e ds t a t et ou p 0 0 : 5 1 : 0 3 :O S P F :I n t e r f a c eS e r i a l 0g o i n gU p 0 0 : 5 1 : 0 4 :O S P F :B u i l dr o u t e rL S Af o ra r e a0 ,r o u t e rI D1 7 2 . 1 6 . 1 0 . 3 6 , s e q0 x 8 0 0 0 0 0 0 A

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

0 0 : 5 1 : 0 4 :% L I N E P R O T O 5 U P D O W N :L i n ep r o t o c o lo nI n t e r f a c eS e r i a l 0 ,

5/8

2/3/2014

Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

0 0 : 5 1 : 0 4 :% L I N E P R O T O 5 U P D O W N :L i n ep r o t o c o lo nI n t e r f a c eS e r i a l 0 , c h a n g e ds t a t et ou p 0 0 : 5 1 : 1 3 :O S P F :2W a yC o m m u n i c a t i o nt o7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0 , s t a t e2 W A Y 0 0 : 5 1 : 1 3 :O S P F :S e n dD B Dt o7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 4 8 6o p t0 x 4 2 f l a g0 x 7l e n3 2 0 0 : 5 1 : 1 3 :O S P F :R c vD B Df r o m7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 1 9 A 4o p t0 x 4 2 f l a g0 x 7l e n3 2m t u1 5 0 0s t a t eE X S T A R T 0 0 : 5 1 : 1 3 :O S P F :F i r s tD B Da n dw ea r en o tS L A V E 0 0 : 5 1 : 1 3 :O S P F :R c vD B Df r o m7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 4 8 6o p t0 x 4 2 f l a g0 x 2l e n7 2m t u1 5 0 0s t a t eE X S T A R T 0 0 : 5 1 : 1 3 :O S P F :N B RN e g o t i a t i o nD o n e .W ea r et h eM A S T E R 0 0 : 5 1 : 1 3 :O S P F :S e n dD B Dt o7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 4 8 7o p t0 x 4 2 f l a g0 x 3l e n7 2 0 0 : 5 1 : 1 3 :O S P F :D a t a b a s er e q u e s tt o7 0 . 7 0 . 7 0 . 7 0 0 0 : 5 1 : 1 3 :O S P F :s e n tL SR E Qp a c k e tt o1 9 2 . 1 6 . 6 4 . 2 ,l e n g t h1 2 0 0 : 5 1 : 1 3 :O S P F :R c vD B Df r o m7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 4 8 7o p t0 x 4 2 f l a g0 x 0l e n3 2m t u1 5 0 0s t a t eE X C H A N G E 0 0 : 5 1 : 1 3 :O S P F :S e n dD B Dt o7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 4 8 8o p t0 x 4 2 f l a g0 x 1l e n3 2 0 0 : 5 1 : 1 3 :O S P F :R c vD B Df r o m7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 4 8 8o p t0 x 4 2 f l a g0 x 0l e n3 2m t u1 5 0 0s t a t eE X C H A N G E 0 0 : 5 1 : 1 3 :O S P F :E x c h a n g eD o n ew i t h7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0 0 0 : 5 1 : 1 3 :O S P F :S y n c h r o n i z e dw i t h7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0 ,s t a t eF U L L ! -I n d i c a t e st h en e i g h b o ra d j a c e n c yi se s t a b l i s h e d . 0 0 : 5 1 : 1 3 :% O S P F 5 A D J C H G :P r o c e s s1 0 ,N b r7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0f r o mL O A D I N G t oF U L L ,L o a d i n gD o n e 0 0 : 5 1 : 1 4 :O S P F :B u i l dr o u t e rL S Af o ra r e a0 ,r o u t e rI D1 7 2 . 1 6 . 1 0 . 3 6 , s e q0 x 8 0 0 0 0 0 0 B R 1 2 5 0 3 #

This is the output of the debug ip ospf adj command when there is a mismatch in the type of authentication configured on the routers. This output shows that Router R1-2503 uses type 1 authentication whereas router R2-2503 is configured for type 0 authentication. This means that Router R1-2503 is configured for plain text authentication (Type 1) whereas Router R2-2503 is configured for null authentication (Type 0).
R 1 2 5 0 3 #d e b u gi po s p fa d j 0 0 : 5 1 : 2 3 :O S P F :R c vp k tf r o m1 9 2 . 1 6 . 6 4 . 2 ,S e r i a l 0:M i s m a t c h A u t h e n t i c a t i o nt y p e . ! -I n p u tp a c k e ts p e c i f i e dt y p e0 ,y o uu s et y p e1 .

This is the output of the debug ip ospf adj command when there is a mismatch in the authentication key (password) values. In this case, both routers are configured for plain text authentication (Type 1) but there is a mismatch in the key (password) values.
R 1 2 5 0 3 #d e b u gi po s p fa d j 0 0 : 5 1 : 3 3 :O S P F :R c vp k tf r o m1 9 2 . 1 6 . 6 4 . 2 ,S e r i a l 0:M i s m a t c h A u t h e n t i c a t i o nK e y-C l e a rT e x t

Troubleshoot MD5 Authentication

This is the debug ip ospf adj command output for R1-2503 when MD5 authentication is successful.
R 1 2 5 0 3 #d e b u gi po s p fa d j 0 0 : 5 9 : 0 3 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 1 3 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 1 7 :% L I N K 3 U P D O W N :I n t e r f a c eS e r i a l 0 ,c h a n g e ds t a t et od o w n 0 0 : 5 9 : 1 7 :O S P F :I n t e r f a c eS e r i a l 0g o i n gD o w n 0 0 : 5 9 : 1 7 :O S P F :1 7 2 . 1 6 . 1 0 . 3 6a d d r e s s1 9 2 . 1 6 . 6 4 . 1o nS e r i a l 0i sd e a d , s t a t eD O W N 0 0 : 5 9 : 1 7 :O S P F :7 0 . 7 0 . 7 0 . 7 0a d d r e s s1 9 2 . 1 6 . 6 4 . 2o nS e r i a l 0i sd e a d , s t a t eD O W N 0 0 : 5 9 : 1 7 :% O S P F 5 A D J C H G :P r o c e s s1 0 ,N b r7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0f r o m F U L Lt oD O W N ,N e i g h b o rD o w n :I n t e r f a c ed o w no rd e t a c h e d 0 0 : 5 9 : 1 7 :O S P F :B u i l dr o u t e rL S Af o ra r e a0 ,r o u t e rI D1 7 2 . 1 6 . 1 0 . 3 6 , s e q0 x 8 0 0 0 0 0 0 E 0 0 : 5 9 : 1 8 :% L I N E P R O T O 5 U P D O W N :L i n ep r o t o c o lo nI n t e r f a c eS e r i a l 0 , c h a n g e ds t a t et od o w n 0 0 : 5 9 : 3 2 :% L I N K 3 U P D O W N :I n t e r f a c eS e r i a l 0 ,c h a n g e ds t a t et ou p 0 0 : 5 9 : 3 2 :O S P F :I n t e r f a c eS e r i a l 0g o i n gU p 0 0 : 5 9 : 3 2 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 3 3 :O S P F :B u i l dr o u t e rL S Af o ra r e a0 ,r o u t e rI D1 7 2 . 1 6 . 1 0 . 3 6 , s e q0 x 8 0 0 0 0 0 0 F 0 0 : 5 9 : 3 3 :% L I N E P R O T O 5 U P D O W N :L i n ep r o t o c o lo nI n t e r f a c eS e r i a l 0 , c h a n g e ds t a t et ou p 0 0 : 5 9 : 4 2 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 4 2 :O S P F :2W a yC o m m u n i c a t i o nt o7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0 , s t a t e2 W A Y

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

6/8

2/3/2014

Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

s t a t e2 W A Y ! -B o t hn e i g h b o r sc o n f i g u r e df o rM e s s a g e ! -d i g e s ta u t h e n t i c a t i o nw i t hK e yI D" 1 " . 0 0 : 5 9 : 4 2 :O S P F :S e n dD B Dt o7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 1 2 5o p t0 x 4 2 f l a g0 x 7 l e n3 2 0 0 : 5 9 : 4 2 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 4 2 :O S P F :R c vD B Df r o m7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 1 1 F 3o p t0 x 4 2 f l a g0 x 7l e n3 2m t u1 5 0 0s t a t eE X S T A R T 0 0 : 5 9 : 4 2 :O S P F :F i r s tD B Da n dw ea r en o tS L A V E 0 0 : 5 9 : 4 2 :O S P F :R c vD B Df r o m7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 1 2 5o p t0 x 4 2 f l a g0 x 2l e n7 2m t u1 5 0 0s t a t eE X S T A R T 0 0 : 5 9 : 4 2 :O S P F :N B RN e g o t i a t i o nD o n e .W ea r et h eM A S T E R 0 0 : 5 9 : 4 2 :O S P F :S e n dD B Dt o7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 1 2 6o p t0 x 4 2 f l a g0 x 3l e n7 2 0 0 : 5 9 : 4 2 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 4 2 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 4 2 :O S P F :D a t a b a s er e q u e s tt o7 0 . 7 0 . 7 0 . 7 0 0 0 : 5 9 : 4 2 :O S P F :s e n tL SR E Qp a c k e tt o1 9 2 . 1 6 . 6 4 . 2 ,l e n g t h1 2 0 0 : 5 9 : 4 2 :O S P F :R c vD B Df r o m7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 1 2 6o p t0 x 4 2 f l a g0 x 0l e n3 2m t u1 5 0 0s t a t eE X C H A N G E 0 0 : 5 9 : 4 2 :O S P F :S e n dD B Dt o7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 1 2 7o p t0 x 4 2 f l a g0 x 1 l e n3 2 0 0 : 5 9 : 4 2 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 4 2 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 4 2 :O S P F :R c vD B Df r o m7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0s e q0 x 2 1 2 7o p t0 x 4 2 f l a g0 x 0l e n3 2m t u1 5 0 0s t a t eE X C H A N G E 0 0 : 5 9 : 4 2 :O S P F :E x c h a n g eD o n ew i t h7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0 0 0 : 5 9 : 4 2 :O S P F :S y n c h r o n i z e dw i t h7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0 ,s t a t eF U L L 0 0 : 5 9 : 4 2 :% O S P F 5 A D J C H G :P r o c e s s1 0 ,N b r7 0 . 7 0 . 7 0 . 7 0o nS e r i a l 0f r o m L O A D I N Gt oF U L L ,L o a d i n gD o n e 0 0 : 5 9 : 4 3 :O S P F :B u i l dr o u t e rL S Af o ra r e a0 ,r o u t e rI D1 7 2 . 1 6 . 1 0 . 3 6 , s e q0 x 8 0 0 0 0 0 1 0 0 0 : 5 9 : 4 3 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 4 5 :O S P F :S e n dw i t hy o u n g e s tK e y1 R 1 2 5 0 3 #

This is the output of the debug ip ospf adj command when there is a mismatch in the type of authentication configured on the routers. This output shows that the router R1-2503 uses type 2 (MD5) authentication whereas Router R2-2503 uses type 1 authentication (plain text authentication).
R 1 2 5 0 3 #d e b u gi po s p fa d j 0 0 : 5 9 : 3 3 :O S P F :R c vp k tf r o m1 9 2 . 1 6 . 6 4 . 2 ,S e r i a l 0:M i s m a t c h A u t h e n t i c a t i o nt y p e . ! -I n p u tp a c k e ts p e c i f i e dt y p e1 ,y o uu s et y p e2 .

This is the output of the debug ip ospf adj command when there is a mismatch in the key IDs that are used for authentication. This output shows that the router R1-2503 uses MD5 authentication with Key ID 1, whereas the Router R2-2503 uses MD5 authentication with Key ID 2.
R 1 2 5 0 3 #d e b u gi po s p fa d j 0 0 : 5 9 : 3 3 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 4 3 :O S P F :R c vp k tf r o m1 9 2 . 1 6 . 6 4 . 2 ,S e r i a l 0:M i s m a t c h A u t h e n t i c a t i o nK e y-N om e s s a g ed i g e s tk e y2o ni n t e r f a c e

This debug ip ospf adj command output for R1-2503 shows when both Key 1 and Key 2 for MD5 authentication are configured as part of migration.
R 1 2 5 0 3 #d e b u gi po s p fa d j 0 0 : 5 9 : 4 3 :O S P F :S e n dw i t hy o u n g e s tK e y1 0 0 : 5 9 : 5 3 :O S P F :S e n dw i t hy o u n g e s tK e y2 ! -I n f o r m st h a tt h i sr o u t e ri sa l s oc o n f i g u r e d ! -f o rK e y2a n db o t hr o u t e r sn o wu s eK e y2 . 0 1 : 0 0 : 5 3 :O S P F :2W a yC o m m u n i c a t i o nt o7 0 . 7 0 . 7 0 . 7 0 o nS e r i a l 0 ,s t a t e2 W A Y R 1 2 5 0 3 #

Related Information
Configuring OSPF Authentication on a Virtual Link Why Does the show ip ospf neighbor Command Reveal Neighbors in the Init State? OSPF Commands OSPF Configuration Examples OSPF Technology Support Page Technical Support & Documentation - Cisco Systems

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

7/8

2/3/2014

Sample Configuration for Authentication in OSPF [IP Routing] - Cisco Systems

Was this document helpful?

Yes

No

Open a Support Case

(Requires a Cisco Service Contract.)

Related Cisco Support Community Discussions

Ask the Expert: Open Shortest Path First (OSPF)
Hi, Kindly explain the concept of forw arding address in OSPF. in WAN, Routing and Sw itching by suresh vs 7 months ago Last Reply 7 months ago

Re: Open Shortest Path First

OSPF by default does not summarize at classsful boundries. It may make it easier if you post your configs. HTH, Dean in WAN, Routing and Sw itching by doliver@crescentheigh ... 8 years and 2 months ago months ago

Re: OSPF route-map not working

The distribute-list command is used to prevent Open Shortest Path First (OSPF) routes from being added to the routing table. It can't really used to adjust ... in WAN, Routing and Sw itching by dclark@au1.ibm.com 4 years and 9 months ago ago

How to see "debug ip ospf events "

To display information on Open Shortest Path First (OSPF)-related events, such as adjacencies, flooding information, designated router selection, and shorte ... in LAN, Sw itching and Routing by Reza Sharifi 1 year ago Last Reply 1 year ago

Catalyst 3750X OSPF support in IP Base image?

Hi all, I'm trying to w ork out if I need to order the "IP services" image for a couple of C3750-X. I need to run OSPF on these sw itches, but find the IOS im ... in LAN, Sw itching and Routing by Simon O'Sullivan 2 years and 10 months ago Last Reply

The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers. Refer to Cisco Technical Tips Conventions for information on conventions used in this document.

Updated: Aug 23, 2005

Document ID: 13697

Information For
Small Business Midsize Business Service Provider Executives Home (Linksys)

News & Alerts

New sroom Blogs Field Notices Security Advisories

Support
Dow nloads Documentation

About Cisco
Investor Relations Corporate Social Responsibility Environmental Sustainability Tomorrow Starts Here Career Opportunities

Communities
Developer Netw ork Learning Netw ork Support Community

Technology Trends
Cloud IPv6 Mobility Open Netw ork Environment Trustw orthy Systems

Industries Contacts
Contact Cisco Find a Partner

Programs
Cisco Designated VIP Program Cisco Pow ered Financing Options

Video Portal

Contacts |

Feedback | Help | Site Map | Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

8/8