Configuring Clear-Text OSPF Neighbor Authentication

A Cisco CCNP 642-901 BSCI Certification Exam Tutorial

By Chris Bryant, CCIE #12933

OSPF adjacencies can be authenticated in either clear-text or MD5 (Message-Digest 5). I personally never use clear-text anything unless an exam makes me do so, but it's a great idea to be familiar with the commands for both neighbor authentication methods and to know how to troubleshoot both authentication types.

In today's Cisco CCNP certification exam tutorial, we'll concentrate on the commands necessary to configure clear-text OSPF neighbor authentication.

Clear-text password protection for OSPF adjacencies is configured with the ip ospf authentication-key and ip ospf authentication commands. Those two commands are very similar, so it's a good idea to know exactly how they're used. We'll use them both to authenticate an adjacency between R1, R2, and R3. R1 is the hub router of an OSPF NBMA network running over a frame relay cloud. R1 has an adjacency with both R2 and R3, the spoke routers of this configuration.

The command ip ospf authentication-key defines the actual password. Obviously, this has to be the same on all routers involved. There's a classic "gotcha" with this command that you should be familiar with. I'll configure a password of ccnptestpass on the serial interface and then look at the router's configuration to make sure I typed it correctly.

R1(config-if)#ip ospf authentication-key ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key)
R1(config-if)#ip ospf authentication-key ccnptestexam

R1#show config
interface Serial0
ip address 172.12.123.1 255.255.255.0
encapsulation frame-relay
ip ospf authentication-key ccnptest

The password was cut off after eight characters. That's because this command has a limit of eight characters, and for some reason the IOS doesn't tell us that when we enter a longer one! This behavior changed with IOS 12.4 (the router now gives a warning regarding password length), but since there are a lot of routers out there not running 12.4 or later, you should be prepared to see a password in the config that may be shorter than the one you typed in!

Once the password is defined, clear-text authentication must be enabled. As always, we can use IOS Help to see our options... but there's no listing for clear-text authentication.

R1(config)#int serial0
R1(config-if)#ip ospf authentication ?
  message-digest  Use message-digest authentication
  null            Use no authentication
  <cr>

For clear-text authentication, use the basic command with no options.

R1(config-if)#ip ospf authentication

We'll now configure the same commands on R2 and R3... because we have to in order to get the adjacencies to form again! Here are the messages I received on R1 shortly after configuring that router for neighbor authentication:

R1#
00:25:38: %OSPF-5-ADJCHG: Process 1, Nbr 172.12.123.2 on Serial0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1#
00:25:58: %OSPF-5-ADJCHG: Process 1, Nbr 172.12.123.3 on Serial0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1#

If you remember the dead time for OSPF NBMA networks, you know about how long that took! When OSPF neighbor authentication is configured on an interface, it must be configured on all neighbors reached through that interface or the adjacencies will drop when the dead timer expires, as they did above. Let's get R2 and R3 up to speed:

R2(config)#interface serial0
R2(config-if)#ip ospf authentication-key ccnptest
R2(config-if)#ip ospf authentication

R3(config)#interface serial0
R3(config-if)#ip ospf authentication-key ccnptest
R3(config-if)#ip ospf authentication

We go back to R1 to check the adjacencies just in time to get a message that the adjacency to R3 is back up. show ip ospf neighbor verifies that both adjacencies are back.

00:31:58: %OSPF-5-ADJCHG: Process 1, Nbr 172.12.123.3 on Serial0 from LOADING to FULL, Loading Done

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.12.123.3      0   FULL/DROTHER    00:01:58    172.12.123.3    Serial0
172.12.123.2      0   FULL/DROTHER    00:01:37    172.12.123.2    Serial0
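A pre-deployment check for the two problems seen above, the silent eight-character truncation and neighbors whose authentication settings do not match, as an added example that is not part of the original tutorial. The config text is constructed, `parse_interfaces` and `audit` are hypothetical helper names, and only the interface-level commands shown on this page are examined.

```python
import ipaddress
from collections import defaultdict

MAX_KEY_LEN = 8  # key length limit the tutorial describes
# Constructed sample configs (keys shown unencrypted): R1's key is too long, R3 never enables auth.
CONFIGS = {
    "R1": "interface Serial0\n ip address 172.12.123.1 255.255.255.0\n"
          " ip ospf authentication-key ccnptestexam\n ip ospf authentication\n",
    "R2": "interface Serial0\n ip address 172.12.123.2 255.255.255.0\n"
          " ip ospf authentication-key ccnptest\n ip ospf authentication\n",
    "R3": "interface Serial0\n ip address 172.12.123.3 255.255.255.0\n"
          " ip ospf authentication-key ccnptest\n",
}

def parse_interfaces(router, config):
    """Return one record per interface stanza in an IOS-style config."""
    records, cur = [], None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            cur = {"who": f"{router} {words[1]}", "net": None, "key": None, "mode": "none"}
            records.append(cur)
        elif cur is None or not words:
            continue
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            cur["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words[:3] == ["ip", "ospf", "authentication-key"]:
            cur["key"] = words[-1]
        elif words[:3] == ["ip", "ospf", "authentication"]:
            cur["mode"] = words[3] if len(words) > 3 else "clear-text"
    return records

def audit(configs):
    """Flag the truncation and mismatch problems the tutorial runs into."""
    findings, by_net = [], defaultdict(list)
    for router, text in configs.items():
        for rec in parse_interfaces(router, text):
            key, clear = rec["key"], rec["mode"] == "clear-text"
            if key and len(key) > MAX_KEY_LEN:
                findings.append(f"{rec['who']}: key is {len(key)} chars, only first {MAX_KEY_LEN} kept")
            if key and not clear:
                findings.append(f"{rec['who']}: key defined but clear-text authentication not enabled")
            if rec["net"] is not None:
                # Compare the key as stored, not as typed; it only matters when clear-text is on.
                effective = key[:MAX_KEY_LEN] if key and clear else None
                by_net[rec["net"]].append((rec["who"], rec["mode"], effective))
    for net, members in by_net.items():
        if len({(mode, key) for _, mode, key in members}) > 1:
            findings.append(f"{net}: settings differ: " + ", ".join(m[0] for m in members))
    return findings
```

Running `audit(CONFIGS)` reports R1's over-length key, R3's missing `ip ospf authentication`, and the resulting mismatch on 172.12.123.0/24; once R3 enables authentication only the truncation finding remains, because the stored keys agree.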

In the next part of this exclusive 642-901 CCNP BSCI exam tutorial, we'll take a look at configuring OSPF neighbor authentication with MD5. See you then!

 
