Configuring Clear-Text OSPF Neighbor Authentication
A Cisco CCNP 642-901 BSCI Certification Exam Tutorial
By Chris Bryant, CCIE #12933
OSPF adjacencies can be authenticated in either clear-text or MD5 (Message-Digest 5). I personally never use clear-text anything unless an exam makes me do so, but it's a great idea to be familiar with the commands for both neighbor authentication methods and to know how to troubleshoot both authentication types.
In today's Cisco CCNP certification exam tutorial, we'll concentrate on the commands necessary to configure clear-text OSPF neighbor authentication.
Clear-text password protection for OSPF adjacencies is configured with the ip ospf authentication-key and ip ospf authentication commands. Those two commands are very similar, so it's a good idea to know exactly how they're used. We'll use them both to authenticate an adjacency between R1, R2, and R3. R1 is the hub router of an OSPF NBMA network running over a frame relay cloud. R1 has an adjacency with both R2 and R3, the spoke routers of this configuration.
The command ip ospf authentication-key defines the actual password. Obviously, this has to be the same on all routers involved. There's a classic "gotcha" with this command that you should be familiar with. I'll configure a password of ccnptestpass on the serial interface and then look at the router's configuration to make sure I typed it correctly.
R1(config-if)#ip ospf authentication-key ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE The OSPF password (key)
R1(config-if)#ip ospf authentication-key ccnptestexam
ip address 184.108.40.206 255.255.255.0
ip ospf authentication-key ccnptest
The password was cut off after eight characters. That's because this command has a limit of eight characters, and for some reason the IOS doesn't tell us that when we enter a longer one! This behavior changed with IOS 12.4 (the router now gives a warning regarding password length), but since there are a lot of routers out there not running 12.4 or later, you should be prepared to see a password in the config that may be shorter than the one you typed in!
Once the password is defined, clear-text authentication must be enabled. As always, we can use IOS Help to see our options... but there's no listing for clear-text authentication.
R1(config-if)#ip ospf authentication ?
message-digest Use message-digest authentication
null Use no authentication
For clear-text authentication, use the basic command with no options.
R1(config-if)#ip ospf authentication
We'll now configure the same commands on R2 and R3....because we have to in order to get the adjacencies to form again! Here are the messages I received on R1 shortly after configuring that router for neighbor authentication:
00:25:38: %OSPF-5-ADJCHG: Process 1, Nbr 220.127.116.11 on Serial0 from FULL to DOWN, Neighbor Down: Dead timer expired
00:25:58: %OSPF-5-ADJCHG: Process 1, Nbr 18.104.22.168 on Serial0 from FULL to DOWN, Neighbor Down: Dead timer expired
If you remember the dead time for OSPF NBMA networks, you know about how long that took! When OSPF neighbor authentication is configured on an interface, it must be configured on all neighbors reached through that interface or the adjacencies will drop when the dead timer expires, as they did above. Let's get R2 and R3 up to speed:
R2(config-if)#ip ospf authentication-key ccnptest
R2(config-if)#ip ospf authentication
R3(config-if)#ip ospf authentication-key ccnptest
R3(config-if)#ip ospf authentication
We go back to R1 to check the adjacencies just in time to get a message that the adjacency to R3 is back up. show ip ospf neighbor verifies that both adjacencies are back.
00:31:58: %OSPF-5-ADJCHG: Process 1, Nbr 22.214.171.124 on Serial0 from LOADING to FULL, Loading Done
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
126.96.36.199 0 FULL/DROTHER 00:01:58 188.8.131.52 Serial0
184.108.40.206 0 FULL/DROTHER 00:01:37 220.127.116.11 Serial0
In the next part of this exclusive 642-901 CCNP BSCI exam tutorial, we'll take a look at configuring OSPF neighbor authentication with MD5. See you then!
Why Pay The Outrageous Boot Camp Fees of $2,000 to $4,000+
To Pass The BSCI Exam, When For The First Time Ever You Can…
“Become A CCNP And Earn An Average Salary Of $88,000 A Year
Using A Proven BSCI Exam Study Package That’s Guaranteed To Add 150+ Points To Your Exam Score… Dirt Cheap!"
… And You Will NOT Pay For Expensive Software!
… You’ll Work On REAL Cisco Routers and Switches!
… And You’ll Do It All From The Comfort of Your Home!
All With The Ultimate BSCI Study Package.
Start Preparing To Pass The BSCI Exam Today!
To your success,