Configuring Authentication

The system supports the following authentication capabilities:

• Null authentication
• Simple password authentication
• MD5 authentication

The MD5 algorithm takes as input a message of arbitrary length and produces a 128-bit fingerprint or message digest of the input. MD5 is used to create digital signatures. It is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, called a message digest.

When using a one-way hash function, you can compare a calculated message digest with the message digest that is decrypted using a public key (password). The key verifies that the message has not been tampered with. This comparison process is called a hashcheck.

Note: You must first issue the address area command before issuing any other address command.

Authentication Requirements

If you configure either simple password or MD5 authentication, the password or authentication key must be the same on both sides of an adjacency. When you change the password or key on one side of an established adjacency, you must also change it on the other side within the dead interval. This enables a hello packet that has the latest authentication information to be sent before the dead interval expires. If the packet is not sent with the dead interval, the adjacency breaks down and is not reestablished until both sides of the adjacency have the same password or key.

    address authentication-key

• Use to assign a password used by neighboring routers for OSPF simple password authentication.
• The interface can have an IP address, or it can be unnumbered.
• You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
• The password, or key, is a character string up to 8 characters in length.
• Example

host1(config-router)#address 10.12.10.2 authentication-key 
9rdf7

• Use the no version to delete the password from the specified interface.

    address authentication message-digest

• Use to specify that MD5 authentication is used for the OSPF interface.
• You must configure the MD5 key ID and password with the address message-digest-key md5 command.
• Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password.
• Example

host1(config-router)#address 10.12.10.2 authentication 
message-digest

• Use the no version to set authentication for the interface to none without removing any configured MD5 key. You could subsequently apply MD5 authentication to the interface without having to reconfigure the key.

    address authentication-none

• Use to disable authentication on the interface.
• The interface can have an IP address, or it can be unnumbered.
• Example

host1(config-router)#address 192.168.10.32 
authentication-none 

• The no version has no effect.

    address message-digest-key md5

• Use to enable OSPF MD5 authentication and configure the MD5 key.
• The MD5 key is a character string up to 16 characters long. You must also specify a key identifier and whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
• Configures an interface already created, or creates a new OSPF interface and configures the MD5 key. The interface can have an IP address, or it can be unnumbered.
• Example

host1(config-router)#address 10.1.1.1 message-digest-key 1 
md5 0 9mwk6gdr76

• Use the no version to delete the MD5 key.

    area virtual-link authentication-key

• Use to configure a simple password for a virtual link.
• You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
• The password can be up to eight characters long.
• Example

host1(config-router)#area 27.0.0.0 virtual-link 27.3.4.5 
authentication-key sadsa29c

• Use the no version to remove the password.

    area virtual-link authentication message-digest

• Use to specify that MD5 authentication is used for the particular virtual link.
• You must configure the MD5 key ID and password with the area virtual-link message-digest-key md5 command.
• Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password.
• Example

host1(config-router)#area 27.0.0.0 virtual-link 27.2.3.4 
authentication message-digest

• Use the no version to set authentication for the virtual link to none without removing any configured MD5 key. You could subsequently apply MD5 authentication to the virtual link without having to reconfigure the key.

    area virtual-link authentication-none

• Use to specify that no authentication is used for the particular virtual link.
• Example

host1(config-router)#area 27.0.0.0 virtual-link 27.2.3.4 
authentication-none

• The no version has no effect.

    area virtual-link message-digest-key md5

• Use to enable MD5 authentication and to configure MD5 keys for virtual links.
• The MD5 key is a character string up to 16 characters long. You must also specify a key identifier and whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
• Example

host1(config-router)#area 27.0.0.0 virtual-link 327.3.4.5 
message-digest-key 2 md5 rc45lsm2c

• Use the no version to remove the password.

    ip ospf authentication-key

• Use to configure a type 1 authentication (a simple password) on the interface.
• Neighboring OSPF routers use the password to access the router's interface.
• Use the same password on all neighboring routers on the same network.
• Use this password only when you enable authentication for the interface.
• You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
• Use a password that is a continuous string up to 8 characters long.
• Example

host1(config-if)#ip ospf authentication-key yourpwd

• Use the no version to remove the password on the interface.

    ip ospf authentication message-digest

• Use to specify the authentication method for the interface as MD5.
• You must configure the MD5 key ID and password with the ip ospf message-digest-key md5 command.
• Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password.
• Example

host1(config-if)#ip ospf authentication message-digest

• Use the no version to set authentication for the interface to none without removing any configured MD5 key. You could subsequently apply MD5 authentication to the interface without having to reconfigure the key.

    ip ospf authentication-none

• Use to specify that no authentication is used for the OSPF interface.
• Example

host1(config-if)#ip ospf authentication-none

• The no version has no effect.

    ip ospf message-digest-key md5

• Use to enable MD5 authentication on the OSPF interface and configure the MD5 key.
• The MD5 key is a character string up to 16 characters long. You must also specify a key identifier and whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
• Example

host1(config-if)#ip ospf message-digest-key 3 md5 0 tre987is

• Use the no version to delete an MD5 key from the OSPF interface.

Note: If all the MD5 keys have been deleted, the authentication type is still MD5, but you need to configure MD5 keys.

Note: To disable MD5 authentication for the interface, use the ip ospf authentication-none command.

Note: To display the password only in encrypted text, use the service password-encryption command.