Configuring Authentication
The router supports the following authentication capabilities:
- Null authentication
- Simple password authentication
- MD5 authentication
The MD5 algorithm takes as input a message of arbitrary length and produces a 128-bit fingerprint or message digest of the input. MD5 is used to create digital signatures. It is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, called a message digest.
When using a one-way hash function, you can compare a calculated message digest with the message digest that is decrypted by using a public key (password). The key verifies that the message has not been tampered with. This comparison process is called a hashcheck.
Note: You must first issue the address area command before issuing any other address command.
Authentication Requirements
If you configure either simple password or MD5 authentication, the password or authentication key must be the same on both sides of an adjacency. When you change the password or key on one side of an established adjacency, you must also change it on the other side within the dead interval. Doing this enables a hello packet that has the latest authentication information to be sent before the dead interval expires. If the packet is not sent within the dead interval, the adjacency breaks down and is not reestablished until both sides of the adjacency have the same password or key.
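The sketch below is an added example, not taken from the router documentation. It shows how an OSPFv2 MD5 digest is produced and checked as laid out in RFC 2328 Appendix D, and why both sides of an adjacency must hold the same key under the same key ID. The packet field values are constructed; the keys and key IDs are borrowed from the command examples on this page.

```python
import hashlib
import hmac
import struct

AUTYPE_CRYPTO = 2  # OSPFv2 AuType value for cryptographic authentication
DIGEST_LEN = 16    # MD5 output size in bytes

def pad_key(key: str) -> bytes:
    """Zero-pad the key to 16 bytes, the maximum length the page allows."""
    raw = key.encode("ascii")
    if len(raw) > 16:
        raise ValueError("MD5 key is limited to 16 characters")
    return raw.ljust(16, b"\x00")

def sign(body, router_id, area_id, key_id, seq, key) -> bytes:
    """Sender: build a hello (type 1) packet and append MD5(packet || key)."""
    # Packet length excludes the digest; the checksum field stays zero.
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body), router_id,
                         area_id, 0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(wire: bytes, keys: dict) -> bool:
    """Receiver: find the key by key ID, recompute the digest, compare."""
    if len(wire) < 24 + DIGEST_LEN:
        return False
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    autype, _, key_id, auth_len, _seq = struct.unpack("!HHBBI", packet[14:24])
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN or key_id not in keys:
        return False
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, digest)

# Constructed hello body: mask, hello 10 s, options, priority, dead 40 s, DR, BDR.
HELLO = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 2, 1, 40,
                    bytes([10, 1, 1, 1]), bytes(4))
RID, AREA = bytes([10, 1, 1, 1]), bytes(4)

def demo() -> dict:
    wire = sign(HELLO, RID, AREA, key_id=1, seq=1000, key="9mwk6gdr76")
    tampered = wire[:30] + bytes([wire[30] ^ 0x01]) + wire[31:]
    return {
        "same key": verify(wire, {1: "9mwk6gdr76"}),
        "different key": verify(wire, {1: "tre987is"}),
        "unknown key ID": verify(wire, {3: "9mwk6gdr76"}),
        "modified in transit": verify(tampered, {1: "9mwk6gdr76"}),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first case is accepted: a hello signed with a key or key ID the neighbor does not hold is dropped, which is why a key change must reach both sides before the dead interval expires.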
address authentication-key
- Use to assign a password used by neighboring routers for OSPF simple password authentication.
- The interface can have an IP address, or it can be unnumbered.
- You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
- The password, or key, is a character string up to 8 characters long.
- Example: host1(config-router)#address 10.12.10.2 authentication-key 9rdf7
- Use the no version to delete the password from the specified interface.
- See address authentication-key
address authentication message-digest
- Use to specify that MD5 authentication is used for the OSPF interface.
- You must configure the MD5 key ID and password with the address message-digest-key md5 command.
- Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password.
- Example: host1(config-router)#address 10.12.10.2 authentication message-digest
- Use the no version to set authentication for the interface to none without removing any configured MD5 key. You can subsequently apply MD5 authentication to the interface without having to reconfigure the key.
- See address authentication message-digest
address authentication-none
- Use to disable authentication on the interface.
- The interface can have an IP address, or it can be unnumbered.
- Example: host1(config-router)#address 192.168.10.32 authentication-none
- The no version has no effect.
- See address authentication-none
address message-digest-key md5
- Use to enable OSPF MD5 authentication and configure the MD5 key.
- The MD5 key is a character string up to 16 characters long. You must also specify a key identifier and whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
- Configures an interface already created, or creates a new OSPF interface and configures the MD5 key. The interface can have an IP address, or it can be unnumbered.
- Example: host1(config-router)#address 10.1.1.1 message-digest-key 1 md5 0 9mwk6gdr76
- Use the no version to delete the MD5 key.
- See address message-digest-key md5
area virtual-link authentication-key
- Use to configure a simple password for a virtual link.
- You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
- The password can be up to eight characters long.
- Example: host1(config-router)#area 27.0.0.0 virtual-link 27.3.4.5 authentication-key sadsa29c
- Use the no version to remove the password.
- See area virtual-link authentication-key
area virtual-link authentication message-digest
- Use to specify that MD5 authentication is used for the particular virtual link.
- You must configure the MD5 key ID and password with the area virtual-link message-digest-key md5 command.
- Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password.
- Example: host1(config-router)#area 27.0.0.0 virtual-link 27.2.3.4 authentication message-digest
- Use the no version to set authentication for the virtual link to none without removing any configured MD5 key. You can subsequently apply MD5 authentication to the virtual link without having to reconfigure the key.
- See area virtual-link authentication message-digest
area virtual-link authentication-none
- Use to specify that no authentication is used for the particular virtual link.
- Example: host1(config-router)#area 27.0.0.0 virtual-link 27.2.3.4 authentication-none
- The no version has no effect.
- See area virtual-link authentication-none
area virtual-link message-digest-key md5
- Use to enable MD5 authentication and to configure MD5 keys for virtual links.
- The MD5 key is a character string up to 16 characters long. You must also specify a key identifier and whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
- Example: host1(config-router)#area 27.0.0.0 virtual-link 27.3.4.5 message-digest-key 2 md5 rc45lsm2c
- Use the no version to remove the password.
- See area virtual-link message-digest-key md5
ip ospf authentication-key
- Use to configure a type 1 authentication (a simple password) on the interface.
- Neighboring OSPF routers use the password to access the router’s interface.
- Use the same password on all neighboring routers on the same network.
- Use this password only when you enable authentication for the interface.
- You can specify whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
- Use a password that is a continuous string up to 8 characters long.
- Example: host1(config-if)#ip ospf authentication-key yourpwd
- Use the no version to remove the password on the interface.
- See ip ospf authentication-key
ip ospf authentication message-digest
- Use to specify the authentication method for the interface as MD5.
- You must configure the MD5 key ID and password with the ip ospf message-digest-key md5 command.
- Switching between authentication types does not delete a configured MD5 key ID or password; only using the no version of that configuration command can delete the MD5 key ID and password.
- Example: host1(config-if)#ip ospf authentication message-digest
- Use the no version to set authentication for the interface to none without removing any configured MD5 key. You can subsequently apply MD5 authentication to the interface without having to reconfigure the key.
- See ip ospf authentication message-digest
ip ospf authentication-none
- Use to specify that no authentication is used for the OSPF interface.
- Example: host1(config-if)#ip ospf authentication-none
- The no version has no effect.
- See ip ospf authentication-none
ip ospf message-digest-key md5
- Use to enable MD5 authentication on the OSPF interface and configure the MD5 key.
Note: If all the MD5 keys have been deleted, the authentication type is still MD5, but you need to configure MD5 keys.
- The MD5 key is a character string up to 16 characters long. You must also specify a key identifier and whether the key is entered in unencrypted or encrypted format. If you do not specify which, the string is assumed to be unencrypted.
Note: To display the password only in encrypted text, use the service password-encryption command.
- Example: host1(config-if)#ip ospf message-digest-key 3 md5 0 tre987is
- Use the no version to delete an MD5 key from the OSPF interface.
Note: To disable MD5 authentication for the interface, use the ip ospf authentication-none command.
- See ip ospf message-digest-key md5