OSPF authentication

OSPF can be configured to authenticate every OSPF packet exchanged between neighbors. This is done to stop a rogue or misconfigured router from forming an adjacency and injecting false routing information, which can black-hole or redirect traffic (a Denial-of-Service attack at best, traffic interception at worst). Without authentication configured, OSPF uses authentication type 0 (null), which accepts packets from anyone on the segment.

Two types of authentication can be used:
1.    clear text authentication – the password is carried as plain text in the 8-byte authentication field of every OSPF packet, so anyone who can capture the traffic on the segment can read it and then send their own authenticated packets
2.    MD5 authentication – the key itself is never sent. Each packet instead carries a key ID, a cryptographic sequence number and a 16-byte MD5 digest computed over the packet plus the key, so a captured packet cannot be modified or replayed without knowing the key. This type of authentication is more secure and should be preferred; clear-text authentication only protects against accidental misconfiguration, not against an attacker who can sniff the link.

NOTE
With OSPF authentication turned on, both the authentication type and the key must match on the neighboring interfaces; otherwise the hello packets are discarded and the routers never become OSPF neighbors. A mismatch shows up in debug ip ospf adj output as an authentication type or key mismatch.


To configure clear text authentication, the following steps are required on every interface that should use it:

  1. configure the OSPF password on the interface by using the ip ospf authentication-key PASSWORD interface command (the password is at most 8 characters, because that is the size of the authentication field in the OSPF header)
  2. enable OSPF clear-text authentication on the interface by using the ip ospf authentication interface command (with no keyword, this command selects simple password authentication)


In the following example, we will configure OSPF clear-text authentication.

[Figure: OSPF authentication topology – R1 and R2 connected back-to-back on their fa0/0 interfaces, both in Area 0]

Both routers are already running OSPF and are neighbors over fa0/0. On R1, we need to enter the following commands:

R1(config)#int fa0/0
R1(config-if)#ip ospf authentication-key secret
R1(config-if)#ip ospf authentication

The same commands have to be entered on R2:

R2(config)#int fa0/0
R2(config-if)#ip ospf authentication-key secret
R2(config-if)#ip ospf authentication

To verify that clear-text authentication is indeed turned on, we can use the show ip ospf interface INTERFACE_TYPE INTERFACE_NUMBER command on either router:

R1#show ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.0.0.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 1.1.1.1, Interface address 10.0.0.1
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Simple password authentication enabled


Configuring OSPF MD5 authentication is very similar to configuring clear-text authentication. Two commands are also used:

  1. First you need to configure the MD5 key on the interface by using the ip ospf message-digest-key KEY_ID md5 KEY interface command. The key is at most 16 characters, and KEY_ID (1 to 255) must be the same on both ends of the link, because the receiver uses the key ID carried in the packet to select which key to verify the digest with.
  2. Next, you need to configure the interface to use MD5 authentication by using the ip ospf authentication message-digest interface command.

MD5 here is used as a keyed digest, so the known collision weaknesses of plain MD5 do not give an attacker the key; still, on IOS releases that support it, HMAC-SHA authentication through a key chain (RFC 5709) is the stronger choice when both neighbors support it.


Here is an example configuration on R1; R2 needs the same two commands with the same key ID and key:

R1(config)#int fa0/0
R1(config-if)#ip ospf message-digest-key 1 md5 secret
R1(config-if)#ip ospf authentication message-digest

You can verify that R1 is using OSPF MD5 authentication by typing the show ip ospf interface INTERFACE_TYPE INTERFACE_NUMBER command:

R1#show ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.0.0.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 1.1.1.1, Interface address 10.0.0.1
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
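
To make the difference between the two authentication types concrete, here is an added example (not code from the original page or from Cisco) that builds an OSPFv2 Hello packet with null, clear-text and MD5 authentication exactly as RFC 2328 Appendix D lays them out on the wire, and then verifies each packet the way a receiving router would. The router IDs, addresses and the key "secret" come from the topology above; the packet bytes are constructed in memory, no router or network is involved.

```python
"""Added example: OSPFv2 Hello authentication on the wire (RFC 2328 Appendix D).
AuType 0 = null, 1 = simple password, 2 = cryptographic (MD5).
All packets are constructed in memory from the page's R1/R2 topology."""
import hashlib
import hmac
import ipaddress
import struct

AU_NULL, AU_SIMPLE, AU_CRYPT = 0, 1, 2
HELLO_TYPE = 1
# version, type, length, router ID, area ID, checksum, AuType (16 bytes); the 8-byte auth field follows
HDR = struct.Struct("!BBHIIHH")


def ip2int(s):
    return int(ipaddress.IPv4Address(s))


def ip_checksum(data):
    """Ones-complement checksum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def hello_body(mask, hello=10, dead=40, prio=1, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    body = struct.pack("!IHBBIII", ip2int(mask), hello, 0x02, prio, dead, ip2int(dr), ip2int(bdr))
    return body + b"".join(struct.pack("!I", ip2int(n)) for n in neighbors)


def build_hello(rid, area, body, autype, key=b"", key_id=1, seq=0):
    length = 24 + len(body)  # the MD5 trailer is NOT counted in the length field
    hdr = HDR.pack(2, HELLO_TYPE, length, ip2int(rid), ip2int(area), 0, autype)
    if autype == AU_CRYPT:
        if len(key) > 16:
            raise ValueError("message-digest-key is at most 16 bytes")
        # auth field: 2 zero bytes, Key ID, Auth Data Length (16), cryptographic sequence number
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = hdr + auth + body  # checksum field stays 0 for AuType 2
        # digest over the packet followed by the key padded to 16 bytes; the key itself never leaves the router
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()
    if len(key) > 8:
        raise ValueError("authentication-key is at most 8 bytes")
    csum = ip_checksum(hdr + body)  # checksum excludes the 8-byte auth field
    hdr = hdr[:12] + struct.pack("!H", csum) + hdr[14:]
    auth = key.ljust(8, b"\x00") if autype == AU_SIMPLE else bytes(8)  # password in clear text
    return hdr + auth + body


def verify(pkt, autype_cfg, key=b"", last_seq=-1):
    """Receiver-side check. Returns (accepted, reason, crypto_seq)."""
    _, _, length, _, _, _, autype = HDR.unpack(pkt[:16])
    auth = pkt[16:24]
    if autype != autype_cfg:
        return False, "authentication type mismatch", None  # neighbors never form
    if autype == AU_CRYPT:
        _, _key_id, dlen, seq = struct.unpack("!HBBI", auth)
        if dlen != 16 or len(pkt) < length + 16:
            return False, "malformed digest trailer", seq
        if seq < last_seq:
            return False, "replay: sequence number went backwards", seq
        expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\x00")).digest()
        if not hmac.compare_digest(expected, pkt[length:length + 16]):
            return False, "digest mismatch (wrong key or modified packet)", seq
        return True, "ok", seq
    if ip_checksum(pkt[:16] + pkt[24:length]) != 0:
        return False, "bad checksum", None
    if autype == AU_SIMPLE and not hmac.compare_digest(auth, key.ljust(8, b"\x00")):
        return False, "password mismatch", None
    return True, "ok", None


def demo():
    """R1's Hello from the page's topology (constructed), checked the way R2 would check it."""
    body = hello_body("255.255.255.0", dr="10.0.0.1", neighbors=("2.2.2.2",))
    simple = build_hello("1.1.1.1", "0.0.0.0", body, AU_SIMPLE, b"secret")
    crypt = build_hello("1.1.1.1", "0.0.0.0", body, AU_CRYPT, b"secret", key_id=1, seq=1001)
    # an attacker who sniffed the clear-text packet can send their own "authenticated" Hello
    forged = build_hello("6.6.6.6", "0.0.0.0", body, AU_SIMPLE, b"secret")
    # same for the MD5 packet: change the DR field (offset 36) without knowing the key
    tampered = crypt[:36] + struct.pack("!I", ip2int("10.0.0.9")) + crypt[40:]
    return {
        "password_on_wire_simple": b"secret" in simple,
        "password_on_wire_md5": b"secret" in crypt,
        "simple_ok": verify(simple, AU_SIMPLE, b"secret")[0],
        "simple_forged_after_sniff": verify(forged, AU_SIMPLE, b"secret")[0],
        "md5_ok": verify(crypt, AU_CRYPT, b"secret", last_seq=1000),
        "md5_wrong_key": verify(crypt, AU_CRYPT, b"wrong", last_seq=1000),
        "md5_tampered": verify(tampered, AU_CRYPT, b"secret", last_seq=1000),
        "md5_replayed": verify(crypt, AU_CRYPT, b"secret", last_seq=1002),
        "type_mismatch": verify(simple, AU_CRYPT, b"secret"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The forged and tampered cases are the point of the example: with clear-text authentication the sniffed password is enough to forge packets, whereas with MD5 the receiver rejects a modified packet, a packet built with the wrong key, and a replayed packet whose sequence number is older than the last one accepted. The same check order (type, then digest and sequence number) is what produces the "authentication type mismatch" and "authentication key mismatch" messages a router reports when neighbors are misconfigured.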


NOTE
OSPF authentication type can also be enabled on an area basis, instead of configuring the OSPF authentication type on each interface. This is done by using the area AREA_ID authentication [message-digest] command under the OSPF configuration mode. If you omit the message-digest keyword, clear-text authentication will be used for that area. All interfaces inside the area then use that authentication type, but the keys (ip ospf authentication-key or ip ospf message-digest-key) still have to be configured on each interface, and an ip ospf authentication command on an interface overrides the area-wide setting for that interface.
