2-1 area area-id authentication


NOTE

This command requires the following additional commands:

For a physical interface: ip ospf authentication-key password (see Section 19-2)

For a virtual link if authentication is used in area 0: area transit-area virtual-link router-id authentication-key password (see Section 2-17)


Syntax Description:

  • area-id - OSPF area ID. This value can be entered as a decimal number in the range of 0 to 4,294,967,295 or in IP address format in the range 0.0.0.0 to 255.255.255.255. This command enables simple password authentication in the indicated OSPF area. By default, authentication is not enabled.

  • transit-area - The OSPF area across which the virtual link is configured.

  • password - Clear-text password to be used for authentication in the selected area on the selected interface or virtual link. The password is an alphanumeric string from 1 to 8 characters; a space counts as a character.

  • router-id - OSPF router ID of the router at the remote end of the virtual link.

Purpose: To enable simple clear-text password authentication in an OSPF area. OSPF simple authentication requires two commands: this router configuration command, which enables authentication for the area, and the interface or virtual-link command that sets the password. Because this command enables authentication for the whole area, in Cisco IOS Software Release 11.X and earlier every interface in the area must be configured for authentication; authentication is enabled per area, so it is possible to use it in one area without using it in others. In Cisco IOS Software Release 12.X the authentication method used on an interface can differ from the one enabled for the area, so interfaces in the same area need not all use the same method, and you can remove authentication from selected interfaces with the interface command ip ospf authentication null (see Section 19-1). The password does not need to be the same on every interface in the area, but both ends of a common link must use the same password.

The password travels in the OSPF packet header in clear text (authentication type 1 in RFC 2328 terms). Anyone who can capture OSPF packets on the link can read it, so simple authentication only prevents accidental adjacencies and catches misconfiguration; it does not stop an attacker with access to the segment from joining the area. Where the platform supports it, prefer MD5 authentication (area area-id authentication message-digest), which never places the key on the wire.

Initial Cisco IOS Software Release: 10.0

Configuration Example: Simple Password Authentication

For the network in Figure 2-1, start by configuring OSPF without authentication in Area 0.

Figure 2-1. Network Used to Demonstrate OSPF Authentication Configuration and Troubleshooting


Router A

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.9 255.255.255.252
!
interface Serial0/1
 ip address 10.1.1.1 255.255.255.252
 clock rate 64000
!
router ospf 1
 network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________

Router B

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0
 ip address 10.1.1.2 255.255.255.252
!
interface Serial1
 ip address 10.1.1.5 255.255.255.252
 clock rate 64000
!
router ospf 1
 network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________

Router C

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0
 ip address 10.1.1.6 255.255.255.252
!
interface Serial1
 ip address 10.1.1.10 255.255.255.252
 clock rate 64000
!
router ospf 1
 network 10.1.1.0 0.0.0.15 area 0

Verify the OSPF configuration on Routers A, B, and C by displaying the state of each router's OSPF neighbors.

rtrA# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/  -        00:00:38    10.1.1.10       Serial0/0
2.2.2.2           1   FULL/  -        00:00:37    10.1.1.2        Serial0/1
_______________________________________________________________________

rtrB# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/  -        00:00:35    10.1.1.1        Serial0
3.3.3.3           1   FULL/  -        00:00:30    10.1.1.6        Serial1
_______________________________________________________________________

rtrC# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/  -        00:00:30    10.1.1.5        Serial0
1.1.1.1           1   FULL/  -        00:00:37    10.1.1.9        Serial1

Verify that OSPF is not using authentication.

rtrA# show ip ospf

 Routing Process "ospf 1" with ID 1.1.1.1
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has no authentication
        SPF algorithm executed 6 times
        Area ranges are
        Number of LSA 3. Checksum Sum 0x25F8D
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0

Modify the configurations on Routers A, B, and C by adding simple password authentication to Area 0. For this example, you will use the clear-text password "cisco".

Router A

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.9 255.255.255.252
 ip ospf authentication-key cisco
!
interface Serial0/1
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication-key cisco
 clock rate 64000
!
router ospf 1
 area 0 authentication
 network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________

Router B

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0
 ip address 10.1.1.2 255.255.255.252
 ip ospf authentication-key cisco
!
interface Serial1
 ip address 10.1.1.5 255.255.255.252
 ip ospf authentication-key cisco
 clock rate 64000
!
router ospf 1
 area 0 authentication
 network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________

Router C

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0
 ip address 10.1.1.6 255.255.255.252
 ip ospf authentication-key cisco
!
interface Serial1
 ip address 10.1.1.10 255.255.255.252
 ip ospf authentication-key cisco
 clock rate 64000
!
router ospf 1
 area 0 authentication
 network 10.1.1.0 0.0.0.15 area 0

Verification

Verify that the OSPF neighbor relationships are still active.

rtrA# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/  -        00:00:31    10.1.1.10       Serial0/0
2.2.2.2           1   FULL/  -        00:00:30    10.1.1.2        Serial0/1
_______________________________________________________________________

rtrB# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/  -        00:00:38    10.1.1.1        Serial0
3.3.3.3           1   FULL/  -        00:00:33    10.1.1.6        Serial1
_______________________________________________________________________

rtrC# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/  -        00:00:33    10.1.1.5        Serial0
1.1.1.1           1   FULL/  -        00:00:30    10.1.1.9        Serial1

Verify that simple authentication is enabled for Area 0.

rtrA# show ip ospf

 Routing Process "ospf 1" with ID 1.1.1.1
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has simple password authentication
        SPF algorithm executed 9 times
        Area ranges are
        Number of LSA 3. Checksum Sum 0x24F95
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0

The password can be read by anyone who looks at your configuration. To keep it out of casual view, the password in the configuration can be obfuscated with the global configuration command service password-encryption, as shown in the following configuration.

Router A

service password-encryption

Listing the configuration shows the password stored as a type 7 string. Two caveats apply. First, type 7 is a reversible obfuscation, not encryption: anyone who obtains the configuration (a backup, a TFTP copy, a show running-config over an unencrypted session) can recover the clear text. Second, the stored form changes nothing on the wire; OSPF still sends the password in clear text in every packet.

rtrA# show running-config

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rtrA
!
ip subnet-zero
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 no ip directed-broadcast
!
interface Serial0/0
 ip address 10.1.1.9 255.255.255.252
 no ip directed-broadcast
 ip ospf authentication-key 7 121A0C041104
 no ip mroute-cache
!
interface Serial0/1
 ip address 10.1.1.1 255.255.255.252
 no ip directed-broadcast
 ip ospf authentication-key 7 02050D480809
 clockrate 64000
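To make the first caveat concrete, the following added example (it is not from the handbook) reverses the two type 7 strings in the listing above back to cisco. The type 7 scheme is Cisco's own, publicly documented, fixed-key XOR; the helper that pulls the keys out of a configuration and the trimmed rtrA configuration it runs on are constructed here from the page's output.

```python
"""Decode and encode Cisco IOS type-7 strings written by service password-encryption.
Added example, not from the handbook. Type 7 is a fixed-key XOR: the first two
characters are a decimal offset into a constant key string and each following hex
pair is one password byte XORed with the next key byte. Anyone who can read the
configuration can reverse it, so the OSPF key is hidden from a glance at
'show running-config' but not protected."""
import re

# The constant key string IOS uses for type-7 obfuscation (publicly documented).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
RE_INTF = re.compile(r"^interface (\S+)")
RE_OSPF_KEY = re.compile(r"^ ip ospf authentication-key (?:(\d) )?(.*)$")  # optional 0/7 type


def decode_type7(encoded):
    """Return the clear text for a type-7 string such as 121A0C041104."""
    if not re.fullmatch(r"\d\d(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError(f"not a type-7 string: {encoded!r}")
    seed = int(encoded[:2])
    if seed >= len(XLAT):
        raise ValueError(f"type-7 seed {seed} out of range")
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def encode_type7(clear, seed=12):
    """Inverse of decode_type7. IOS chooses the seed itself; here it is a parameter."""
    if not 0 <= seed < len(XLAT) or not clear.isascii():
        raise ValueError("seed must index into XLAT and the password must be ASCII")
    pairs = (f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(clear))
    return f"{seed:02d}" + "".join(pairs)


def ospf_keys(config):
    """List (interface, stored value, clear text) for each OSPF authentication-key in a config."""
    found, intf = [], None
    for line in config.splitlines():
        if m := RE_INTF.match(line):
            intf = m.group(1)
        elif intf and (m := RE_OSPF_KEY.match(line)):
            kind, value = m.group(1), m.group(2)
            clear = decode_type7(value) if kind == "7" else value  # type 0 or untyped is clear text
            found.append((intf, value, clear))
    return found


# Trimmed copy of the page's 'show running-config' on rtrA after service password-encryption.
RTRA_RUNNING_CONFIG = """\
service password-encryption
interface Serial0/0
 ip address 10.1.1.9 255.255.255.252
 ip ospf authentication-key 7 121A0C041104
interface Serial0/1
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication-key 7 02050D480809
"""

if __name__ == "__main__":
    for intf, stored, clear in ospf_keys(RTRA_RUNNING_CONFIG):
        print(f"{intf}: {stored} -> {clear!r}")
```

Both stored values decode to cisco; the two strings differ only because IOS picked a different seed (12 and 02) for each interface. Treat a configuration containing type 7 OSPF keys exactly as you would one containing the clear-text keys.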
Troubleshooting

Step 1. Before enabling authentication in an OSPF area, verify that there is a neighbor relationship among all OSPF routers by using the show ip ospf neighbor command.

Step 2. Verify that authentication has been enabled for every OSPF router with an interface in the area where authentication is being deployed.

Step 3. Verify that every interface in an OSPF area that is using authentication is configured with the proper password.

Step 4. If any OSPF neighbor relationships disappear after configuring authentication, then debugging can be used to determine the problem. For example, change the password on Router A, Interface Serial 0/0, to bosco, as shown here.

Router A

interface Serial0/0
 ip address 10.1.1.9 255.255.255.252
 ip ospf authentication-key bosco

List the OSPF neighbors for Router A.

rtrA# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/  -        00:00:36    10.1.1.2        Serial0/1

Router A has lost Router C as a neighbor. Enable debugging on Router A to see if the problem can be determined.

rtrA# debug ip ospf events
OSPF events debugging is on
rtrA#
03:41:09: OSPF: Rcv hello from 2.2.2.2 area 0 from Serial0/1 10.1.1.2
03:41:09: OSPF: End of hello processing
03:41:09: OSPF: Rcv pkt from 10.1.1.10, Serial0/0 : Mismatch Authentication Key - Clear Text

Be careful when configuring passwords. A space is a valid password character, so cisco followed by a space is a different password from cisco: the two ends will report a password mismatch, but the trailing space is invisible when you look at the configuration.

Change the password on Router A, serial 0/0, back to cisco and remove the OSPF router configuration command area 0 authentication.

Router A

interface Serial0/0
 ip address 10.1.1.9 255.255.255.252
 ip ospf authentication-key cisco
!
router ospf 1
 no area 0 authentication

Router A should lose both OSPF neighbors. They fall back from FULL to INIT: Router A still hears hellos from Routers B and C, but they reject its now unauthenticated hellos and no longer list it as a neighbor.

rtrA# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   INIT/  -        00:00:38    10.1.1.10       Serial0/0
2.2.2.2           1   INIT/  -        00:00:39    10.1.1.2        Serial0/1

Now debug the OSPF traffic on Router B or C to determine the problem.

rtrB# debug ip ospf events
OSPF events debugging is on
rtrB#
03:55:35: OSPF: Rcv pkt from 10.1.1.1, Serial0 : Mismatch Authentication type. Input packet specified type 0, we use type 1
03:55:40: OSPF: Rcv hello from 3.3.3.3 area 0 from Serial1 10.1.1.6
03:55:40: OSPF: End of hello processing

Routers B and C are using type 1 authentication (simple password) and Router A is using type 0 authentication (none), so they discard Router A's packets before looking at any password. Note the two distinct debug messages: an authentication type mismatch means the area-level command differs between the routers, and an authentication key mismatch means the type agrees but the interface passwords do not.
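Steps 2 and 3 above are a consistency check that can be run against saved configurations before a change window rather than discovered through debug output afterwards. The following added example (it is not part of the handbook) parses IOS configurations for the three routers of Figure 2-1, maps each interface to its area through the network statements, pairs up the interfaces on each link, and reports the same conditions the debug output shows: an authentication type mismatch where one router lacks area 0 authentication, a key mismatch (bosco versus cisco), and a key that differs only by a trailing space. The configurations are constructed here with those faults injected on purpose; keys are assumed to be in clear text (type 0), as on this page before service password-encryption is enabled, so type 7 values would have to be decoded first.

```python
"""OSPF simple-password consistency audit (added example, not from the handbook).
Implements troubleshooting Steps 2 and 3: every interface in an area with
'area X authentication' needs an authentication-key, both ends of a link must
share it, and both ends must use the same type (1 = simple, 0 = none)."""
import itertools
import re
from ipaddress import IPv4Address, IPv4Network

RE_INTF = re.compile(r"^interface (\S+)")
RE_ADDR = re.compile(r"^ ip address (\S+) (\S+)")
RE_KEY = re.compile(r"^ ip ospf authentication-key (?:0 )?(.*)$")  # type 0 only; keeps trailing spaces
RE_NET = re.compile(r"^ network (\S+) (\S+) area (\S+)")
RE_AREA_AUTH = re.compile(r"^ area (\S+) authentication$")  # simple password only


def parse_config(router, text):
    """Return (interfaces, network statements, areas with authentication enabled)."""
    intfs, nets, auth_areas, cur = [], [], set(), None
    for line in text.splitlines():
        if not line.startswith(" "):
            cur = None  # any top-level command ends the current interface block
        if m := RE_INTF.match(line):
            cur = {"router": router, "name": m.group(1), "ip": None, "mask": None, "key": None}
            intfs.append(cur)
        elif cur and (m := RE_ADDR.match(line)):
            cur["ip"], cur["mask"] = m.group(1), m.group(2)
        elif cur and (m := RE_KEY.match(line)):
            cur["key"] = m.group(1)
        elif m := RE_NET.match(line):
            nets.append((int(IPv4Address(m.group(1))), int(IPv4Address(m.group(2))), m.group(3)))
        elif m := RE_AREA_AUTH.match(line):
            auth_areas.add(m.group(1))
    return intfs, nets, auth_areas


def area_of(ip, nets):
    """Map an interface address to its OSPF area via the network/wildcard statements."""
    addr = int(IPv4Address(ip))
    for net, wildcard, area in nets:
        if addr & ~wildcard == net & ~wildcard:
            return area
    return None


def audit(configs):
    """Return a list of findings; an empty list means the configurations are consistent."""
    findings, links = [], {}
    for router, text in configs.items():
        intfs, nets, auth_areas = parse_config(router, text)
        for i in intfs:
            area = area_of(i["ip"], nets) if i["ip"] else None
            if area is None:
                continue  # interface is not in any OSPF area
            i["auth"] = area in auth_areas
            if i["auth"] and i["key"] is None:
                findings.append(f"{router} {i['name']}: area {area} authentication enabled but no key")
            links.setdefault(IPv4Network(f"{i['ip']}/{i['mask']}", strict=False), []).append(i)
    for subnet, ends in sorted(links.items()):
        for a, b in itertools.combinations(ends, 2):
            where = f"{subnet} ({a['router']} {a['name']} <-> {b['router']} {b['name']})"
            if a["auth"] != b["auth"]:  # IOS debug: "Mismatch Authentication type"
                findings.append(f"{where}: authentication type mismatch (type {int(a['auth'])} vs type {int(b['auth'])})")
            if a["key"] != b["key"]:  # IOS debug: "Mismatch Authentication Key - Clear Text"
                kind = "keys differ only by whitespace" if (a["key"] or "").strip() == (b["key"] or "").strip() else "key mismatch"
                findings.append(f"{where}: {kind} ({a['key']!r} vs {b['key']!r})")
    return findings


# Constructed from the handbook's topology with faults injected on purpose: rtrA uses "bosco"
# toward rtrC, rtrB's key toward rtrA carries a trailing space, rtrC has no area authentication.
CONFIGS = {
    "rtrA": """\
interface Serial0/0
 ip address 10.1.1.9 255.255.255.252
 ip ospf authentication-key bosco
interface Serial0/1
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication-key cisco
router ospf 1
 area 0 authentication
 network 10.1.1.0 0.0.0.15 area 0
""",
    "rtrB": """\
interface Serial0
 ip address 10.1.1.2 255.255.255.252
 ip ospf authentication-key cisco_
router ospf 1
 area 0 authentication
 network 10.1.1.0 0.0.0.15 area 0
""",
    "rtrC": """\
interface Serial1
 ip address 10.1.1.10 255.255.255.252
 ip ospf authentication-key cisco
router ospf 1
 network 10.1.1.0 0.0.0.15 area 0
""",
}
CONFIGS["rtrB"] = CONFIGS["rtrB"].replace("cisco_", "cisco ")  # "cisco<space>": invisible in show run
```

Calling audit(CONFIGS) returns three findings, one per injected fault: the whitespace-only difference on 10.1.1.0/30, and on 10.1.1.8/30 both the type mismatch (Router C has no area 0 authentication) and the bosco/cisco key mismatch. Fix the faults and the function returns an empty list. The audit deliberately keeps the trailing space in the parsed key instead of stripping it, because that is exactly the fault the page warns you cannot see in the configuration.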



Cisco OSPF Command and Configuration Handbook
ISBN: 1587055406
Year: 2002
Pages: 236