Configuring OSPF authentication on routers

Posted: October 7, 2013 in Uncategorized

Topology: R1 – area 0 – R3 – area 1 – R2 (R3 is the area border router)

R2:
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip ospf authentication message-digest
Router2(config-if)#ip ospf message-digest-key 1 md5 MD5MD5
Router2(config-if)#ip ospf 1 area 1

R1:
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip ospf authentication
Router1(config-if)#ip ospf authentication-key CLEARTXT
Router1(config-if)#ip ospf 1 area 0

R3:
Router3(config)#router ospf 1
Router3(config-router)#log-adjacency-changes
Router3(config-router)#area 0 authentication
Router3(config-router)#area 1 authentication message-digest

Router3(config)#interface Vlan11
Router3(config-if)#ip ospf authentication null    ! – Interface-level null authentication exempts Vlan11 from the area-level authentication setting

Router3(config)#interface FastEthernet0/0
Router3(config-if)#ip ospf message-digest-key 1 md5 MD5MD5
Router3(config-if)#ip ospf 1 area 1

Router3(config)#interface FastEthernet0/1
Router3(config-if)#ip ospf authentication-key CLEARTXT
Router3(config-if)#ip ospf 1 area 0

Router1#sh ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.13.1/24, Area 0
Process ID 1, Router ID 150.1.1.1, Network Type BROADCAST, Cost: 1
Topology-MTID    Cost    Disabled    Shutdown      Topology Name
0           1         no          no            Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.1.1.1, Interface address 136.1.13.1
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.13.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 4
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1  (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

Router3#sh ip ospf int f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 136.1.13.3/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.1.1.1, Interface address 136.1.13.1
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.13.3
Flush timer for old DR LSA due in 00:00:25
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Index 1/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.1.1  (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
Router3#

Router3#sh ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.23.3/24, Area 1
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.1.2.2, Interface address 136.1.23.2
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.23.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.2.2  (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Router3#

Router2#sh ip ospf  int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.23.2/24, Area 1
Process ID 1, Router ID 150.1.2.2, Network Type BROADCAST, Cost: 1
Topology-MTID    Cost    Disabled    Shutdown      Topology Name
0           1         no          no            Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.1.2.2, Interface address 136.1.23.2
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.23.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1  (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Router2#

! – Failures in OSPF authentication show up as a failure to establish (or keep) the adjacency. The debug below shows a mismatch in authentication type, where R3 has MD5 authentication configured towards R1 while R1 has clear-text authentication configured towards R3. At the OSPF packet level, authentication type 0 means null (no authentication), type 1 is clear-text, and type 2 is MD5.

Router1#
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication Key – Clear Text
OSPF: 1.1.1.1 address 136.1.13.3 on FastEthernet0/0 is dead
OSPF: 1.1.1.1 address 136.1.13.3 on FastEthernet0/0 is dead, state DOWN
%OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
OSPF: Neighbor change Event on interface FastEthernet0/0
OSPF: DR/BDR election on FastEthernet0/0
OSPF: Elect BDR 0.0.0.0
OSPF: Elect DR 150.1.1.1
DR: 150.1.1.1 (Id)   BDR: none
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication Key – Clear Text
OSPF: Build router LSA for area 0, router ID 150.1.1.1, seq 0x80000005, process 1
OSPF: No full nbrs to build NetLSA for interface FastEthernet0/0
OSPF: Build network LSA for FastEthernet0/0, router ID 150.1.1.1

! – A mismatch in the password between two neighbours:

OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1
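The two debug message forms above can be picked out automatically. This is an added example, not code from the original post: a small Python parser that labels each IOS debug line as a key mismatch or an authentication-type mismatch, decodes the type numbers with the 0/1/2 mapping given above, and counts repeats per neighbour and interface. The sample lines are constructed from the output shown on this page.

```python
import re
# AuType values from the OSPF packet header, as described in the note above:
# 0 = null (no authentication), 1 = clear-text password, 2 = MD5.
AUTH_TYPES = {0: "null", 1: "clear-text", 2: "MD5"}

# The two "debug ip ospf adj" message forms shown on this page. The separator
# in the key message is matched as '-' or an en dash, since blog engines rewrite it.
_PREFIX = r"OSPF: Rcv pkt from (?P<src>[\d.]+), (?P<ifc>\S+) : "
_KEY_RE = re.compile(_PREFIX + r"Mismatch Authentication Key [-\u2013] (?P<mode>.+)$")
_TYPE_RE = re.compile(_PREFIX + r"Mismatch Authentication type\. Input packet "
                      r"specified type (?P<got>\d+), we use type (?P<want>\d+)$")

def classify(line):
    """Describe an OSPF authentication failure in one debug line, or return None."""
    m = _KEY_RE.search(line)
    if m:   # same type on both ends, but the password / MD5 key differs
        return {"kind": "key-mismatch", "src": m["src"], "ifc": m["ifc"],
                "mode": m["mode"].strip()}
    m = _TYPE_RE.search(line)
    if m:   # neighbour sends one AuType, this router is configured for another
        got, want = int(m["got"]), int(m["want"])
        return {"kind": "type-mismatch", "src": m["src"], "ifc": m["ifc"],
                "peer_type": AUTH_TYPES.get(got, f"unknown({got})"),
                "local_type": AUTH_TYPES.get(want, f"unknown({want})")}
    return None

def summarize(lines):
    """Count failures per (neighbour address, interface, kind) so repeats collapse."""
    counts = {}
    for line in lines:
        f = classify(line)
        if f:
            key = (f["src"], f["ifc"], f["kind"])
            counts[key] = counts.get(key, 0) + 1
    return counts
# Constructed sample: both failure forms from this page plus an unrelated line.
SAMPLE = [
    "OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication Key - Clear Text",
    "OSPF: 1.1.1.1 address 136.1.13.3 on FastEthernet0/0 is dead",
    "OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. "
    "Input packet specified type 2, we use type 1",
    "OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. "
    "Input packet specified type 2, we use type 1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print(summarize(SAMPLE))
```

Feeding the output of `debug ip ospf adj` through `summarize` gives one line per neighbour and failure kind instead of a line per hello, which is what you want when deciding whether the type or the key is wrong.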

! – To verify the OSPF neighbours, use:

Router1#sh ip osp neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:36    136.1.13.3      FastEthernet0/0
Router1#

Router3#sh ip osp neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.1.1         1   FULL/DR         00:00:32    136.1.13.1      FastEthernet0/1
150.1.2.2         1   FULL/DR         00:00:39    136.1.23.2      FastEthernet0/0

Router2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:38    136.1.23.3      FastEthernet0/0
Router2#

! – Whether authentication has been enabled at the global (per-area) level can be determined with the command show ip ospf:

Router3#sh ip ospf | se area
Supports area transit capability
It is an area border router
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Number of areas transit capable is 0
Number of interfaces in this area is 1
Number of interfaces in this area is 3 (1 loopback)
Router3#

##### Theory #####

On R1 and R2, OSPF authentication is configured at the interface level; on R3 it is configured globally under the OSPF process, per area, and the interfaces are placed into the corresponding areas. When OSPF authentication is enabled under the global process for an area, it applies to all interfaces in that area: here every interface in area 0 runs clear-text authentication and every interface in area 1 runs MD5 authentication. When OSPF authentication is enabled at the interface level, it overrides the global (area) setting, but only for that particular interface. The authentication key itself, however, is always configured at the interface level.
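The precedence rule above can be modelled directly. This added example (not part of the original post) resolves the effective authentication type of each interface from the area-level and interface-level settings in the configs above, then checks whether each link in the R1 – R3 – R2 chain agrees on type and key; the area assigned to Vlan11 is an assumption, since the page does not state it.

```python
# Model of the IOS precedence rules described above: the area-level setting
# ("area N authentication [message-digest]") applies to every interface in that
# area unless the interface carries its own "ip ospf authentication ..." line,
# which overrides it for that interface only. Keys always live on the interface.
NULL, SIMPLE, MD5 = 0, 1, 2          # OSPF AuType values, as in the debug output
NAMES = {NULL: "null", SIMPLE: "clear-text", MD5: "MD5"}

def effective_auth(area_auth, intf_auth):
    """Resolve the authentication type an interface actually runs."""
    if intf_auth is not None:        # interface-level command wins
        return intf_auth
    return area_auth if area_auth is not None else NULL

def resolve_router(router):
    """router = {"areas": {area: auth_or_None}, "interfaces": {name: (area, intf_auth, key)}}"""
    resolved = {}
    for name, (area, intf_auth, key) in router["interfaces"].items():
        resolved[name] = (effective_auth(router["areas"].get(area), intf_auth), key)
    return resolved

def can_form_adjacency(side_a, side_b):
    """Both ends must agree on AuType and, for non-null types, on the key."""
    (type_a, key_a), (type_b, key_b) = side_a, side_b
    if type_a != type_b:
        return False, f"type mismatch: {NAMES[type_a]} vs {NAMES[type_b]}"
    if type_a != NULL and key_a != key_b:
        return False, f"{NAMES[type_a]} key mismatch"
    return True, "ok"

# This page's topology: R1 and R2 set authentication per interface, R3 per area
# with a null override on Vlan11. Keys are the ones shown in the configs above;
# the area of Vlan11 is an assumption, the page does not state it.
R1 = {"areas": {}, "interfaces": {"Fa0/0": (0, SIMPLE, "CLEARTXT")}}
R2 = {"areas": {}, "interfaces": {"Fa0/0": (1, MD5, "MD5MD5")}}
R3 = {"areas": {0: SIMPLE, 1: MD5},
      "interfaces": {"Fa0/1": (0, None, "CLEARTXT"),
                     "Fa0/0": (1, None, "MD5MD5"),
                     "Vlan11": (0, NULL, None)}}

def check_topology():
    """Return per-link adjacency verdicts for the R1 - R3 - R2 chain."""
    r1, r2, r3 = resolve_router(R1), resolve_router(R2), resolve_router(R3)
    return {"R1-R3": can_form_adjacency(r1["Fa0/0"], r3["Fa0/1"]),
            "R3-R2": can_form_adjacency(r3["Fa0/0"], r2["Fa0/0"])}

if __name__ == "__main__":
    for link, (ok, why) in check_topology().items():
        print(link, "FULL" if ok else "DOWN", why)
```

Changing R3's Fa0/1 entry to `(0, MD5, "MD5MD5")` reproduces the type-mismatch case discussed in the debug section, and changing only the key reproduces the key-mismatch case.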

########################################################################################
