© 2006 Cisco Systems, Inc. All rights reserved. BSCI v
Configuring EIGRP: Configuring EIGRP Authentication
Router Authentication
Many routing protocols support authentication such that a router authenticates the source of each routing update packet that it receives.
Simple password authentication is supported by:
– IS-IS
– OSPF
– RIPv2
MD5 authentication is supported by:
– OSPF
– RIPv2
– BGP
– EIGRP
Simple Password vs. MD5 Authentication
Simple password authentication:
– Router sends the packet and the key.
– Neighbor checks whether the key matches its own key.
– Process is not secure (the key travels in clear text).
MD5 authentication:
– Configure a key (password) and key ID; the router generates a message digest, or hash, of the key, key ID and message.
– Message digest is sent with the packet; the key is not sent.
– Process is secure.
EIGRP MD5 Authentication
– EIGRP supports MD5 authentication.
– Router generates and checks every EIGRP packet.
– Router authenticates the source of each routing update packet that it receives.
– Configure a key (password) and key ID; each participating neighbor must have the same key configured.
MD5 Authentication
EIGRP MD5 authentication:
– Router generates a message digest, or hash, of the key, key ID, and message.
– EIGRP allows keys to be managed using key chains.
– Specify key ID (number), key, and lifetime of key.
– First valid activated key, in order of key numbers, is used.
Configuring EIGRP MD5 Authentication
Router(config-if)# ip authentication mode eigrp autonomous-system md5
– Specifies MD5 authentication for EIGRP packets
Router(config-if)# ip authentication key-chain eigrp autonomous-system name-of-chain
– Enables authentication of EIGRP packets using a key in the key chain
Configuring EIGRP MD5 Authentication (Cont.)
Router(config)# key chain name-of-chain
– Enters configuration mode for the key chain
Router(config-keychain)# key key-id
– Identifies the key and enters configuration mode for the key ID
Configuring EIGRP MD5 Authentication (Cont.)
Router(config-keychain-key)# key-string text
– Identifies the key string (password)
Router(config-keychain-key)# accept-lifetime start-time {infinite | end-time | duration seconds}
– Optional: Specifies when the key will be accepted for received packets
Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}
– Optional: Specifies when the key can be used for sending packets
Example MD5 Authentication Configuration
R1 Configuration for MD5 Authentication
key chain R1chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan infinite
  send-lifetime 04:00:00 Jan :01:00 Jan
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan infinite
  send-lifetime 04:00:00 Jan infinite
interface FastEthernet0/0
 ip address
!
interface Serial0/0/1
 bandwidth 64
 ip address
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
 network
 network
 auto-summary
R2 Configuration for MD5 Authentication
key chain R2chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan infinite
  send-lifetime 04:00:00 Jan infinite
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan infinite
  send-lifetime 04:00:00 Jan infinite
interface FastEthernet0/0
 ip address
!
interface Serial0/0/1
 bandwidth 64
 ip address
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
 network
 network
 auto-summary
Verifying MD5 Authentication
R1#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor (Serial0/0/1) is up: new adjacency
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address   Interface   Hold Uptime   SRTT   RTO   Q    Seq
                          (sec)         (ms)         Cnt  Num
    Se0/0/   :03:
R1#show ip route
Gateway of last resort is not set
D /16 [90/ ] via , 00:02:22, Serial0/0/
/16 is variably subnetted, 2 subnets, 2 masks
D /16 is a summary, 00:31:31, Null0
C /24 is directly connected, FastEthernet0/
/24 is variably subnetted, 2 subnets, 2 masks
C /27 is directly connected, Serial0/0/1
D /24 is a summary, 00:31:31, Null0
R1#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
Troubleshooting MD5 Authentication
R1#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr
*Jan 21 16:38:51.745:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr
*Jan 21 16:38:38.321:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Troubleshooting MD5 Authentication Problem
R1(config-if)#key chain R1chain
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string wrongkey
R2#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from , opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Jan 21 16:50:18.749:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor (Serial0/0/1) is down: Auth failure
R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R2#
MD5 authentication is configured on both R1 and R2, but R1's key 2 (the key it uses when sending) has been changed.
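The key-chain rules on the earlier slides (first valid activated key in order of key numbers, separate accept-lifetime and send-lifetime), the R1/R2 example configuration and the "authentication mismatch" failure above can be tied together in a small simulation. The following Python is an added example written for this page, not Cisco code and not the IOS packet format: the digest is simply an MD5 hash over key ID, key string and message as the slides describe, the byte layout is a hypothetical one chosen for illustration, and the dates (T0, T_KEY1_SEND_END, BEFORE_ROLLOVER, AFTER_ROLLOVER) are constructed stand-ins for the slide's partly elided lifetimes.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

INFINITE = datetime.max  # stands in for the IOS "infinite" keyword


@dataclass
class Key:
    key_id: int
    key_string: str
    accept_lifetime: Tuple[datetime, datetime]  # when received packets using it are accepted
    send_lifetime: Tuple[datetime, datetime]    # when it may be used for sending

    def accepts_at(self, now: datetime) -> bool:
        start, end = self.accept_lifetime
        return start <= now <= end

    def sends_at(self, now: datetime) -> bool:
        start, end = self.send_lifetime
        return start <= now <= end


class KeyChain:
    def __init__(self, name: str, keys: List[Key]):
        self.name = name
        # the first valid activated key in order of key numbers is used, so keep them sorted
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: datetime) -> Optional[Key]:
        for k in self.keys:
            if k.sends_at(now):
                return k
        return None

    def find(self, key_id: int) -> Optional[Key]:
        for k in self.keys:
            if k.key_id == key_id:
                return k
        return None


def digest(key_id: int, key_string: str, message: bytes) -> str:
    # Hash of key ID, key string and message, as the slides describe; only the
    # digest and the key ID travel with the packet, never the key string.
    # (Hypothetical byte layout, not the real IOS packet format.)
    h = hashlib.md5()
    h.update(key_id.to_bytes(4, "big"))
    h.update(key_string.encode())
    h.update(message)
    return h.hexdigest()


def build_packet(chain: KeyChain, message: bytes, now: datetime) -> dict:
    k = chain.send_key(now)
    if k is None:
        raise RuntimeError(f"{chain.name}: no key is within its send-lifetime")
    return {"key_id": k.key_id,
            "digest": digest(k.key_id, k.key_string, message),
            "message": message}


def verify_packet(chain: KeyChain, packet: dict, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason); the reasons echo the debug eigrp packets lines."""
    k = chain.find(packet["key_id"])
    if k is None or not k.accepts_at(now):
        return False, f"pkt key id = {packet['key_id']}, no key in accept-lifetime"
    expected = digest(k.key_id, k.key_string, packet["message"])
    if not hmac.compare_digest(expected, packet["digest"]):
        return False, f"pkt key id = {k.key_id}, authentication mismatch"
    return True, f"received packet with MD5 authentication, key id = {k.key_id}"


# Constructed timeline; the slide's own dates are partly elided
T0 = datetime(2006, 1, 1, 4, 0, 0)               # both keys become active
T_KEY1_SEND_END = datetime(2006, 1, 31, 4, 1, 0)  # R1 stops sending with key 1
BEFORE_ROLLOVER = datetime(2006, 1, 15)
AFTER_ROLLOVER = datetime(2006, 2, 15)


def make_r1_chain(key2_string: str = "secondkey") -> KeyChain:
    return KeyChain("R1chain", [
        Key(1, "firstkey", (T0, INFINITE), (T0, T_KEY1_SEND_END)),
        Key(2, key2_string, (T0, INFINITE), (T0, INFINITE)),
    ])


def make_r2_chain() -> KeyChain:
    return KeyChain("R2chain", [
        Key(1, "firstkey", (T0, INFINITE), (T0, INFINITE)),
        Key(2, "secondkey", (T0, INFINITE), (T0, INFINITE)),
    ])


def exchange(sender: KeyChain, receiver: KeyChain, now: datetime) -> Tuple[int, bool, str]:
    """One HELLO from sender to receiver: (key id used, accepted, reason)."""
    pkt = build_packet(sender, b"HELLO", now)
    ok, reason = verify_packet(receiver, pkt, now)
    return pkt["key_id"], ok, reason


if __name__ == "__main__":
    print(exchange(make_r1_chain(), make_r2_chain(), BEFORE_ROLLOVER))          # key 1 accepted
    print(exchange(make_r1_chain(), make_r2_chain(), AFTER_ROLLOVER))           # key 2 accepted
    print(exchange(make_r1_chain("wrongkey"), make_r2_chain(), AFTER_ROLLOVER))  # mismatch
```

Running it shows why the slide's R1 configuration rolls over cleanly: R1 sends with key 1 until its send-lifetime ends, then with key 2, and R2 accepts both because its accept-lifetimes are infinite. Changing R1's key 2 string, as in the troubleshooting slide, produces the same "pkt key id = 2, authentication mismatch" outcome, while R2 still sends with key 1 and R1 still accepts it, which is the one-directional failure the debug output on R2 reflects.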
Summary
– There are two types of router authentication: simple password and MD5.
– When EIGRP authentication is configured, the router generates and checks every EIGRP packet and authenticates the source of each routing update packet that it receives.
– EIGRP supports MD5 authentication.
– To configure MD5 authentication, use the ip authentication mode eigrp and ip authentication key-chain interface commands.
– The key chain must also be configured, starting with the key chain command.
– Use debug eigrp packets to verify and troubleshoot MD5 authentication.