Configuring OSPF neighbor authentication

OSPF has an authenticate neighbor feature. The authentication feature allows the router to form neighbor only with legitimate routers.

Figure OSPF neighbor authentication
Figure OSPF neighbor authentication

This section describes how to configure the OSPF neighbor authentication feature on Cisco routers.

There are two steps to configuring the authentication feature.

  1. Enabling authentication
  2. Configuring authentication passwords

1.Enabling authentication

There are two types of authentication: plaintext passwords and MD5 message digests. There are also three ways to enable authentication.

  • Area
  • interface
  • virtual-link

Enable authentication for an area

When authentication is enabled for an area, all interfaces contained in that area are enabled authentication. To enable authentication for an area, enter the following command in OSPF configuration mode

Enable authentication for an area

(config)#router ospf < process-id >
(config-router)#area < area-id > authentication [message-digest]

< process-id > : OSPF process ID
< area-id > : area ID

Until “authentication”, the authentication is based on plaintext passwords; when “message-digest” is added, the authentication is based on MD5 message digests of passwords.

Note that if you enable authentication in area 0 (the backbone area), authentication will also be enabled on the virtual link.

Enabling authentication for an interface

If authentication is enabled on an interface, authentication will be performed only on that interface. To enable authentication on an interface, enter the following command in interface configuration mode.

Enabling authentication for an interface

(config)#interface < interface-name >
(config-if)#ip ospf authentication [message-digest]

< interface-name > : interface name

As with area-targeted authentication, up to “authentication” is plain-text password authentication, and with “message-digest” is MD5 message-digest password authentication.

Enabling authentication for virtual links

When authentication is enabled on a virtual link, authentication is performed on the virtual link. To enable authentication on the virtual link, enter the following command in OSPF configuration mode

Enabling authentication for virtual links

(config)#router ospf < process-id >
(config-router)#area < area-id > virtual-link < router-id > authentication [message-digest]

< process-id > : OSPF process ID
< area-id > : area ID of virtual-link transit area
< router-id > : Router ID of the router on the other side of the virtual link

Note that if you enable neighbor authentication in Area 0, the authentication will also be enabled in the virtual link. This is because the virtual link is a virtual Area 0 link.

2.Configuring authentication passwords

The authentication password only needs to be configured on the interface where the neighbor exists. It is not necessary to configure the authentication password on interfaces that do not have neighbors. To configure the authentication password, enter the following command in interface configuration mode.

plaintext password

Configuring plaintext passwords

(config)#interface < interface-name >
(config-if)#ip ospf authentication-key < password >

< interface-name > : interface name
< password > : authentication password

Message Digest

Configuring MD5

(config)#interface < interface-name >
(config-if)#ip ospf message-digest-key < key-id > md5 < password >

< interface-name > : interface name
< key-id > : key ID
< password > : authentication password

Message digest authentication requires that neighbors configure the same key ID and password for each other.

Authentication password for virtual link

The virtual link is a virtual OSPF area 0 interface, and its association with the physical interface is not fixed. Therefore, the password for neighbor authentication on the virtual link cannot be configured in the interface configuration mode described above. Please configure it as an option in the virtual link configuration command.

Plain text password(virtual-link)
Plain text password(virtual-link)

(config)#router ospf < process-id >
(config-router)#area < area-id > virtual-link < router-id > authentication-key < password >

< process-id > : OSPF process ID
< area-id > : area ID of virtual-link transit area
< router-id > : Router ID of the router on the other side of the virtual link
< password > : authentication password

Message digest(virtual-link)
Message digest(virtual-link)

(config)#router ospf < process-id >
(config-router)#area < area-id > virtual-link < router-id > message-digest-key < key-id > md5 < password >

< process-id > : OSPFプロセスID
< area-id > : area ID of virtual-link transit area
< router-id > : Router ID of the router on the other side of the virtual link
< key-id > : key ID
< password > : authentication password

Verify OSPF neighbor authentication

The following table summarizes the main commands for verifying OSPF neighbor authentication.

CommandContent
#show ip ospf interfaceYou can see if neighbor authentication is enabled or not.
#show ip ospf neighborIf the authentication configuration is correct, you will be able to establish a neighbor successfully.
Table Main verification commands for OSPF neighbor authentication

How the OSPF works