Monday, July 26, 2010


As in my previous post, the way authentication is applied varies by protocol: EIGRP, OSPF, IS-IS, and BGP.

EIGRP
Supports MD5/Plain text
Applied to the interface that connects to the neighbour, must be the same at each side.

Configure by doing:
R1(config)#int s0/0
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#ip authentication key-chain eigrp 1 EIGRP_AUTH
R1(config)#key chain EIGRP_AUTH
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string P@ssw0rd

OSPF
Applied on the interface
Can be MD5/Plain text
Configure the same authentication on all neighbors

Configure plain text:
R1(config)#int s0/0
R1(config-if)#ip ospf authentication*
R1(config-if)#ip ospf authentication-key P@ssw0rd
  * This command, without any keywords, configures authentication in plain text

Configure MD5 authentication:
R1(config)#int s0/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 1 md5 P@ssw0rd

IS-IS
Offers 2 layers of authentication
i) Area-Password - between Level1 routers
ii) Domain-Password - between Level2 routers

Can be plain text or MD5 (out of scope of BSCI though)
Apply the cmd on all routers within the area or domain (for Level2)

Configure Level1 plain text authentication by:
R1(config)#router isis
R1(config-router)#area-password P@ssW0rd

Configure Level2 plain text authentication by:
R2(config)#router isis
R2(config-router)#domain-password P@ssw0rd

Protect specific links by applying the authentication on the interface:
R2(config)#int s0/0
R2(config-if)#isis password P@ssw0rd level-2*
 * State the router level the authentication applies to; the default is level 1

BGP
Uses MD5 authentication
Must be configured on each side of the neighbor relationship, otherwise the connection is not made

Configure authentication by:
R4(config)#router bgp 100
R4(config-router)#neighbor <neighbor-ip-address> password P@ssw0rd
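
To check these settings on an existing router, the following added example (not part of the original post) audits a saved running-config for the plain-text OSPF and IS-IS forms shown above and for BGP neighbors that have no password. The sample config, its documentation-range addresses and the function names are constructed for illustration, and peer-group inheritance is not resolved.

```python
import re

# Constructed sample running-config; addresses are documentation-range placeholders.
SAMPLE_CONFIG = """\
interface Serial0/1
 ip ospf authentication
 ip ospf authentication-key P@ssw0rd
!
interface Serial0/2
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 P@ssw0rd
 isis password P@ssw0rd level-2
!
router isis
 area-password P@ssw0rd
!
router bgp 100
 neighbor 192.0.2.1 remote-as 200
 neighbor 192.0.2.1 password P@ssw0rd
 neighbor 192.0.2.2 remote-as 300
"""

def split_sections(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            sections[current] = []
    return sections

def audit(config):
    """Return (section, finding) pairs for plain-text or missing authentication."""
    findings = []
    for header, body in split_sections(config).items():
        if "ip ospf authentication" in body:  # bare form, no keyword = plain text
            findings.append((header, "OSPF plain-text authentication"))
        for cmd in body:
            if re.match(r"(isis password|area-password|domain-password) ", cmd):
                findings.append((header, "IS-IS plain-text password"))
        if header.startswith("router bgp "):
            peers = {c.split()[1] for c in body if re.match(r"neighbor \S+ remote-as ", c)}
            authed = {c.split()[1] for c in body if re.match(r"neighbor \S+ password ", c)}
            findings += [(header, f"BGP neighbor {p} has no password")
                         for p in sorted(peers - authed)]
    return findings

print(*audit(SAMPLE_CONFIG), sep="\n")
```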
