- Define a key chain > key > key-string.
- Reference the key-chain under the interface configuration.
```
key chain RIPkey
 key 0
  key-string cisco123
!
interface fa0/0
 ip rip authentication key-chain RIPkey
 ip rip authentication mode [md5 | text]
```

```
show ip route rip
debug ip rip
```
Cisco Doc Link: Technology > IP > IP Routing > Routing Information Protocol (RIP) > Sample Configuration for Authentication in RIPv2 > Configurations
- Key chains aren’t used in OSPF authentication.
- Interface level configuration – you have more control as to which neighbor needs to be authenticated and by which type of authentication.
- Router level configuration – all the neighbors in an area must be authenticated with the specified type of authentication.
- ip ospf authentication-key – truncates the key to 8 characters.
- If multiple neighbors in the same subnet are authenticated with MD5, you have to use a different key ID for each neighbor on the router that has adjacencies to multiple neighbors.
- Interface-level authentication type is preferred over router-level authentication type, if both are specified.
- The authentication types, as seen in the debug output, are:
  - aut0 – no authentication
  - aut1 – plain-text
  - aut2 – md5
```
interface fa0/0
 ip ospf authentication [message-digest | null]
 ip ospf authentication-key cisco123
 ! use for md5 auth
 ip ospf message-digest-key 1 md5 cisco123strong
```

OR

```
router ospf 1
 area 0 authentication [message-digest]
!
interface fa0/0
 ip ospf authentication-key cisco123
 ! use for md5 auth
 ip ospf message-digest-key 1 md5 cisco123strong
```

```
show ip route ospf
debug ip ospf packet
```
Cisco Doc Link: Technology > IP > IP Routing > Sample Configuration for Authentication in OSPF > Configure
- EIGRP uses key chains.
- Interface level configuration only.
- You can configure two keys in a key chain with different validity periods so that when one expires the other one takes over.
- Make sure the time is synchronized between the neighbors.
```
key chain KEY1
 key 1
  key-string cisco123key
  accept-lifetime 18:00:00 Jan 1 2014 18:00:00 Jan 30 2014
  send-lifetime 18:00:00 Jan 1 2014 18:00:00 Jan 30 2014
 key 2
  key-string cisco321key
  accept-lifetime 17:00:00 Jan 30 2014 infinite
  send-lifetime 17:00:00 Jan 30 2014 infinite
!
interface FastEthernet0/0
 ip address 220.127.116.11 255.255.255.0
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 KEY1
```

```
show ip eigrp neighbors
debug ip eigrp packets
```
Cisco Doc Link: Technology > IP > IP Routing > Enhanced Interior Gateway Routing Protocol (EIGRP) > EIGRP Message Authentication Configuration Example > Configure EIGRP Message Authentication
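Key rollover only works if consecutive keys' lifetimes overlap and the neighbors' clocks agree to within that overlap. The following Python script is an added example, not part of the original notes or of Cisco's documentation; it parses a key chain and reports the margin at each handover. The function names `parse_key_chain` and `handover_margins` are hypothetical, and only the lifetime format shown on this page is handled.

```python
import re
from datetime import datetime

# Constructed sample: the key chain from the EIGRP configuration on this page.
SAMPLE = """\
key chain KEY1
 key 1
  key-string cisco123key
  accept-lifetime 18:00:00 Jan 1 2014 18:00:00 Jan 30 2014
  send-lifetime 18:00:00 Jan 1 2014 18:00:00 Jan 30 2014
 key 2
  key-string cisco321key
  accept-lifetime 17:00:00 Jan 30 2014 infinite
  send-lifetime 17:00:00 Jan 30 2014 infinite
"""

# Assumption: only the "hh:mm:ss Mon D YYYY" lifetime form used on this page is parsed.
STAMP = r"(\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4})"
LIFETIME = re.compile(rf"^\s*(accept|send)-lifetime {STAMP} (?:{STAMP}|infinite)\s*$")
FMT = "%H:%M:%S %b %d %Y"

def parse_key_chain(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*key (\d+)\s*$", line)
        if m:
            current = keys.setdefault(int(m.group(1)), {})
            continue
        m = LIFETIME.match(line)
        if m and current is not None:
            start = datetime.strptime(m.group(2), FMT)
            end = datetime.strptime(m.group(3), FMT) if m.group(3) else datetime.max
            current[m.group(1)] = (start, end)
    return keys

def handover_margins(keys, kind):
    """Per key handover: how long validity overlaps (negative value = gap)."""
    windows = sorted(k[kind] for k in keys.values() if kind in k)
    margins = []
    covered_until = windows[0][1] if windows else None
    for start, end in windows[1:]:
        margins.append(covered_until - start)
        covered_until = max(covered_until, end)
    return margins

if __name__ == "__main__":
    for kind in ("send", "accept"):
        print(kind, [str(m) for m in handover_margins(parse_key_chain(SAMPLE), kind)])
```

For the key chain on this page both margins are one hour, so the neighbors' clocks must agree to well within an hour at the handover; a negative margin means a period with no valid key.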
- Only a password needs to be set for the ‘neighbor’.
```
neighbor 18.104.22.168 password ciscoBGPpass
```
Cisco Doc Link: Technology > IP > IP Routing > Border Gateway Protocol (BGP) > MD5 Authentication Between BGP Peers Configuration Example > Configurations