Configuring EIGRP

Configuring EIGRP Authentication

Router Authentication

• Many routing protocols support authentication such that a router

authenticates the source of each routing update packet that it receives.
• Simple password authentication is supported by:
– IS-IS
– OSPF
– RIPv2
• MD5 authentication is supported by:
– OSPF
– RIPv2
– BGP
– EIGRP
Simple Password vs. MD5 Authentication

• Simple password authentication:

– Router sends packet and key.
– Neighbor checks whether key matches its key.
– Process not secure.
• MD5 authentication:
– Configure a key (password) and key ID; router generates a
message digest, or hash, of the key, key ID and message.
– Message digest is sent with packet; key is not sent.
– Process OS secure.
EIGRP MD5 Authentication

• EIGRP supports MD5 authentication.

• Router generates and checks every EIGRP packet. Router
authenticates the source of each routing update packet that
it receives.
• Configure a key (password) and key ID; each participating
neighbor must have same key configured.
MD5 Authentication

EIGRP MD5 authentication:

• Router generates a message digest, or hash, of the key,
key ID, and message.
• EIGRP allows keys to be managed using key chains.
• Specify key ID (number), key, and lifetime of key.
• First valid activated key, in order of key numbers, is used.
Configuring EIGRP MD5 Authentication

Router(config-if)#
ip authentication mode eigrp autonomous-system md5

• Specifies MD5 authentication for EIGRP packets

Router(config-if)#
ip authentication key-chain eigrp autonomous-system
name-of-chain

• Enables authentication of EIGRP packets using key in the

keychain
Configuring EIGRP MD5 Authentication
(Cont.)

Router(config)#
key chain name-of-chain

• Enters configuration mode for the keychain

Router(config-keychain)#
key key-id

• Identifies key and enters configuration mode for the keyid

Configuring EIGRP MD5 Authentication
(Cont.)

Router(config-keychain-key)#
key-string text

• Identifies key string (password)

Router(config-keychain-key)#
accept-lifetime start-time {infinite | end-time | duration
seconds}

• Optional: Specifies when key will be accepted for received

packets
Router(config-keychain-key)#
send-lifetime start-time {infinite | end-time | duration
seconds}

• Optional: Specifies when key can be used for sending packets

Example MD5 Authentication Configuration
R1 Configuration for MD5 Authentication
<output omitted>
key chain R1chain
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.101 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.1.0
auto-summary
R2 Configuration for MD5 Authentication
<output omitted>
key chain R2chain
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.102 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
network 172.17.2.0 0.0.0.255
network 192.168.1.0
auto-summary
 Verifying MD5 Authentication
R1#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor
192.168.1.102 (Serial0/0/1) is up: new adjacency

R1#show ip eigrp neighbors

IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.1.102 Se0/0/1 12 00:03:10 17 2280 0 14
R1#show ip route
<output omitted>
Gateway of last resort is not set
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:31:31, Null0
C 172.16.1.0/24 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.96/27 is directly connected, Serial0/0/1
D 192.168.1.0/24 is a summary, 00:31:31, Null0
R1#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
 Troubleshooting MD5 Authentication

R1#debug eigrp packets

EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 pe
erQ un/rely 0/0

R2#debug eigrp packets

EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 pe
erQ un/rely 0/0
 Troubleshooting MD5 Authentication
Problem
MD5 authentication on both R1 and R2, but R1 key 2 (that it uses when
sending) changed
R1(config-if)#key chain R1chain
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string wrongkey

R2#debug eigrp packets

EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
R2#
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opc
ode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Jan 21 16:50:18.749: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101
(Serial0/0/1) is down: Auth failure

R2#show ip eigrp neighbors

IP-EIGRP neighbors for process 100
R2#
Summary

• There are two types of router authentication: simple password

and MD5.
• When EIGRP authentication is configured, the router generates
and checks every EIGRP packet and authenticates the source of
each routing update packet that it receives. EIGRP supports MD5
authentication.
• To configure MD5 authentication, use the ip authentication mode
eigrp and ip authentication key-chain interface commands. The key
chain must also be configured, starting with the key chain
command.
• Use debug eigrp packets to verify and troubleshoot MD5
authentication.