EIGRP Authentication

EIGRP only supports Message Digest 5 (MD5) authentication, which prevents malicious or incorrect routing information from being introduced into the routing table of a router.

Configuration overview:

To configure EIGRP authentication, the keys used in the authentication process have to be configured and attached to an interface, along with MD5 as the authentication mode. A neighbor on that interface does not form an adjacency unless it passes the authentication process. The steps are:

  1. Create a key chain and key
  2. Configure the key chain on the interface
  3. Enable MD5 authentication (the key/password) on the interface

Prerequisites

Requirements:

  • The time must be configured properly on all routers. Refer to Configuring NTP by Cisco.
  • A working EIGRP configuration is recommended.
  • Make sure that all the interfaces are in their default condition.

Routing protocols use two types of authentication:

  • Simple password authentication (also called plain text authentication): supported by Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Routing Information Protocol Version 2 (RIPv2)
  • MD5 authentication: supported by OSPF, RIPv2, BGP, and EIGRP

SUMMARY STEPS IN A NUTSHELL

1. enable
2. configure terminal
3. interface type number
4. no switchport
5. ip authentication mode eigrp autonomous-system md5
6. ip authentication key-chain eigrp autonomous-system key-chain
7. exit
8. key chain name-of-chain
9. key key-id
10. key-string text
11. accept-lifetime start-time {infinite | end-time | duration seconds}
12. send-lifetime start-time {infinite | end-time | duration seconds}
13. end


  1. The creation of a key chain and key
    • First, configure the key chain in global configuration mode.
    • Under the key chain, configure the key number.
      • The key number must match on both routers.
      • If multiple keys are present, the router chooses the lowest key number.
    • Then issue the authentication string (password) with key-string.

    Example:
    Router#configure terminal
    Router(config)#key chain mykey                 // configure a key chain named mykey
    Router(config-keychain)#key 1                  // specify the key number
    Router(config-keychain-key)#key-string cisco   // specify the authentication string for the key
    Router(config-keychain-key)#end

  2. Configuring the key chain on the interface
    • Enable authentication for EIGRP packets and specify the set of keys to be used on an interface:

    Example:
    ip authentication key-chain eigrp <as-number> <key-chain>

  3. Enable the key (password) on the interface
    • Specify MD5 as the type of authentication to be used for EIGRP packets:

    Example:
    ip authentication mode eigrp <as-number> md5


Configuring EIGRP authentication for IPv4:

Router(config)#interface fa0/0
Router(config-if)#ip authentication mode eigrp 1 md5
Router(config-if)#ip authentication key-chain eigrp 1 mykey
Router(config-if)#end

Configuring EIGRP authentication for IPv6:

Router(config)#interface fa0/0
Router(config-if)#ipv6 authentication mode eigrp 1 md5
Router(config-if)#ipv6 authentication key-chain eigrp 1 mykey
Router(config-if)#end

Accept-lifetime and Send-lifetime

Optionally, you can configure key management to migrate automatically from one authentication key to another by configuring the following commands in key-chain key configuration mode:

1) accept-lifetime <start-time> {infinite | end-time | duration seconds}
2) send-lifetime <start-time> {infinite | end-time | duration seconds}

One of the biggest problems with this sort of authentication system is that changing the keys can break EIGRP neighborships in your network. The following example shows a way around this problem: by configuring timed keys, you can roll out a new key throughout your network without disrupting service:

Example:
Router(config)#key chain mykey
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string abc
Router(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2012 00:15:00 Nov 1 2012
Router(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2012 00:00:00 Nov 1 2012
Router(config-keychain-key)#key 2
Router(config-keychain-key)#key-string abc@123
Router(config-keychain-key)#accept-lifetime 23:45:00 Oct 31 2012 infinite
Router(config-keychain-key)#send-lifetime 00:00:00 Nov 1 2012 infinite
Router(config-keychain-key)#end

In the above case, this router will accept the original key string, abc, until 12:15 AM on November 1, 2012. It will send this same key string until 12:00 AM on the same date. And it will start accepting the new key string, abc@123, at 11:45 PM on October 31, 2012. In this way, there is a safe 30-minute transition period that you can configure in advance throughout the network. Then, the next day or whenever it is convenient, you can remove the configuration for the old key string on all the affected routers. This process is very dependent on synchronized clocks between routers.
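The rollover logic above, as an added Python model that is not part of this page or of Cisco IOS: it encodes the example key chain, picks the send key the way the page describes (lowest valid key number), and walks the transition window to flag any instant at which a router would send a key that a neighbour running the same chain would not accept. The lifetime boundary rule (start inclusive, end exclusive) and the 5-minute step are assumptions.

```python
from datetime import datetime, timedelta

# Constructed key chain mirroring the rollover example on this page
# (key 1 "abc", key 2 "abc@123"); times are router-local as in the CLI.
INFINITE = datetime.max

def t(s):
    """Parse an IOS-style lifetime timestamp such as '00:15:00 Nov 01 2012'."""
    return datetime.strptime(s, "%H:%M:%S %b %d %Y")

KEY_CHAIN = [
    {"id": 1, "key_string": "abc",
     "accept": (t("00:00:00 Jan 01 2012"), t("00:15:00 Nov 01 2012")),
     "send":   (t("00:00:00 Jan 01 2012"), t("00:00:00 Nov 01 2012"))},
    {"id": 2, "key_string": "abc@123",
     "accept": (t("23:45:00 Oct 31 2012"), INFINITE),
     "send":   (t("00:00:00 Nov 01 2012"), INFINITE)},
]

def active(window, now):
    """Lifetime check; start inclusive, end exclusive (assumed boundary rule)."""
    start, end = window
    return start <= now < end

def send_key(chain, now):
    """The router signs with the lowest-numbered key whose send-lifetime is active."""
    valid = [k for k in chain if active(k["send"], now)]
    return min(valid, key=lambda k: k["id"]) if valid else None

def accepted_ids(chain, now):
    """Key numbers a router running this chain will accept from a neighbour."""
    return {k["id"] for k in chain if active(k["accept"], now)}

def rollover_gaps(chain, start, end, step=timedelta(minutes=5)):
    """Walk the transition window and collect every instant at which this router
    has no send key, or sends a key a neighbour with the same chain would reject.
    An empty list means the rollover will not break the EIGRP adjacency."""
    gaps, now = [], start
    while now <= end:
        k = send_key(chain, now)
        if k is None or k["id"] not in accepted_ids(chain, now):
            gaps.append(now)
        now += step
    return gaps

def lint_key_strings(chain):
    """Key numbers whose key-string carries leading/trailing whitespace, which IOS
    keeps as part of the key and which makes authentication fail on the peer."""
    return [k["id"] for k in chain if k["key_string"] != k["key_string"].strip()]
```

Run rollover_gaps over a proposed chain before pushing it to the network; a non-empty result pinpoints the minutes at which adjacencies would drop.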


Verification commands

1) Key chain configuration verification:
Router#sh key chain

2) In a key-string, whitespace counts as a character, which can lead to a key mismatch between routers. Check the configured strings with:
Router#sh run | sec key chain
Router#sh key chain

3) When authentication fails, EIGRP simply ignores the routing updates; you can see this in the debug trace from:
Router#debug eigrp packet
