EIGRP Authentication

An EIGRP-enabled router may have authentication configured. Two routers must agree on the authentication settings (the same key ID carrying the same key string) for them to form an adjacency.



An EIGRP-enabled router may have more than one key for authentication. This exists to make key rollover manageable. If, for example, you later decide it is time to change the EIGRP authentication password, you do not have to reconfigure every EIGRP router at exactly the same moment so that they all share the same key.



Keys in EIGRP can be given a start and an end date for validity. Usually you allow a short window (an hour to a day) during which both the old key and the new key are usable, so two keys are valid at the same time. Say your old key expires on Dec 1st 2010; you would then configure the new key to become valid on Nov 30th 2010. That overlap gives you an error buffer: if some problem prevents a few EIGRP routers from being updated in time, they keep authenticating with the old key until it expires. Because these lifetimes are evaluated against each router's own clock, keep the routers time-synchronized (for example with NTP), otherwise a skewed clock will expire or activate a key at the wrong moment and the adjacency will drop.





To configure authentication in EIGRP, you must first create a key chain in global configuration mode:


key chain WORD


WORD: the name of the key chain, for example key chain EIGRPAuth


After entering the above command you are in key-chain configuration mode. Here you can define as many keys as you like with the command


key NUMBER


NUMBER: a numeric key ID that identifies the key. The ID is carried in the EIGRP packet, so the same number must refer to the same key on every router.


After entering that command you are in key configuration mode. Here you specify the key string (the actual password of the key), the send-lifetime and the accept-lifetime. The send-lifetime is the period during which this router will use the key to authenticate the packets it sends; the accept-lifetime is the period during which this router will accept packets authenticated with that key.


The commands are


key-string WORD


accept-lifetime HH:MM:SS MONTH DATE YEAR HH:MM:SS MONTH DATE YEAR


send-lifetime HH:MM:SS MONTH DATE YEAR HH:MM:SS MONTH DATE YEAR



The first HH:MM:SS MONTH DATE YEAR is the start time and the second is the end time. Instead of an end time you can give the keyword infinite (the key never expires) or duration SECONDS. A key with no lifetime configured is treated as always valid.


A complete key chain configuration, as it appears in the running-configuration, looks like this:


key chain EIGRPAuth
 key 1
  key-string student
  accept-lifetime 12:00:00 Jan 1 2010 12:00:00 Jan 2 2011
  send-lifetime 12:00:00 Jan 1 2010 12:00:00 Jan 2 2011
 key 2
  key-string cisco
  accept-lifetime 12:00:00 Jan 1 2010 12:00:00 Jan 2 2011
  send-lifetime 12:00:00 Jan 1 2010 12:00:00 Jan 2 2011



You must create the same key chain configuration on the other EIGRP routers too. To avoid setting wrong lifetimes and ending up with chaos because of mismatched keys, copy the key chain section from this router's running-configuration and paste it into the others. Note that key-string values appear in the running-configuration in clear text unless service password-encryption is configured, so treat that output as sensitive.


After creating the key chain, you enable authentication on a per-interface basis. The commands are


ip authentication mode eigrp AS-NUMBER md5


This command turns on EIGRP authentication on the interface. In classic (autonomous-system) EIGRP configuration md5 is the only mode available; the mode keyword exists because named EIGRP mode (address-family configuration on newer IOS releases) also offers hmac-sha-256.


The next step is to specify which key chain to use for authentication. The command is


ip authentication key-chain eigrp AS-NUMBER WORD


WORD: the name of the key chain.



You must configure authentication on both routers. If one of them is not using authentication, or uses a different key, the neighbor adjacency will not form, and an existing adjacency goes down as soon as its hellos stop authenticating.


The key used for sending is the first valid key in ascending order of key ID, that is, the lowest-numbered key whose send-lifetime includes the current time. If key 1 is no longer valid for sending, key 2 is used instead.


The receiving router looks the key up by the key ID carried in the packet, not by the key string, and then verifies the MD5 digest with the key string stored under that ID (provided the key's accept-lifetime includes the current time). So the key ID sent must exist on the peer with the same key string.
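As an added worked example (not from the original post), here is a complete rollover configuration for two routers, R1 and R2, that puts the overlapping lifetimes and the per-interface commands above together. The interface, the IP addresses, AS number 100, the NTP server and the key strings are assumptions for illustration. Key 1 (the old key) stops being sent and accepted on Dec 1st 2010; key 2 (the new key) becomes usable on Nov 30th 2010 and never expires. Because the lowest valid key ID is sent, both routers keep sending key 1 during the one-day overlap, so a router that has not been updated yet still authenticates; after Dec 1st they switch to key 2.

```ios
! Added example, not from the original post. Identical on R1 and R2 except for
! the interface IP address. AS number, addresses, NTP server and key strings
! are assumed values for illustration.
!
! Lifetimes are checked against the local clock, so synchronize it first.
ntp server 192.0.2.10
!
key chain EIGRPAuth
 key 1
  key-string oldkey2010
  accept-lifetime 00:00:00 Jan 1 2010 00:00:00 Dec 1 2010
  send-lifetime 00:00:00 Jan 1 2010 00:00:00 Dec 1 2010
 key 2
  key-string newkey2011
  accept-lifetime 00:00:00 Nov 30 2010 infinite
  send-lifetime 00:00:00 Nov 30 2010 infinite
!
router eigrp 100
 network 10.1.12.0 0.0.0.255
!
! On R2 use 10.1.12.2 for the interface address.
interface GigabitEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRPAuth
!
! Verification, run on both routers:
!   show key chain          lists each key with its lifetimes and marks the ones valid now
!   show ip eigrp neighbors the adjacency should be listed on both sides
!   debug eigrp packets     shows the key id used and packets ignored for authentication
end
```

Paste the key chain block unchanged into every router; the only per-router difference is the interface address. If the adjacency drops on Dec 1st, a router still sending key 1 is one whose key chain was not updated, which `show key chain` on that router will make obvious.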



