EIGRP MD5 & SHA-256 Authentication

Last updated: July 7, 2014

A Note On Section Initial Configuration Files: You must load the initial configuration files for the section, named Initial EIGRP, which can be found in CCIE R&S v5 Topology Diagrams & Initial Configurations. Note that R4’s link to VLAN 146 and the link between R2 and R3 are disabled. Reference the Advanced Technology Labs With Addressing Diagram to complete this task.

Task

  • Configure an EIGRP process named MULTI-AF on R1 - R5.
  • Configure EIGRP in Classic Mode on R6 - R10.
  • Use Autonomous System 100 on all devices.
  • Enable EIGRP on all links in the 150.1.0.0/16 and 155.1.0.0/16 networks.
  • Disable EIGRP split-horizon on R5's tunnel interface connecting to the DMVPN network.
  • Configure EIGRP authentication on R6 - R10 as follows:
    • Create a key-chain named MD5_KEYS.
    • Use the key-id 1 and the key-string MD5_PASS.
    • Apply the key-chain for MD5 authentication on all links with EIGRP adjacencies.
  • Configure EIGRP authentication on R1 - R5 as follows:
    • Create an identical key-chain named MD5_KEYS on R1, R3, and R5.
    • Apply the key-chain for MD5 authentication toward their neighbors running EIGRP Classic Mode.
    • R1 - R5 should use the SHA-256 password SHA_KEY on their DMVPN tunnel interfaces.
    • R4 and R5 should use the SHA-256 password SHA_DEFAULT on their VLAN 45 connection, as well as any new interfaces added to the EIGRP process in the future.
  • When complete, all devices should have full IPv4 reachability throughout the network.

Configuration

R1:
key chain MD5_KEYS
 key 1
   key-string MD5_PASS
!
router eigrp MULTI-AF
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface Tunnel0
   authentication mode hmac-sha-256 SHA_KEY
  exit-af-interface
  !
  af-interface GigabitEthernet1.146
   authentication mode md5
   authentication key-chain MD5_KEYS
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family


R2:
router eigrp MULTI-AF
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface Tunnel0
   authentication mode hmac-sha-256 SHA_KEY
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family


R3:
key chain MD5_KEYS
 key 1
   key-string MD5_PASS
!
router eigrp MULTI-AF
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface Tunnel0
   authentication mode hmac-sha-256 SHA_KEY
  exit-af-interface
  !
  af-interface GigabitEthernet1.37
   authentication mode md5
   authentication key-chain MD5_KEYS
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family


R4:
router eigrp MULTI-AF
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   authentication mode hmac-sha-256 SHA_DEFAULT
  exit-af-interface
  !
  af-interface Tunnel0
   authentication mode hmac-sha-256 SHA_KEY
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family


R5:
key chain MD5_KEYS
 key 1
   key-string MD5_PASS
!
router eigrp MULTI-AF
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   authentication mode hmac-sha-256 SHA_DEFAULT
  exit-af-interface
  !
  af-interface Tunnel0
   authentication mode hmac-sha-256 SHA_KEY
   no split-horizon
  exit-af-interface
  !
  af-interface GigabitEthernet1.58
   authentication mode md5
   authentication key-chain MD5_KEYS
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family


R6:
key chain MD5_KEYS
 key 1
  key-string MD5_PASS
!
interface GigabitEthernet1.67
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MD5_KEYS
!
interface GigabitEthernet1.146
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MD5_KEYS
!
router eigrp 100
 network 150.1.0.0 0.0.255.255
 network 155.1.0.0 0.0.255.255


R7:
key chain MD5_KEYS
 key 1
  key-string MD5_PASS
!
interface GigabitEthernet1.37
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MD5_KEYS
!
interface GigabitEthernet1.67
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MD5_KEYS
!
interface GigabitEthernet1.79
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MD5_KEYS
!
router eigrp 100
 network 150.1.0.0 0.0.255.255
 network 155.1.0.0 0.0.255.255


R8:
key chain MD5_KEYS
 key 1
  key-string MD5_PASS
!
interface GigabitEthernet1.58
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MD5_KEYS
!
interface GigabitEthernet1.108
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MD5_KEYS
!
router eigrp 100
 network 150.1.0.0 0.0.255.255
 network 155.1.0.0 0.0.255.255


R9:
key chain MD5_KEYS
 key 1
  key-string MD5_PASS
!
interface GigabitEthernet1.79
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MD5_KEYS
!
router eigrp 100
 network 150.1.0.0 0.0.255.255
 network 155.1.0.0 0.0.255.255


R10:
key chain MD5_KEYS
 key 1
  key-string MD5_PASS
!
interface GigabitEthernet1.108
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MD5_KEYS
!
router eigrp 100
 network 150.1.0.0 0.0.255.255
 network 155.1.0.0 0.0.255.255

Verification

EIGRP supports MD5 authentication in Classic (Autonomous System) Mode, and both MD5 and SHA-256 in Multi-AF (Named) Mode. For MD5 authentication in both Classic and Named modes, the key chain is defined globally. The key chain can contain multiple keys, but only the lowest active key number will be exchanged in EIGRP packets. Note that the key ID must match for authentication to occur, because this number is exchanged in the hello packets. In Classic Mode, the authentication is applied at the link level, whereas in Named Mode it is applied at the af-interface mode under the SAFI. In either case, the authentication can be verified as seen below:

R6#show ip eigrp interface detail GigabitEthernet1.146
EIGRP-IPv4 Interfaces for AS(100)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi1.146                  1        0/0       0/0           1       0/0           50           0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Packetized sent/expedited: 3/0
  Hello's sent/expedited: 535/2
  Un/reliable mcasts: 0/4  Un/reliable ucasts: 4/1
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 0  Out-of-sequence rcvd: 1
  Topology-ids on interface - 0 
  Authentication mode is md5,  key-chain is "MD5_KEYS"
! 
R1#show eigrp address-family ipv4 100 interfaces detail GigabitEthernet1.146
EIGRP-IPv4 VR(MULTI-AF) Address-Family Interfaces for AS(100)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi1.146                  1        0/0       0/0           1       0/0           50           0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Packetized sent/expedited: 4/1
  Hello's sent/expedited: 526/2
  Un/reliable mcasts: 0/4  Un/reliable ucasts: 5/2
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 1  Out-of-sequence rcvd: 0
  Topology-ids on interface - 0 
  Authentication mode is md5,  key-chain is "MD5_KEYS"
!
R6#debug eigrp packet
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on

EIGRP: Sending HELLO on Gi1.146 - paklen 60
  AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: received packet with MD5 authentication, key id = 1
EIGRP: Received HELLO on Gi1.146 - paklen 60 nbr 155.1.146.1
  AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

If authentication were failing, the debug output would indicate this:

R6#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R6(config)#interface GigabitEthernet1.146
R6(config-subif)#no ip authentication mode eigrp 100 md5 
R6(config-subif)#do debug eigrp packet
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on

EIGRP: Gi1.146: ignored packet from 155.1.146.1, opcode = 5 (authentication off)
EIGRP: Dropping peer, invalid authentication
EIGRP: Sending HELLO on Gi1.146 - paklen 20
  AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.146.1 (GigabitEthernet1.146) is down: Auth failure

Likewise, a missing or invalid key would be indicated in this debug output:

R6(config-subif)#ip authentication mode eigrp 100 md5   
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.146.1 (GigabitEthernet1.146) is up: new adjacency
R6(config-subif)#no  ip authentication key-chain eigrp 100 MD5_KEYS
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.146.1 (GigabitEthernet1.146) is down: keychain changed
R6(config-subif)#do debug eigrp packet
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
EIGRP: Gi1.146: ignored packet from 155.1.146.1, opcode = 5 (invalid authentication or key-chain missing)
EIGRP: Sending TIDLIST on GigabitEthernet1.146 - 1 items
EIGRP: Sending HELLO on Gi1.146 - paklen 30
  AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
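The debug and syslog lines above are the signal a NOC or SOC would want to watch for. The following parser is an added example, not part of the original lab: it pulls the authentication-related events out of `debug eigrp packet` and `%DUAL-5-NBRCHANGE` output and counts them per interface and peer. The sample log is constructed from the messages shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, modelled on the debug/syslog lines shown above.
SAMPLE_LOG = """\
EIGRP: Sending HELLO on Gi1.146 - paklen 60
EIGRP: received packet with MD5 authentication, key id = 1
EIGRP: Gi1.146: ignored packet from 155.1.146.1, opcode = 5 (authentication off)
EIGRP: Dropping peer, invalid authentication
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.146.1 (GigabitEthernet1.146) is down: Auth failure
EIGRP: Gi1.146: ignored packet from 155.1.146.1, opcode = 5 (invalid authentication or key-chain missing)
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.146.1 (GigabitEthernet1.146) is up: new adjacency
"""

IGNORED_RE = re.compile(
    r"^EIGRP: (?P<intf>\S+): ignored packet from (?P<peer>\S+), opcode = \d+ \((?P<reason>[^)]+)\)")
NBR_RE = re.compile(
    r"^%DUAL-5-NBRCHANGE: EIGRP-IPv4 \d+: Neighbor (?P<peer>\S+) \((?P<intf>\S+)\) "
    r"is (?P<state>up|down): (?P<reason>.+)$")
# Neighbor-down reasons on this page that point at an authentication problem.
AUTH_DOWN_REASONS = {"Auth failure", "keychain changed"}

@dataclass
class AuthEvent:
    kind: str        # "ignored" (debug line) or "nbrchange" (syslog line)
    interface: str   # normalized long interface name
    peer: str
    reason: str

def normalize_intf(name: str) -> str:
    # Debug output abbreviates GigabitEthernet as Gi; syslog spells it out.
    return re.sub(r"^Gi(?=\d)", "GigabitEthernet", name)

def parse_auth_events(text: str) -> List[AuthEvent]:
    """Return only the lines that describe dropped or failed authentication."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = IGNORED_RE.match(line)
        if m:
            events.append(AuthEvent("ignored", normalize_intf(m["intf"]), m["peer"], m["reason"]))
            continue
        m = NBR_RE.match(line)
        if m and m["state"] == "down" and m["reason"] in AUTH_DOWN_REASONS:
            events.append(AuthEvent("nbrchange", normalize_intf(m["intf"]), m["peer"], m["reason"]))
    return events

def count_by_link(events: List[AuthEvent]) -> Dict[Tuple[str, str], int]:
    """Tally events per (interface, peer) so a persistently mismatched link stands out."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in events:
        counts[(e.interface, e.peer)] = counts.get((e.interface, e.peer), 0) + 1
    return counts
```

A flapping neighbor with `new adjacency` followed by `Auth failure` on the same link is the usual fingerprint of a key or mode mismatch on one side.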

In Named Mode, SHA-256 authentication can be configured at the af-interface mode. The current implementation does not support key-chains or key IDs, which means it supports neither multiple keys nor automatic key rotation. Another useful feature of the new EIGRP Named Mode is that options can be configured at the af-interface default, which applies to all links at the same time. Within the scope of authentication, this can be used to configure a default key for all interfaces, or a default fallback key for interfaces that do not have a specific key applied:

R5#debug eigrp packet
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R5#
EIGRP: received packet with HMAC-SHA-256 authentication
EIGRP: Received HELLO on Tu0 - paklen 76 nbr 155.1.0.4
  AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: received packet with HMAC-SHA-256 authentication
EIGRP: Received HELLO on Gi1.45 - paklen 76 nbr 155.1.45.4
  AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: Sending HELLO on Gi1.58 - paklen 60
  AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: received packet with MD5 authentication, key id = 1
EIGRP: Received HELLO on Gi1.58 - paklen 60 nbr 155.1.58.8
  AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

Pitfall

As with RIP, white space at the end of the key-string is stored as part of the key and will cause authentication to fail:

R6#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R6(config)#key chain MD5_KEYS
R6(config-keychain)#key 1
R6(config-keychain-key)#key-string CISCO ?
LINE    <cr>
!
R6#show key chain
Key-chain MD5_KEYS:
    key 1 -- text "CISCO "
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
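The key-chain rules described in the Verification section (only the lowest key number is sent, and the key ID and key string must both match on the receiver) and the trailing-space pitfall just shown can be checked offline before a change window. This is an added example, not the lab's own code: it parses `show key chain` output from two routers and reports whether one side would authenticate the other. It assumes every key's lifetimes are valid now, as in the output above, and the sample outputs are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

KEY_LINE = re.compile(r'^\s*key (?P<id>\d+) -- text "(?P<text>[^"]*)"')
CHAIN_LINE = re.compile(r"^Key-chain (?P<name>\S+):")

# Constructed 'show key chain' outputs; R6 carries the trailing-space key from the pitfall above.
R6_SHOW = '''Key-chain MD5_KEYS:
    key 1 -- text "CISCO "
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
'''
R1_SHOW = R6_SHOW.replace('"CISCO "', '"CISCO"')
R_TWO_KEYS = R1_SHOW + '    key 2 -- text "SECOND"\n'
R_ONLY_KEY2 = 'Key-chain MD5_KEYS:\n    key 2 -- text "SECOND"\n'

@dataclass
class KeyChain:
    name: str
    keys: Dict[int, str] = field(default_factory=dict)  # key id -> key string, stored verbatim

def parse_show_key_chain(text: str) -> Optional[KeyChain]:
    """Build a KeyChain from the first chain in 'show key chain' output (lifetimes assumed valid)."""
    chain = None
    for line in text.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            if chain is not None:
                break
            chain = KeyChain(m["name"])
            continue
        m = KEY_LINE.match(line)
        if m and chain is not None:
            chain.keys[int(m["id"])] = m["text"]
    return chain

def send_key_id(chain: KeyChain) -> Optional[int]:
    # Only the lowest-numbered valid key is placed in EIGRP hellos.
    return min(chain.keys) if chain.keys else None

def check_authentication(sender: KeyChain, receiver: KeyChain) -> str:
    """Simulate one direction of the exchange and explain why it would pass or fail."""
    kid = send_key_id(sender)
    if kid is None:
        return "fail: sender has no key"
    if kid not in receiver.keys:
        return f"fail: receiver has no key id {kid}"
    sent, expected = sender.keys[kid], receiver.keys[kid]
    if sent == expected:
        return f"ok: key id {kid}"
    if sent.strip() == expected.strip():
        return f"fail: key id {kid} differs only by white space"
    return f"fail: key id {kid} string mismatch"
```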