HOW TO: EIGRP Authentication configuration & Verification


This article demonstrates the EIGRP authentication configuration and verification on Cisco IOS-based routers.

Concepts
  • EIGRP supports two kinds of authentication: MD5 based and HMAC-SHA-256 based.
  • Classic (autonomous-system) mode supports MD5 only; Multi-AF (named) mode supports both MD5 and HMAC-SHA-256.
  • In classic mode the authentication commands are applied directly on the interface, whereas in named mode they are applied in af-interface mode under the address-family.
  • To configure MD5 authentication in either mode, define the key chain first and then apply it: to the interface in classic mode, or to the af-interface in named mode. For HMAC-SHA-256 the pre-shared key is configured directly on the af-interface, so no key chain is required.
  • NOTE: As of the 15.4 code, SHA-256 based authentication does not support key chains or key IDs, so multiple keys and automatic key rotation are not available with SHA-256. Changing a SHA-256 key is therefore a coordinated change on both neighbors, because the adjacency drops until both sides match again.
  • Where both neighbors run named mode, prefer HMAC-SHA-256; MD5 remains the option for interoperating with a classic-mode neighbor.
Example

To illustrate this, I am using the simple topology in the diagram above: R1 and R2 run EIGRP AS 1000 in multi-AF (named) mode and share the 10.10.10.0/24 link, while R3 runs EIGRP AS 1000 in classic mode and connects to R2 over the 10.20.20.0/24 link. Here are the initial configurations of all three routers.


R1

R1’s initial configuration
  • R1’s Ethernet0/0 interface has been assigned the IP address 10.10.10.1/24.
  • R1 runs a named-mode EIGRP process, MULTI-AF-MODE, with autonomous system 1000.
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
router eigrp MULTI-AF-MODE
 !
 address-family ipv4 unicast autonomous-system 1000
  !
  topology base
  exit-af-topology
  network 10.10.10.0 255.255.255.0
 exit-address-family

R2

R2’s initial configuration
  • R2’s Ethernet0/0 interface has been assigned the IP address 10.10.10.2/24.
  • R2’s Ethernet0/1 interface has been assigned the IP address 10.20.20.2/24.
  • R2 runs a named-mode EIGRP process, MULTI-AF-MODE, with autonomous system 1000.
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip address 10.20.20.2 255.255.255.0
 no shutdown
!
router eigrp MULTI-AF-MODE
 !
 address-family ipv4 unicast autonomous-system 1000
  !
  topology base
  exit-af-topology
  network 10.10.10.0 255.255.255.0
  network 10.20.20.0 255.255.255.0
 exit-address-family

R3

R3’s initial configuration
  • R3’s Ethernet0/1 interface has been assigned the IP address 10.20.20.3/24.
  • R3 runs classic-mode EIGRP with autonomous system 1000.
interface Ethernet0/1
 ip address 10.20.20.3 255.255.255.0
 no shutdown
!
router eigrp 1000
 network 10.20.20.0 255.255.255.0

Configuration

Now let’s configure HMAC-SHA-256 authentication between R1 and R2 on their Ethernet0/0 interfaces, and MD5 authentication between R2 and R3 on their Ethernet0/1 interfaces, as shown in the diagram. MD5 is the only choice on the R2-R3 link because R3 runs classic mode.

R1

router eigrp MULTI-AF-MODE
 !
 address-family ipv4 unicast autonomous-system 1000
 !
 af-interface Ethernet0/0
  authentication mode hmac-sha-256 $H@_256_KeY
 exit-af-interface

R2

key chain MD5_KEYCHAIN
 key 1
  key-string MD5_P@$$W0RD
!
!
router eigrp MULTI-AF-MODE
 !
 address-family ipv4 unicast autonomous-system 1000
 !
 af-interface Ethernet0/0
  authentication mode hmac-sha-256 $H@_256_KeY
 exit-af-interface
 !
 af-interface Ethernet0/1
  authentication mode md5
  authentication key-chain MD5_KEYCHAIN
 exit-af-interface

NOTE: The key chain can contain multiple keys, but outgoing packets are signed with only the lowest-numbered key whose send lifetime is currently valid. The key ID is carried in every authenticated EIGRP packet (hellos included), so the receiver must hold a key with the same ID, the same key string and a valid accept lifetime; otherwise the packet is dropped and the adjacency never forms.

R3

key chain MD5_KEYCHAIN
 key 1
  key-string MD5_P@$$W0RD
!
!
interface Ethernet0/1
 ip authentication mode eigrp 1000 md5
 ip authentication key-chain eigrp 1000 MD5_KEYCHAIN
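Because the MD5 key chain supports multiple keys with lifetimes while SHA-256 does not, the natural next step on the R2-R3 link is a key chain that rotates the key without dropping the adjacency. The configuration below is an added example, not part of the original article: it replaces the single-key MD5_KEYCHAIN on both R2 and R3 with two keys whose accept lifetimes overlap the send cutover, so either router can receive the new key before it starts sending it. The dates, the key strings and the NTP server address are assumptions; lifetimes are absolute times, so both routers must agree on the clock.

```ios
! Added example (not from the original article): MD5 key rotation for the R2-R3 link.
! Lifetimes are absolute, so both routers need a trusted clock. NTP source is assumed.
ntp server 10.20.20.254
clock timezone UTC 0 0
!
! The same key chain is configured on both R2 and R3.
key chain MD5_KEYCHAIN
 key 1
  key-string OLD_MD5_KEY_2024
  ! Sent until Jun 1, still accepted until Jul 1, so a neighbor that cuts over
  ! late keeps its adjacency.
  accept-lifetime 00:00:00 Jan 1 2024 00:00:00 Jul 1 2024
  send-lifetime 00:00:00 Jan 1 2024 00:00:00 Jun 1 2024
 key 2
  key-string NEW_MD5_KEY_2024
  ! Accepted a month before it is sent, so either neighbor can cut over first.
  accept-lifetime 00:00:00 May 1 2024 infinite
  send-lifetime 00:00:00 Jun 1 2024 infinite
!
! R2 (named mode): the key chain is referenced from the af-interface.
router eigrp MULTI-AF-MODE
 address-family ipv4 unicast autonomous-system 1000
  af-interface Ethernet0/1
   authentication mode md5
   authentication key-chain MD5_KEYCHAIN
  exit-af-interface
 exit-address-family
!
! R3 (classic mode): the same key chain is referenced from the interface.
interface Ethernet0/1
 ip authentication mode eigrp 1000 md5
 ip authentication key-chain eigrp 1000 MD5_KEYCHAIN
```

Until June 1 both routers sign with key 1 (the lowest-numbered key with a valid send lifetime) while already accepting key 2; from June 1 they sign with key 2 and still accept key 1 until July 1. Check the state with show key chain on both routers: during the overlap both keys must report [valid now] for accept, and the debug eigrp packet output should report key id = 2 once the cutover has happened. Once key 1's accept lifetime has expired, remove it from the chain so the retired key string is not left in the configuration.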

Verifications

Make sure the key IDs match on both ends and that the accept and send lifetimes are valid now. Note that show key chain prints the key strings in cleartext; they are also stored in cleartext in the running configuration unless service password-encryption is enabled, and even then only as reversible type 7 strings, so treat the configuration itself as sensitive.

R2#show key chain 
Key-chain MD5_KEYCHAIN:
    key 1 -- text "MD5_P@$$W0RD"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]


R3#show key chain 
Key-chain MD5_KEYCHAIN:
    key 1 -- text "MD5_P@$$W0RD"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

Make sure the correct authentication mode and key chain are applied to the intended interfaces. For HMAC-SHA-256 the output reports that no key chain is set, which is expected since the key is configured directly on the af-interface.

R1#show ip eigrp interface detail | i Et|Auth 
Et0/0                    1        0/0       0/0          15       0/2           68           0
  Authentication mode is HMAC-SHA-256, key-chain is not set


R2#show ip eigrp interface detail | i Et|Auth 
Et0/0                    1        0/0       0/0           9       0/2           50           0
  Authentication mode is HMAC-SHA-256, key-chain is not set
Et0/1                    1        0/0       0/0           1       0/2           50           0
  Authentication mode is md5,  key-chain is "MD5_KEYCHAIN"


R3#show ip eigrp interface detail | i Et|Auth 
Et0/1                    1        0/0       0/0          15       0/2           72           0
  Authentication mode is md5,  key-chain is "MD5_KEYCHAIN"

Authenticated packets can also be observed with debug eigrp packet. Use this debug sparingly on a production router, since it logs every EIGRP packet on every interface; a key or mode mismatch shows up here as received packets being ignored for invalid authentication, and the neighbor never appears in show ip eigrp neighbors.

R2#debug eigrp packet
(UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R2#
*Sep 26 23:00:11.853: EIGRP: Sending HELLO on Et0/0 - paklen 76
*Sep 26 23:00:11.853: AS 1000, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Sep 26 23:00:12.000: EIGRP: received packet with HMAC-SHA-256 authentication
*Sep 26 23:00:12.000: EIGRP: Received HELLO on Et0/0 - paklen 76 nbr 10.10.10.1
*Sep 26 23:00:12.000: AS 1000, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Sep 26 23:00:12.367: EIGRP: received packet with MD5 authentication, key id = 1
*Sep 26 23:00:12.367: EIGRP: Received HELLO on Et0/1 - paklen 60 nbr 10.20.20.3
*Sep 26 23:00:12.367: AS 1000, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R2#

I hope you enjoyed this article. Please feel free to leave a comment or feedback.


Ashutosh Patel

Ashutosh Patel is the author and editor of netfixpro.com. He currently works as a Network Security Architect.
