CCNA 200-301 | Chapter 58 of 260 | Objective 3.4

OSPF Authentication

OSPF authentication is a critical security feature that ensures only trusted routers participate in the OSPF routing process. For the CCNA 200-301 exam (objective 3.4), you must understand how to configure and verify both simple password (plaintext) and MD5 cryptographic authentication. In real networks, OSPF authentication prevents routing disruptions caused by unauthorized or misconfigured routers injecting false routes.

25 min read
Intermediate
Updated May 31, 2026

The Guarded Conference Room

Imagine a high-security conference room where executives discuss sensitive routing information. The room has a single door guarded by a receptionist. Each executive must provide a password to enter. There are two levels of security: Type 1 uses a simple password that is spoken aloud (anyone eavesdropping outside the door can hear it). Type 2 uses a secret handshake that changes with each meeting, verified by a cryptographic hash. The receptionist checks every person before entry. If the password is wrong, the person is denied entry and an alarm sounds (log message). If a person leaves the room and returns, they must re-authenticate (every OSPF packet is authenticated). The receptionist also ensures that only people from the same department (same area) can enter—this is like OSPF area-specific authentication. In a large building, different conference rooms (areas) may have different receptionists with different passwords. The key point: every single packet (every knock on the door) must be authenticated, not just the initial entry. This is exactly how OSPF authentication works—every OSPF packet (Hello, DBD, LSR, LSU, LSAck) carries authentication data, and if it fails, the packet is dropped and the neighbor relationship fails.

How It Actually Works

OSPF authentication is a mechanism that allows OSPF routers to verify the identity of neighboring routers before exchanging routing information. It ensures that only routers with a pre-shared key (password) can form adjacencies and exchange LSAs. Without authentication, an attacker could inject false LSAs, causing routing loops, black holes, or denial of service.

Why It Exists

OSPF is a link-state protocol that propagates LSAs throughout an area. If an unauthorized router connects to a network and sends malicious LSAs, all routers in the area will recalculate their routing tables based on false information. Authentication prevents this by requiring every OSPF packet to include a digital signature or password.

Types of OSPF Authentication

There are three types of OSPF authentication:

Type 0: No authentication (default)

Type 1: Simple password authentication (plaintext)

Type 3: Cryptographic authentication (MD5, now often SHA in newer IOS)

For CCNA 200-301, you only need to know Type 1 and Type 3. Type 0 is the default and offers no security.

Simple Password (Type 1): The password is sent in plaintext within the OSPF packet. Anyone with a packet sniffer can see the password. It is only useful for preventing accidental misconfiguration, not for security. The password must be identical on all routers in the same area or interface.

Cryptographic Authentication (Type 3): Uses MD5 (or SHA) to create a hash of the OSPF packet plus a key. The key is never sent; only the hash is included. The receiver computes its own hash using the same key and compares it. If they match, the packet is authenticated. This is secure against passive sniffing.

How It Works at the Packet Level

Every OSPF packet has an authentication type field and an authentication data field in the OSPF header. For Type 3, the authentication data field contains a message digest (hash) computed over the packet payload plus a shared secret key. The process:

1. The sending router constructs the OSPF packet (e.g., Hello).
2. It appends the authentication data field (initially zero) and the key ID.
3. It computes the MD5 hash of the packet plus the key.
4. It places the hash in the authentication data field and sends the packet.
5. The receiving router takes the received packet, removes the authentication data (sets it to zero), computes the hash using its own key (same key ID), and compares it to the received hash.
6. If they match, the packet is accepted; otherwise, it is dropped.
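The six steps above are a simplification of RFC 2328 Appendix D, which is what IOS actually implements: the header's 64-bit authentication field carries the key ID, the digest length and a cryptographic sequence number (used to reject replayed packets); the zero-padded 16-byte key is placed after the packet where the digest will go, MD5 is run over packet plus key, and the digest then replaces the key and is appended after the packet rather than written into the header. The Python below is an added example, not code from this chapter or from Cisco IOS. It builds a minimal Hello, signs it that way and verifies it as a receiver would, including the sequence-number check that the chapter does not mention; the router ID 1.1.1.1, the keys and the sequence numbers are constructed for the example, and AuType 2 is the value RFC 2328 uses on the wire for cryptographic authentication.

```python
"""OSPFv2 cryptographic authentication (RFC 2328, Appendix D) worked in Python.
Added example; all router IDs, keys and sequence numbers below are constructed."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AUTYPE_CRYPTO = 2      # RFC 2328 AuType value for cryptographic (MD5) authentication
MD5_DIGEST_LEN = 16    # "Auth Data Len" field value for MD5
OSPF_HELLO = 1         # OSPF packet type 1 = Hello


def _ip(addr: str) -> bytes:
    return IPv4Address(addr).packed


def build_hello(router_id: str, area_id: str, key_id: int, seq: int) -> bytes:
    """Hello with the header prepared for authentication: checksum 0 and the
    64-bit auth field = 0 | key ID | auth data length | crypto sequence number."""
    body = struct.pack("!4sHBBI4s4s",
                       _ip("255.255.255.0"),  # network mask
                       10, 0x02, 1, 40,       # hello interval, options (E bit), priority, dead interval
                       _ip("0.0.0.0"),        # designated router
                       _ip("0.0.0.0"))        # backup designated router
    length = 24 + len(body)  # the digest is NOT counted in the OSPF length field
    header = struct.pack("!BBH4s4sHH", 2, OSPF_HELLO, length,
                         _ip(router_id), _ip(area_id), 0, AUTYPE_CRYPTO)
    auth_field = struct.pack("!HBBI", 0, key_id, MD5_DIGEST_LEN, seq)
    return header + auth_field + body


def _digest(packet: bytes, key: bytes) -> bytes:
    # The key, zero-padded to 16 bytes, is appended to the packet and MD5 is run
    # over the concatenation. Only the digest is transmitted; the key never is.
    padded = key[:MD5_DIGEST_LEN].ljust(MD5_DIGEST_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: append the 16-byte digest; this is the on-the-wire packet."""
    return packet + _digest(packet, key)


def verify(wire: bytes, keys: dict, last_seq: dict):
    """Receiver side. `keys` maps key ID -> key bytes: any configured key is
    accepted, which is what makes key rollover possible. `last_seq` maps neighbor
    router ID -> last accepted sequence number and is updated on success.
    Returns (accepted, reason)."""
    if len(wire) < 24 + MD5_DIGEST_LEN:
        return False, "truncated"
    _ver, _type, length, rid, _area, _csum, autype = struct.unpack("!BBH4s4sHH", wire[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if autype != AUTYPE_CRYPTO or auth_len != MD5_DIGEST_LEN:
        return False, "authentication type mismatch"
    if len(wire) != length + MD5_DIGEST_LEN:
        return False, "length mismatch"
    if key_id not in keys:
        return False, f"unknown key ID {key_id}"
    packet, received = wire[:length], wire[length:]
    if not hmac.compare_digest(_digest(packet, keys[key_id]), received):
        return False, "mismatched authentication key"
    neighbor = str(IPv4Address(rid))
    if seq < last_seq.get(neighbor, 0):   # an older sequence number is a replayed packet
        return False, "sequence number replay"
    last_seq[neighbor] = seq
    return True, "ok"


def demo() -> dict:
    """Exercise the verifier with the cases the chapter describes."""
    keys_r2 = {1: b"cisco123"}
    seen = {}
    good = sign(build_hello("1.1.1.1", "0.0.0.0", key_id=1, seq=1000), b"cisco123")
    tampered = bytearray(good)
    tampered[30] ^= 0x01                  # flip a bit in the Hello options byte
    older = sign(build_hello("1.1.1.1", "0.0.0.0", key_id=1, seq=999), b"cisco123")
    return {
        "good": verify(good, keys_r2, seen),
        "wrong_key": verify(good, {1: b"cisco124"}, {}),
        "tampered": verify(bytes(tampered), keys_r2, {}),
        "replay": verify(older, keys_r2, seen),
        "rollover": verify(good, {1: b"cisco123", 2: b"NewKey2026"}, {}),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:10s} accepted={ok} ({why})")
```

The "wrong_key" and "tampered" cases both fail the same way the IOS log line later in this chapter reports ("mismatched authentication key"), because a receiver cannot tell a wrong key from a modified packet; the "rollover" case shows why a receiver that keeps the old key alongside the new one keeps accepting packets during a key change.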

Key States, Timers, and Defaults

Authentication is per-interface or per-area: You can configure authentication on a per-interface basis or for an entire area using area authentication.

Key ID: A number from 1-255 used to identify which key is used. Multiple keys can be configured for key rollover.

MD5 (Type 3): Uses a 16-byte hash. The key string can be up to 16 characters (older IOS) or longer in newer versions.

Default: No authentication (Type 0).

IOS CLI Configuration and Verification

Per-Interface Configuration (Type 1 Simple Password):

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf authentication
R1(config-if)# ip ospf authentication-key cisco

Per-Interface Configuration (Type 3 MD5):

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# ip ospf message-digest-key 1 md5 cisco123

Area-Level Authentication (Type 3 MD5):

R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf message-digest-key 1 md5 cisco123

Verification Commands:

R1# show ip ospf interface GigabitEthernet0/0
  ...
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Hello suppressed)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
R1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR        00:00:34    10.1.1.2        GigabitEthernet0/0

If authentication fails, the neighbor state will not progress beyond INIT or EXSTART, and you will see messages like:

%OSPF-4-ERRRCV: Received invalid packet: mismatched authentication key from 10.1.1.2, interface GigabitEthernet0/0

Interaction with Related Protocols

OSPF authentication does not affect the OSPF state machine directly—it simply causes packets to be dropped if authentication fails. This prevents the neighbor relationship from forming. It works alongside other OSPF features like passive interfaces and default-information originate.

Walk-Through

Step 1: Identify interfaces needing authentication
Determine which OSPF-enabled interfaces require authentication. Typically, this includes all interfaces that form OSPF adjacencies, especially in backbone area 0 and between areas. Use 'show ip ospf interface brief' to list all OSPF-enabled interfaces. Note that authentication must match on both ends; otherwise, the neighbor relationship will fail.

Step 2: Choose authentication type
Decide between Type 1 (simple password) and Type 3 (MD5). For CCNA, Type 3 is more common. Simple password is only used in lab or low-security environments. Consider using area-level authentication if all routers in an area need the same authentication; otherwise, use per-interface.

Step 3: Configure the authentication key
Under the interface, configure the key. For Type 1: 'ip ospf authentication-key <password>'. For Type 3: 'ip ospf message-digest-key <key-id> md5 <key>'. The key-id must match on both sides. Use a key-id between 1 and 255. The key string can be up to 16 characters (older IOS) or longer in newer versions.

Step 4: Enable authentication on the interface
For Type 1: 'ip ospf authentication'. For Type 3: 'ip ospf authentication message-digest'. This command tells OSPF to include authentication in packets. If you configured area-level authentication, you do not need this per-interface command; the area command enables it on all interfaces in the area.

Step 5: Configure area-level authentication (optional)
Instead of configuring per-interface, you can enable authentication for an entire area under router OSPF: 'area <area-id> authentication' (Type 1) or 'area <area-id> authentication message-digest' (Type 3). Then, on each interface in that area, you only need to configure the key (the authentication is already enabled). This simplifies configuration in large networks.

Step 6: Verify authentication and neighbor state
Use 'show ip ospf interface <interface>' to verify authentication is enabled and the key ID. Use 'show ip ospf neighbor' to confirm the neighbor state is FULL. If authentication fails, the neighbor state will be stuck in INIT or EXSTART. Check logs with 'show logging' for authentication error messages. Also, use 'debug ip ospf packet' to see authentication failures (use with caution in production).

What This Looks Like on the Job

In enterprise networks, OSPF authentication is a fundamental security practice. Consider a large financial institution with multiple branch offices connected via MPLS. Each branch runs OSPF with the headquarters. Without authentication, an attacker who gains physical access to a branch router could plug in a rogue router and inject false LSAs, potentially rerouting traffic through their device for eavesdropping or causing a denial of service. By enabling MD5 authentication on all WAN interfaces, the network engineer ensures that only authorized OSPF routers participate.

Another scenario is during network mergers or acquisitions. Two companies merge and need to interconnect their OSPF domains. Authentication keys must be coordinated between the two teams. If one side misconfigures the key (e.g., a typo in the password), the OSPF adjacency will not form. Network engineers use a phased approach: first, configure a new key ID with a temporary password, then roll over to the permanent key after verifying connectivity. This is done by configuring multiple key IDs with different passwords; OSPF will use the youngest key (highest key ID) for sending, but accept any valid key for receiving. This allows a seamless transition without downtime.

Performance considerations: MD5 authentication adds a small CPU overhead for hashing each OSPF packet. On modern routers, this is negligible. However, in very large networks with hundreds of OSPF neighbors (e.g., a service provider core), the cumulative CPU load can be significant. In such cases, engineers may use SHA instead of MD5 (if supported) or consider other authentication methods.

Misconfiguration scenarios: The most common mistake is mismatched authentication types—one router configured for Type 1 and the other for Type 3. Another is mismatched key IDs or passwords. Also, forgetting to configure the key on a new interface added to an area with area-level authentication will cause the adjacency to fail. Always verify with 'show ip ospf interface' and check for error messages.
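The walk-through steps, the misconfiguration scenarios just described (mismatched type, mismatched key ID or password, a key forgotten on an interface in an area with area-level authentication) and the key-rollover rule (the highest key ID is used for sending, any configured key is accepted) can all be checked offline before a change window. The Python script below is an added example, not part of this chapter or of Cisco IOS: it parses the relevant lines of two routers' running configurations, works out each interface's effective authentication type (per-interface command, else the area-level command, else Type 0) and reports what would stop the adjacency or weaken it. The R1/R2 configurations, interface names and keys are constructed for the example, and it assumes interfaces are placed in areas with the interface-level 'ip ospf <process-id> area <area-id>' command rather than 'network' statements.

```python
"""Offline audit of the OSPF authentication settings on both ends of a link,
read from IOS running-config text. Added example; the R1/R2 configs are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IfaceAuth:
    name: str
    area: Optional[str] = None
    auth_type: Optional[int] = None   # explicit per-interface type; None = inherit from area
    simple_key: Optional[str] = None  # Type 1 password
    md5_keys: Dict[int, str] = field(default_factory=dict)  # key ID -> key string


def parse_config(text: str) -> Tuple[Dict[str, int], Dict[str, IfaceAuth]]:
    """Return (area_auth, interfaces), using the chapter's numbering 0/1/3.
    Assumes interfaces join areas with 'ip ospf <pid> area <id>' (example assumption)."""
    area_auth: Dict[str, int] = {}
    ifaces: Dict[str, IfaceAuth] = {}
    cur: Optional[IfaceAuth] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = IfaceAuth(line.split(None, 1)[1])
            ifaces[cur.name] = cur
        elif line.startswith("router ospf"):
            cur = None
        elif (m := re.match(r"area (\S+) authentication(?: (message-digest))?$", line)):
            area_auth[m.group(1)] = 3 if m.group(2) else 1
        elif cur is None:
            continue
        elif (m := re.match(r"ip ospf \d+ area (\S+)$", line)):
            cur.area = m.group(1)
        elif line == "ip ospf authentication":
            cur.auth_type = 1
        elif line == "ip ospf authentication message-digest":
            cur.auth_type = 3
        elif (m := re.match(r"ip ospf authentication-key (?:\d )?(\S+)$", line)):
            cur.simple_key = m.group(1)           # optional leading 0/7 encryption marker skipped
        elif (m := re.match(r"ip ospf message-digest-key (\d+) md5 (?:\d )?(\S+)$", line)):
            cur.md5_keys[int(m.group(1))] = m.group(2)
    return area_auth, ifaces


def effective_type(iface: IfaceAuth, area_auth: Dict[str, int]) -> int:
    """Per-interface command wins; otherwise the area setting; otherwise Type 0."""
    if iface.auth_type is not None:
        return iface.auth_type
    return area_auth.get(iface.area or "", 0)


def audit_link(cfg_a: str, if_a: str, cfg_b: str, if_b: str) -> List[str]:
    """Findings that would stop the adjacency or weaken it, for one link."""
    sides = []
    for cfg, name in ((cfg_a, if_a), (cfg_b, if_b)):
        area_auth, ifaces = parse_config(cfg)
        sides.append((ifaces[name], effective_type(ifaces[name], area_auth)))
    (ia, ta), (ib, tb) = sides
    if ta != tb:
        return [f"authentication type mismatch: {ia.name}=Type {ta}, {ib.name}=Type {tb}"]
    findings: List[str] = []
    if ta == 0:
        findings.append("no authentication on this link (Type 0)")
    elif ta == 1:
        findings.append("Type 1 sends the password in plaintext; prefer message-digest")
        if ia.simple_key != ib.simple_key:
            findings.append("Type 1 password missing or mismatched")
    else:
        for snd, rcv in ((ia, ib), (ib, ia)):
            if not snd.md5_keys:
                findings.append(f"{snd.name}: message-digest enabled but no message-digest-key configured")
                continue
            youngest = max(snd.md5_keys)   # chapter's rule: highest key ID is used for sending
            if rcv.md5_keys.get(youngest) != snd.md5_keys[youngest]:
                findings.append(f"{snd.name} sends with key ID {youngest}, which {rcv.name} does not accept")
    return findings


R1_CONFIG = """router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/1
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 cisco123
 ip ospf message-digest-key 2 md5 NewKey2026
interface GigabitEthernet0/2
 ip ospf 1 area 1
 ip ospf authentication
 ip ospf authentication-key cisco
interface GigabitEthernet0/3
 ip ospf 1 area 0
"""
R2_CONFIG = """interface GigabitEthernet0/0
 ip ospf 1 area 0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco123
interface GigabitEthernet0/1
 ip ospf 1 area 1
 ip ospf authentication
 ip ospf authentication-key cisco
"""

if __name__ == "__main__":
    for a, b in (("GigabitEthernet0/1", "GigabitEthernet0/0"), ("GigabitEthernet0/2", "GigabitEthernet0/1"),
                 ("GigabitEthernet0/3", "GigabitEthernet0/0")):
        print(f"R1 {a} <-> R2 {b}:", audit_link(R1_CONFIG, a, R2_CONFIG, b))
```

The first link shows the rollover trap: R1 already has key ID 2, so under the chapter's rule it sends with that key while R2 only knows key ID 1. The third link shows the area-level mistake: R1's GigabitEthernet0/3 inherits message-digest from 'area 0 authentication message-digest' but has no key configured, so neither side can authenticate the other.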

How CCNA 200-301 Actually Tests This

For CCNA 200-301, exam objective 3.4 covers OSPF authentication as part of IP connectivity. The exam expects you to know:

The difference between Type 0 (none), Type 1 (simple password), and Type 3 (MD5).

The configuration commands for per-interface and area-level authentication.

How to verify authentication using 'show ip ospf interface' and 'show ip ospf neighbor'.

The impact of authentication failure on neighbor state (stuck in INIT/EXSTART).

Common wrong answers:

1. "OSPF authentication uses an encrypted password." → Wrong: Type 1 sends the password in plaintext. Only Type 3 uses a hash.
2. "Authentication is configured only under router ospf." → Wrong: You must also configure the key on the interface.
3. "If authentication fails, the neighbor state goes to DOWN." → Wrong: It stays in INIT or EXSTART; it never reaches FULL.
4. "Simple password authentication is secure." → Wrong: It is plaintext and easily sniffed.

Specific values: The key ID range is 1-255. The default authentication type is 0 (none). The 'ip ospf authentication' command enables Type 1; 'ip ospf authentication message-digest' enables Type 3.

Calculation traps: None for authentication, but be careful with key rollover: the youngest key (highest key ID) is used for sending, but all configured keys are accepted for receiving. This is a common exam scenario where you have to configure a new key without breaking the adjacency.

Decision rule: If a question describes a scenario where OSPF neighbors are not forming and the show command indicates "authentication mismatch" or similar, look for mismatched authentication type, key ID, or password. Also, if the question says "simple password" and "plaintext", that's Type 1.

Key Takeaways

OSPF authentication types: 0 (none), 1 (simple password), 3 (cryptographic MD5).

Simple password (Type 1) sends password in plaintext – not secure.

Cryptographic authentication (Type 3) uses MD5 hash – never sends the key.

Configuration per interface: 'ip ospf authentication' or 'ip ospf authentication message-digest' plus 'ip ospf authentication-key' or 'ip ospf message-digest-key'.

Area-level authentication: 'area <area-id> authentication [message-digest]' under router OSPF.

Key ID range: 1-255; highest key ID is used for sending, all keys accepted for receiving.

Authentication failure causes neighbor state to stay in INIT or EXSTART – never reaches FULL.

Verification: 'show ip ospf interface' shows authentication type and key ID; 'show ip ospf neighbor' shows state.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

                        Simple Password (Type 1)         MD5 Cryptographic (Type 3)
Password on the wire    Sent in plaintext                Never sent; only a hash
Hashing                 No encryption or hashing         MD5 (or SHA) hash
Config                  ip ospf authentication-key       ip ospf message-digest-key
CPU overhead            Low                              Slightly higher
Security                Not secure                       Secure against sniffing

Watch Out for These

Mistake: OSPF authentication encrypts the password.
Correct: Only Type 3 (MD5) uses a hash; Type 1 sends the password in plaintext.
Candidates confuse authentication with encryption; authentication only verifies identity.

Mistake: Configuring 'area authentication' alone is enough; no need to configure keys on interfaces.
Correct: Area authentication enables authentication on all interfaces in that area, but you still must configure the key on each interface with 'ip ospf message-digest-key' or 'ip ospf authentication-key'.
The area command sets the authentication type, but the key must be configured per interface.

Mistake: If authentication fails, the neighbor state goes to DOWN.
Correct: The neighbor state will not progress beyond INIT or EXSTART; it never reaches FULL, but it is not marked as DOWN unless the dead timer expires.
Candidates think of authentication failure as a link failure; actually, packets are dropped, so the neighbor stays in an intermediate state.

Mistake: Simple password authentication is secure enough for production.
Correct: Simple password is plaintext and can be sniffed; it only prevents accidental misconfiguration, not malicious attacks.
Some candidates think any password provides security; they underestimate the risk of packet sniffing.


Frequently Asked Questions

What is the difference between OSPF authentication type 1 and type 3?

Type 1 is simple password authentication, where the password is sent in plaintext in the OSPF packet. It provides minimal security, only preventing accidental misconfiguration. Type 3 is cryptographic authentication using MD5 (or SHA in newer IOS). The key is never sent; instead, a hash of the packet and key is sent. Type 3 is secure against passive sniffing and is recommended for production networks.

How do I configure OSPF authentication on an interface?

For simple password (Type 1): enter interface configuration mode and use 'ip ospf authentication' followed by 'ip ospf authentication-key <password>'. For MD5 (Type 3): use 'ip ospf authentication message-digest' followed by 'ip ospf message-digest-key <key-id> md5 <key>'. The key ID must match on both sides. You can also enable authentication for the entire area with 'area <area-id> authentication [message-digest]' under router OSPF, but you still need to configure the key on each interface.

Why is my OSPF neighbor stuck in INIT state after configuring authentication?

This usually indicates an authentication mismatch. The router received a Hello packet but the authentication information (type, key ID, or password) does not match what it expects. Check the authentication type (both must be the same), the key ID (must match), and the password (must match). Use 'show ip ospf interface' to verify the configuration on both sides. Also check logs for error messages.

Can I use different passwords for different OSPF areas?

Yes, you can configure different authentication keys per area or per interface. If you use area-level authentication, all interfaces in that area will have the same authentication type, but you can still configure different keys per interface. For example, area 0 could use MD5 with key 1, and area 1 could use MD5 with a different key. This is common in multi-area OSPF networks.

What is the default OSPF authentication type?

The default is Type 0, meaning no authentication. OSPF packets are sent without any authentication data. To enable authentication, you must explicitly configure it. Type 0 is used by default on all Cisco routers.

How do I verify OSPF authentication is working?

Use 'show ip ospf interface <interface>' to see if authentication is enabled and the key ID. For example, look for 'Message digest authentication enabled' or 'Simple password authentication enabled'. Also check that the neighbor state is FULL with 'show ip ospf neighbor'. If authentication fails, the neighbor state will not reach FULL. You can also use 'debug ip ospf packet' to see authentication failures, but use with caution.

What is OSPF key rollover and how does it work?

Key rollover is the process of changing the authentication key without disrupting the OSPF adjacency. You configure a new key with a higher key ID while keeping the old key. OSPF uses the highest key ID for sending packets, but accepts any configured key for receiving. After both routers have the new key, you can remove the old key. This allows a seamless transition.

