The authentication-mode command sets an authentication mode and a password for an OSPF area.
The undo authentication-mode command cancels the authentication mode configured for an OSPF area.
By default, no authentication mode is configured.
authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]
authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]
authentication-mode keychain keychain-name
undo authentication-mode
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the keychain keychain-name parameter.
Parameter | Description | Value |
---|---|---|
simple | Sets simple authentication. In simple authentication, the password type is cipher by default. NOTICE: Simple authentication carries potential security risks. As such, HMAC-SHA256 authentication is recommended. | - |
plain | Sets a plaintext password. If this parameter is specified, you can only enter a plaintext password, which is then displayed in plain text when the configuration file is viewed. NOTICE: If plain is specified, the password is saved in the configuration file in plain text. This carries security risks. You are advised to specify cipher to save the password in cipher text. | - |
plain-text | Sets a plaintext password. | The value is a string of case-sensitive characters that can be letters or digits without spaces. In simple authentication, the value is a string of 1 to 8 characters. In md5, hmac-md5, or hmac-sha256 authentication, the value is a string of 1 to 255 characters. |
cipher | Sets a ciphertext password. Either a plaintext or ciphertext password can be entered, and cipher text is displayed when the configuration file is viewed. | When cipher is configured, the password can only be entered in cipher text. The password is then displayed in cipher text in configuration files. MD5, HMAC-SHA256, and HMAC-MD5 authentication use the password in cipher text by default. |
cipher-text | Specifies the ciphertext password. | The value is a string of case-sensitive characters that can be letters or digits without spaces. In simple authentication, the value is a string of 1 to 8 characters in plain text, or a string of 24, 32, or 48 characters in cipher text. In md5, hmac-sha256, or hmac-md5 authentication, the value is a string of 1 to 255 characters in plain text, or a string of 20 to 392 characters in cipher text. |
md5 | Indicates MD5 authentication using the ciphertext password. NOTICE: MD5 authentication carries potential security risks. As such, HMAC-SHA256 authentication is recommended. | - |
hmac-md5 | Indicates HMAC-MD5 authentication using the ciphertext password. NOTICE: HMAC-MD5 authentication carries potential security risks. As such, HMAC-SHA256 authentication is recommended. | - |
hmac-sha256 | Indicates HMAC-SHA256 authentication. | - |
key-id | Specifies the authentication key ID of the interface's cipher authentication. The key ID must be consistent with that of the peer. | The value is an integer that ranges from 1 to 255. |
keychain | Indicates keychain authentication. NOTE: Before configuring this parameter, run the keychain command to create a keychain. Then, run the key-id, key-string, and algorithm commands to configure a key ID, a password, and an authentication algorithm for this keychain. Otherwise, OSPF authentication will fail. Currently, only the HMAC-MD5, SM3, and HMAC-SHA256 algorithms can be used in OSPF. | - |
keychain-name | Specifies the keychain name. | The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and spaces. However, when double quotation marks (") are used around the string, spaces are allowed in the string. |
Usage Scenario
OSPF authentication can be configured to improve network security on networks with high security demands. When area authentication is used, interfaces on all devices in an area must use the same area authentication mode and password.
Precautions
The priority of area authentication is lower than the priority of interface authentication. The ospf authentication-mode command can be used to change the priority of interface authentication.
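An added example, not part of the original command reference: a short Python check that reads a saved configuration and reports, per OSPF area, the modes this page marks with a security NOTICE, passwords stored with plain, out-of-range key IDs, and areas left at the no-authentication default. The sample configuration and its password and cipher-text values are constructed, the finding labels are this example's own, and the `ospf`, `area`, and `network` context lines and the `#` section separator are assumptions about the saved-configuration layout.

```python
import re

WEAK_MODES = {"simple", "md5", "hmac-md5"}  # modes the page marks with a NOTICE

def audit_line(line):
    """Return findings for one area-view 'authentication-mode ...' line."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "authentication-mode":
        return []
    mode, rest, findings = tok[1], tok[2:], []
    if mode in WEAK_MODES:
        findings.append(f"weak-mode:{mode}")
    if mode == "keychain":
        return findings  # algorithm and key live in the keychain, not here
    if mode != "simple" and rest:  # md5 / hmac-md5 / hmac-sha256 take key-id first
        key_id, rest = rest[0], rest[1:]
        if not (key_id.isdigit() and 1 <= int(key_id) <= 255):
            findings.append(f"bad-key-id:{key_id}")
    if rest and rest[0] == "plain":
        findings.append("plaintext-stored")  # password readable in the config file
    return findings

def audit_config(text):
    """Map each OSPF area to its findings; a missing command is a finding too."""
    report, area = {}, None
    for line in map(str.strip, text.splitlines()):
        match = re.fullmatch(r"area (\S+)", line)
        if match:
            area = match.group(1)
            report[area] = None
        elif line == "#":
            area = None  # assumed section separator; stops matching other views
        elif area is not None and line.startswith("authentication-mode "):
            report[area] = audit_line(line)
    return {a: ["no-authentication"] if f is None else f for a, f in report.items()}

# Constructed sample; the passwords and cipher text are placeholders.
SAMPLE = """\
ospf 1
 area 0.0.0.0
  authentication-mode hmac-sha256 1 cipher EXAMPLECIPHERTEXT0000000
 area 0.0.0.1
  authentication-mode simple plain Passw0rd
 area 0.0.0.2
  authentication-mode md5 300 plain k3y
 area 0.0.0.3
  network 10.3.0.0 0.0.255.255
#
"""
print(audit_config(SAMPLE))
```

Keychain areas return no line-level findings because the algorithm is set inside the keychain, so review the keychain definition separately.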