< Home

Configuring an Area Authentication Mode

Context

In area authentication, all switches in an area must use the same area authentication mode and password. For example, all switches in Area 0 are configured to use the simple authentication mode and a password of abc.

If plain is selected in the area authentication configuration, the password is stored in plaintext in the configuration file. For security purposes, you are advised to select cipher to store the password in ciphertext.

Simple authentication, MD5 authentication, and HMAC-MD5 ciphertext authentication have potential security risks. HMAC-SHA256 ciphertext authentication is recommended.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ospf [ process-id ]

    The OSPF process view is displayed.

  3. Run area area-id

    The OSPF area view is displayed.

  4. Run any of the following commands to configure an authentication mode for the OSPF area as required:

    • Run authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]

      Simple authentication is configured for the OSPF area.

      • plain: indicates that the password is stored in plaintext.
      • cipher: indicates that the password is stored in ciphertext. For MD5 authentication or HMAC-MD5 authentication, the password is stored in ciphertext by default.

    • Run authentication-mode { md5 | hmac-md5 | hmac-sha256 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]

      An authentication mode is configured for the OSPF area.

      • md5: indicates that MD5 ciphertext authentication is used.

      • hmac-md5: indicates that HMAC-MD5 ciphertext authentication is used.
      • hmac-sha256: indicates that HMAC-SHA256 ciphertext authentication is used.
      • key-id: specifies the authentication key ID in ciphertext authentication.

    • Run authentication-mode keychain keychain-name

      Keychain authentication is configured for the OSPF area.

      Before using Keychain authentication, you need to configure Keychain information in the system view. To enable switches to successfully establish an OSPF neighbor relationship, ensure that key-id, algorithm, and key-string in the local ActiveSendKey are the same as those in the remote ActiveRecvKey.

      Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support keychain keychain-name.

Parent Topic: Improving the Security of an OSPF Network
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >