Authentication Types
1. Plain Text (Type 1)
- Password sent in clear text
- ❌ Not secure (visible in packet captures)
- Use only in lab environments
2. MD5 (Type 2)
- Password is never sent; each packet carries an MD5 digest computed with it
- ✅ More secure (password not visible)
- ✅ Recommended for production
3. SHA (Newer IOS)
- Available in newer IOS versions
- Even more secure than MD5
Plain Text Authentication
Interface-Level Configuration
interface gi0/0
ip ospf authentication
ip ospf authentication-key MyPassword123
What this does:
- Enables authentication on this interface
- Sets password to "MyPassword123"
- Sends the password in clear text with OSPF packets
Area-Level Configuration
router ospf 1
area 0 authentication
interface gi0/0
ip ospf authentication-key MyPassword123
What this does:
- Enables authentication for all interfaces in Area 0
- Each interface still needs its own password configured
MD5 Authentication (Recommended)
Interface-Level Configuration
interface gi0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 SecurePassword456
Key components:
- message-digest = MD5 authentication
- 1 = Key ID (must match on both routers)
- md5 = Hash type
- SecurePassword456 = Actual password
Area-Level Configuration
router ospf 1
area 0 authentication message-digest
interface gi0/0
ip ospf message-digest-key 1 md5 SecurePassword456
Complete Configuration Example
R1 Configuration (MD5)
interface gi0/0
description Link to R2
ip address 10.1.1.1 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 MySecretPassword
router ospf 1
router-id 1.1.1.1
network 10.1.1.0 0.0.0.3 area 0
R2 Configuration (MD5 - Must Match!)
interface gi0/0
description Link to R1
ip address 10.1.1.2 255.255.255.252
ip ospf authentication message-digest
! Same password as R1
ip ospf message-digest-key 1 md5 MySecretPassword
router ospf 1
router-id 2.2.2.2
network 10.1.1.0 0.0.0.3 area 0
Verification
Check Authentication Status
R1# show ip ospf interface gi0/0 | include auth
Simple password authentication enabled
or (for MD5):
R1# show ip ospf interface gi0/0 | include auth
Message digest authentication enabled
Youngest key id is 1
Check Neighbor Adjacency
R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/ - 00:00:35 10.1.1.2 Gi0/0
✅ FULL state = Authentication successful
Changing Authentication Keys (Key Rollover)
Problem: Changing the password breaks adjacencies
Solution: Key rollover (configure multiple keys)
Step 1: Add New Key (Both Routers)
R1(config-if)# ip ospf message-digest-key 2 md5 NewPassword
R2(config-if)# ip ospf message-digest-key 2 md5 NewPassword
Now both keys (1 and 2) are active
Step 2: Remove Old Key (Both Routers)
R1(config-if)# no ip ospf message-digest-key 1
R2(config-if)# no ip ospf message-digest-key 1
Adjacency never drops during this process
Troubleshooting Authentication Issues
Symptom: Neighbors Not Forming
Check authentication mismatch:
R1# debug ip ospf adj
*Mar 18 01:15:23: OSPF-1 ADJ Gi0/0: Rcv pkt from 10.1.1.2, area 0.0.0.0 : mismatched authentication type
Common causes:
- One router has auth enabled, the other doesn't
- Different auth types (plain text vs MD5)
- Different passwords
- Different key IDs
Verify Authentication Config
R1# show run interface gi0/0 | include authentication
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 060506324F41584B56
Note: The password is shown in encrypted form (type 7)
Check Packet Captures
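Without auth: OSPF packets are visible in plain text and carry no authentication data
With MD5: The authentication field is populated and a digest is sent instead of the password (the packet contents themselves remain readable)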
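What the capture holds with MD5 authentication, as an added example (not from the original article or from Cisco): the sender appends a digest of the packet plus the key, following RFC 2328 Appendix D, and the receiver recomputes it. Function names and the Hello body are constructed for illustration, and zero-padding short keys to 16 bytes is an assumption about implementation behaviour; router ID, area, key IDs and passwords come from the examples above.

```python
import hashlib
import hmac
import socket
import struct

AUTYPE_MD5 = 2    # AuType 2 = cryptographic authentication (RFC 2328, Appendix D)
KEY_LEN = 16      # the MD5 key field and the digest are both 16 bytes

# Constructed Hello body: mask /30, hello 10 s, options, priority 1, dead 40 s, no DR/BDR
SAMPLE_HELLO = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.252"),
                           10, 0x02, 1, 40, bytes(4), bytes(4))

def pad_key(password):
    """Zero-pad the shared key to the 16-byte field hashed with the packet (assumed padding)."""
    raw = password.encode()
    if len(raw) > KEY_LEN:
        raise ValueError("MD5 key field holds at most 16 bytes")
    return raw.ljust(KEY_LEN, b"\x00")

def build_packet(router_id, area_id, key_id, seq, password, body=SAMPLE_HELLO):
    """Sender: header + body, followed by MD5(header + body + padded key)."""
    header = struct.pack(
        "!BBH4s4sHHHBBI",
        2, 1, 24 + len(body),            # version 2, type 1 (Hello), length without digest
        socket.inet_aton(router_id), socket.inet_aton(area_id),
        0, AUTYPE_MD5,                   # checksum is not used with AuType 2
        0, key_id, KEY_LEN, seq)         # auth field: zero, key ID, digest length, sequence
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(password)).digest()

def verify_packet(wire, keys, last_seq=0):
    """Receiver: keys maps key ID -> password. Returns (accepted, reason)."""
    (length,) = struct.unpack("!H", wire[2:4])
    autype, _, key_id, dlen, seq = struct.unpack("!HHBBI", wire[14:24])
    if autype != AUTYPE_MD5:
        return False, "mismatched authentication type"
    if key_id not in keys:
        return False, "unknown key ID"
    if seq < last_seq:
        return False, "stale sequence number"   # replayed or out-of-date packet
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(wire[length:length + dlen], expected):
        return False, "digest mismatch"
    return True, "ok"

if __name__ == "__main__":
    keys = {1: "MySecretPassword", 2: "NewPassword"}   # receiver during key rollover
    for key_id in (1, 2):
        wire = build_packet("1.1.1.1", "0.0.0.0", key_id, 100, keys[key_id])
        print(key_id, verify_packet(wire, keys), "password visible:", keys[key_id].encode() in wire)
    print(verify_packet(wire, {1: "MySecretPassword"}))   # old key only: unknown key ID
```

The receiver accepts either key while both are configured, which is why the rollover procedure keeps the adjacency up; once only one side still holds key 1 alone, packets signed with key 2 are rejected.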
Best Practices
1. Always Use MD5 (or SHA) in Production
interface gi0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 StrongPassword123!
2. Use Strong Passwords
- ✅ 12+ characters
- ✅ Mix of letters, numbers, symbols
- ❌ Avoid "cisco", "password", etc.
3. Use Key Rollover for Password Changes
Never remove the old key before adding the new one
4. Document Key IDs
Maintain a spreadsheet:
| Link | Key ID | Password | Last Changed |
|---|---|---|---|
| R1-R2 | 1 | (secure vault) | 2026-03-18 |
5. Encrypt Passwords in Config
service password-encryption
Result: Passwords stored as type 7 (weak encryption, but better than plain text)
Summary
Now you know:
✅ Why authenticate OSPF — Prevent rogue routers
✅ Plain text vs MD5 — Use MD5 in production
✅ Interface vs area-level — Both methods work
✅ How to configure — message-digest-key command
✅ Key rollover — Change passwords without downtime
✅ Troubleshooting — Debug and verify commands
Next Step:
Authentication secures OSPF. For scalability, learn about OSPF Stub Areas next.