OSPF

OSPF Authentication Configuration (Plain Text and MD5)

OSPF supports plain-text, MD5, and SHA authentication at the interface or area level. Here is how to configure each, why MD5 is the production default, and how to verify.

Authentication Types

1. Plain Text (Type 1)

  • Password sent in clear text
  • ❌ Not secure (visible in packet captures)
  • Use only in lab environments

2. MD5 (Type 2)

  • Password is never sent; each packet carries an MD5 digest computed over the packet and the shared key
  • ✅ More secure (password not visible)
  • ✅ Recommended for production

3. SHA (Newer IOS)

  • Available in newer IOS versions
  • Even more secure than MD5

Plain Text Authentication

Interface-Level Configuration

interface gi0/0
 ip ospf authentication
 ip ospf authentication-key MyPassword123

What this does:

  • Enables authentication on this interface
  • Sets password to "MyPassword123"
  • Sent in clear text with OSPF packets

Area-Level Configuration

router ospf 1
 area 0 authentication

interface gi0/0
 ip ospf authentication-key MyPassword123

What this does:

  • Enables authentication for all interfaces in Area 0
  • Each interface still needs password configured

MD5 Authentication

Interface-Level Configuration

interface gi0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 SecurePassword456

Key components:

  • message-digest = MD5 authentication
  • 1 = Key ID (must match on both routers)
  • md5 = Hash type
  • SecurePassword456 = Actual password

Area-Level Configuration

router ospf 1
 area 0 authentication message-digest

interface gi0/0
 ip ospf message-digest-key 1 md5 SecurePassword456
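
What the message-digest setting puts on the wire, as an added example that is not part of the original page: a Python model of the RFC 2328 Appendix D keyed-MD5 trailer and the receiver-side checks, where the receiver looks the key up by key ID and can therefore hold two keys during a rollover. The function names, the zero-padding of keys shorter than 16 bytes, and the all-zero Hello body are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!BBH4s4sHHHBBI")  # 24-byte OSPFv2 header, AuType 2 layout
MD5_LEN = 16

def pad_key(password: str) -> bytes:
    """Zero-pad the shared secret to the 16-byte MD5 key (assumed padding rule)."""
    raw = password.encode("ascii")
    if len(raw) > MD5_LEN:
        raise ValueError("MD5 key is at most 16 bytes")
    return raw.ljust(MD5_LEN, b"\x00")

def sign(router_id: bytes, area: bytes, body: bytes, key_id: int, seq: int,
         password: str, pkt_type: int = 1) -> bytes:
    """Build header + body and append MD5(packet || key) as the trailer."""
    header = HDR.pack(2, pkt_type, HDR.size + len(body), router_id, area,
                      0, 2, 0, key_id, MD5_LEN, seq)  # checksum 0, AuType 2
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(password)).digest()

def verify(wire: bytes, keys: dict, last_seq: int = 0) -> str:
    """Receiver-side checks; returns 'ok' or the reason the packet is dropped."""
    if len(wire) < HDR.size + MD5_LEN:
        return "truncated packet"
    _, _, length, _, _, _, autype, _, key_id, auth_len, seq = HDR.unpack_from(wire)
    if autype != 2:
        return "mismatched authentication type"
    if key_id not in keys:          # key ID must exist on the receiver
        return "unknown key id"
    if auth_len != MD5_LEN or len(wire) != length + MD5_LEN:
        return "bad length"
    if seq < last_seq:              # replay protection
        return "stale sequence number"
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return "digest mismatch"
    return "ok"

R1, AREA0 = bytes([1, 1, 1, 1]), bytes(4)
HELLO_BODY = bytes(20)  # constructed placeholder for the Hello payload

if __name__ == "__main__":
    wire = sign(R1, AREA0, HELLO_BODY, key_id=1, seq=100, password="MySecretPassword")
    print(verify(wire, {1: "MySecretPassword", 2: "NewPassword"}))
    print(verify(wire, {1: "WrongPassword"}))
    print(verify(wire, {2: "MySecretPassword"}))
```

The digest authenticates the packet but does not encrypt it: the header and body stay readable in a capture, only the shared key is absent.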

Complete Configuration Example

R1 Configuration (MD5)

interface gi0/0
 description Link to R2
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 MySecretPassword

router ospf 1
 router-id 1.1.1.1
 network 10.1.1.0 0.0.0.3 area 0

R2 Configuration (MD5 - Must Match!)

interface gi0/0
 description Link to R1
 ip address 10.1.1.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 MySecretPassword
 ! Same key ID and password as R1

router ospf 1
 router-id 2.2.2.2
 network 10.1.1.0 0.0.0.3 area 0

Verification

Check Authentication Status

R1# show ip ospf interface gi0/0 | include auth
  Simple password authentication enabled

or (for MD5):

R1# show ip ospf interface gi0/0 | include auth
  Message digest authentication enabled
    Youngest key id is 1

Check Neighbor Adjacency

R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2         1     FULL/  -        00:00:35    10.1.1.2        Gi0/0

FULL state = Authentication successful

Changing Authentication Keys (Key Rollover)

Problem: Changing password breaks adjacencies

Solution: Key rollover (configure multiple keys)

Step 1: Add New Key (Both Routers)

R1(config-if)# ip ospf message-digest-key 2 md5 NewPassword
R2(config-if)# ip ospf message-digest-key 2 md5 NewPassword

Now both keys (1 and 2) are active

Step 2: Remove Old Key (Both Routers)

R1(config-if)# no ip ospf message-digest-key 1
R2(config-if)# no ip ospf message-digest-key 1

Adjacency never drops during this process

Troubleshooting Authentication Issues

Symptom: Neighbors Not Forming

Check authentication mismatch:

R1# debug ip ospf adj
*Mar 18 01:15:23: OSPF-1 ADJ Gi0/0: Rcv pkt from 10.1.1.2, area 0.0.0.0 : mismatched authentication type

Common causes:

  • One router has auth enabled, other doesn't
  • Different auth types (plain text vs MD5)
  • Different passwords
  • Different key IDs
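
One way to check both ends of a link for the causes listed above, as an added example that is not from the original page: it parses the interface-level OSPF authentication lines from each router's interface stanza and reports which cause applies. The function names and the sample stanzas are constructed for illustration, and area-level authentication is not considered.

```python
import re

AUTH = re.compile(r"ip ospf authentication(?: (message-digest|null))?")
SIMPLE = re.compile(r"ip ospf authentication-key (?:(\d) )?(\S+)")
MD5 = re.compile(r"ip ospf message-digest-key (\d+) md5 (?:(\d) )?(\S+)")
MODES = {None: "simple", "message-digest": "md5", "null": "none"}

def parse(stanza: str) -> dict:
    """Extract interface-level OSPF auth settings from one interface stanza."""
    cfg = {"mode": "none", "simple": None, "md5": {}}
    for line in (" ".join(raw.split()) for raw in stanza.splitlines()):
        if m := AUTH.fullmatch(line):
            cfg["mode"] = MODES[m.group(1)]
        elif m := SIMPLE.fullmatch(line):
            cfg["simple"] = m.groups()  # (encoding type or None, secret)
        elif m := MD5.fullmatch(line):
            cfg["md5"][int(m.group(1))] = m.groups()[1:]
    return cfg

def same_secret(a, b):
    """True/False for clear-text secrets; None if either is stored encoded."""
    if a is None or b is None:
        return a is b
    return None if (a[0] or b[0]) else a[1] == b[1]

def compare(r1: str, r2: str) -> list:
    """Return the mismatch causes found between the two ends of a link."""
    a, b, out = parse(r1), parse(r2), []
    if a["mode"] != b["mode"]:
        one_sided = "none" in (a["mode"], b["mode"])
        return ["auth enabled on one side only" if one_sided else "different auth types"]
    if a["mode"] == "simple":
        out.append("plain-text authentication in use")
        if same_secret(a["simple"], b["simple"]) is False:
            out.append("different passwords")
    if a["mode"] == "md5":
        if set(a["md5"]) != set(b["md5"]):
            out.append("different key IDs")
        for kid in sorted(set(a["md5"]) & set(b["md5"])):
            verdict = same_secret(a["md5"][kid], b["md5"][kid])
            if verdict is False:
                out.append(f"different passwords for key {kid}")
            elif verdict is None:  # type 7 strings cannot be compared as text
                out.append(f"key {kid} stored encoded; compare in the vault")
    return out

# Constructed stanzas based on the R1/R2 example; R2_BAD has the wrong key ID.
R1 = ("interface gi0/0\n ip ospf authentication message-digest\n"
      " ip ospf message-digest-key 1 md5 MySecretPassword\n")
R2_BAD = R1.replace("key 1", "key 2")
```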

Verify Authentication Config

R1# show run interface gi0/0 | include authentication
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 060506324F41584B56

Note: The password is shown in type 7 encrypted form when service password-encryption is enabled

Check Packet Captures

Without auth: OSPF packets visible in plain text
With MD5: Authentication field populated, password replaced by a hash; the OSPF packet contents are still readable (authenticated, not encrypted)

Best Practices

1. Always Use MD5 (or SHA) in Production

interface gi0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 StrongPassword123!

2. Use Strong Passwords

  • ✅ 12+ characters
  • ✅ Mix of letters, numbers, symbols
  • ❌ Avoid "cisco", "password", etc.

3. Use Key Rollover for Password Changes

Never remove old key before adding new one

4. Document Key IDs

Maintain a spreadsheet:

Key ID   Link     Password         Last Changed
1        R1-R2    (secure vault)   2026-03-18

5. Encrypt Passwords in Config

service password-encryption

Result: Passwords stored as type 7 (weak encryption, but better than plain text)

Summary

Now you know:

  • Why authenticate OSPF - Prevent rogue routers
  • Plain text vs MD5 - Use MD5 in production
  • Interface vs area-level - Both methods work
  • How to configure - message-digest-key command
  • Key rollover - Change passwords without downtime
  • Troubleshooting - Debug and verify commands

Next Step:
Authentication secures OSPF. For scalability, learn about OSPF Stub Areas next.
