How to configure EIGRP Authentication

Routing protocols can be configured to prevent receiving false routing  updates and EIGRP is no exception. If you don’t use authentication and you are  running EIGRP someone could try to form an EIGRP neighbor adjacency with one of  your routers and try to mess with your network…we don’t want that to happen  right?

EIGRP only offers MD5 authentication, there’s no plaintext  authentication.

What does authentication offer us?

  • Your router will authenticate the source of each routing update packet that  it will receive.
  • Prevents false routing updates from sources that are not approved.
  • Ignore malicious routing updates.

A potential hacker could be sitting on your network with a laptop running  GNS3 / Dynamips, boot up a Cisco router and try the following things:

  • Try to establish a neighbor adjacency with one of your routers and advertise  junk routes.
  • Send malicious packets and see if you can drop the neighbor adjacency of one  of your authorized routers.

In order to configure EIGRP authentication we need to do the following:

  • Configure a key-chain
    • Configure a key ID under the key-chain.
      • Specify a password for the key ID.
      • Optional: specify accept and expire lifetime for the key.

Let’s use two routers and see if we can configure EIGRP MD5  authentication:

EIGRP with keys The configuration for both routers is very  basic:

Jack(config)#interface fastEthernet 0/0
Jack(config-if)#ip address

Jack(config)#router eigrp 12
John(config)#interface fastEthernet 0/0
John(config-if)#ip address

John(config)#router eigrp 12

The first thing we need to configure is a key-chain:

EIGRP Keychain

I called mine “KingKong” but it can be different on both routers, it doesn’t  matter. The Key ID is a value that has to match on both routers and the  key-string is the password which has to match of course.

Jack(config)#key chain KingKong
Jack(config-keychain)#key 1
Jack(config-keychain-key)#key-string Banana
Jack(config)#interface fastEthernet 0/0
Jack(config-if)#ip authentication mode eigrp 12 md5 
Jack(config-if)#ip authentication key-chain eigrp 12 KingKong

First you have to create the keychain and then you need to activate it on the  interface. The “12” is the AS number of EIGRP. The configuration on router John  is exactly the same.

John#debug eigrp packets 
EIGRP Packets debugging is on

John# EIGRP: FastEthernet0/0: ignored packet from, opcode = 5 (authentication off or key-chain missing)

You can check if your configuration is correct by using debug eigrp  packets. You can see that we received a packet with MD5 authentication but I  didn’t enable MD5 authentication yet on router John.

Let’s fix it:

John(config)#key chain KingKong
John(config-keychain)#key 1
John(config-keychain-key)#key-string Banana

John(config)#interface fastEthernet 0/0
John(config-if)#ip authentication mode eigrp 12 md5
John(config-if)#ip authentication key-chain eigrp 12 KingKong

Right away I can see that the EIGRP neighbor adjacency is working:

John# %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor (FastEthernet0/0) is up: new adjacency

What if I entered a wrong key-string?

Jack(config)#key chain KingKong
Jack(config-keychain)#key 1
Jack(config-keychain-key)#key-string Apples

Let’s see if KingKong likes apples…

John# EIGRP: pkt key id = 1, authentication mismatch

You will see the message above in the debug output on router John. At least  it tells us that key 1 is the one with the error.

You will see the message above in the debug output on router John. At least  it tells us that key 1 is the one with the error.

If you want to spice it up a bit you can set an accept and expire lifetime on keys. The idea behind this is that you can have keys  that are only valid for a day, a week, a month or something else. Do you want to  use this in real life? It might enhance security but it also makes maintenance a  bit more complex…

Before you configure keys with a limited lifetime make sure you set the  correct time and date. You can do this manually on each router but it’s better  to use a NTP (Network Time Protocol) server so all the routers have the same  time/date.

Anyway that’s all I wanted to show you! If you have any more questions please  leave a comment!

Read more:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: