Tuesday, May 10, 2011

EIGRP Authentication

EIGRP allows the use of a pre-shared key (or PSK) to create an MD5 digest for each message sent and received. This keeps unauthorized (or misconfigured) routers from forming a neighbor relationship, and therefore from injecting routes or otherwise disrupting the topology, but it does not provide any privacy. Because EIGRP multicasts to 224.0.0.10, any device on the segment can join that multicast group and read the messages, but it won't be able to establish itself as a neighbor. Essentially, it is allowed to look at the Country Club through the gates but not allowed to golf...

Anyhow...

Configuration contains a few commands requiring special attention to detail. It's important to note that the name of the key chain *does not* need to match between neighboring routers, but the key number (the key ID) and the key-string *do*: the key ID is carried in the authenticated packet, and the receiving router uses it to look up which key-string to hash with.

To configure:

key chain <name_of_keychain>
 key <#>
  key-string <string_used_for_PSK>
  !Optional - set lifetimes (start time is of the form hh:mm:ss Month Day Year)
  accept-lifetime <start_time> {infinite | <end_time> | duration <seconds>}
  send-lifetime <start_time> {infinite | <end_time> | duration <seconds>}

After configuring the key chain and PSKs, we enter interface configuration mode and execute the following sub-commands:

ip authentication mode eigrp <asn> md5
ip authentication key-chain eigrp <asn> <name_of_chain>

Time-based logic for EIGRP authentication allows rotation of keys and provides a higher level of security. The basic rules are:
  • EIGRP will send messages using the lowest-numbered key whose send-lifetime is currently valid
  • EIGRP will accept messages using any key whose accept-lifetime is currently valid, provided the key ID in the packet matches and the key-string produces the same digest
So, if there are 4 keys in a router's key chain, and the 1st key has expired while the 4th has not yet reached its valid date, the router will *always* send using the 2nd key, but will accept messages authenticated with key 2 or key 3.

To verify that EIGRP authentication is working properly, three commands are used:

show ip eigrp neighbors

This will show that neighboring routers are still up and that everything is working correctly. However, for the rare instance when that doesn't "just work" it's best to use:

show key chain

This command lists the key chain configuration and which keys are currently valid for sending and for accepting. If your keys aren't valid on all routers, they are not going to send or receive, and if your keys are valid, use:

debug eigrp packets

This command will list messages about why the intended neighbor routers did not authenticate. Typically, you will see messages that state "authentication mismatch" followed by one of two reasons: "invalid authentication" (the key ID or key-string doesn't match, or the matching key is outside its accept-lifetime) or "missing authentication" (the neighbor isn't sending any authentication data at all, i.e. authentication isn't configured on its interface). Both are relatively self-explanatory, don't you think?

Notes for troubleshooting EIGRP Authentication:
  • make sure your time is accurate and matched using "show clock" and use NTP to sync time on all routers; with lifetimes configured, a router whose clock is off can see a key as expired (or not yet valid) while its neighbor is still using it
  • Key chain names do not need to match on all routers, *but the key ID and the PSK (key-string) do need to match*
  • use "show key chain" to list which keys are valid
  • Each interface must have EIGRP authentication configured on it (ip authentication mode eigrp <asn> md5) and the key chain assigned to it (ip authentication key-chain eigrp <asn> <name_of_chain>) or authentication will fail with an invalid or missing authentication message in the EIGRP debug
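The key-selection rules, the 4-key example and the three outcomes reported by the debug, modeled in Python as an added example (this is not Cisco's code and is not part of the original post). The digest is simplified to MD5(packet || key-string); Cisco's real authentication TLV layout and padding are not reproduced. The chain names, key-strings, dates and the "hello" packet are made up for the example. It goes a little beyond the post by also showing a key-ID mismatch with the correct key-string, a neighbor that sends no authentication data, and a neighbor whose clock is six months ahead.

```python
"""Model of EIGRP MD5 key-chain behaviour (added example, not Cisco code).

Simplification: digest = MD5(payload || key-string). Cisco's real
authentication TLV layout and padding are not reproduced here.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Lifetime = Tuple[datetime, datetime]
FOREVER: Lifetime = (datetime.min, datetime.max)  # like 'infinite' in IOS


@dataclass
class Key:
    """One 'key <#>' entry: key ID, key-string and its accept/send lifetimes."""
    key_id: int
    key_string: str
    accept: Lifetime = FOREVER
    send: Lifetime = FOREVER

    def can_send(self, now: datetime) -> bool:
        return self.send[0] <= now < self.send[1]

    def can_accept(self, now: datetime) -> bool:
        return self.accept[0] <= now < self.accept[1]


class KeyChain:
    def __init__(self, name: str, keys: List[Key]) -> None:
        self.name = name  # purely local: a neighbor never sees the chain name
        self.keys: Dict[int, Key] = {k.key_id: k for k in keys}

    def send_key(self, now: datetime) -> Optional[Key]:
        """Rule 1: send with the lowest-numbered key whose send-lifetime is current."""
        for key_id in sorted(self.keys):
            if self.keys[key_id].can_send(now):
                return self.keys[key_id]
        return None


def md5_digest(payload: bytes, key_string: str) -> bytes:
    return hashlib.md5(payload + key_string.encode()).digest()


def sign(chain: KeyChain, payload: bytes, now: datetime) -> Optional[Tuple[int, bytes]]:
    """Return the (key ID, digest) carried in the packet, or None if no key can send."""
    key = chain.send_key(now)
    if key is None:
        return None
    return key.key_id, md5_digest(payload, key.key_string)


def verify(chain: KeyChain, payload: bytes,
           auth: Optional[Tuple[int, bytes]], now: datetime) -> str:
    """Rule 2: accept with any key whose ID matches and whose accept-lifetime is current.

    Returns 'ok', 'missing authentication' (no auth data in the packet) or
    'invalid authentication' (unknown key ID, key outside its lifetime, or
    wrong key-string), mirroring the reasons 'debug eigrp packets' reports.
    """
    if auth is None:
        return "missing authentication"
    key_id, mac = auth
    key = chain.keys.get(key_id)
    if key is None or not key.can_accept(now):
        return "invalid authentication"
    if not hmac.compare_digest(mac, md5_digest(payload, key.key_string)):
        return "invalid authentication"
    return "ok"


def four_key_chain(name: str) -> KeyChain:
    """The post's 4-key scenario; dates and key-strings are made up."""
    def d(month: int, day: int) -> datetime:
        return datetime(2011, month, day)
    return KeyChain(name, [
        Key(1, "winter-psk", accept=(d(1, 1), d(4, 1)), send=(d(1, 1), d(4, 1))),    # expired
        Key(2, "spring-psk", accept=(d(4, 1), d(7, 1)), send=(d(4, 1), d(7, 1))),    # current
        Key(3, "summer-psk", accept=(d(5, 1), d(8, 1)), send=(d(5, 1), d(8, 1))),    # current too
        Key(4, "autumn-psk", accept=(d(7, 1), d(10, 1)), send=(d(7, 1), d(10, 1))),  # not yet valid
    ])


def run_scenarios() -> Dict[str, object]:
    now = datetime(2011, 5, 10)
    r1 = four_key_chain("R1-CHAIN")
    r2 = four_key_chain("R2-CHAIN")            # different chain name, identical keys
    hello = b"constructed EIGRP hello, AS 100"  # stand-in for a real packet
    auth = sign(r1, hello, now)
    assert auth is not None
    return {
        "r1_sends_with_key": auth[0],                                                  # 2, never 1 or 3
        "r2_accepts_key2": verify(r2, hello, auth, now),
        "r2_accepts_key3": verify(r2, hello, (3, md5_digest(hello, "summer-psk")), now),
        "key_id_mismatch": verify(r2, hello, (7, md5_digest(hello, "spring-psk")), now),  # right string, wrong ID
        "key_string_typo": verify(r2, hello, (2, md5_digest(hello, "sprng-psk")), now),
        "peer_without_auth": verify(r2, hello, None, now),
        "r2_clock_six_months_ahead": verify(r2, hello, auth, datetime(2011, 11, 1)),  # key 2 expired on R2
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:28} {outcome}")
```

The last scenario is why the "show clock"/NTP note matters: nothing in R1's configuration changed, yet R2 rejects the same packet once its own clock has moved past key 2's accept-lifetime.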
