Tuesday, December 20, 2011

EIGRP AUTHENTICATION AND TIME BASED AUTH

Ok, the next thing I looked at was EIGRP authentication.
Classic EIGRP supports MD5 authentication only (named-mode EIGRP on later IOS added HMAC-SHA-256; not covered here).
It uses a key chain like RIPv2:
 - white space counts as a character in the key string
 - the key ID must match on both sides (the key ID is carried in the packet and the receiver uses it to pick the key it checks the MD5 hash with)
 - there is support for automatic, time-based key rotation
You configure the key chain in global config and apply it under the interface.
The neighbor relationship will go down if the other side:
 - is not configured for MD5 authentication
 - has a mismatched key ID
 - has a mismatched key string
For the automatic rotation:
This is time based. You specify an accept-lifetime and a send-lifetime per key:
 - accept is how long you will accept a particular key when authenticating received packets
 - send is how long you will use a particular key to authenticate the packets you send
The automatic rotation is where you specify rotating validity times, for example:
                        1st Jan - 31st Jan use key 1
                        1st Feb - 28th Feb use key 2
When you are doing this the major thing is that the routers in the neighbor relationship
need to have the same time; best practice would be to use NTP. If the neighbors have
mismatched time each side picks its key from its own clock, so the relationship could be
pulled down because of a mismatched key ID.
It is a good idea to give leeway and overlap the lifetimes: in the example above you might
continue to accept key 1 for the 1st day of Feb in case of sync issues. A full day would be
a fairly large skew to allow for, but it is just for example. The leeway belongs on the
accept-lifetime; the send-lifetimes can simply hand over from one key to the next.
When you define your key chain and validity times you should always end the key chain
with a key whose lifetimes are infinite, i.e. on the last key use the keyword infinite in
place of an end time:
send-lifetime <start-time> infinite
accept-lifetime <start-time> infinite
If your last key is not specified like that and you pass the end of its accept-lifetime and
send-lifetime, the neighbor relationship will be pulled down because of invalid authentication.
show key chain is good for seeing the validity values (it tags the keys that are [valid now]).
LAB
----
Ok, for the lab we will configure authentication on s1 (switch1) and r4 (r2 is a neighbor on
the same segment) and just run through a few different scenarios.


on s1
------
So the first thing is to define a key chain:
key chain CISCO
 key 1
  key-string CISCO

Now under the interface enable EIGRP MD5 authentication for AS 1 and point it at the key
chain:
switch1(config)#int po2
switch1(config-if)#ip authentication mode eigrp 1 md5
switch1(config-if)#ip authentication key-chain eigrp 1 CISCO

My neighbor relationships have gone down (both r2 and r4 are gone):
switch1#sh ip eigrp nei
IP-EIGRP neighbors for process 1
switch1#
Ok, on switch1 the debug shows we ignore the hellos (opcode 5) from r2 and r4 with the reason
missing authentication:
switch1#debug eigrp pack
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
switch1#
01:57:16: EIGRP: Port-channel2: ignored packet from 10.229.254.2, opcode = 5 (missing
authentication)
01:57:18: EIGRP: Sending HELLO on Port-channel2
01:57:18:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
01:57:18: EIGRP: Port-channel2: ignored packet from 10.229.254.4, opcode = 5 (missing
authentication)
01:57:21: EIGRP: Port-channel2: ignored packet from 10.229.254.2, opcode = 5 (missing
authentication)
On r4, which has no authentication configured yet, the hellos from switch1 are ignored with the reason authentication off or key-chain missing:
r4#debug eigrp pack
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
r4#
*Dec 20 22:24:19.159: EIGRP: Sending HELLO on FastEthernet0/0
*Dec 20 22:24:19.159:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Dec 20 22:24:20.555: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.229.254.2
*Dec 20 22:24:20.555:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ
un/rely 0/0
*Dec 20 22:24:22.351: EIGRP: FastEthernet0/0: ignored packet from 10.229.254.1,
opcode = 5 (authentication off or key-chain missing)

on r4
------
I am going to configure an incorrect key string in the key chain to see if we get a
different error:
r4(config)#key chain EOGHAN
r4(config-keychain)#key 1
r4(config-keychain-key)#key-string EOGHAN

r4(config)#int fa0/0
r4(config-if)#ip authentication key-chain eigrp 1 EOGHAN
r4(config-if)#ip authentication mode eigrp 1 md5

Now r4 ignores the hellos from s1 (10.229.254.1) with a different reason:
*Dec 20 22:30:41.127: EIGRP: FastEthernet0/0: ignored packet from 10.229.254.1,
opcode = 5 (invalid authentication)
So it has changed from missing authentication to invalid authentication: the key ID (1)
matches on both sides but the key strings differ.
Ok, I will correct the key string on r4 but change the key ID to 2:
r4(config)#key chain EOGHAN
r4(config-keychain)#no key 1
r4(config)#key chain EOGHAN
r4(config-keychain)#key 2
r4(config-keychain-key)#key-string CISCO
r4(config-keychain-key)#
I am getting the same invalid authentication debug, so a wrong key ID and a wrong key string
look the same from the outside. Now I will correct it (note the syntax is no key 2, there is
no id keyword):
r4(config)#key chain EOGHAN
r4(config-keychain)#no key id 2
                           ^
% Invalid input detected at '^' marker.
r4(config-keychain)#no key 2
r4(config)#key chain EOGHAN
r4(config-keychain)#key 1
r4(config-keychain-key)#key-string CISCO
r4(config-keychain-key)#
*Dec 20 22:35:10.351: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.229.254.1
(FastEthernet0/0) is up: new adjacency

Notice the adjacency has come up; all is good.
Ok, now we will look at time-based key changing.
r4
---
key chain EOGHAN
 key 1
  key-string CISCO1
  accept-lifetime 22:50:00 Dec 20 2011 23:00:00 Dec 20 2011
  send-lifetime 22:50:00 Dec 20 2011 23:00:00 Dec 20 2011
 key 2
  key-string CISCO2
  accept-lifetime 22:57:00 Dec 20 2011 23:05:00 Dec 20 2011
  send-lifetime 22:59:00 Dec 20 2011 23:05:00 Dec 20 2011

Notice I have done some overlap just in case: key 2 is accepted from 22:57 and sent from 22:59,
while key 1 is sent and accepted until 23:00. (Key 1's accept-lifetime ends at the same time as
its send-lifetime, so a neighbor whose clock runs behind would still be sending key 1 after we
stop accepting it; per the notes above the leeway should really go on the accept side.)
I will copy this config to s1, into its key chain CISCO.

We have an issue: switch1's clock has never been set and is still at the IOS default (the
leading * means the clock is not authoritative):
*02:32:27.827 UTC Mon Mar 1 1993
switch1#

I will update the clock by hand (NTP would be the proper fix):

switch1#clock set 23:00:00 20 DEC 2011
switch1#
02:34:50: %SYS-6-CLOCKUPDATE: System clock has been updated from 02:34:50 UTC Mon Mar
1 1993 to 23:00:00 UTC Tue Dec 20 2011, configured from console by console.
02:34:51: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.229.254.4 (Port-channel2) is
up: new adjacency
We have got our adjacency back the moment the clock was set:
switch1#sh key chain
Key-chain CISCO:
    key 1 -- text "CISCO1"
        accept lifetime (22:50:00 UTC Dec 20 2011) - (23:00:00 UTC Dec 20 2011)
        send lifetime (22:50:00 UTC Dec 20 2011) - (23:00:00 UTC Dec 20 2011)
    key 2 -- text "CISCO2"
        accept lifetime (22:57:00 UTC Dec 20 2011) - (23:05:00 UTC Dec 20 2011)
[valid now]
        send lifetime (22:59:00 UTC Dec 20 2011) - (23:05:00 UTC Dec 20 2011) [valid
now]
switch1#

We are now using key 2: it is just after 23:00, key 1's lifetimes have ended and key 2 is
marked [valid now] for both accept and send.
switch1#sh ip eigrp neigh
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq Type
                                            (sec)         (ms)       Cnt Num
0   10.229.254.4            Po2               33 00:01:49    9   200  0  44
switch1#
I have an active adjacency. We will just wait to see what happens at 23:05, when key 2 expires
and there is no other key in the chain.

switch1#
02:39:24: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.229.254.4 (Port-channel2) is down: Auth failure
switch1#sh clock
23:04:38.342 UTC Tue Dec 20 2011

I got an authentication failure: the last key has expired, there are no longer any valid keys
for the neighbor relationship, and it has gone down. (It dropped at 23:04:38 on switch1, a
little before the configured 23:05:00; the switch clock was set by hand, so the two clocks
are evidently not exactly in step, which is the NTP point from the beginning.)
switch1#sh ip eigrp nei
IP-EIGRP neighbors for process 1
switch1#
To get around this we should always give the last key a send-lifetime and an
accept-lifetime that end with infinite.
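To make the lifetime rules from the notes at the top and the 23:05 failure in the lab concrete, here is an added model of how a key chain drives which key each router sends and which keys it accepts. This is example code written for this page, not anything from the original post or from Cisco; it does not build EIGRP packets or compute the MD5 digest. Two things it assumes that the page does not state: a lifetime's end time is exclusive, and when more than one key is valid for sending the lowest key ID is used. The 90-second clock skew and the 2-minute margin are constructed values. It replays the lab chain (both keys stop dead, so the adjacency drops at 23:05, and the overlap on key 2 does not help when one router's clock runs ahead because key 1 stops being accepted at 23:00) and a hardened chain where the accept windows extend past the send windows and the last key runs to infinite:

```python
"""Model of Cisco IOS key-chain lifetimes as EIGRP MD5 authentication uses them.

Added example, not code from the original post. No packets or MD5 digests are
built; it only decides which key each router would send and whether the peer
would accept it, so overlap, clock skew and the "last key must be infinite" rule
can be checked before they take a live adjacency down.
Assumptions not stated on the page: an end time is exclusive, and when several
keys are valid for sending the lowest key ID is used.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

INFINITE = None  # an end time of None stands for the IOS keyword "infinite"


def T(hhmmss: str) -> datetime:
    """Timestamp on the lab date, e.g. T("22:50") or T("23:00:30")."""
    return datetime(2011, 12, 20, *map(int, hhmmss.split(":")))


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: Optional[datetime]  # None == infinite
    send_start: datetime
    send_end: Optional[datetime]    # None == infinite

    @staticmethod
    def _within(start: datetime, end: Optional[datetime], now: datetime) -> bool:
        return start <= now and (end is None or now < end)

    def can_send(self, now: datetime) -> bool:
        return self._within(self.send_start, self.send_end, now)

    def can_accept(self, now: datetime) -> bool:
        return self._within(self.accept_start, self.accept_end, now)


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Key this router puts in its own hellos at `now`; None once the chain has run out."""
    valid = sorted((k for k in chain if k.can_send(now)), key=lambda k: k.key_id)
    return valid[0] if valid else None


def accepts(chain: List[Key], key_id: int, key_string: str, now: datetime) -> bool:
    """Does a hello carrying (key_id, key_string) authenticate against this chain at `now`?"""
    return any(k.key_id == key_id and k.key_string == key_string and k.can_accept(now)
               for k in chain)


def adjacency(chain_a: List[Key], now_a: datetime,
              chain_b: List[Key], now_b: datetime) -> Tuple[bool, str]:
    """Check both directions of the hello exchange; now_a / now_b are each router's own clock."""
    for name, tx_chain, tx_now, rx_chain, rx_now in (("A", chain_a, now_a, chain_b, now_b),
                                                    ("B", chain_b, now_b, chain_a, now_a)):
        k = send_key(tx_chain, tx_now)
        if k is None:
            return False, f"{name} has no key valid for sending at {tx_now.time()}"
        if not accepts(rx_chain, k.key_id, k.key_string, rx_now):
            return False, f"{name} sends key {k.key_id}, peer rejects it at {rx_now.time()}"
    return True, "both directions authenticate"


def lint_chain(chain: List[Key]) -> List[str]:
    """Clock-independent checks for the mistakes the lab chain makes."""
    problems = []
    last = max(chain, key=lambda k: k.key_id)
    if last.send_end is not None or last.accept_end is not None:
        problems.append(f"key {last.key_id}: last key must end with 'infinite'")
    first_start = min(k.send_start for k in chain)
    for k in chain:
        if k.accept_end is not None and (k.send_end is None or k.accept_end <= k.send_end):
            problems.append(f"key {k.key_id}: accept-lifetime should outlast send-lifetime (peer behind)")
        if k.send_start != first_start and k.accept_start >= k.send_start:
            problems.append(f"key {k.key_id}: accept-lifetime should start before send-lifetime (peer ahead)")
    return problems


# The post's lab chain: both lifetimes of key 1 stop dead at 23:00, key 2 at 23:05.
LAB_CHAIN = [
    Key(1, "CISCO1", T("22:50"), T("23:00"), T("22:50"), T("23:00")),
    Key(2, "CISCO2", T("22:57"), T("23:05"), T("22:59"), T("23:05")),
]

# Hardened chain (constructed): accept windows extend SKEW beyond the send windows and the
# last key never expires. IOS equivalent of key 2:
#   accept-lifetime 22:58:00 Dec 20 2011 infinite
#   send-lifetime 23:00:00 Dec 20 2011 infinite
SKEW = timedelta(minutes=2)
SAFE_CHAIN = [
    Key(1, "CISCO1", T("22:50") - SKEW, T("23:00") + SKEW, T("22:50"), T("23:00")),
    Key(2, "CISCO2", T("23:00") - SKEW, INFINITE, T("23:00"), INFINITE),
]


def run_scenarios() -> dict:
    """Replay the lab and the hardened variant; maps scenario name -> adjacency stays up."""
    ahead = timedelta(seconds=90)  # constructed skew: router A's clock runs 90 s ahead of B's
    cases = {
        "lab, clocks in sync, 23:01": (LAB_CHAIN, T("23:01"), T("23:01")),
        "lab, clocks in sync, 23:06": (LAB_CHAIN, T("23:06"), T("23:06")),
        "lab, A 90s ahead, 23:00:30": (LAB_CHAIN, T("23:00:30"), T("23:00:30") - ahead),
        "safe, clocks in sync, 23:06": (SAFE_CHAIN, T("23:06"), T("23:06")),
        "safe, A 90s ahead, 23:00:30": (SAFE_CHAIN, T("23:00:30"), T("23:00:30") - ahead),
    }
    return {name: adjacency(chain, a, chain, b)[0] for name, (chain, a, b) in cases.items()}


if __name__ == "__main__":
    for problem in lint_chain(LAB_CHAIN):
        print("lab chain:", problem)
    for name, ok in run_scenarios().items():
        print(f"{name:28} {'adjacency up' if ok else 'adjacency DOWN'}")
```

Running it lists three problems with the lab chain (last key not infinite, and each key's accept window ending exactly when its send window does) and none with the hardened one; the skewed scenario shows the failure mode the intro warns about: with A 90 s ahead, B is still sending key 1 while A has already stopped accepting it. The same chain with the accept margin stays up through the handover and past 23:05.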
