一、路由器认证
支持简单明文认证的:
IS-ISOSPFRIPv2
支持MD5 认证的路由协议:
OSPFRIPv2BGPEIGRP
二、简单密码认证与MD5 认证对比
简单密码认证(可读性密码):
路由器发出路由包以及key.
邻居检查key是不是和它自己的配置key匹配(共享密钥).
处理不会加密(可有破解软件查看).
MD5 认证(不可读密码,类似乱码):
配置key (密码) 和 key ID; router对key和key id进行一个
hash的计算,生成一个值,这个值就是一个消息摘要,消息摘
要随EIGRP报文一起发送,但是key(密码)不发送.
处理会加密,理论上哈希算法是不可破解的,也是不可逆的算法。
11(key)+22(key id) 哈希计算 形成一个值=cisco
三、EIGRP MD5 认证原理
路由器根据key,key ID以及信息产生消息的哈希值
EIGRP 通过Key链来管理所有的.
指定 key ID (号码), key和key的生命周期.
首先使用第一个有效的 key, 然后依key的号码顺序使用。.
四、EIGRP MD5 认证配置步骤
1、创建一个密钥链;
2、创建key-id来表示不同的密钥;
3、创建密钥;
4、设置密钥验证的寿命(存活)时间;(可选)
5、在接口上启用MD5身份验证;
6、指定接口在身份验证时使用哪一个密钥链。
五、配置 EIGRP MD5 认证
Router(config)#key chain name-of-chain
Router(config-keychain)#key key-id
Router(config-keychain-key)#key-string text
Router(config-keychain-key)#accept-lifetime start-time {infinite | end-time | duration seconds} 可选项: 指定对接收到的包什么时候采用这个key
Router(config-keychain-key)#send-lifetime start-time {infinite | end-time | duration seconds} 可选项: 指定对发出去的包什么时候采用这个key
Router(config-if)#ip authentication mode eigrp autonomous-system md5 指定EIGRP的包采用 MD5 认证
Router(config-if)#ip authentication key-chain eigrp autonomous-system name-of-chain 允许 EIGRP 的包通过 keychain 中指定的key进行认证
六、配置实例
R1#
key chain R1chain
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.101 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.1.0
auto-summary
R2#
key chain R2chain
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.102 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
network 172.17.2.0 0.0.0.255
network 192.168.1.0
auto-summary
校验 MD5 认证
R1#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/1) is up: new adjacency
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.1.102 Se0/0/1 12 00:03:10 17 2280 0 14
R1#show ip route
<output omitted>
Gateway of last resort is not set
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:31:31, Null0
C 172.16.1.0/24 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.96/27 is directly connected, Serial0/0/1
D 192.168.1.0/24 is a summary, 00:31:31, Null0
R1#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
MD5 认证排错
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY) EIGRP收到一个具有MD5认证的包,key ID为1
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 pe
erQ un/rely 0/0
R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
R2# EIGRP:收到一个具有MD5认证的包,key ID为2
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 pe
erQ un/rely 0/0
本文转自zcm8483 51CTO博客,原文链接:http://blog.51cto.com/haolun/993181
