
EIGRP Authentication Configuration

<b>1. Router authentication</b>

Routing protocols that support simple plaintext authentication:

IS-IS  OSPF  RIPv2

Routing protocols that support MD5 authentication:

RIPv2  BGP  EIGRP

<b>2. Simple password authentication versus MD5 authentication</b>

Simple password authentication (readable password):

    The router sends the routing packet together with the key.

    The neighbor checks whether the key matches its own configured key (shared secret).

    The exchange is not protected in any way; the key travels in clear text and can be viewed with cracking software.

MD5 authentication (unreadable password, looks like random data):

    A key (password) and a key ID are configured; the router runs a hash over the key and the key ID and produces a value, the message digest. The digest is sent along with the EIGRP packet, but the key (password) itself is never sent.

    The exchange is protected by the hash rather than by sending the key: in theory the hash algorithm cannot be cracked and is not reversible.

    Illustration: 11 (key) + 22 (key ID) -> hash computation -> one value, e.g. cisco

<b>3. How EIGRP MD5 authentication works</b>

    The router computes the message hash from the key, the key ID and the message contents.

    EIGRP manages all of its keys through a key chain.

    Each entry specifies a key ID (number), the key, and the key's lifetime.

    The first valid key is used first; after that, keys are used in order of key number.
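To make sections 2 and 3 concrete, here is an added example (mine, not the original author's and not Cisco's code) that models a key chain with accept/send lifetimes, a sender that attaches (key ID, digest) to each packet without ever transmitting the key string, and a receiver that looks the key ID up in its own chain and recomputes the digest. The digest is a simplified MD5 over key ID, key string and packet, not the real EIGRP authentication TLV layout. The lifetimes are those of R1chain from the configuration example later in this post; R2's chain is assumed to hold the same two keys, and the hello packet body is a constructed sample.

```python
"""Model of the scheme described above: a key chain with accept/send lifetimes,
a digest attached to each packet, and a receiver that recomputes it. Added
example, not Cisco's code or the EIGRP wire format."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

FMT = "%H:%M:%S %b %d %Y"       # the "04:00:00 Jan 1 2006" form of the IOS commands
INFINITE = datetime.max

def at(s):
    return datetime.strptime(s, FMT)

@dataclass
class Key:
    key_id: int
    key_string: bytes
    accept: tuple = (datetime.min, INFINITE)   # accept-lifetime (start, end)
    send: tuple = (datetime.min, INFINITE)     # send-lifetime (start, end)

class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now):
        """First key in key-id order whose send-lifetime covers now."""
        return next((k for k in self.keys if k.send[0] <= now < k.send[1]), None)

    def accept_key(self, key_id, now):
        """The key with that id, if its accept-lifetime covers now."""
        return next((k for k in self.keys
                     if k.key_id == key_id and k.accept[0] <= now < k.accept[1]), None)

def digest(key, packet):
    """Message digest over key id, key string and packet.  Simplified: plain MD5
    over the concatenation; real EIGRP hashes the packet plus an authentication
    TLV and the key in a Cisco-defined layout."""
    return hashlib.md5(key.key_id.to_bytes(4, "big") + key.key_string + packet).digest()

def send(chain, packet, now):
    """Sender: choose the key and attach (key id, digest); the key string stays local."""
    k = chain.send_key(now)
    if k is None:
        raise RuntimeError(f"{chain.name}: no key with a valid send-lifetime")
    return {"packet": packet, "key_id": k.key_id, "digest": digest(k, packet)}

def receive(chain, msg, now):
    """Receiver: look the key id up in the local chain, recompute, compare."""
    k = chain.accept_key(msg["key_id"], now)
    if k is None:
        return False            # unknown key id, or outside its accept-lifetime
    return hmac.compare_digest(digest(k, msg["packet"]), msg["digest"])

# R1chain as configured in the example later in this post.
R1 = KeyChain("R1chain", [
    Key(1, b"firstkey", accept=(at("04:00:00 Jan 1 2006"), INFINITE),
        send=(at("04:00:00 Jan 1 2006"), at("04:01:00 Jan 1 2006"))),
    Key(2, b"secondkey", send=(at("04:00:00 Jan 1 2006"), INFINITE)),
])
# R2's chain is only partly shown in the post; assumed here to hold the same keys.
R2 = KeyChain("R2chain", [Key(1, b"firstkey"), Key(2, b"secondkey")])

HELLO = b"EIGRP HELLO AS=100 (constructed sample packet body)"

def exchange(sender, receiver, now, tamper=False):
    """One packet from sender to receiver at time now -> (key id used, accepted?)."""
    msg = send(sender, HELLO, now)
    if tamper:
        msg["packet"] += b"x"   # modification in transit; digest no longer matches
    return msg["key_id"], receive(receiver, msg, now)

if __name__ == "__main__":
    print(exchange(R1, R2, at("04:00:30 Jan 1 2006")))               # (1, True)
    print(exchange(R1, R2, at("16:38:38 Jan 21 2006")))              # (2, True)
    print(exchange(R1, R2, at("16:38:38 Jan 21 2006"), tamper=True)) # (2, False)
    print(exchange(R1, KeyChain("R2chain", [Key(2, b"wrongkey")]),
                   at("16:38:38 Jan 21 2006")))                      # (2, False)
```

Running it reproduces the rollover that the debug output at the end of this post documents: inside key 1's one-minute send window R1 signs with key ID 1, afterwards with key ID 2, and a packet altered in transit or a neighbor whose key string differs is rejected. Note what the hash does and does not buy: a party without the key string cannot forge or alter packets that will be accepted, but the routing data itself is still sent in the clear, and anyone who holds the key string can produce valid digests.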

<b>4. Steps to configure EIGRP MD5 authentication</b>

    1. Create a key chain;
    2. Create a key ID to identify each key;
    3. Create the key (key string);
    4. Set the key's validity (lifetime) period (optional);
    5. Enable MD5 authentication on the interface;
    6. Specify which key chain the interface uses for authentication.

<b>5. Configuring EIGRP MD5 authentication</b>

    Router(config)#key chain name-of-chain
    Router(config-keychain)#key key-id
    Router(config-keychain-key)#key-string text
    Router(config-keychain-key)#accept-lifetime start-time {infinite | end-time | duration seconds}  optional: specifies when this key is used for packets received
    Router(config-keychain-key)#send-lifetime start-time {infinite | end-time | duration seconds}  optional: specifies when this key is used for packets sent
    Router(config-if)#ip authentication mode eigrp autonomous-system md5  specifies that EIGRP packets use MD5 authentication
    Router(config-if)#ip authentication key-chain eigrp autonomous-system name-of-chain  has EIGRP packets authenticated with the keys defined in the named key chain

<b>6. Configuration example</b>

R1#
key chain R1chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R1chain
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary

R2#
key chain R2chain
  send-lifetime 04:00:00 Jan 1 2006 infinite
 ip address 172.17.2.2 255.255.255.0
 ip address 192.168.1.102 255.255.255.224
 ip authentication key-chain eigrp 100 R2chain
 network 172.17.2.0 0.0.0.255

<b>Verifying MD5 authentication</b>

*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/1) is up: new adjacency

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.1.102           Se0/0/1           12 00:03:10   17  2280  0  14

R1#show ip route
<output omitted>
Gateway of last resort is not set
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:31:31, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/1
D       192.168.1.0/24 is a summary, 00:31:31, Null0

R1#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

<b>Troubleshooting MD5 authentication</b>

R1#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)

R1 receives a packet carrying MD5 authentication with key ID 1:

*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

R2#debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#

R2 receives a packet carrying MD5 authentication with key ID 2:

*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 pe
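As an added example (mine, not from the original post and not Cisco's code), the following parses the R1 key-chain, interface and router eigrp stanzas shown in the configuration example and R2's debug lines, lints the authentication configuration for the mismatches that typically keep an MD5-authenticated adjacency from forming (mode without key chain, key chain without mode, AS mismatch, undefined chain, key without key-string, no key valid for sending), and checks that the key ID R2 reports receiving is the one R1's chain would select at that moment. The config and debug text are copied from the post; the debug timestamps carry no year, so 2006 is assumed, and only the `hh:mm:ss Mon d yyyy` lifetime form used in the post is parsed.

```python
"""Parse and lint the EIGRP MD5 authentication config shown above and cross-check
it against the debug output. Added example, not Cisco's code; config and debug
text copied from the post, the year of the debug stamps assumed to be 2006."""
import re
from datetime import datetime, timedelta

R1_CONFIG = """\
key chain R1chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  send-lifetime 04:00:00 Jan 1 2006 infinite
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R1chain
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
"""
R2_DEBUG = """\
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
"""
FMT = "%H:%M:%S %b %d %Y"               # "04:00:00 Jan 1 2006", the form used in the post
ALWAYS = (datetime.min, datetime.max)   # IOS default when no lifetime is configured

def at(s):
    return datetime.strptime(s, FMT)

def parse_lifetime(w):
    """Words after accept-/send-lifetime -> (start, end)."""
    start, rest = at(" ".join(w[:4])), w[4:]
    if rest[0] == "infinite":
        return start, datetime.max
    if rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    return start, at(" ".join(rest[:4]))

def parse_ios_config(text):
    """Minimal parser for the key chain, interface and router eigrp stanzas."""
    cfg = {"key_chains": {}, "interfaces": {}, "eigrp_as": set()}
    chain = key = intf = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[:2] == ["key", "chain"]:
            chain, key, intf = cfg["key_chains"].setdefault(w[2], {}), None, None
        elif w[0] == "key" and chain is not None:
            key = chain.setdefault(int(w[1]), {"accept": ALWAYS, "send": ALWAYS})
        elif w[0] == "key-string" and key is not None:
            key["string"] = w[1]
        elif w[0] in ("accept-lifetime", "send-lifetime") and key is not None:
            key[w[0].split("-")[0]] = parse_lifetime(w[1:])
        elif w[0] == "interface":
            intf, chain, key = cfg["interfaces"].setdefault(w[1], {}), None, None
        elif w[:3] == ["ip", "authentication", "mode"] and intf is not None:
            intf["mode"] = (int(w[4]), w[5])          # (AS, "md5")
        elif w[:3] == ["ip", "authentication", "key-chain"] and intf is not None:
            intf["key_chain"] = (int(w[4]), w[5])     # (AS, chain name)
        elif w[:2] == ["router", "eigrp"]:
            cfg["eigrp_as"].add(int(w[2]))
            chain = key = intf = None
    return cfg

def send_key_id(chain, now):
    """Rule from the post: first key, in key-id order, whose send-lifetime covers now."""
    for kid in sorted(chain):
        start, end = chain[kid]["send"]
        if "string" in chain[kid] and start <= now < end:
            return kid
    return None

def lint_eigrp_auth(cfg, now):
    """Findings that would stop MD5-authenticated adjacencies from forming."""
    out = []
    for name, intf in cfg["interfaces"].items():
        mode, ref = intf.get("mode"), intf.get("key_chain")
        if mode and not ref:
            out.append(f"{name}: md5 mode set but no key chain bound")
        if ref and not mode:
            out.append(f"{name}: key chain bound but no authentication mode")
        if mode and ref and mode[0] != ref[0]:
            out.append(f"{name}: AS {mode[0]} (mode) differs from AS {ref[0]} (key-chain)")
        for asn in {x[0] for x in (mode, ref) if x} - cfg["eigrp_as"]:
            out.append(f"{name}: no 'router eigrp {asn}' process")
        if not ref:
            continue
        chain = cfg["key_chains"].get(ref[1])
        if chain is None:
            out.append(f"{name}: key chain '{ref[1]}' is not defined")
            continue
        out += [f"{ref[1]} key {k}: no key-string" for k in chain if "string" not in chain[k]]
        if send_key_id(chain, now) is None:
            out.append(f"{ref[1]}: no key has a valid send-lifetime at {now}")
    return out

KEY_ID_RE = re.compile(r"received packet with MD5 authentication, key id = (\d+)")

def observed_key_ids(debug_text):
    """Key IDs reported by 'debug eigrp packets' on the receiving router."""
    return [int(m.group(1)) for m in KEY_ID_RE.finditer(debug_text)]

if __name__ == "__main__":
    cfg = parse_ios_config(R1_CONFIG)
    now = at("16:38:38 Jan 21 2006")      # R2's debug stamp, year assumed
    print("lint:", lint_eigrp_auth(cfg, now) or "no findings")
    print("R1 would send key id", send_key_id(cfg["key_chains"]["R1chain"], now),
          "- R2 reported", observed_key_ids(R2_DEBUG))
```

For the configuration in this post the lint returns no findings, and R1's chain selects key 2 at the time of R2's debug line, matching the `key id = 2` R2 reports: key 1's send-lifetime ended one minute after it began, so R1 has long since rolled over to key 2 while still accepting key 1 (its accept-lifetime is infinite), which is why R1 can still validate R2's packets signed with key ID 1. The same cross-check is the first thing to run when an adjacency stays down after enabling authentication, since key-ID, key-string and AS mismatches all fail silently at the protocol level.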

This article is reposted from zcm8483's 51CTO blog; original link: http://blog.51cto.com/haolun/993181
