EIGRP Authentication using multiple keys problem

CaptainL Member Posts: 78
My objective was to use authentication using multiple keys and key-strings. From my understanding, the sending router will use the lowest key and the key-string associated with it, and compare that key-string to any valid key in the receiving router. If it finds a match, then my neighbors will be re-formed. My question is: why doesn't my neighbor relationship come up? What is my mistake?

Comments

  • bobfromfpl Member Posts: 104
    I believe the problem is because the keys are mismatched. Key 1 has to be the same across all routers using authentication within the same AS. When the receiving router receives the EIGRP packet, it will compare the neighbor's key 1 to the local key 1 and find a mismatch, thus denying the neighbor relationship. You should be able to see this using the debug eigrp packets output.
  • EdTheLad Member Posts: 2,111
    Firstly, as pointed out, your key-strings don't match; your understanding isn't 100% correct.
    The sending router will use the lowest key-id. An MD5 hash of the EIGRP payload along with the shared key is calculated, attached to the EIGRP header and sent along with the key-id. When received on the remote neighbor, the key-id is used to find the matching shared key.

    RTA

    key chain TEST
     key 1
      key-string juniper
     key 10
      key-string cisco

    RTB

    key chain TEST
     key 10
      key-string cisco


    In the above example, RTA would use key 1 to send EIGRP hellos; RTB doesn't have key 1, so RTB has an authentication mismatch. RTB sends hellos with key 10; RTA has key 10 and the key-strings match, so authentication succeeds. But you only have peering in one direction; RTB is still down.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
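The one-way failure EdTheLad describes above, modelled in Python as an added example (not code from the original thread or from Cisco IOS): each router picks its lowest key-id to send, and the receiver looks up that key-id in its own chain before checking the digest. The key-ids and key-strings are taken from the RTA/RTB example above; the digest is a simplified keyed MD5, MD5(payload || key-string), which is an assumption standing in for the exact EIGRP packet layout, and key lifetimes (accept-lifetime/send-lifetime) are deliberately ignored. The example also goes beyond the post by showing the two ways a key can fail (key-id absent versus key-string wrong) and that the chain name itself plays no part in the check.

```python
import hashlib
import hmac


class KeyChain:
    """A router's key chain: a name plus {key_id: key_string}."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = dict(keys)

    def lowest_key_id(self):
        # Sender behaviour described in the thread: the lowest key-id is used.
        # (Lifetimes are ignored here; assumption for the sake of the model.)
        return min(self.keys)


def md5_digest(payload: bytes, key_string: str) -> bytes:
    # Simplified keyed MD5 over payload + shared key. The real EIGRP digest
    # layout differs; this concatenation is an assumption for illustration.
    return hashlib.md5(payload + key_string.encode()).digest()


def build_hello(chain: KeyChain, payload: bytes) -> dict:
    """Sender side: attach key-id and digest computed with that key's string."""
    key_id = chain.lowest_key_id()
    return {
        "key_id": key_id,
        "payload": payload,
        "digest": md5_digest(payload, chain.keys[key_id]),
    }


def verify_hello(chain: KeyChain, hello: dict):
    """Receiver side: find the key-id locally, then recompute and compare."""
    key_string = chain.keys.get(hello["key_id"])
    if key_string is None:
        # Key-id mismatch: nothing to compare against, so auth fails outright.
        return False, f"no key {hello['key_id']} in chain {chain.name}"
    expected = md5_digest(hello["payload"], key_string)
    # Constant-time compare so a wrong digest does not leak timing.
    if not hmac.compare_digest(expected, hello["digest"]):
        return False, f"key {hello['key_id']} present but key-string mismatch"
    return True, f"key {hello['key_id']} authenticated"


def adjacency(a: KeyChain, b: KeyChain, payload=b"EIGRP HELLO AS 100"):
    """Both directions must authenticate for the neighbour to come up."""
    a_to_b = verify_hello(b, build_hello(a, payload))
    b_to_a = verify_hello(a, build_hello(b, payload))
    return {"a_to_b": a_to_b, "b_to_a": b_to_a, "up": a_to_b[0] and b_to_a[0]}


# Key chains from the post above (constructed sample data).
RTA = KeyChain("TEST", {1: "juniper", 10: "cisco"})
RTB = KeyChain("TEST", {10: "cisco"})
# Hypothetical fixes: RTB with key 1 added (chain name differs on purpose),
# and RTB with key 1 present but the wrong string.
RTB_FIXED = KeyChain("EIGRP-KEYS", {1: "juniper", 10: "cisco"})
RTB_WRONG_STRING = KeyChain("TEST", {1: "Juniper", 10: "cisco"})

if __name__ == "__main__":
    for label, peer in (("as posted", RTB), ("key 1 added", RTB_FIXED),
                        ("wrong string", RTB_WRONG_STRING)):
        r = adjacency(RTA, peer)
        print(f"{label:12} RTA->RTB: {r['a_to_b'][1]}; "
              f"RTB->RTA: {r['b_to_a'][1]}; up={r['up']}")
```

Running it reproduces the thread: RTA's hello (key 1) is rejected by RTB for lack of key 1 while RTB's hello (key 10) is accepted by RTA, so the adjacency stays down; adding key 1 with the same key-string on RTB brings it up even though the chain names differ, and a key 1 with a different key-string fails at the digest comparison instead.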
  • CaptainL Member Posts: 78
    Does it mean that both the key and the key-string must match? Because in the OCG, EIGRP section, it says that "the key numbers do not have to match on the neighboring routers".
  • EdTheLad Member Posts: 2,111
    Yes, they have to match; the OCG is wrong. This is why you need to lab things up.
  • bobfromfpl Member Posts: 104
    Which page are you seeing that on?

    In the OCG on pg. 43 it states that the key number and key string must match on neighbor routers.

    However, right above that exact line it does say that the key chain name does NOT have to match.

    Ok, I see what you're seeing. On page 40, step 1.b is incorrect: it does say that key numbers don't have to match on neighbor routers. But as we see from your example, the book is wrong in that particular section.
  • IStudyCisco Member Posts: 4
    OP, please check the Cisco Press website for the errata sheet for this guide. This and much more has been identified and corrected. BTW it's a good idea to always check the website for additions and corrections. I'd hate for someone to fail a test because of a printing error. Or worse, bring down an operational network because of a faulty premise. Good luck with your studies.
  • CaptainL Member Posts: 78
    bobfromfpl wrote:
    Which page are you seeing that on?

    In the OCG on pg. 43 it states that the key number and key string must match on neighbor routers.

    However, right above that exact line it does say that the key chain name does NOT have to match.

    Ok, I see what you're seeing. On page 40, step 1.b is incorrect: it does say that key numbers don't have to match on neighbor routers. But as we see from your example, the book is wrong in that particular section.

    On page 43, 2nd bullet, it says that "the key chain name and KEY number used on the two routers do NOT have to match". This is where all the confusion started. -.-

    IStudyCisco wrote:
    OP, please check the Cisco Press website for the errata sheet for this guide. This and much more has been identified and corrected. BTW it's a good idea to always check the website for additions and corrections. I'd hate for someone to fail a test because of a printing error. Or worse, bring down an operational network because of a faulty premise. Good luck with your studies.

    Thank you for the recommendation; I'm surprised that it has so many errors. -.-

    @all thank you for the reply. I really appreciate it.