OSPF Authentication Password and MD5 Explained
OSPF supports authentication. If enabled, OSPF exchanges routing information only after successful authentication has occurred. There are three types of OSPF authentication: none, simple, and MD5. The none method uses no authentication. It is the default method. It is also called Type 0 authentication.
The simple authentication method uses a password for authentication. Routers send the password in clear text over the network. It is also known as Type 1 authentication. The MD5 method uses an algorithm to authenticate routers. It does not exchange passwords over the network. It is known as Type 2 authentication. Among these types, it is the most secure authentication method.
OSPF Authentication (Packet Tracer Example)
Create a practice lab and assign an IP configuration as shown in the following image.

Download the Packet Tracer lab with IP configuration.
Enabling Type 0 OSPF authentication
Type 0 OSPF authentication uses a null (none) value for authentication. It is the default authentication method. It does not need any configuration. OSPF automatically enables it when you configure OSPF and uses it for authentication. The following commands configure OSPF on R1.
Router>enable Router#configure terminal Router(config)#router ospf 1 Router(config-router)#network 192.168.1.0 0.0.0.255 area 0 Router(config-router)#network 192.168.3.0 0.0.0.255 area 0 Router(config-router)#exit Router(config)#exit Router#

The following commands configure OSPF on R2.
Router>enable Router#configure terminal Router(config)#router ospf 1 Router(config-router)#network 192.168.1.0 0.0.0.255 area 0 Router(config-router)#network 192.168.2.0 0.0.0.255 area 0 Router(config-router)#exit Router(config)#exit Router#

The following commands configure OSPF on R3.
Router>enable Router#configure terminal Router(config)#router ospf 1 Router(config-router)#network 192.168.2.0 0.0.0.255 area 0 Router(config-router)#network 192.168.3.0 0.0.0.255 area 0 Router(config-router)#exit Router(config)#exit Router#

Download Packet Tracer LAB with Type 0 OSPF authentication.
Verifying Type 0 OSPF authentication
You can verify Type 0 OSPF authentication by viewing the configuration on OSPF running interfaces. The 'show ip ospf interface' command shows the OSPF configuration on all interfaces running an OSPF process. The following image shows the output of this command on R1.

As the above output shows, OSPF interfaces are running without authentication. They will build neighborship and exchange routing information. You can use the 'show ip route ospf' and 'show ip ospf neighbor' commands to verify OSPF neighborship and exchange of routing information. The following image shows the output of these commands on R1.

Enabling Type 1 OSPF authentication
Type 1 uses passwords for authentication. To enable it, use the following two commands:
- area area-id authentication (Run this command under router ospf [process-id])
- ip ospf authentication-key key (Run this command under the specific interface)
The first command enables Type 1 authentication. The second command configures a password. Interfaces having direct connectivity must use the same password.

The following command enables Type 1 OSPF authentication and configures passwords on R1.
Router(config)#router ospf 1 Router(config-router)#area 0 authentication Router(config-router)#exit Router(config)#interface fastethernet 0/0 Router(config-if)#ip ospf authentication-key cisco Router(config-if)#exit Router(config)#interface fastethernet 0/1 Router(config-if)#ip ospf authentication-key ccna Router(config-if)#exit Router(config)#

The following command enables Type 1 OSPF authentication and configures passwords on R2.
Router(config)#router ospf 1 Router(config-router)#area 0 authentication Router(config-router)#exit Router(config)#interface fastethernet 0/0 Router(config-if)#ip ospf authentication-key cisco Router(config-if)#exit Router(config)#interface fastethernet 0/1 Router(config-if)#ip ospf authentication-key ccnp Router(config-if)#exit Router(config)#

The following command enables Type 1 OSPF authentication and configures passwords on R3.
Router(config)#router ospf 1 Router(config-router)#area 0 authentication Router(config-router)#exit Router(config)#interface fastethernet 0/0 Router(config-if)#ip ospf authentication-key ccnp Router(config-if)#exit Router(config)#interface fastethernet 0/1 Router(config-if)#ip ospf authentication-key ccna Router(config-if)#exit Router(config)#

Download Packet Tracer LAB with 1 OSPF authentication.
Verifying Type 1 OSPF authentication
The 'show ip ospf interface' command displays the OSPF configuration on all interfaces running an OSPF process. The output of this command includes the type of authentication configured on the interfaces. The following image shows the output of this command on R1.

You can also view the OSPF configuration to confirm the authentication.

Use the same commands on R2 and R3 to verify OSPF authentication and configuration.
Enabling Type 2 OSPF authentication
Type 1 authentication sends passwords in clear text over the network. An adversary can use a wire sniffer to capture packets from the network and then a protocol analyzer to read the passwords from the captured packets. OSPF supports Type 2 authentication to overcome this security issue.
Type 2 authentication uses the MD5 algorithm to compute a hash value from the outgoing OSPF packet's contents and the password configured on the interface. It transmits the hash value in the packet with a key ID and a non-decreasing sequence number. The receiver, which knows the same password, calculates its hash value and compares it with the hash value stored inside the packet. If the packet is intact, both hash values match. If both hash values do not match, it indicates the packet has been tampered with in the middle. The receiver does not process the tempered packet. The following commands enable Type 2 OSPF authentication.
- area area-id authentication message-digest (Run this command under router ospf [process-id])
- ip ospf message-digest-key key-id md5 password (Run this command under the interface)
The key ID allows the routers to use multiple passwords. It makes changing passwords easy and secure. For example, you can configure the new password under a different key ID and remove the first key ID.
Same as Type 1, you can use different passwords on interfaces. However, the directly connected interfaces need the same password. The following commands enable Type 2 OSPF authentication on R1.
Router(config)#router ospf 1 Router(config-router)#area 0 authentication message-digest Router(config-router)#exit Router(config)#interface fastethernet 0/0 Router(config-if)#ip ospf message-digest-key 1 md5 cisco Router(config-if)#exit Router(config)#interface fastethernet 0/1 Router(config-if)#ip ospf message-digest-key 3 md5 ccna Router(config-if)#exit Router(config)#

The following commands enable Type 2 OSPF authentication on R2.
Router(config)#router ospf 1 Router(config-router)#area 0 authentication message-digest Router(config-router)#exit Router(config)#interface fastethernet 0/0 Router(config-if)#ip ospf message-digest-key 1 md5 cisco Router(config-if)#exit Router(config)#interface fastethernet 0/1 Router(config-if)#ip ospf message-digest-key 2 md5 ccnp Router(config-if)#exit Router(config)#

The following commands enable Type 2 OSPF authentication on R3.
Router(config)#router ospf 1 Router(config-router)#area 0 authentication message-digest Router(config-router)#exit Router(config)#interface fastethernet 0/0 Router(config-if)#ip ospf message-digest-key 2 md5 ccnp Router(config-if)#exit Router(config)#interface fastethernet 0/1 Router(config-if)#ip ospf message-digest-key 3 md5 ccna Router(config-if)#exit Router(config)#

Download Packet Tracer LAB with Type 2 OSPF authentication.
Verifying Type 2 OSPF authentication
You can use the same commands to verify Type 2 authentication that you used to verify Type 1 authentication. The following image shows the output of the 'show ip ospf interface' command on R2.

The following image shows the output of the 'show ip route ospf' and 'show ip ospf neighbor' commands on R2.

Use the same commands on R1 and R3 to verify OSPF authentication.
Key points:-
- OSPF supports three types of authentication: null, password, and MD5.
- The null method is the default. It uses no password.
- The password method exchanges passwords in clear text over the network.
- The MD5 method exchanges a hash value generated by the MD5 algorithm over the network.
- You must configure the same type of authentication under the same OSPF area.
- You can use different passwords on different interfaces.
- You must use the same password on the directly connected interfaces.
This tutorial is part of the tutorial "OSPF Configuration and Concepts Explained.". Other parts of this tutorial are as follows:
Chapter 01 OSPF (Open Shortest Path First) Protocol
Chapter 02 RIP V/s OSPF | Differences between RIP and OSPF
Chapter 03 IGP, EGP, and Autonomous System Explained
Chapter 04 OSPF Features, Advantages, Disadvantages
Chapter 05 OSPF Fundamental Terminology Explained
Chapter 06 OSPF LSA Types and LSA Flooding Explained
Chapter 07 OSPF Area Types and Concept Explained
Chapter 08 OSPF Hello Protocol and Packets Explained
Chapter 09 OSPF RID (Router ID) Explained
Chapter 10 OSPF Neighborship Condition and Requirement
Chapter 11 OSPF DR BDR Selection Process Explained
Chapter 12 How OSPF Routers Build Adjacency Explained
Chapter 13 Shortest Path First (SPF) Algorithm Explained
Chapter 14 OSPF Single-Area Configuration Explained
Chapter 15 OSPF Stub area, Totally Stub area, NSSA, and Totally NSSA
Chapter 16 OSPF Virtual Links Explained
Chapter 17 OSPF Authentication Password and MD5 Explained
Chapter 18 OSPF Multi-Area Configuration Explained
Conclusion
OSPF authentication is a critical component for ensuring secure communication between routers in a network. There are three types of OSPF authentications: none (Type 0), simple (Type 1), and MD5 (Type 2). Type 0 requires no authentication and is the default method. It poses security risks in environments where data integrity is crucial. Type 1 employs clear-text passwords. It provides basic authentication. It is vulnerable to interception. Type 2 (MD5) is the most secure option. It uses a cryptographic algorithm and avoids transmitting passwords over the network.
Author Laxmi Goswami Updated on 2026-05-14