On Junos, it is generally accepted there are three authentication types for OSPF.
- None – no authentication is used.
- Simple – Clear text passwords are used.
- MD5 – An MD5 hash is used.
There is a fourth method, using IPSec, which we’ll demonstrate later in this post.
In all cases, the authentication is configured under the interface, under the protocols ospf stanza.
Lab Environment
This lab uses two vJunos Routers connected via ge-0/0/0.

- Interfaces are already configured.
- Basic OSPF is already configured.
The relevant baseline configuration from R1 is shown below. R2 is configured similarly.
lab@vRouter-1> show configuration interfaces ge-0/0/0
description "vQFX-1 xe-0/0/6";
unit 0 {
family inet {
address 172.16.0.1/24;
}
}
lab@vRouter-1> show configuration interfaces lo0
unit 0 {
family inet {
address 192.168.0.1/32;
}
}
lab@vRouter-1> show configuration routing-options
router-id 192.168.0.1;
lab@vRouter-1> show configuration protocols
ospf {
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0;
}
reference-bandwidth 100g;
}
lab@vRouter-1>
Let’s check the neighbors and routes. In this case, we should have a route to R2’s loopback address.
lab@vRouter-1> show ospf neighbor
Address Interface State ID Pri Dead
172.16.0.2 ge-0/0/0.0 Full 192.168.0.2 128 38
lab@vRouter-1> show route protocol ospf
inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.0.2/32 *[OSPF/10] 00:02:59, metric 100
> to 172.16.0.2 via ge-0/0/0.0
224.0.0.5/32 *[OSPF/10] 00:05:29, metric 1
MultiRecv
inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
lab@vRouter-1>
OSPF Simple Authentication Example
Simple authentication allows for the use of a single password, which is sent in clear text.
The basic format of the command is shown below.
set protocols ospf area <<area>> interface <<interface>> authentication simple-password <<Password>>
set protocols ospf area 0 interface ge-0/0/0.0 authentication simple-password Juniper
Let’s now configure this on R1.
lab@vRouter-1> edit
Entering configuration mode
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0;
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication simple-password Juniper
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
simple-password "$9$w92oZHqfn/tUj/tuOcSwYg"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# commit and-quit
commit complete
Exiting configuration mode
lab@vRouter-1>
R2 is configured the same as R1. We can now look at R1 to confirm the OSPF adjacency is up.
lab@vRouter-1> show ospf neighbor
Address Interface State ID Pri Dead
172.16.0.2 ge-0/0/0.0 Full 192.168.0.2 128 33
lab@vRouter-1>
Next, we can check the detailed output for the OSPF interface.
lab@vRouter-1> show ospf interface ge-0/0/0.0 detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/0.0 BDR 0.0.0.0 192.168.0.2 192.168.0.1 1
Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: Password
Protection type: None
Topology default (ID 0) -> Cost: 100
lab@vRouter-1
Notice the output shows the authentication type as password.
Packet Capture
Shown below is a capture of an OSPF hello packet. The authentication is carried in the OSPF header. The password is cleartext.

OSPF MD5 Authentication Example
The configuration for MD5 authentication is similar. Instead of just a password, we need to set a key id as well. We can set multiple MD5 passwords, and can optionally set a start time for when the key becomes valid. Note, that the time is taken from the local device, which has implications for timezones and daylight savings.
Both the key id and the password need to match between the two devices.
The general format of the command is:
set protocols ospf area <<area>> interface <<interface>> authentication md5 <<key-id>> key <<password>> start-time YYYY-MM-DD.HH:MM
set protocols ospf area 0 interface ge-0/0/0.0 authentication md5 1 key Juniper start-time 2024-01-01.00:01
Here is the configuration for R1.
lab@vRouter-1> edit
Entering configuration mode
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0;
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication md5 1 key Juniper
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
md5 1 key "$9$cuArKWNdsJGiLxGik.zFcyl"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# commit and-quit
commit complete
Exiting configuration mode
lab@vRouter-1>
We can now check the OSPF interface detail.
lab@vRouter-1> show ospf interface ge-0/0/0.0 detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/0.0 BDR 0.0.0.0 192.168.0.2 192.168.0.1 1
Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC
Protection type: None
Topology default (ID 0) -> Cost: 100
lab@vRouter-1>
The interface detailed output shows that we’re using MD5 authentication, which key is active, and what the valid start time of the key is. Because we didn’t specify a start time, it seems to use the UNIX epoch date – January 1st 1970.
Packet Capture
Shown below is a capture of an OSPF hello packet. The authentication is carried in the OSPF header. We can see the key id, and that the password is hashed and not in cleartext.

OSPF Multiple MD5 Authentication Example
From Junos 22.4R1, we can configure the router to send two OSPF MD5 keys at once. This is another method to ease the transition from one OSPF password to another.
To do this, we use the multi-active-md5 configuration. This is mutually exclusive with md5 authentication.
To show this, first I’ll set a normal MD5 password, then set multi-active, and show how they overwrite one another.
lab@vRouter-1> edit
Entering configuration mode
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0;
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication md5 1 key Juniper
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
md5 1 key "$9$13AESl8X-24ZKM4ZUjPf1Rh"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication multi-active-md5 1 key Juniper2
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
multi-active-md5 1 key "$9$twiB01ElK8db2cyb24aiHtuOISr"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1#
Now, let’s set R1 with multi-active-md5 and R2 with a regular MD5 configuration to see how they work together.
lab@vRouter-1> edit
Entering configuration mode
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0;
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication multi-active-md5 1 key Juniper
[edit]
lab@vRouter-1# set protocols ospf area 0 interface ge-0/0/0.0 authentication multi-active-md5 2 key Juniper2
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
multi-active-md5 1 key "$9$iqPT69pRhrz3hrev7Nik."; ## SECRET-DATA
multi-active-md5 2 key "$9$6LFOCpOhSeX7V1R7VwYZG69AuIE"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# commit and-quit
commit complete
Exiting configuration mode
lab@vRouter-1>
R2’s OSPF configuration looks like this:
lab@vRouter-2> show configuration protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
md5 1 key "$9$RV6crKX7V4aUM8aUjH5TRhS"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
lab@vRouter-2>
Now, from R1 we can check the OSPF neighbor and interface detail.
lab@vRouter-1> show ospf neighbor
Address Interface State ID Pri Dead
172.16.0.2 ge-0/0/0.0 Full 192.168.0.2 128 33
lab@vRouter-1> show ospf interface ge-0/0/0.0 detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/0.0 BDR 0.0.0.0 192.168.0.2 192.168.0.1 1
Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: MD5, Active key ID: 2
, Active key ID: 1
Protection type: None
Topology default (ID 0) -> Cost: 100
lab@vRouter-1>
The auth type line shows two active keys.
Currently, R1 has two active keys, and R2 is using key 1 with the ‘Juniper’ password. Let’s update R2 to use the second key and see what happens.
lab@vRouter-2> edit
Entering configuration mode
[edit]
lab@vRouter-2# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
md5 1 key "$9$RV6crKX7V4aUM8aUjH5TRhS"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-2# delete protocols ospf area 0 interface ge-0/0/0.0 authentication md5 1
[edit]
lab@vRouter-2# set protocols ospf area 0 interface ge-0/0/0.0 authentication md5 2 key Juniper2
[edit]
lab@vRouter-2# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
md5 2 key "$9$9l5wt01Srv7-wRh-wYgUD9ApOEc"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-2# commit and-quit
commit complete
Exiting configuration mode
lab@vRouter-2> show ospf neighbor
Address Interface State ID Pri Dead
172.16.0.1 ge-0/0/0.0 Full 192.168.0.1 128 33
lab@vRouter-2> show ospf interface ge-0/0/0.0 detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/0.0 DR 0.0.0.0 192.168.0.2 192.168.0.1 1
Type: LAN, Address: 172.16.0.2, Mask: 255.255.255.0, MTU: 1500, Cost: 100
DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: MD5, Active key ID: 2, Start time: 1970 Jan 1 00:00:00 UTC
Protection type: None
Topology default (ID 0) -> Cost: 100
lab@vRouter-2>
Technically, the first MD5 key did not need to be deleted, it could have been left in place. Unless a start date and time is set, the highest key id will be the active authentication key.
From the OSPF interface output we can see R2 is now using key id 2.
On R1, what happens if we try to add a third key under the multi-active-md5 configuration?
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
multi-active-md5 1 key "$9$iqPT69pRhrz3hrev7Nik."; ## SECRET-DATA
multi-active-md5 2 key "$9$6LFOCpOhSeX7V1R7VwYZG69AuIE"; ## SECRET-DATA
multi-active-md5 3 key "$9$Q-523/ABIcvWxp0WxNdg4QFnC0B"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# commit check
[edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication]
'multi-active-md5 3'
Number of multi active MD5 keys exceeds limit of two per interface
error: configuration check-out failed
[edit]
lab@vRouter-1#
We can delete one of the previous keys to fix this issue.
Packet Capture
Since the OSPF header is a fixed format, what we observe is R1 sending two OSPF packets at a time, one with each key id and hashed password. We do not see a packet with two keys in the OSPF header, which might be what you would expect to see.
If you look at the following packet capture and the times of the packets, you’ll see that R1 (172.16.0.1) seems to be sending two packets at nearly the same time, to every packet that R2 seems to be sending.

Looking at packet 10 in more detail, we see it has key id 2 in the OSPF header.

Looking at packet 11, we see key id 1.

OSPF with IPSec SA
We can use the same method we used for OSPFv3 authentication.
The configuration for R1 and R2 is the same. R1 is shown below. I’m using the AH protocol instead of ESP, so the traffic is authenticated but not encrypted. This allows us to see what is happening in a packet capture.
[edit]
lab@vRouter-1# show security
ipsec {
security-association sa-for-ospf {
mode transport;
manual {
direction bidirectional {
protocol ah;
spi 256;
authentication {
algorithm hmac-sha-256-128;
key ascii-text "$9$9TKNCORKvLxNbKMYoJG.mBIEheWXxd2gJN-HqPfn68X7Ns4UDkPT3mPSrleW8JGUimfz36t0Bn6vWxNbwz3n/0B1RhSlK0O"; ## SECRET-DATA
}
}
}
}
}
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
ipsec-sa sa-for-ospf;
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1#
The OSPF neighbor and interface output looks like this:
lab@vRouter-1> show ospf neighbor
Address Interface State ID Pri Dead
172.16.0.2 ge-0/0/0.0 Full 192.168.0.2 128 39
lab@vRouter-1> show ospf interface ge-0/0/0.0 detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/0.0 BDR 0.0.0.0 192.168.0.2 192.168.0.1 1
Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
IPSec SA name: sa-for-ospf
Auth type: None
Protection type: None
Topology default (ID 0) -> Cost: 100
lab@vRouter-1>
Packet Capture
Looking at the detail of just one packet, there is an authentication header, and the OSPF header has an auth type of null.

OSPF with IPSec SA And OSPF Authentication
We can combine the IPSec security association and OSPF authentication.
We update R1 so the OSPF stanza now looks like this:
[edit]
lab@vRouter-1# show protocols ospf
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
authentication {
md5 1 key "$9$D/H.f36A1RSTzRSreXxDik"; ## SECRET-DATA
}
ipsec-sa sa-for-ospf;
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1# commit
commit complete
[edit]
lab@vRouter-1#
The detailed OSPF interface output shows the use of both the IPSec SA and authentication.
lab@vRouter-1> show ospf neighbor
Address Interface State ID Pri Dead
172.16.0.2 ge-0/0/0.0 Full 192.168.0.2 128 32
lab@vRouter-1> show ospf interface ge-0/0/0.0 detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/0.0 BDR 0.0.0.0 192.168.0.2 192.168.0.1 1
Type: LAN, Address: 172.16.0.1, Mask: 255.255.255.0, MTU: 1500, Cost: 100
DR addr: 172.16.0.2, BDR addr: 172.16.0.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
IPSec SA name: sa-for-ospf
Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC
Protection type: None
Topology default (ID 0) -> Cost: 100
lab@vRouter-1>
Packet Capture
This time we see both an authentication header for the packet and authentication in the OSPF header.

OSPF Authentication With Apply Groups Example
To make applying authentication easier, we can use apply groups. This allows us to configure the authentication once, and have it applied to many interfaces.
To start with, we’ll create and show the group.
[edit]
lab@vRouter-1# set groups group-ospf-auth protocols ospf area <*> interface <ge-*> authentication md5 1 key Juniper
[edit]
lab@vRouter-1# show groups
group-ospf-auth {
protocols {
ospf {
area <*> {
interface <ge-*> {
authentication {
md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
}
}
}
}
}
}
[edit]
lab@vRouter-1#
The wildcards for the area, <*>, and interface, <ge-*>, match any area, and any interface that starts with ge.
After we create the configuration group, we need to apply it. In this case, we’ll apply it at the ospf level.
[edit]
lab@vRouter-1# set protocols ospf apply-groups group-ospf-auth
[edit]
lab@vRouter-1# show protocols ospf
apply-groups group-ospf-auth;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0;
interface ge-0/0/1.0;
interface ge-0/0/2.0;
interface ge-0/0/3.0;
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1#
Initially, the configuration does not look that different. We need to use display inheritance to see the effect of the applied configuration group.
[edit]
lab@vRouter-1# show protocols ospf | display inheritance
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0 {
##
## 'authentication' was inherited from group 'group-ospf-auth'
##
authentication {
##
## '1' was inherited from group 'group-ospf-auth'
## '$9$gVaGjmfzCtOHqtO1RlegoJ' was inherited from group 'group-ospf-auth'
##
md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
}
}
interface ge-0/0/1.0 {
##
## 'authentication' was inherited from group 'group-ospf-auth'
##
authentication {
##
## '1' was inherited from group 'group-ospf-auth'
## '$9$gVaGjmfzCtOHqtO1RlegoJ' was inherited from group 'group-ospf-auth'
##
md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
}
}
interface ge-0/0/2.0 {
##
## 'authentication' was inherited from group 'group-ospf-auth'
##
authentication {
##
## '1' was inherited from group 'group-ospf-auth'
## '$9$gVaGjmfzCtOHqtO1RlegoJ' was inherited from group 'group-ospf-auth'
##
md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
}
}
interface ge-0/0/3.0 {
##
## 'authentication' was inherited from group 'group-ospf-auth'
##
authentication {
##
## '1' was inherited from group 'group-ospf-auth'
## '$9$gVaGjmfzCtOHqtO1RlegoJ' was inherited from group 'group-ospf-auth'
##
md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"; ## SECRET-DATA
}
}
}
reference-bandwidth 100g;
[edit]
lab@vRouter-1#
Normally I would use ‘| except ##’ to exclude the lines telling me where the config was inherited from, but that also excludes the line with the md5 key, due to the ## SECRET-DATA at the end of the line. Let’s use display set instead.
[edit]
lab@vRouter-1# show protocols ospf | display inheritance | display set
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 authentication md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 authentication md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"
set protocols ospf area 0.0.0.0 interface ge-0/0/3.0 authentication md5 1 key "$9$gVaGjmfzCtOHqtO1RlegoJ"
set protocols ospf reference-bandwidth 100g
[edit]
lab@vRouter-1#
Don’t forget to commit the config when you’re done so it all takes effect.
As you can see, the configuration group makes it very easy to set the same password across many interfaces. It also makes rolling the key over easier as you only have to change it once, rather than under each interface.
Summary
Junos offers three main ways of authentication OSPF – none, simple, or MD5. You can also use IPSec security associations, similar to OSPFv3.
Later versions of Junos support having two MD5 keys active by using the multi-active-md5 command.
The packet captures showed what each method looks like as it traverses over the network.
Finally, we looked at how configuration or apply groups can simplify setting authentication on many interfaces.