EIGRP SHA Authentication

This topic is to discuss the following lesson:

@ReneMolenaar @lagapides

Do any of you guys know why you to have to specify a SHA-256 password as well when using the key chain for the key chain method to work?

I understand you have two elements to this:
The authentication mode: MD5/SHA 256
The authentication method: key-chain/password

But the key chain method wont work until the mode is specified and the only way you can specify the sha256 mode is by using a password as well, this makes no sense to me as when you view the authentication being used with the show commands it even states the keychain is being used.

R4#show eigrp address-family ipv4 1 interfaces detail | inc Auth
Authentication mode is HMAC-SHA-256, key-chain is “EIGRP”

But it has to have a password as well to work:

af-interface Ethernet0/0
authentication mode hmac-sha-256 EIGRP
authentication key-chain EIGRP

This to me makes no sense…

Hello Matthew

What you state is very logical, it seems redundant to need to specify a password for the SHA-256 and then to need to specify a keychain password as well. However, this is the methodology used to configure SHA-256.

In order to specify a key-chain, you must first specify the authentication mode. And in order to specify the hmac-sha-256 mode, you must specify a password. (If you choose the MD5 method, you don’t specify a password, but you must employ the key-chain). If you choose to use the key-chain method, then once that is configured, the key-chain password supersedes the hmac-sha-256 password.

It’s just the way that the SHA-256 authentication has been designed. Cisco documentation actually seems to support not using the key-chain method, as the SHA-256 password is considered equally secure:

I hope this has been helpful!


1 Like

Hi Guys,

Why is it that you use unicast in this both Password Authentication and Key-Chain for SHA-256 and not for MD5?

Also why is it that you use unicast command in R1 but not R2?

Hello Joseph

When configuring the address family of the named EIGRP configuration, the unicast keyword is actually optional. If it is not specified, the unicast address family is used by default. So in the configuration, whether you use the keyword or not, the resulting configuration remains the same.

For consistency, I will ask Rene to take a look and change the configs for the lesson.

I hope this has been helpful!


That’s all good Laz, thank you. I’m glad it was there so that I could ask you about it, and now know that it is the default.

1 Like