Authentication
Load isis.inter.area.cfg
#IOS-XE
config replace flash:isis.inter.area.cfg
#IOS-XR
configure
load bootflash:isis.inter.area.cfg
commit replace
y

Configure area 49.1234 as follows:
R1-R2 should use HELLO123 as the hello password using the legacy syntax
R2-R3-R4 should all use HELLO234 as the password using MD5
The area should authenticate L1 LSPs and SNPs using “AREA1234” in clear text, but they should all be accepted if they do not contain authentication. Use the legacy syntax for this.
Configure area 49.0056 as follows:
R5-R6 should use HELLO56 as the hello password in plain text using the new syntax. Allow received Hellos to not contain authentication, or to contain wrong authentication.
The area should authenticate L1 LSPs and SNPs using “AREA56” in clear text. LSPs and SNPs should be accepted without authentication. Use the new syntax for this.
Configure area 49.1920 as follows:
XR1-XR2 should use HELLO1920 as the hello password using MD5.
The area should authenticate L1 LSPs and SNPs using “AREA1920” with MD5.
Configure authentication for the entire domain as follows:
All inter-area L2 adjacencies should use the password “LEVEL2” with MD5
All L2 LSPs/SNPs should use the password “LEVEL2” with MD5, but all LSPs/SNPs should be accepted without authentication.
Answer
#R1
int Gi2.12
isis password HELLO123
!
router isis
area-password AREA1234 authenticate snp send-only
#R2
int Gi2.12
isis password HELLO123
!
int Gi2.23
isis authentication mode md5
isis authentication key-chain ISIS_HELLO
!
int Gi2.24
isis authentication mode md5
isis authentication key-chain ISIS_HELLO
!
router isis
area-password AREA1234 authenticate snp send-only
!
key chain ISIS_HELLO
key 1
key-string HELLO234
#R3
int Gi2.23
isis authentication mode md5
isis authentication key-chain ISIS_HELLO
!
int Gi2.34
isis authentication mode md5
isis authentication key-chain ISIS_HELLO
!
int Gi2.36
isis authentication mode md5
isis authentication key-chain ISIS_HELLO_L2
!
router isis
area-password AREA1234 authenticate snp send-only
authentication mode md5 level-2
authentication key-chain ISIS_DOMAIN_AUTH level-2
authentication send-only level-2
!
key chain ISIS_HELLO
key 1
key-string HELLO234
!
key chain ISIS_HELLO_L2
key 1
key-string LEVEL2
!
key chain ISIS_DOMAIN_AUTH
key 1
key-string LEVEL2
#R4
int Gi2.24
isis authentication mode md5
isis authentication key-chain ISIS_HELLO
!
int Gi2.34
isis authentication mode md5
isis authentication key-chain ISIS_HELLO
!
int Gi2.46
isis authentication mode md5
isis authentication key-chain ISIS_HELLO_L2
!
int Gi2.45
isis authentication mode md5
isis authentication key-chain ISIS_HELLO_L2
!
router isis
area-password AREA1234 authenticate snp send-only
authentication mode md5 level-2
authentication key-chain ISIS_DOMAIN_AUTH level-2
authentication send-only level-2
!
key chain ISIS_HELLO
key 1
key-string HELLO234
!
key chain ISIS_HELLO_L2
key 1
key-string LEVEL2
!
key chain ISIS_DOMAIN_AUTH
key 1
key-string LEVEL2
#R5
key chain ISIS_HELLO
key 1
key-string HELLO56
!
key chain ISIS_AREA
key 1
key-string AREA56
!
key chain ISIS_HELLO_L2
key 1
key-string LEVEL2
!
key chain ISIS_DOMAIN_AUTH
key 1
key-string LEVEL2
!
int Gi2.56
isis authentication mode text
isis authentication key-chain ISIS_HELLO
isis authentication send-only
!
int Gi2.45
isis authentication mode md5
isis authentication key-chain ISIS_HELLO_L2
!
int Gi2.519
isis authentication mode md5
isis authentication key-chain ISIS_HELLO_L2
!
router isis
authentication mode text level-1
authentication send-only level-1
authentication key-chain ISIS_AREA level-1
authentication mode md5 level-2
authentication key-chain ISIS_DOMAIN_AUTH level-2
authentication send-only level-2
#R6
key chain ISIS_HELLO
key 1
key-string HELLO56
!
key chain ISIS_AREA
key 1
key-string AREA56
!
key chain ISIS_HELLO_L2
key 1
key-string LEVEL2
!
key chain ISIS_DOMAIN_AUTH
key 1
key-string LEVEL2
!
int Gi2.56
isis authentication mode text
isis authentication key-chain ISIS_HELLO
isis authentication send-only
!
int Gi2.36
isis authentication mode md5
isis authentication key-chain ISIS_HELLO_L2
!
int Gi2.46
isis authentication mode md5
isis authentication key-chain ISIS_HELLO_L2
!
int Gi2.619
isis authentication mode md5
isis authentication key-chain ISIS_HELLO_L2
!
router isis
authentication mode text level-1
authentication send-only level-1
authentication key-chain ISIS_AREA level-1
authentication mode md5 level-2
authentication key-chain ISIS_DOMAIN_AUTH level-2
authentication send-only level-2
#XR1
router isis 1
lsp-password hmac-md5 AREA1920 level 1
lsp-password hmac-md5 LEVEL2 level 2 send-only
!
int gi0/0/0/0.1920
hello-password hmac-md5 HELLO1920
!
int gi0/0/0/0.619
hello-password hmac-md5 LEVEL2
!
int gi0/0/0/0.519
hello-password hmac-md5 LEVEL2
#XR2
router isis 1
lsp-password hmac-md5 AREA1920 level 1
!
int gi0/0/0/0.1920
hello-password hmac-md5 HELLO1920
Explanation
Authentication for ISIS can be quite configuration intensive. We’ll first go over authentication on IOS-XE.
IOS-XE Authentication
To set the hello password using the legacy method, use the following command. This does not support MD5.
#R1
int Gi2.12
isis password HELLO123
To set the hello password using the new syntax, use the following commands. This requires a key chain. It also supports MD5. Optionally, you can enable “send-only” which does not require the other side’s authentication to match or exist. You can also specify the level for each command. By default, both levels are used.
int Gi2.24
isis authentication mode text|md5
isis authentication key-chain ISIS_HELLO
isis authentication send-only
To set the authentication for L1 LSPs and SNPs, you can use the following legacy method. By default, only LSPs are authenticated. You use the snp command to enable SNP authentication, and use send-only or validate for the SNPs. LSPs will always be “validate” mode.
router isis
area-password AREA1234 [authenticate snp send-only|validate]
To set the authentication for L2 LSPs and SNPs using the legacy method, you essentially use the same command but with domain-password.
router isis
domain-password AREA1234 [authenticate snp send-only|validate]
The newer syntax looks like the authentication for interfaces. You associate a key chain, and have the option of doing “send-only” for both LSPs and SNPs. You use level-1 for area authentication, and level-2 for domain authentication. It appears that both LSPs and SNPs are authenticated, and you cannot separate them (authenticating one but not the other).
router isis
authentication mode text|md5 [level-1|level-2]
authentication key-chain name [level-1|level-2]
authentication send-only [level-1|level-2]
IOS-XR Authentication
Authentication on IOS-XR is a bit simpler. You configure a hello-password as follows. The accept keyword is used to only accept incoming Hellos with that password, but not send Hellos with that password.
router isis 1
int gi0/0/0/0
hello-password text|keychain|hmac-md5|accept [send-only]
Area and domain authentication work similarly to the new syntax for IOS-XE, except that you can authenticate LSPs without SNPs (which is the default). If you authenticate SNPs, it appears you must use the send-only keyword. Level 1 is used for the area password, and level 2 is used for the domain password.
router isis 1
lsp-password text|keychain|hmac-md5|accept [snp] [send-only] [level 1|2]
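Every option above trades security for interoperability in a specific way: the legacy commands and mode text put the password on the wire in clear text, send-only (and lsp-password without snp) means a peer's unauthenticated or wrongly authenticated PDUs are still accepted. The script below is an added example, not part of this lab, that audits an indented running-config in either the IOS-XE or the IOS-XR syntax shown in the two explanation sections and reports those weak spots, plus any IS-IS interface with no hello authentication at all. The two sample configs, the interface names and the passwords in them are constructed for the demo; the GigabitEthernet2.99 and 0/0/0/0.5 interfaces are deliberately left unauthenticated so the coverage check has something to find.

```python
"""Audit IS-IS authentication in IOS-XE / IOS-XR style configs (added example).

Flags legacy clear-text commands, 'mode text', 'send-only' (peer PDUs accepted
without a valid password) and LSP authentication that does not cover SNPs.
The two sample configs below are constructed for this demo, not from the lab.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    scope: str      # "interface ..." or "router isis ..."
    severity: str   # "high" = clear text / none, "medium" = accepts unauthenticated
    detail: str


# lines that configure hello authentication on an interface (either syntax)
HELLO_AUTH = ("isis password ", "isis authentication mode ", "hello-password ")
# lines that show IS-IS is active on an IOS-XE interface
ISIS_ON_IFACE = ("ip router isis", "ipv6 router isis", "isis ")


def _check_line(scope: str, line: str, out: list) -> None:
    """Per-line rules; the keywords are shared between IOS-XE and IOS-XR."""
    words = line.split()
    if line.startswith("isis password "):
        out.append(Finding(scope, "high", "legacy 'isis password': clear text, no MD5 option"))
    elif line.startswith(("isis authentication mode text", "authentication mode text",
                          "hello-password text", "lsp-password text")):
        out.append(Finding(scope, "high", "clear-text password; use MD5/HMAC-MD5 with a key chain"))
    elif line.startswith(("area-password ", "domain-password ")):
        out.append(Finding(scope, "high", f"legacy '{words[0]}': clear-text password only"))
    if line.startswith(("area-password ", "domain-password ", "lsp-password ")) and "snp" not in words:
        out.append(Finding(scope, "medium", f"'{line}' does not authenticate SNPs"))
    if "send-only" in words:
        out.append(Finding(scope, "medium",
                           f"send-only on '{line}': peer PDUs accepted without a valid password"))


def audit_isis_auth(config: str) -> list:
    """Walk an indented running-config and return all findings in line order."""
    findings: list = []
    stack: list = []     # (indent, line) of the enclosing lines, innermost last
    ifaces: dict = {}    # interface header -> {"isis": bool, "auth": bool}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:      # leave blocks at equal/deeper indent
            stack.pop()
        headers = [h for _, h in stack]
        in_isis = any(h.startswith("router isis") for h in headers)
        iface = next((h for h in reversed(headers) if h.startswith("interface ")), None)
        scope = iface or next((h for h in headers if h.startswith("router isis")), "global")
        if line.startswith("interface "):             # IOS-XR nests interfaces under router isis
            ifaces.setdefault(line, {"isis": in_isis, "auth": False})
        elif iface:
            state = ifaces.setdefault(iface, {"isis": in_isis, "auth": False})
            state["isis"] |= line.startswith(ISIS_ON_IFACE)
            state["auth"] |= line.startswith(HELLO_AUTH)
        _check_line(scope, line, findings)
        stack.append((indent, line))
    for iface, state in ifaces.items():               # coverage check after the walk
        if state["isis"] and not state["auth"]:
            findings.append(Finding(iface, "high", "IS-IS enabled with no hello authentication"))
    return findings


# constructed IOS-XE sample: legacy, MD5 and unauthenticated interfaces
SAMPLE_XE = """\
interface GigabitEthernet2.12
 ip router isis
 isis password HELLO123
!
interface GigabitEthernet2.23
 ip router isis
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO
!
interface GigabitEthernet2.99
 ip router isis
!
router isis
 area-password AREA1234 authenticate snp send-only
 authentication mode md5 level-2
 authentication send-only level-2
!
"""

# constructed IOS-XR sample: LSP auth without SNPs, clear-text and bare interfaces
SAMPLE_XR = """\
router isis 1
 lsp-password hmac-md5 AREA1920 level 1
 lsp-password hmac-md5 LEVEL2 level 2 send-only
 interface GigabitEthernet0/0/0/0.1920
  hello-password hmac-md5 HELLO1920
 !
 interface GigabitEthernet0/0/0/0.619
  hello-password text PLAINPW
 !
 interface GigabitEthernet0/0/0/0.5
 !
!
"""

if __name__ == "__main__":
    for name, cfg in (("IOS-XE", SAMPLE_XE), ("IOS-XR", SAMPLE_XR)):
        print(f"== {name}")
        for f in audit_isis_auth(cfg):
            print(f"[{f.severity:6}] {f.scope}: {f.detail}")
```

Run it against `show running-config` output saved to a file (it only relies on the indentation the platforms already produce). The parser is deliberately keyword-based: a `send-only` finding is "medium" because the router still sends authenticated PDUs and the lab tasks above require it, but any neighbour can form an adjacency or inject an LSP without the password, which is the trade-off to weigh before leaving it in a production area.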