# Authentication

Load **isis.inter.area.cfg**

```
#IOS-XE
config replace flash:isis.inter.area.cfg

#IOS-XR
configure
load bootflash:isis.inter.area.cfg
commit replace
y
```

<figure><img src="/files/x6Bb4FknAEA4dShHwtAk" alt=""><figcaption></figcaption></figure>

Configure area 49.1234 as follows:

* R1-R2 should use HELLO123 as the hello password using the legacy syntax
* R2-R3-R4 should all use HELLO234 as the password using MD5
* The area should authenticate L1 LSPs and SNPs using “AREA1234” in clear text, but they should all be accepted if they do not contain authentication. Use the legacy syntax for this.

Configure area 49.0056 as follows:

* R5-R6 should use HELLO56 as the hello password in plain text using the new syntax. Allow received Hellos to not contain authentication, or to contain wrong authentication.
* The area should authenticate L1 LSPs and SNPs using “AREA56” in clear text. LSPs and SNPs should be accepted without authentication. Use the new syntax for this.

Configure area 49.1920 as follows:

* XR1-XR2 should use HELLO1920 as the hello password using MD5.
* The area should authenticate L1 LSPs and SNPs using “AREA1920” with MD5.

Configure authentication for the entire domain as follows:

* All inter-area L2 adjacencies should use the password “LEVEL2” with MD5
* All L2 LSPs/SNPs should use the password “LEVEL2” with MD5, but all LSPs/SNPs should be accepted without authentication.

## Answer <a href="#eab194fa-47dc-4914-8e30-56748efc63a5" id="eab194fa-47dc-4914-8e30-56748efc63a5"></a>

```
#R1
int Gi2.12
 isis password HELLO123
!
router isis
 area-password AREA1234 authenticate snp send-only

#R2
int Gi2.12
 isis password HELLO123
!
int Gi2.23
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO
!
int Gi2.24
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO
!
router isis
 area-password AREA1234 authenticate snp send-only
!
key chain ISIS_HELLO
 key 1
  key-string HELLO234

#R3
int Gi2.23
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO
!
int Gi2.34
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO
!
int Gi2.36
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO_L2
!
router isis
 area-password AREA1234 authenticate snp send-only
 authentication mode md5 level-2
 authentication key-chain ISIS_DOMAIN_AUTH level-2
 authentication send-only level-2
!
key chain ISIS_HELLO
 key 1
  key-string HELLO234
!
key chain ISIS_HELLO_L2
 key 1
  key-string LEVEL2
!
key chain ISIS_DOMAIN_AUTH
 key 1
  key-string LEVEL2

#R4
int Gi2.24
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO
!
int Gi2.34
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO
!
int Gi2.46
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO_L2
!
int Gi2.45
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO_L2
!
router isis
 area-password AREA1234 authenticate snp send-only
 authentication mode md5 level-2
 authentication key-chain ISIS_DOMAIN_AUTH level-2
 authentication send-only level-2
!
key chain ISIS_HELLO
 key 1
  key-string HELLO234
!
key chain ISIS_HELLO_L2
 key 1
  key-string LEVEL2
!
key chain ISIS_DOMAIN_AUTH
 key 1
  key-string LEVEL2

#R5
key chain ISIS_HELLO
 key 1
  key-string HELLO56
!
key chain ISIS_AREA
 key 1
  key-string AREA56
!
key chain ISIS_HELLO_L2
 key 1
  key-string LEVEL2
!
key chain ISIS_DOMAIN_AUTH
 key 1
  key-string LEVEL2
!
int Gi2.56
 isis authentication mode text
 isis authentication key-chain ISIS_HELLO
 isis authentication send-only
!
int Gi2.45
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO_L2
!
int Gi2.519
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO_L2
!
router isis
 authentication mode text level-1
 authentication send-only level-1
 authentication key-chain ISIS_AREA level-1
 authentication mode md5 level-2
 authentication key-chain ISIS_DOMAIN_AUTH level-2
 authentication send-only level-2

#R6
key chain ISIS_HELLO
 key 1
  key-string HELLO56
!
key chain ISIS_AREA
 key 1
  key-string AREA56
!
key chain ISIS_HELLO_L2
 key 1
  key-string LEVEL2
!
key chain ISIS_DOMAIN_AUTH
 key 1
  key-string LEVEL2
!
int Gi2.56
 isis authentication mode text
 isis authentication key-chain ISIS_HELLO
 isis authentication send-only
!
int Gi2.36
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO_L2
!
int Gi2.46
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO_L2
!
int Gi2.619
 isis authentication mode md5
 isis authentication key-chain ISIS_HELLO_L2
!
router isis
 authentication mode text level-1
 authentication send-only level-1
 authentication key-chain ISIS_AREA level-1
 authentication mode md5 level-2
 authentication key-chain ISIS_DOMAIN_AUTH level-2
 authentication send-only level-2

#XR1
router isis 1
 lsp-password hmac-md5 AREA1920 level 1
 lsp-password hmac-md5 LEVEL2 level 2 send-only
 !
 int gi0/0/0/0.1920
  hello-password hmac-md5 HELLO1920
 !
 int gi0/0/0/0.619
  hello-password hmac-md5 LEVEL2
 !
 int gi0/0/0/0.519
  hello-password hmac-md5 LEVEL2

#XR2
router isis 1
 lsp-password hmac-md5 AREA1920 level 1
 !
 int gi0/0/0/0.1920
  hello-password hmac-md5 HELLO1920
```

## Explanation <a href="#c18cc67a-193c-4e02-9207-5f31836df72a" id="c18cc67a-193c-4e02-9207-5f31836df72a"></a>

Authentication for IS-IS can be quite configuration-intensive. We’ll first go over authentication on IOS-XE.

### IOS-XE Authentication <a href="#id-1c5c7d35-0b15-4738-89ba-1518aeb7e349" id="id-1c5c7d35-0b15-4738-89ba-1518aeb7e349"></a>

To set the hello password using the legacy method, use the following command. This does not support MD5.

```
#R1
int Gi2.12
 isis password HELLO123
```

To set the hello password using the new syntax, use the following commands. This requires a key chain and also supports MD5. Optionally, you can enable “send-only”, which does not require the other side’s authentication to match or exist. You can also specify the level for each command. By default, both levels are used.

```
int Gi2.24
 isis authentication mode text|md5
 isis authentication key-chain ISIS_HELLO
 isis authentication send-only
```

To set the authentication for L1 LSPs and SNPs, you can use the following legacy method. By default, only LSPs are authenticated. You use the **snp** keyword to enable SNP authentication, with **send-only** or **validate** for the SNPs. LSPs are always in “validate” mode.

```
router isis
 area-password AREA1234 [authenticate snp send-only|validate]
```

To set the authentication for L2 LSPs and SNPs using the legacy method, you essentially use the same command but with **domain-password**.

```
router isis
 domain-password AREA1234 [authenticate snp send-only|validate]
```

The newer syntax looks like the authentication for interfaces. You associate a key chain, and have the option of doing “send-only” for both LSPs and SNPs. You use **level-1** for area authentication, and **level-2** for domain authentication. It appears that both LSPs and SNPs are authenticated, and you cannot separate them (authenticating one but not the other).

```
router isis
 authentication mode text|md5 [level-1|level-2]
 authentication key-chain name [level-1|level-2]
 authentication send-only [level-1|level-2]
```
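The IOS-XE settings above that weaken authentication (legacy clear-text passwords, `mode text`, and `send-only`) can be found mechanically in a saved config. The following is an added example, not part of the original lab; the `audit` function and the sample config are constructed for illustration and only understand the IOS-XE commands shown in this section.

```python
import re

# Constructed sample config (not from a real device), using this page's commands.
SAMPLE = """\
key chain ISIS_HELLO
 key 1
  key-string HELLO56
!
int Gi2.12
 isis password HELLO123
!
int Gi2.56
 isis authentication mode text
 isis authentication key-chain ISIS_HELLO
 isis authentication send-only
!
router isis
 area-password AREA1234 authenticate snp send-only
 authentication mode md5 level-2
 authentication key-chain ISIS_DOMAIN_AUTH level-2
 authentication send-only level-2
"""

def audit(config):
    """Return (section, finding) pairs for weak or incomplete IS-IS authentication."""
    chains = set(re.findall(r"^key chain (\S+)", config, re.M))
    findings, section = [], ""
    for raw in config.splitlines():
        if not raw.startswith(" "):            # unindented line opens a new section
            section = raw.strip()
            continue
        line = raw.strip()
        if not (line.startswith("isis ") or section.startswith("router isis")):
            continue                           # unrelated sub-command, e.g. "key 1"
        words = line.removeprefix("isis ").split() or [""]
        level = next((w for w in words if w.startswith("level-")), "both levels")
        if words[0] in ("password", "area-password", "domain-password"):
            findings.append((section, f"{words[0]}: legacy syntax, clear text"))
            if words[-2:] == ["snp", "send-only"]:
                findings.append((section, f"{words[0]}: received SNPs not validated"))
        elif words[:3] == ["authentication", "mode", "text"]:
            findings.append((section, f"clear-text mode ({level})"))
        elif words[:2] == ["authentication", "send-only"]:
            findings.append((section, f"send-only ({level}): received PDUs not validated"))
        elif words[:2] == ["authentication", "key-chain"] and words[2] not in chains:
            findings.append((section, f"key chain {words[2]} is not defined"))
    return findings

print("\n".join(f"{s:12} {f}" for s, f in audit(SAMPLE)))
```

In this lab the `send-only` and clear-text findings are intentional because the tasks ask for them; the key chain finding marks a key chain that is referenced but not defined in the audited text.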

### IOS-XR Authentication <a href="#id-11ff72ce-67bf-4c5e-bde6-930e5ad6f230" id="id-11ff72ce-67bf-4c5e-bde6-930e5ad6f230"></a>

Authentication on IOS-XR is a bit simpler. You configure a hello-password as follows. The **accept** keyword is used to only accept incoming Hellos with that password, but not send Hellos with that password.

```
router isis 1
 int gi0/0/0/0
  hello-password text|keychain|hmac-md5|accept [send-only]
```

Area and domain authentication work similarly to the new syntax for IOS-XE, except that you can authenticate LSPs without SNPs (which is the default choice). If you authenticate SNPs, it appears you must use the **send-only** keyword. Level 1 is used for the area password, and level 2 is used for the domain password.

```
router isis 1
 lsp-password text|keychain|hmac-md5|accept [snp] [send-only] [level 1|2]
```

