IS-IS Authentication

Like any other routing protocol, IS-IS supports authentication. You can choose between plain text or HMAC-MD5 authentication, and there are some different options that define which packets will be authenticated. In this lesson, I’ll walk you through the different options.

Configuration

Here’s the topology I will use:

is-is authentication topology

We have two routers in the same area. Both routers are configured as level 1-2 routers (the default).

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip router isis 
!
router isis
 net 49.0012.0000.0000.0001.00
 log-adjacency-changes
!
end

R2

hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
 ip router isis 
!
router isis
 net 49.0012.0000.0000.0002.00
 log-adjacency-changes
!
end

Clear Text Authentication

Let’s start with clear text (plain text) authentication. There are three options to choose from:

  • Interface authentication
  • Area authentication
  • Domain authentication

As the names imply, you can enable authentication on the interface level, per area, or per domain. However, these three options also decide which PDUs get authenticated: hellos, LSPs, or SNPs. The commands I'm about to show you are the "old" method of configuring IS-IS authentication.

Let’s take a look at each authentication method, and you will see what I’m talking about.

Interface Authentication

Let’s go to the interface. We use the isis password command here to set a password for authentication:

R1(config)#interface GigabitEthernet 0/1
R1(config-if)#isis password MY_PASSWORD ?
  level-1  Specify password for level-1 PDUs
  level-2  Specify password for level-2 PDUs
  <cr>

Optionally, you can choose for which level you want to enable authentication. If you don’t add this, then it will be applied to both level 1 and 2 neighbor adjacencies. Let’s do this on both routers:

R1(config)#interface GigabitEthernet 0/1
R1(config-if)#isis password MY_PASSWORD

R2(config)#interface GigabitEthernet 0/1
R2(config-if)#isis password MY_PASSWORD

Once you enable this, authentication is only enabled for hello packets. LSPs and SNPs are still unauthenticated. Here’s an example of an authenticated hello packet:

is-is plain text authentication hello packet

As you can see above, the password is sent in clear text.

Packet Capture: IS-IS Plain Text Authentication Hello Packet

Apart from the running configuration, there is no show command that tells you whether authentication is enabled. You can, however, use debug isis adj-packets (hellos) and debug isis update-packets (LSPs and SNPs) to quickly catch authentication failures.

Area Authentication

This enables authentication for the area. In my example, R1 and R2 are in area 0012. The area password is carried in Level 1 LSPs and, optionally, in Level 1 SNPs. Hello packets are not authenticated.

Here’s how to configure it:

R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD ?
  authenticate  Authentication
  <cr>

Above you can see that I have set a password. The authenticate parameter has one option:

R1(config-router)#area-password MY_PASSWORD authenticate ?
  snp  SNP PDUs

This is how you can include SNPs. I’ll stick to LSPs for now. Let’s configure this on both routers:

R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD
R2(config)#router isis
R2(config-router)#area-password MY_PASSWORD

After enabling area authentication, you will see that LSPs are now authenticated:

is-is plain text authentication lsp

As expected, the password shows up in clear text.

IS-IS plain text authentication LSP

If you want your SNPs to be authenticated as well, then we can enable that extra parameter. There is one more option, however:

R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD authenticate snp ?
  send-only  Send but do not check PDUs on receiving
  validate   Send and check PDUs on receiving

With send-only, the router sends authenticated SNPs but does not check the SNPs it receives, so unauthenticated SNPs are still accepted. This is useful while migrating from an unauthenticated to an authenticated network, because you can roll out the password router by router without losing synchronization. In our lab, we'll validate everything right away:

R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD authenticate snp validate
R2(config)#router isis
R2(config-router)#area-password MY_PASSWORD authenticate snp validate

From now on, SNPs will be authenticated. Here’s an example of a CSNP:

is-is plain text authentication csnp

Packet Capture: IS-IS Plain Text Authentication CSNP

Domain Authentication

The last option for plain text authentication is domain authentication. This works similar to area authentication, except that the password is carried in Level 2 PDUs, which are exchanged between all routers in the IS-IS domain, not only within one area. In my case, the area address is 49.0012, where 49 is the AFI for private (locally administered) addresses. Because both routers are level 1-2 routers, they exchange Level 2 LSPs, so the domain password applies to them as well. Let's try this:

R1(config)#router isis
R1(config-router)#domain-password MY_PASSWORD
R2(config)#router isis
R2(config-router)#domain-password MY_PASSWORD

The behavior is the same as area authentication, but for Level 2: hello packets stay unauthenticated, Level 2 LSPs are authenticated, and Level 2 SNPs are only authenticated if you also add the authenticate snp validate parameter.

HMAC-MD5 Authentication

Clear text authentication is easy to configure but offers little protection: a quick Wireshark capture shows the password, and anyone who can read it can configure a router with the same password and join the topology. Instead, we can use HMAC-MD5 authentication, which only puts a keyed digest in the packet. It is similar to clear text authentication, but there are only two options:

  • Interface authentication
  • Instance authentication

There is no area or domain authentication. Instead, authentication can be applied to the IS-IS routing instance. The password is not configured directly, but we use a key-chain instead. I’ll create one on both routers:

R1 & R2

(config)#key chain ISIS_AUTH
(config-keychain)#key 1
(config-keychain-key)#key-string MY_PASSWORD

The name of the key chain and the key number can be different on each router: unlike most protocols, IS-IS does not carry a key ID in its authentication TLV (RFC 5304), so only the key string is compared. The key string has to match on both ends.

Interface Authentication

Let’s start with interface authentication. We have to use the isis authentication mode command:

R1(config)#interface GigabitEthernet 0/1
R1(config-if)#isis authentication mode ?
  md5   Keyed message digest
  text  Clear text password

As you can see above, this command is the "new" way of configuring authentication, and it also supports clear text authentication. We are going to use HMAC-MD5, however:

R1(config-if)#isis authentication mode md5

The next thing we have to do is to tell the router which keychain we want to use. Optionally, you can decide if you want to use HMAC-MD5 authentication for level 1, level 2 or both:

R1(config-if)#isis authentication key-chain ISIS_AUTH ?
  level-1  ISIS authentication for level-1 PDUs
  level-2  ISIS authentication for level-2 PDUs
  <cr>

I’ll go for the default option which means authentication is enabled for both level 1 and level 2 adjacencies:

R1(config-if)#isis authentication key-chain ISIS_AUTH 

Let’s do the same thing on R2:

R2(config)#interface GigabitEthernet 0/1
R2(config-if)#isis authentication mode md5
R2(config-if)#isis authentication key-chain ISIS_AUTH

Once you configure this, only hello packets will be authenticated. Here’s a capture of an authenticated hello packet:

is-is hmac md5 authentication hello packet

Packet Capture: IS-IS HMAC MD5 Authentication Hello Packet

Instance Authentication

The second option is instance authentication. Here’s how to configure this:

R1(config)#router isis
R1(config-router)#authentication mode md5
R1(config-router)#authentication key-chain ISIS_AUTH
R2(config)#router isis
R2(config-router)#authentication mode md5
R2(config-router)#authentication key-chain ISIS_AUTH

The authentication key-chain command also lets you choose whether to activate this for level 1, level 2, or both. If you don't supply a level, as I did here, it applies to both levels.

Once you enable this, your LSPs and SNPs will be authenticated, but not your hello packets! Here's an example of a CSNP that is now authenticated:

is-is hmac md5 authentication csnp

Packet Capture: IS-IS HMAC MD5 Authentication CSNP

If you want all packets to be authenticated, combine interface authentication (hellos) with instance authentication (LSPs and SNPs). With only one of the two, an attacker on the segment can still inject the unauthenticated PDU type.
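The captures above show the difference between the two modes at the byte level: with clear text the password itself sits in the Authentication TLV, with HMAC-MD5 only a 16-byte digest does. The following Python script is an added example, not code from this lesson or from Cisco; it builds a minimal IS-IS point-to-point hello, adds the Authentication TLV (type 10) in both forms, and signs and verifies the HMAC-MD5 form the way RFC 5304 describes (digest computed over the whole PDU with the digest field zeroed, and for LSPs also with Remaining Lifetime and Checksum zeroed). The system ID, hold time, and key are constructed values; the receiver-side accept_pdu() function is my own illustration of the difference between send-only and validate.

```python
"""Build, sign and verify IS-IS PDUs carrying the Authentication TLV (type 10).

Added example, not from the original lesson. Encoding follows RFC 1195
(clear-text, authentication type 1) and RFC 5304 (HMAC-MD5, type 54).
The hello builder emits a minimal point-to-point IIH; all byte values here
are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

AUTH_TLV = 10
AUTH_CLEARTEXT = 1        # RFC 1195: password travels in the clear
AUTH_HMAC_MD5 = 54        # RFC 5304: 16-byte HMAC-MD5 digest
PDU_P2P_HELLO = 17
PDU_LSP_TYPES = (18, 20)  # L1 LSP, L2 LSP: lifetime/checksum change in flight


def tlv(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value)]) + value


def auth_tlv_cleartext(password: bytes) -> bytes:
    return tlv(AUTH_TLV, bytes([AUTH_CLEARTEXT]) + password)


def auth_tlv_hmac_md5() -> bytes:
    # Digest stays zero until sign_hmac_md5() fills it in.
    return tlv(AUTH_TLV, bytes([AUTH_HMAC_MD5]) + bytes(16))


def build_p2p_hello(system_id: bytes, tlvs: bytes, hold_time: int = 30) -> bytes:
    """Minimal IS-IS P2P IIH: 8-byte common header, 12-byte IIH header, then TLVs."""
    hdr_len = 8 + 12
    # IRPD 0x83, length indicator, version/PID ext, ID length, PDU type, version, reserved, max areas
    common = struct.pack("!8B", 0x83, hdr_len, 1, 0, PDU_P2P_HELLO, 1, 0, 0)
    # circuit type 3 = L1/L2, source ID, holding time, PDU length, local circuit ID
    iih = struct.pack("!B6sHHB", 0x03, system_id, hold_time, hdr_len + len(tlvs), 1)
    return common + iih + tlvs


def iter_tlvs(pdu: bytes):
    off = pdu[1]  # length indicator = size of the fixed header, TLVs follow it
    while off + 2 <= len(pdu):
        kind, length = pdu[off], pdu[off + 1]
        yield off, kind, pdu[off + 2:off + 2 + length]
        off += 2 + length


def find_auth(pdu: bytes):
    """Return (tlv_offset, auth_type, value) of the first Authentication TLV, or None."""
    for off, kind, value in iter_tlvs(pdu):
        if kind == AUTH_TLV and value:
            return off, value[0], value[1:]
    return None


def describe_auth(pdu: bytes):
    """What a packet capture reveals: the clear-text password, or only a digest."""
    found = find_auth(pdu)
    if found is None:
        return ("none", None)
    _, auth_type, value = found
    if auth_type == AUTH_CLEARTEXT:
        return ("cleartext", value)
    if auth_type == AUTH_HMAC_MD5:
        return ("hmac-md5", value.hex())
    return ("unknown", value)


def _hmac_input(pdu: bytes, digest_off: int) -> bytes:
    """RFC 5304: the digest covers the whole PDU with the digest zeroed; for LSPs the
    Remaining Lifetime and Checksum are zeroed too, because routers rewrite them."""
    buf = bytearray(pdu)
    buf[digest_off:digest_off + 16] = bytes(16)
    if (buf[4] & 0x1F) in PDU_LSP_TYPES:
        buf[10:12] = bytes(2)   # Remaining Lifetime
        buf[24:26] = bytes(2)   # Checksum
    return bytes(buf)


def _digest_offset(pdu: bytes) -> int:
    found = find_auth(pdu)
    if found is None or found[1] != AUTH_HMAC_MD5 or len(found[2]) != 16:
        raise ValueError("PDU carries no HMAC-MD5 Authentication TLV")
    return found[0] + 3  # skip TLV type, TLV length and the authentication type byte


def sign_hmac_md5(pdu: bytes, key: bytes) -> bytes:
    off = _digest_offset(pdu)
    digest = hmac.new(key, _hmac_input(pdu, off), hashlib.md5).digest()
    out = bytearray(pdu)
    out[off:off + 16] = digest
    return bytes(out)


def verify_hmac_md5(pdu: bytes, key: bytes) -> bool:
    try:
        off = _digest_offset(pdu)
    except ValueError:
        return False
    expected = hmac.new(key, _hmac_input(pdu, off), hashlib.md5).digest()
    return hmac.compare_digest(expected, pdu[off:off + 16])


def accept_pdu(pdu: bytes, key: bytes, validate: bool = True) -> bool:
    """Receiver policy: validate=False mirrors 'send-only' (nothing is checked on
    receipt), validate=True drops anything without a matching digest."""
    if not validate:
        return True
    return verify_hmac_md5(pdu, key)


if __name__ == "__main__":
    key, sid = b"MY_PASSWORD", bytes.fromhex("000000000001")
    print(describe_auth(build_p2p_hello(sid, auth_tlv_cleartext(key))))
    signed = sign_hmac_md5(build_p2p_hello(sid, auth_tlv_hmac_md5()), key)
    print(describe_auth(signed), verify_hmac_md5(signed, key))
```

Two points worth noticing when you run it. First, flipping a single bit anywhere in the signed hello (the holding time, for example) makes verification fail, which is what protects you against a forged or modified PDU; the clear-text form gives you no such guarantee, because the password it carries is all an attacker needs. Second, HMAC-MD5 provides authentication and integrity only: the LSP contents are still readable in a capture, and a receiver configured with send-only accepts everything, so keep that setting strictly for the migration window.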

Conclusion

In this lesson, you have learned how to authenticate IS-IS packets:

  • IS-IS supports plain/clear text authentication and HMAC-MD5 authentication.
  • Clear text authentication has three options:
    • Interface authentication: authenticates hello packets.
    • Area authentication: applies to the area (for example 0012) and authenticates Level 1 LSPs and optionally Level 1 SNPs.
    • Domain authentication: applies to the whole IS-IS domain and authenticates Level 2 LSPs and optionally Level 2 SNPs.
  • HMAC-MD5 authentication has two options:
    • Interface authentication: authenticates hello packets.
    • Instance authentication: applies to the IS-IS instance and authenticates LSPs and SNPs.
  • The default behavior is to authenticate both level 1 and level 2 packets.
  • The most secure option is to enable HMAC-MD5 interface + instance authentication. This authenticates hello packets, LSPs, and SNPs, and keeps the password out of the packets.

Forum Replies

  1. I tried the instance authentication but I keep seeing this message:

    *Mar 1 00:07:13.255: %CLNS-4-AUTH_FAIL: ISIS: CSNP authentication failed

    what could be missing in my configuration?

    ip router isis
    router isis
     net 49.0012.0000.0000.0001.00
     authentication mode md5
     authentication key-chain cisco@123
     log-adjacency-changes
    
    
    interface FastEthernet0/0
     ip address 192.168.12.1 255.255.255.0
     ip router isis
     duplex auto
     speed auto
    end
    

  2. Hello Kacem

    If you’re running this on GNS3 it could be an issue with the resources being allocated to dynamips. It has been known to create such error messages when the PC doesn’t have sufficient resources to provide for the emulator. This is especially the case when using MD5 as this takes up more resources.

    Despite the error, is everything else working correctly? Are you getting a neighbor relationship and is the routing table being populated? If so, this seems to indicate that the issue is with resources.

    If you’re sure your configs are correct, try to re

    ... Continue reading in our forum
