IS-IS Authentication

Like any other routing protocol, IS-IS supports authentication. You can choose between plain text or HMAC-MD5 authentication, and there are some different options that define which packets will be authenticated. In this lesson, I’ll walk you through the different options.

Configuration

Here’s the topology I will use:

is-is authentication topology

We have two routers in the same area. Both routers are configured as level 1-2 routers (the default).

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip router isis 
!
router isis
 net 49.0012.0000.0000.0001.00
 log-adjacency-changes
!
end

R2

hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
 ip router isis 
!
router isis
 net 49.0012.0000.0000.0002.00
 log-adjacency-changes
!
end

Clear Text Authentication

Let’s start with clear text (plain text) authentication. There are three options to choose from:

  • Interface authentication
  • Area authentication
  • Domain authentication

As the names imply, you can enable authentication on the interface level, per area or domain. However, these three options also define which packets will be authenticated! These commands that I’m about to show you are the “old” method of configuring IS-IS authentication.

Let’s take a look at each authentication method, and you will see what I’m talking about.

Interface Authentication

Let’s go to the interface. We use the isis password command here to set a password for authentication:

R1(config)#interface GigabitEthernet 0/1
R1(config-if)#isis password MY_PASSWORD ?
  level-1  Specify password for level-1 PDUs
  level-2  Specify password for level-2 PDUs
  <cr>

Optionally, you can choose for which level you want to enable authentication. If you don’t add this, then it will be applied to both level 1 and 2 neighbor adjacencies. Let’s do this on both routers:

R1(config)#interface GigabitEthernet 0/1
R1(config-if)#isis password MY_PASSWORD

R2(config)#interface GigabitEthernet 0/1
R2(config-if)#isis password MY_PASSWORD

Once you enable this, authentication is only enabled for hello packets. LSPs and SNPs are still unauthenticated. Here’s an example of an authenticated hello packet:

is-is plain text authentication hello packet

As you can see above, the password is sent in clear text.

IS-IS plain text authentication hello packet

There is no command that shows you whether authentication is enabled or not. You can, however, use the debug isis adj-packets and debug isis update-packets commands to quickly catch authentication errors.

Area Authentication

This enabled authentication for the area. In my example, R1 and R2 are in area 0012. This option will authenticate LSPs that are exchanged and optionally, SNPs. Hello packets are not authenticated.

Here’s how to configure it:

R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD ?
  authenticate  Authentication
  <cr>

Above you can see that I have set a password. The authenticate parameter has one option:

R1(config-router)#area-password MY_PASSWORD authenticate ?
  snp  SNP PDUs

This is how you can include SNPs. I’ll stick to LSPs for now. Let’s configure this on both routers:

R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD
R2(config)#router isis
R2(config-router)#area-password MY_PASSWORD

After enabling area authentication, you will see that LSPs are now authenticated:

is-is plain text authentication lsp

As expected, the password shows up in clear text.

IS-IS plain text authentication LSP

If you want your SNPs to be authenticated as well, then we can enable that extra parameter. There is one more option, however:

R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD authenticate snp ?
  send-only  Send but do not check PDUs on receiving
  validate   Send and check PDUs on receiving

You can choose if you want to send authenticated packets but accept unauthenticated packets. This can be useful if you are migrating from a non-authenticated scenario to an authenticated scenario. In our lab, we’ll validate everything right away:

R1(config)#router isis
R1(config-router)#area-password MY_PASSWORD authenticate snp validate
R2(config)#router isis
R2(config-router)#area-password MY_PASSWORD authenticate snp validate

From now on, SNPs will be authenticated. Here’s an example of a CSNP:

is-is plain text authentication csnp

IS-IS plain text authentication CSNP

Domain Authentication

The last option for plain text authentication is domain authentication. This works similar to area authentication expect it is all applied to all routers in the same IS-IS domain. In my case, I’m using the private domain 49. If you do this, authentication will be applied to all routers in the 49 domain. Let’s try this:

R1(config)#router isis
R1(config-router)#domain-password MY_PASSWORD
R2(config)#router isis
R2(config-router)#domain-password MY_PASSWORD

The behavior is the same as area authentication. Hello packets are unauthenticated, LSPs will be authenticated. If you also want to authenticate SNPs, you’ll have to include the authenticate snp validate parameter.

HMAC-MD5 Authentication

Clear text authentication is fun but not very safe. A quick Wireshark capture shows us the password. Instead, we can use HMAC-MD5 authentication. It is similar to clear text authentication, but there are only two options:

  • Interface authentication
  • Instance authentication

There is no area or domain authentication. Instead, authentication can be applied to the IS-IS routing instance. The password is not configured directly, but we use a key-chain instead. I’ll create one on both routers:

R1 & R2
(config)#key chain ISIS_AUTH          
(config-keychain)#key 1
(config-keychain-key)#key-string MY_PASSWORD

The name of the keychain and key number can be different (unlike most protocols, the key number is not checked in IS-IS). The key string has to match on both ends.

Interface Authentication

Let’s start with interface authentication. We have to use the isis authentication mode command:

R1(config)#interface GigabitEthernet 0/1
R1(config-if)#isis authentication mode ?
  md5   Keyed message digest
  text  Clear text password

As you can see above, this command is the “new” way of configuring authentication, and it also supports clear text authentication. We are going to use HDMAC-MD5 however:

R1(config-if)#isis authentication mode md5

The next thing we have to do is to tell the router which keychain we want to use. Optionally, you can decide if you want to use HMAC-MD5 authentication for level 1, level 2 or both:

R1(config-if)#isis authentication key-chain ISIS_AUTH ?
  level-1  ISIS authentication for level-1 PDUs
  level-2  ISIS authentication for level-2 PDUs
  <cr>

I’ll go for the default option which means authentication is enabled for both level 1 and level 2 adjacencies:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 803 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
480 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags: ,


Forum Replies

  1. Hello Kacem

    If you’re running this on GNS3 it could be an issue with the resources being allocated to dynamips. It has been known to create such error messages when the PC doesn’t have sufficient resources to provide for the emulator. This is especially the case when using MD5 as this takes up more resources.

    Despite the error, is everything else working correctly? Are you getting a neighbor relationship and is the routing table being populated? If so, this seems to indicate that the issue is with resources.

    If you’re sure your configs are correct, try to re

    ... Continue reading in our forum

1 more reply! Ask a question or join the discussion by visiting our Community Forum