Core Issue

Authentication of routing updates exchanged between routers is necessary to prevent the routers from accepting malicious routing information. Intermediate System-to-Intermediate System (IS-IS) routers configured for authentication do not form an adjacency unless they are able to authenticate to each other successfully. IS-IS supports clear text authentication that uses a plain text password. Clear text authentication can be configured on an interface, for an area or through a domain.

Note: In addition to clear text authentication, IS-IS also supports IS-IS HMAC-MD5 authentication and enhanced clear text authentication. For more information, refer to IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication.

Resolution

To configure IS-IS clear text authentication on an interface, issue the isis password command in interface configuration mode. The configured password is sent in the hello packets that the routers exchange, and it has to match between the neighbors on the same segment. 

To configure IS-IS authentication for an area, issue the area-password command in router configuration mode. The password configured with this command is exchanged in the Level 1 (L1) Line-State Packets (LSPs), Complete Sequence Number PDUs (CSNPs) and Partial Sequence Number PDUs (PSNPs), and has to match on all Level 1/Level 2 (L1/L2) and L1 routers within the same area.

To configure IS-IS authentication throughout a domain, issue the domain-password command in router configuration mode. This is exchanged in the L2 LSPs, CSNPs and PSNPs, and it must match on all L1/L2 and L2 routers within the domain.

For more information on IS-IS authentication and authentication problems, refer to Configuring IS-IS Authentication.