Cisco IOS-XR IS-IS Authentication

Trying to set up Segment Routing running over IS-IS; wondering, is it possible to set up authentication for IS-IS neighbors?


balaji.bandi (Hall of Fame)

Last time I tested it, it was working in my lab for authentication with the syntax below:

Configure Authentication for IS-IS

This task explains how to configure authentication for IS-IS. This task is optional.
SUMMARY STEPS

    configure
    router isis instance-id
    lsp-password { hmac-md5 | text } { clear | encrypted } password [ level { 1 | 2 }] [ send-only ] [ snp send-only ]
    interface type interface-path-id
    hello-password { hmac-md5 | text } { clear | encrypted } password [ level { 1 | 2 }] [ send-only ]
    Use the commit or end command.

Note: I have not tested the Segment Routing config using a password. It should work, but let us know your testing inputs.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

What is the strongest encryption for password authentication?  "hmac-md5" or "encrypted"? I heard MD5 encryption has been broken...

@ThomasCampbell64 

While MD5 has been shown to be vulnerable to collision attacks, HMAC-MD5 Hash is still considered secure for message authentication. However, it is recommended to use stronger cryptographic hash functions like SHA-256 or SHA-512 for new applications.

Note that hashing and encryption are different cryptographic techniques used for different purposes.

  • HMAC-MD5: HMAC combined with MD5 provides a way to use a secret key with a hash function to ensure data integrity and authenticity. It uses a cryptographic key to produce a hash that is more secure than the hash alone.

  • Encrypted Password: Cisco's Type-6 encryption uses AES to encrypt the password. This provides strong encryption for the password itself but is different from how the passwords are used for IS-IS authentication, which typically relies on hashing for verifying the integrity and authenticity of the data.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
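As an added example (not code from this thread, and not Cisco's implementation), the Python below models what the hmac-md5 option of lsp-password / hello-password does to each IS-IS PDU on the wire, and contrasts it with HMAC-SHA-256, which the RFC 5310 key-chain form carries. The TLV type (10) and the authentication-type values (54 for HMAC-MD5 from RFC 5304, 3 for the RFC 5310 generic cryptographic form that adds a 16-bit key ID) are the real protocol constants; the PDU body, the shared key and the key ID are constructed for the demo, and the PDU layout around the TLV is simplified rather than a full IS-IS encoding.

```python
import hashlib
import hmac
import struct

# Protocol constants (RFC 5304 / RFC 5310). The surrounding PDU framing below is
# a simplified stand-in for illustration, not the real IS-IS header/TLV layout.
AUTH_TLV_TYPE = 10
AUTH_TYPE_HMAC_MD5 = 54          # RFC 5304: HMAC-MD5 over the PDU
AUTH_TYPE_GENERIC_CRYPTO = 3     # RFC 5310: key id + HMAC-SHA-* digest

# Map the CLI-style keyword to the underlying hash used inside HMAC.
ALGOS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}


def _tlv(auth_type: int, payload: bytes) -> bytes:
    """Encode one authentication TLV: type, length, auth-type byte, payload."""
    value = bytes([auth_type]) + payload
    return struct.pack("!BB", AUTH_TLV_TYPE, len(value)) + value


def _layout(algo: str):
    """Return (auth_type, key-id prefix length, digest length) for an algorithm."""
    digest_len = ALGOS[algo]().digest_size
    if algo == "hmac-md5":
        return AUTH_TYPE_HMAC_MD5, 0, digest_len
    return AUTH_TYPE_GENERIC_CRYPTO, 2, digest_len


def sign_pdu(pdu_body: bytes, key: bytes, algo: str, key_id: int = 1) -> bytes:
    """Append an authentication TLV whose digest is a keyed MAC over the PDU.

    As in RFC 5304/5310, the MAC is computed with the digest field set to zero,
    then the real digest is written into the TLV.
    """
    auth_type, prefix_len, digest_len = _layout(algo)
    prefix = struct.pack("!H", key_id) if prefix_len else b""
    placeholder = _tlv(auth_type, prefix + bytes(digest_len))
    mac = hmac.new(key, pdu_body + placeholder, ALGOS[algo]).digest()
    return pdu_body + _tlv(auth_type, prefix + mac)


def verify_pdu(pdu: bytes, key: bytes, algo: str, key_id: int = 1) -> bool:
    """Receiver side: recompute the MAC with the locally configured key.

    Any change to the body, the wrong key, or a truncated PDU yields False.
    """
    auth_type, prefix_len, digest_len = _layout(algo)
    tlv_len = 2 + 1 + prefix_len + digest_len
    if len(pdu) < tlv_len:
        return False
    body, tlv = pdu[:-tlv_len], pdu[-tlv_len:]
    if tlv[0] != AUTH_TLV_TYPE or tlv[1] != tlv_len - 2 or tlv[2] != auth_type:
        return False
    if prefix_len and struct.unpack("!H", tlv[3:5])[0] != key_id:
        return False
    received = tlv[3 + prefix_len:]
    placeholder = _tlv(auth_type, tlv[3:3 + prefix_len] + bytes(digest_len))
    expected = hmac.new(key, body + placeholder, ALGOS[algo]).digest()
    # Constant-time comparison so a verifier does not leak digest bytes by timing.
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Sign a constructed hello body both ways and show what the receiver rejects."""
    key = b"constructed-shared-key"   # the same key is configured on both routers
    # Constructed stand-in for an IIH body; real IS-IS fields are not modelled.
    hello_body = b"IIH:circuit=Gi0/0/0/0;system=0000.0000.0001;holdtime=30"
    signed_md5 = sign_pdu(hello_body, key, "hmac-md5")
    signed_sha = sign_pdu(hello_body, key, "hmac-sha256")
    # Flip one bit in the body: the MAC no longer matches.
    tampered = bytes([signed_md5[0] ^ 0x01]) + signed_md5[1:]
    return {
        "md5_tlv_bytes": len(signed_md5) - len(hello_body),      # 2 + 1 + 16
        "sha256_tlv_bytes": len(signed_sha) - len(hello_body),   # 2 + 1 + 2 + 32
        "md5_ok": verify_pdu(signed_md5, key, "hmac-md5"),
        "sha256_ok": verify_pdu(signed_sha, key, "hmac-sha256"),
        "tampered_rejected": not verify_pdu(tampered, key, "hmac-md5"),
        "wrong_key_rejected": not verify_pdu(signed_md5, b"other-key", "hmac-md5"),
        "truncated_rejected": not verify_pdu(signed_md5[:10], key, "hmac-md5"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the code makes is the one in the reply above: without the shared key a peer cannot produce a valid digest, so the known MD5 collision results do not by themselves let an unauthenticated device inject or alter LSPs, but a 32-byte HMAC-SHA-256 digest via the RFC 5310 TLV is the stronger choice where the platform supports it. The encrypted keyword is orthogonal: it only changes how the key is stored in the configuration, and the router recovers the same key bytes before feeding them to the HMAC, so it adds nothing on the wire. Two operational checks follow from the model: both routers must hold byte-identical keys (and, for the key-chain form, the same key ID), and the verifier should compare digests in constant time as hmac.compare_digest does here.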

M02@rt37 (VIP)

Hello @ThomasCampbell64 

Look at domain password. It is used to authenticate IS-IS control plane messages to ensure that only authorized devices can participate in the IS-IS routing domain. This helps in protecting the network from unauthorized devices and potential routing attacks...

This works similar to area authentication except it is applied to all routers in the same IS-IS domain. If you do this, authentication will be applied to all routers in the same ID domain. The behavior is the same as area authentication. Hello packets are unauthenticated, LSPs will be authenticated. If you also want to authenticate SNPs, you’ll have to include the authenticate snp validate parameter.

--

R1(config)#router isis
R1(config-router)#domain-password MY_PASSWORD

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_isis/configuration/15-sy/irs-15-sy-book/irs-scty.html

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I found this article:

Trying to set a key-string for IS-IS using HMAC-SHA256 but keep getting an error...

https://media.defense.gov/2022/Feb/17/2002940795/-1/-1/1/CSI_CISCO_PASSWORD_TYPES_BEST_PRACTICES_20220217.PDF

@ThomasCampbell64 

Do show configuration failed when you have this error message. Share the output.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Not too sure, must have been a bug in the software running on EVE-NG.

Working now!

Cheers!

Tom

Check the version of code running (the one not working vs working).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The screenshot shows something failed, so come out and look for the command as suggested to see what is wrong.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help