isis area authentication v/s domain authentication on CSR

sachin30720041
Level 1

Hello,

How to configure area authentication and domain authentication on Cisco CSR?

I am using the following commands under "router isis" to configure authentication.

router isis 1
 net 49.0001.2222.2222.2222.00
 is-type level-1
 authentication mode text
 authentication key-chain key1
 metric-style narrow

Authentication is working. But I do not know if authentication is happening at the area level or at the domain level.

I tried using the area-password and domain-password commands but I got the following errors.

--------------------------
r2(config)#router isis 1
r2(config-router)#area-password s
%Please configure password using authentication command
---------------------------------------
r2(config)#router isis 1
r2(config-router)#domain-password s
%Please configure password using authentication command

Thanks

2 Replies

Peter Paluch
Cisco Employee

Hello,

A few things to remember.

First, authentication configured inside router isis affects the LSP, CSNP and PSNP packet types but not Hellos (IIHs). IIH authentication is configured on interfaces. If you didn't configure any authentication on the interfaces, IIHs are not authenticated.

Second, authentication configured with area-password affected only Level-1 LSP, CSNP and PSNP, not their Level-2 counterparts. The corresponding new style of the configuration is authentication mode { text | md5 } level-1 and authentication key-chain key-chain-name level-1. In a similar way, authentication configured with domain-password affected only Level-2 LSP, CSNP and PSNP, and its current commands to configure are authentication mode { text | md5 } level-2 and authentication key-chain key-chain-name level-2.

Third, if you use the authentication mode and authentication key-chain commands without specifying the level, they will automatically expand into both level-1 and level-2 counterparts, thereby enabling the authentication for both levels.

Fourth, you have forced your IS-IS process to operate on Level-1 only so any authentication that is occurring is only happening on Level-1 since you do not operate at Level-2 at all.

Best regards,
Peter
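
An added example (not part of the thread, and not Cisco tooling): a small Python check that applies the points above to a saved running-config. It reports, per level, which LSP/CSNP/PSNP authentication the router isis section enables and which IS-IS interfaces carry no IIH authentication. The sample config, interface names and function names are constructed for illustration; only the new-style authentication commands are recognised, and is-type is not taken into account.

```python
import re

# Constructed sample running-config (not taken from the thread's routers).
SAMPLE = """\
interface GigabitEthernet1
 ip router isis 1
 isis authentication mode md5 level-1
 isis authentication key-chain key1 level-1
!
interface GigabitEthernet2
 ip router isis 1
!
router isis 1
 authentication mode text
 authentication key-chain key1
"""

AUTH = r"authentication (?:mode (text|md5)|key-chain \S+)(?: (level-[12]))?"

def sections(config):
    """Map each top-level config line to its indented sub-commands."""
    out, cur = {}, []
    for line in config.splitlines():
        if line[:1].isspace():
            cur.append(line.strip())
        elif line.strip() not in ("", "!"):
            cur = out.setdefault(line.strip(), [])
    return out

def auth_levels(cmds, prefix=""):
    """Return {level: mode} for levels that have both a mode and a key chain."""
    mode, chained = {}, set()
    for m in filter(None, (re.fullmatch(prefix + AUTH, c) for c in cmds)):
        # No level keyword means the command applies to both levels.
        for lv in ([m.group(2)] if m.group(2) else ["level-1", "level-2"]):
            if m.group(1):
                mode[lv] = m.group(1)
            else:
                chained.add(lv)
    return {lv: md for lv, md in mode.items() if lv in chained}

def audit(config):
    """Report LSP/SNP auth (router isis) and IIH auth (per IS-IS interface)."""
    report = {"lsp_snp": {}, "iih": {}}
    for hdr, cmds in sections(config).items():
        if hdr.startswith("router isis"):
            report["lsp_snp"] = auth_levels(cmds)
        elif hdr.startswith("interface ") and "ip router isis" in " ".join(cmds):
            report["iih"][hdr.split()[1]] = auth_levels(cmds, "isis ")
    return report
```

An interface that maps to an empty dict in the "iih" part of the report sends and accepts unauthenticated Hellos, and a "text" mode anywhere means the key travels in clear text.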

 

Hello,

You currently have clear text authentication configured. This (and HMAC-MD5) are only available at the instance (this is what you currently have) and interface level. It does not differentiate between area and domain.

If you want interface/area/domain authentication, use the 'old', legacy way (which is obviously less secure), and don't configure the 'authentication mode text' and 'authentication key-chain key1'.

Interface Authentication

interface ethernet 0
 ip address 192.168.1.1 255.255.255.0
 ip router isis
 isis password interface_password

Area Authentication

router isis
 net 49.1234.1111.1111.1111.00
 area-password area_password

Domain Authentication

router isis
 net 49.1234.1111.1111.1111.00
 domain-password domain_password
