09-21-2021 12:50 AM
Hello,
How to configure area authentication and domain authentication on a Cisco CSR?
I am using the following commands under "router isis" to configure authentication.
router isis 1
net 49.0001.2222.2222.2222.00
is-type level-1
authentication mode text
authentication key-chain key1
metric-style narrow
Authentication is working. But I do not know if authentication is happening at the area level or at the domain level.
I tried using the area-password and domain-password commands but I got the following errors.
--------------------------
r2(config)#router isis 1
r2(config-router)#area-password s
%Please configure password using authentication command
---------------------------------------
r2(config)#router isis 1
r2(config-router)#domain-password s
%Please configure password using authentication command
Thanks
09-21-2021 01:17 AM
Hello,
A few things to remember.
First, authentication configured inside router isis affects the LSP, CSNP and PSNP packet types but not Hellos (IIHs). IIH authentication is configured on interfaces. If you didn't configure any authentication on the interfaces, IIHs are not authenticated.
Second, authentication configured with area-password affected only Level-1 LSP, CSNP and PSNP, not their Level-2 counterparts. The corresponding new style of the configuration is authentication mode { text | md5 } level-1 and authentication key-chain key-chain-name level-1. In a similar way, authentication configured with domain-password affected only Level-2 LSP, CSNP and PSNP, and its current commands to configure are authentication mode { text | md5 } level-2 and authentication key-chain key-chain-name level-2.
Third, if you use the authentication mode and authentication key-chain commands without specifying the level, they will automatically expand into both level-1 and level-2 counterparts, thereby enabling the authentication for both levels.
Fourth, you have forced your IS-IS process to operate on Level-1 only so any authentication that is occurring is only happening on Level-1 since you do not operate at Level-2 at all.
Best regards,
Peter
09-21-2021 01:21 AM
Hello,
you currently have clear text authentication configured. This (and HMAC-MD5) is only available at the instance level (which is what you currently have) and at the interface level. It does not differentiate between area and domain.
If you want interface/area/domain authentication, use the 'old' legacy way (which is obviously less secure), and don't configure 'authentication mode text' and 'authentication key-chain key1'.
Interface Authentication
interface ethernet 0
ip address 192.168.1.1 255.255.255.0
ip router isis
isis password interface_password
Area Authentication
router isis
net 49.1234.1111.1111.1111.00
area-password area_password
Domain Authentication
router isis
net 49.1234.1111.1111.1111.00
domain-password domain_password
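The following is an added configuration example, not from either reply above. It places the legacy area/domain/interface passwords shown in the previous post beside the level-specific key-chain commands Peter describes, so the mapping (area-password = level-1, domain-password = level-2, hellos = interface) is visible in one place. It goes slightly beyond the thread by using HMAC-MD5 and a separate key chain per level. Interface names, NET, addresses and key strings are made up. As the original poster's error output shows, the two styles cannot coexist under one IS-IS process; and with is-type level-1 configured, the level-2 lines are never exercised.

```cisco
! Added example (not from the thread). Names, addresses and key strings are made up.
!
! --- Legacy style: clear text only, per-level passwords ---
router isis
 net 49.1234.1111.1111.1111.00
 ! Level-1 LSP/CSNP/PSNP only
 area-password area_password
 ! Level-2 LSP/CSNP/PSNP only
 domain-password domain_password
!
interface GigabitEthernet1
 ip address 192.168.1.1 255.255.255.0
 ip router isis
 ! IIH (hello) authentication; configured per interface, not under "router isis"
 isis password interface_password
!
! --- Equivalent new style: HMAC-MD5 with one key chain per scope ---
! Do not combine these with area-password / domain-password in the same process.
key chain L1-KEYS
 key 1
  key-string area_password
key chain L2-KEYS
 key 1
  key-string domain_password
key chain IIH-KEYS
 key 1
  key-string interface_password
!
router isis
 net 49.1234.1111.1111.1111.00
 ! these two lines replace area-password
 authentication mode md5 level-1
 authentication key-chain L1-KEYS level-1
 ! these two lines replace domain-password
 authentication mode md5 level-2
 authentication key-chain L2-KEYS level-2
!
interface GigabitEthernet1
 ip address 192.168.1.1 255.255.255.0
 ip router isis
 ! these two lines replace "isis password"
 isis authentication mode md5
 isis authentication key-chain IIH-KEYS
!
! Verification (output omitted):
!   show isis database detail   - each LSP should list the authentication TLV
!   show clns is-neighbors      - adjacencies stay UP only while IIH keys match
```

If the authentication mode and authentication key-chain lines are entered without a level keyword, IOS expands them to both levels, so a single key chain then protects Level-1 and Level-2 alike; specifying level-1 and level-2 explicitly is what lets you keep an area key separate from a domain key.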