Table Of Contents
IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
Contents
Prerequisites for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
Information About IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
IS-IS HMAC-MD5 Authentication
Benefits of IS-IS HMAC-MD5 Authentication
Benefits of IS-IS Clear Text Authentication
How to Configure IS-IS HMAC-MD5 Authentication or Enhanced Clear Text Authentication
Configuring HMAC-MD5 Authentication or Clear Text Authentication for the First Time
Configuring HMAC-MD5 or Clear Text Authentication for the IS-IS Instance
Configuring HMAC-MD5 or Clear Text Authentication for an IS-IS Interface
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication for the IS-IS Instance
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication for an IS-IS Interface
Migrating from Old Clear Text Authentication to the New Clear Text Authentication
Migrating from Old Clear Text Authentication to the New Clear Text Authentication for the IS-IS Instance
Migrating from Old Clear Text Authentication to the New Clear Text Authentication for an IS-IS Interface
Configuration Examples for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
Configuring IS-IS HMAC-MD5 Authentication Example
Configuring IS-IS Clear Text Authentication Example
Additional References
Related Documents
MIBs
RFCs
Technical Assistance
Command Reference
area-password
authentication key-chain
authentication mode
authentication send-only
debug isis authentication
domain-password
isis authentication key-chain
isis authentication mode
isis authentication send-only
IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
The IS-IS HMAC-MD5 authentication feature adds an HMAC-MD5 digest to each Intermediate System-to-Intermediate System (IS-IS) protocol data unit (PDU). The digest allows authentication at the IS-IS routing protocol level, which prevents unauthorized routing message from being injected into the network routing domain. IS-IS clear text (plain text) authentication is enhanced so that passwords are encrypted when the software configuration is displayed and passwords are easier to manage and change.
Feature Specifications for the IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication Feature
Feature History
|
|
Release
|
Modification
|
12.0(21)ST
|
This feature was introduced.
|
12.2(11)S
|
This feature was integrated into Cisco IOS Release 12.2(11)S.
|
12.0(22)S
|
This feature was integrated into Cisco IOS Release 12.0(22)S.
|
12.2(13)T
|
This feature was integrated into Cisco IOS Release 12.2(13)T.
|
Supported Platforms
|
Cisco 7200 series, Cisco 7500 series, Cisco 10000 series, Cisco 10720 Internet router, Cisco 12000 series
|
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://www.cisco.com/register
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
http://www.cisco.com/go/fn
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or Cisco Feature Navigator.
Contents
•
Prerequisites for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
•Information About IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
•How to Configure IS-IS HMAC-MD5 Authentication or Enhanced Clear Text Authentication
•Configuration Examples for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
•Additional References
•Command Reference
Prerequisites for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
In order to use HMAC-MD5 or clear text authentication with encrypted keys, the Integrated IS-IS routing protocol must be configured.
Information About IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
Before you configure IS-IS HMAC-MD5 authentication or clear text authentication, you should understand the following concepts:
•IS-IS HMAC-MD5 Authentication
•Benefits of IS-IS HMAC-MD5 Authentication
•Benefits of IS-IS Clear Text Authentication
IS-IS HMAC-MD5 Authentication
The IS-IS HMAC-MD5 authentication feature adds an HMAC-MD5 digest to each IS-IS PDU. HMAC is a mechanism for message authentication codes (MACs) using cyptographic hash functions. The digest allows authentication at the IS-IS routing protocol level, which prevents unauthorized routing messages from being injected into the network routing domain.
IS-IS has five packet types: link state packet (LSP), LAN Hello, Serial Hello, CSNP, and PSNP. The IS-IS HMAC-MD5 authentication or the clear text password authentication can be applied to all five types of PDU. The authentication can be enabled on different IS-IS levels independently. The interface-related PDUs (LAN Hello, Serial Hello, CSNP, and PSNP) can be enabled with authentication on different interfaces, with different levels and different passwords.
The HMAC-MD5 mode cannot be mixed with the clear text mode on the same authentication scope (LSP or interface). However, administrators can use one mode for LSP and another mode for some interfaces, for example. If mixed modes are intended, different keys should be used for different modes in order not to compromise the encrypted password in the PDUs.
Benefits of IS-IS HMAC-MD5 Authentication
•IS-IS now supports MD5 authentication, which is more secure than clear text authentication.
•MD5 authentication or clear text authentication can be enabled on Level 1 or Level 2 independently.
•Passwords can be rolled over to new passwords without disrupting routing messages.
•For the purpose of network transition, you can configure the networking device to accept PDUs without authentication or with wrong authentication information, yet send PDUs with authentication. Such transition might be because you are migrating from no authentication to some type of authentication, you are changing authentication type, or you are changing keys.
Benefits of IS-IS Clear Text Authentication
IS-IS clear text (plain text) authentication was formerly configured only by using the area-password or domain-password command. Clear text authentication can now be configured using new commands that cause passwords to be encrypted when the software configuration is displayed and make passwords easier to manage and change.
How to Configure IS-IS HMAC-MD5 Authentication or Enhanced Clear Text Authentication
The following sections describe configuration tasks for IS-IS authentication. The task you perform depends on whether you are introducing authentication or migrating from an existing authentication scheme.
•Configuring HMAC-MD5 Authentication or Clear Text Authentication for the First Time (optional)
•Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication (optional)
•Migrating from Old Clear Text Authentication to the New Clear Text Authentication (optional)
Configuring HMAC-MD5 Authentication or Clear Text Authentication for the First Time
Before you can configure authentication, you must make the following decisions:
•Whether to configure authentication for the IS-IS instance or for individual IS-IS interfaces (both tasks are included in this section)
•Whether to configure HMAC-MD5 authentication or clear text authentication (this decision is made with the authentication mode command if you are configuring an IS-IS instance, or with the isis authentication mode command if you are configuring an IS-IS interface)
Configuring HMAC-MD5 or Clear Text Authentication for the IS-IS Instance
To achieve a smooth transition to authenticating IS-IS packets, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string text
6. exit
7. router isis area-tag
8. authentication send-only [level-1 | level-2]
9. Repeat Steps 1 through 8 on each router that will communicate.
10. authentication mode {md5 | text }[level-1 | level-2]
11. authentication key-chain name-of-chain [level-1 | level-2]
12. Repeat Steps 10 and 11 on each router that will communicate.
13. no authentication send-only
14. Repeat Step 13 on each router that will communicate.
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables higher privilege levels, such as privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
key chain name-of-chain
Example:
Router(config)# key chain remote3754
|
Enables authentication for routing protocols and identifies a group of authentication keys.
|
Step 4
|
key key-id
Example:
Router(config-keychain)# key 100
|
Identifies an authentication key on a key chain.
•The key-id must be a number.
|
Step 5
|
key-string text
Example:
Router(config-keychain-key)# key-string mno172
|
Specifies the authentication string for a key.
•The text can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a number.
|
Step 6
|
exit
Example:
Router(config-keychain-key)# exit
|
Returns to global configuration mode.
|
Step 7
|
router isis area-tag
Example:
Router(config)# router isis 1
|
Enables the IS-IS routing protocol and specifies an IS-IS process.
|
Step 8
|
authentication send-only [level-1 | level-2]
Example:
Router(config-router)# authentication send-only
|
Specifies for the IS-IS instance that MD5 authentication is performed only on IS-IS packets being sent (not received).
|
Step 9
|
Repeat Steps 1 through 8 on each router that will communicate.
|
Use the same key-string on each router.
|
Step 10
|
authentication mode {md5 | text} [level-1 | level-2]
Example:
Router(config-router)# authentication mode md5
|
Specifies the type of authentication used in IS-IS packets for the IS-IS instance.
•Specify md5 for MD5 authentication.
•Specify text for clear text authentication.
|
Step 11
|
authentication key-chain name-of-chain [level-1 |
level-2]
Example:
Router(config-router)# authentication key-chain
remote3754
|
Enables MD5 authentication for the IS-IS instance.
|
Step 12
|
Repeat Steps 10 and 11 on each router that will communicate.
|
—
|
Step 13
|
no authentication send-only
Example:
Router(config-router)# no authentication send-only
|
Specifies for the IS-IS instance that MD5 authentication is performed on IS-IS packets being sent and received.
|
Step 14
|
Repeat Step 13 on each router that will communicate.
|
—
|
Configuring HMAC-MD5 or Clear Text Authentication for an IS-IS Interface
To achieve a smooth transition to authenticating IS-IS packets, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string text
6. exit
7. interface type number
8. isis authentication send-only [level-1 | level-2]
9. Repeat Steps 1 through 8 on each router that will communicate.
10. isis authentication mode {md5 | text }[level-1 | level-2]
11. isis authentication key-chain name-of-chain [level-1 | level-2]
12. Repeat Steps 10 and 11 on each router that will communicate.
13. no isis authentication send-only
14. Repeat Step 13 on each router that will communicate.
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables higher privilege levels, such as privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
key chain name-of-chain
Example:
Router(config)# key chain multistate87723
|
Enables authentication for routing protocols and identifies a group of authentication keys.
|
Step 4
|
key key-id
Example:
Router(config-keychain)# key 201
|
Identifies an authentication key on a key chain.
•The key-id must be a number.
|
Step 5
|
key-string text
Example:
Router(config-keychain-key)# key-string idaho
|
Specifies the authentication string for a key.
•The text can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a number.
|
Step 6
|
exit
Example:
Router(config-keychain-key)# exit
|
Returns to global configuration mode.
|
Step 7
|
interface type number
Example:
Router(config)# interface ethernet 0
|
Configures an interface.
|
Step 8
|
isis authentication send-only [level-1 | level-2]
Example:
Router(config-if)# isis authentication send-only
|
Specifies that MD5 authentication is performed only on packets being sent (not received) on a specified IS-IS interface.
|
Step 9
|
Repeat Steps 1 through 8 on each router that will communicate.
|
Use the same key-string on each router.
|
Step 10
|
isis authentication mode {md5 | text} [level-1 |
level-2]
Example:
Router(config-if)# isis authentication mode md5
|
Specifies the type of authentication used for an IS-IS interface.
|
Step 11
|
isis authentication key-chain name-of-chain [level-1 |
level-2]
Example:
Router(config-if)# isis authentication key-chain
multistate87723
|
Enables MD5 authentication for an IS-IS interface.
•Refer to the key management feature, which is referenced in the "Related Documents" section.
|
Step 12
|
Repeat Steps 10 and 11 on each router that will communicate.
|
—
|
Step 13
|
Router(config-if)# no isis authentication send-only
Example:
Router(config-if)# no isis authentication send-only
|
Specifies that MD5 authentication is performed on packets being sent and received on a specified IS-IS interface.
|
Step 14
|
Repeat Step 13 on each router that will communicate.
|
—
|
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication
When you are migrating from the old clear text authentication to HMAC-MD5 authentication, after you load the first router with an image that includes this feature, the router will continue to use the old clear text authentication with other routers on the network.
Note If you want HMAC-MD5 authentication, all routers in the authentication scope must have the new image before HMAC-MD5 can be configured. The scope can be either a Level 1 or Level 2 domain.
Before you can configure authentication, you must decide whether to configure authentication for the IS-IS instance or for individual IS-IS interfaces (both tasks are in this section).
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication for the IS-IS Instance
To achieve a smooth transition to authenticating IS-IS packets, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
When you configure the MD5 authentication, the area-password and domain-password command settings will be overridden automatically with the new authentication commands.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string text
6. exit
7. router isis area-tag
8. authentication send-only [level-1 | level-2]
9. Repeat Steps 1 through 8 on each router that will communicate.
10. authentication mode md5 [level-1 | level-2]
11. authentication key-chain name-of-chain [level-1 | level-2]
12. Repeat Steps 10 and 11 on each router that will communicate.
13. no authentication send-only
14. Repeat Step13 on each router that will communicate.
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables higher privilege levels, such as privileged EXEC mode.
Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
key chain name-of-chain
Example:
Router(config)# key chain dinosaur
|
Enables authentication for routing protocols and identifies a group of authentication keys.
|
Step 4
|
key key-id
Example:
Router(config-keychain)# key 301
|
Identifies an authentication key on a key chain.
•The key-id must be a number.
|
Step 5
|
key-string text
Example:
Router(config-keychain-key)# key-string pterodactyl
|
Specifies the authentication string for a key.
•The text can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a number.
|
Step 6
|
exit
Example:
Router(config-keychain-key)# exit
|
Returns to global configuration mode.
|
Step 7
|
router isis area-tag
Example:
Router(config)# router isis 1
|
Enables the IS-IS routing protocol and specifies an IS-IS process.
|
Step 8
|
authentication send-only [level-1 | level-2]
Example:
Router(config-router)# authentication send-only
|
Specifies for the IS-IS instance that MD5 authentication is performed only on IS-IS packets being sent (not received).
|
Step 9
|
Repeat Steps 1 through 8 on each router that will communicate.
|
Use the same key-string on each router.
|
Step 10
|
authentication mode md5 [level-1 | level-2]
Example:
Router(config-router)# authentication mode md5
|
Specifies the type of authentication used in IS-IS packets for the IS-IS instance.
|
Step 11
|
authentication key-chain name-of-chain [level-1 |
level-2]
Example:
Router(config-router)# authentication key-chain
remote3754
|
Enables MD5 authentication for the IS-IS instance.
|
Step 12
|
Repeat Steps 10 and 11 on each router that will communicate.
|
—
|
Step 13
|
no authentication send-only
Example:
Router(config-router)# no authentication send-only
|
Specifies for the IS-IS instance that MD5 authentication is performed on IS-IS packets being sent and received.
|
Step 14
|
Repeat Step13 on each router that will communicate.
|
—
|
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication for an IS-IS Interface
Prerequisites
Before you can migrate from the old method of clear text authentication to HMAC-MD5 authentication at the interface level, you must upgrade all the routers associated with the media of the interfaces to the new image containing the HMAC-MD5 feature.
To achieve a smooth transition to authenticating IS-IS packets, it is important to perform the steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
When you configure the MD5 authentication, the isis password command setting will be overridden automatically with the new authentication commands.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string text
6. exit
7. interface type number
8. isis authentication send-only [level-1 | level-2]
9. Repeat Steps 1 through 8 on each router that will communicate.
10. isis authentication mode md5 [level-1 | level-2]
11. isis authentication key-chain name-of-chain [level-1 | level-2]
12. Repeat Steps 10 and 11 on each router that will communicate.
13. no isis authentication send-only
14. Repeat Step 13 on each router that will communicate.
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables higher privilege levels, such as privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
key chain name-of-chain
Example:
Router(config)# key chain dinosaur
|
Enables authentication for routing protocols and identifies a group of authentication keys.
|
Step 4
|
key key-id
Example:
Router(config-keychain)# key 301
|
Identifies an authentication key on a key chain.
•The key-id must be a number.
|
Step 5
|
key-string text
Example:
Router(config-keychain-key)# key-string pterodactyl
|
Specifies the authentication string for a key.
•The text can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a number.
|
Step 6
|
exit
Example:
Router(config-keychain-key)# exit
|
Returns to global configuration mode.
|
Step 7
|
interface type number
Example:
Router(config)# interface ethernet 0
|
Configures an interface.
|
Step 8
|
isis authentication send-only [level-1 | level-2]
Example:
Router(config-if)# isis authentication send-only
|
Specifies that MD5 authentication is performed only on packets being sent (not received) on a specified IS-IS interface.
|
Step 9
|
Repeat Steps 1 through 8 on each router that will communicate.
|
Use the same key-string on each router.
|
Step 10
|
isis authentication mode md5 [level-1 | level-2]
Example:
Router(config-if)# isis authentication mode md5
|
Specifies the type of authentication used for an IS-IS interface.
|
Step 11
|
isis authentication key-chain name-of-chain [level-1 |
level-2]
Example:
Router(config-if)# isis authentication key-chain
multistate87723
|
Enables MD5 authentication for an IS-IS interface.
•Refer to the key management feature, which is referenced in the "Related Documents" section.
|
Step 12
|
Repeat Steps 10 and 11 on each router that will communicate.
|
—
|
Step 13
|
Router(config-if)# no isis authentication send-only
Example:
Router(config-if)# no isis authentication send-only
|
Specifies that MD5 authentication is performed on packets being sent and received on a specified IS-IS interface.
|
Step 14
|
Repeat Step13 on each router that will communicate.
|
—
|
Migrating from Old Clear Text Authentication to the New Clear Text Authentication
The benefits of migrating from the old method of clear text authentication to the new method of clear text authentication are as follows:
•Passwords are easier to change and maintain.
•Passwords can be encrypted when the system configuration is being displayed (if you use key management).
Before you can configure authentication, you must decide whether to configure authentication for the IS-IS instance or for individual IS-IS interfaces (both tasks are in this section).
Migrating from Old Clear Text Authentication to the New Clear Text Authentication for the IS-IS Instance
To achieve a smooth transition to authenticating LSPs, perform the following steps in the order shown, which requires moving from router to router doing certain steps before all the steps are performed on any one router.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string text
6. exit
7. router isis area-tag
8. authentication send-only [level-1 | level-2]
9. Repeat Steps 1 through 8 on each router that will communicate.
10. authentication mode text [level-1 | level-2]
11. authentication key-chain name-of-chain [level-1 | level-2]
12. Repeat Steps 10 and 11 on each router that will communicate.
13. no authentication send-only
14. Repeat Step 13 on each router that will communicate.
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables higher privilege levels, such as privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
key chain name-of-chain
Example:
Router(config)# key chain dinosaur
|
Enables authentication for routing protocols and identifies a group of authentication keys.
|
Step 4
|
key key-id
Example:
Router(config-keychain)# key 301
|
Identifies an authentication key on a key chain.
•The key-id must be a number.
|
Step 5
|
key-string text
Example:
Router(config-keychain-key)# key-string pterodactyl
|
Specifies the authentication string for a key.
•The text can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a number.
|
Step 6
|
exit
Example:
Router(config-keychain-key)# exit
|
Returns to global configuration mode.
|
Step 7
|
router isis area-tag
Example:
Router(config)# router isis 1
|
Enables the IS-IS routing protocol and specifies an IS-IS process.
|
Step 8
|
authentication send-only [level-1 | level-2]
Example:
Router(config-router)# authentication send-only
|
Specifies for the IS-IS instance that MD5 authentication is performed only on IS-IS packets being sent (not received).
|
Step 9
|
Repeat Steps 1 through 8 on each router that will communicate.
|
Use the same key-string on each router.
|
Step 10
|
authentication mode text [level-1 | level-2]
Example:
Router(config-router)# authentication mode text
|
Specifies the type of authentication used in IS-IS packets for the IS-IS instance.
|
Step 11
|
authentication key-chain name-of-chain [level-1 |
level-2]
Example:
Router(config-router)# authentication key-chain
remote3754
|
Enables MD5 authentication for the IS-IS instance.
|
Step 12
|
Repeat Steps 10 and 11 on each router that will communicate.
|
—
|
Step 13
|
no authentication send-only
Example:
Router(config-router)# no authentication send-only
|
Specifies for the IS-IS instance that MD5 authentication is performed on IS-IS packets being sent and received.
Note Do not perform this step if some of the routers sharing the media on the interface do not run the new image. In software releases prior to those on which this feature runs, authentication is not applied to SNP packets. If the router runs the new image without the authentication send-only command configured and with the new clear text password scheme, it will fail to authenticate the SNP packets from the router with old images.
|
Step 14
|
Repeat Step 13 on each router that will communicate.
|
—
|
Migrating from Old Clear Text Authentication to the New Clear Text Authentication for an IS-IS Interface
This section describes how to configure authentication on interface-related PDUs.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string text
6. exit
7. interface type number
8. isis authentication send-only [level-1 | level-2]
9. Repeat Steps 1 through 8 on each router that will communicate.
10. isis authentication mode text [level-1 | level-2]
11. isis authentication key-chain name-of-chain [level-1 | level-2]
12. Repeat Steps 10 and 11 on each router that will communicate.
13. Load the new image on all the other routers that share the media that the interface uses.
14. no isis authentication send-only
15. Repeat Step 14 on each interface.
DETAILED STEPS
| |
Command
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables higher privilege levels, such as privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
key chain name-of-chain
Example:
Router(config)# key chain dinosaur
|
Enables authentication for routing protocols and identifies a group of authentication keys.
|
Step 4
|
key key-id
Example:
Router(config-keychain)# key 301
|
Identifies an authentication key on a key chain.
•The key-id must be a number.
|
Step 5
|
key-string text
Example:
Router(config-keychain-key)# key-string pterodactyl
|
Specifies the authentication string for a key.
•The text can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a number.
|
Step 6
|
exit
Example:
Router(config-keychain-key)# exit
|
Returns to global configuration mode.
|
Step 7
|
interface type number
Example:
Router(config)# interface ethernet 0
|
Configures an interface.
|
Step 8
|
isis authentication send-only [level-1 | level-2]
Example:
Router(config-if)# isis authentication send-only
|
Specifies that MD5 authentication is performed only on packets being sent (not received) on a specified IS-IS interface.
|
Step 9
|
Repeat Steps 1 through 8 on each router that will communicate.
|
Use the same key-string on each router.
|
Step 10
|
isis authentication mode text [level-1 | level-2]
Example:
Router(config-if)# isis authentication mode text
|
Specifies the type of authentication used for an IS-IS interface.
|
Step 11
|
isis authentication key-chain name-of-chain [level-1 |
level-2]
Example:
Router(config-if)# isis authentication key-chain
multistate87723
|
Enables MD5 authentication for an IS-IS interface.
•Refer to the key management feature, which is referenced in the "Related Documents" section.
|
Step 12
|
Repeat Steps 10 and 11 on each router that will communicate.
|
—
|
Step 13
|
Load the new image on all the other routers that share the media that the interface uses.
|
—
|
Step 14
|
Router(config-if)# no isis authentication send-only
Example:
Router(config-if)# no isis authentication send-only
|
Specifies that MD5 authentication is performed on packets being sent and received on a specified IS-IS interface.
|
Step 15
|
Repeat Step 14 on each interface.
|
—
|
Configuration Examples for IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
This section provides the following configuration examples:
•Configuring IS-IS HMAC-MD5 Authentication Example
•Configuring IS-IS Clear Text Authentication Example
Configuring IS-IS HMAC-MD5 Authentication Example
The following example configures a key chain and key for IS-IS HMAC-MD5 authentication for Ethernet interface 3 (on Hello packets) and for the IS-IS instance (on LSP, CSNP, and PSNP packets):
ip address 10.1.1.1 255.255.255.252
ip router isis real_secure_network
isis authentication mode md5 level-1
isis authentication key-chain cisco level-1
router isis real_secure_network
net 49.0000.0101.0101.0101.00
authentication mode md5 level-1
authentication key-chain cisco level-1
Configuring IS-IS Clear Text Authentication Example
The following example configures a key chain and key for IS-IS clear text authentication for Ethernet interface 3 (on Hello packets) and for the IS-IS instance (on LSP, CSNP, and PSNP packets):
ip address 10.1.1.1 255.255.255.252
ip router isis real_secure_network
isis authentication mode text level-1
isis authentication key-chain cisco level-1
router isis real_secure_network
net 49.0000.0101.0101.0101.00
authentication mode text level-1
authentication key-chain cisco level-1
Additional References
For additional information related to IS-IS HMAC-MD5 authentication and clear text authentication, refer to the following references:
•Related Documents
•MIBs
•RFCs
•Technical Assistance
Related Documents
Related Topic
|
Document Title
|
Key chains and key management
|
•"IP Routing Protocol-Independent Commands" chapter in the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
•"Configuring IP Routing Protocol-Independent Features" chapter in the Cisco IOS IP Configuration Guide, Release 12.2
|
IS-IS routing protocol
|
•"Integrated IS-IS Commands" chapter in the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
•"Configuring Integrated IS-IS" chapter in the Cisco IOS IP Configuration Guide, Release 12.2
|
MIBs
|
|
MIBs Link
|
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
|
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://www.cisco.com/register
RFCs
|
|
Title
|
draft-ietf-isis-hmac-03.txt
|
IS-IS Cryptographic Authentication
|
RFC 1321
|
The MD5 Message-Digest Algorithm
|
RFC 2104
|
HMAC: Keyed-Hashing for Message Authentication
|
Technical Assistance
Description
|
Link
|
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and lots more. Registered Cisco.com users can log in from this page to access even more content.
|
http://www.cisco.com/public/support/tac/home.shtml
|
Command Reference
This section documents the following new commands related to IS-IS HMAC-MD5 authentication. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•authentication key-chain
•authentication mode
•authentication send-only
•debug isis authentication
•isis authentication key-chain
•isis authentication mode
•isis authentication send-only
This section also documents the following revised commands related to clear text authentication. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•
