[c-nsp] Finding source of ISIS authentication failure

daniel.dib at reaper.nu
Tue Jul 2 04:26:33 EDT 2013


 

2013-07-01 23:27, John Neiberger wrote:

> Thanks!
>
> On a related note, I'm stumped by the bewildering array of authentication
> options and commands in 12.2. We know that some authentication problem
> exists between this 7600 and another device but I don't know exactly
> what it is.
>
> We have the following on our interfaces:
>
> isis authentication mode md5
> isis authentication key-chain OurChain
>
> It is my understanding that in IOS, this enables hello authentication
> only. Not sure if that is even remotely correct.
>
> We have the same thing under router isis:
>
> router isis
> authentication mode md5
> authentication key-chain OurChain
>
> I thought that this enabled area authentication in IOS, but I'm reading
> a 12.2 ISIS configuration guide that seems to indicate otherwise. So,
> I'm confused. What exactly are we authenticating as currently
> configured? We do not have an explicit area password or domain password
> set. It was my assumption that the current config was doing hello and
> area authentication, but the more I read, the more I realize that I
> don't know what IOS is doing here.
>
> Thanks!
> John

Hi,

Authentication configured under interface authenticates the hello
packets only. If you configure area-password that will authenticate LSPs
but not CSNP and PSNP by default unless you use authenticate snp option.
This only works for level 1 PDUs. The equivalent for level 2 seems to be
domain-password where you have the same options. Note that both
area-password and domain-password are sent in clear text.

When you use authentication key-chain you are authenticating both LSPs
and SNPs and this seems to be the only valid option if you want to use
MD5. It will authenticate both at level 1 and 2. So your configuration
seems correct. So in summary right now you are authenticating hello
packets and LSPs and SNPs at all levels.

Best regards,
Daniel Dib 
CCIE #37149 
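
The coverage rules stated in the reply above, written as a small config audit. This is an example added here, not code from the thread or from Cisco; the interface name, the `Secret1` password and the function names are assumptions, and only the unqualified command forms shown in the thread are recognised.

```python
import re

# Constructed sample: the thread's commands plus a made-up interface and area-password.
SAMPLE = """\
interface GigabitEthernet1/1
 isis authentication mode md5
 isis authentication key-chain OurChain
!
router isis
 authentication mode md5
 authentication key-chain OurChain
 area-password Secret1
"""

def sections(config):
    """Group indented sub-commands under their unindented parent line."""
    out, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if not raw[0].isspace():
            current = out.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return out

def audit(config):
    """Return (coverage, warnings); coverage maps scope -> authenticated PDU kinds."""
    coverage, warnings = {}, []
    for header, cmds in sections(config).items():
        prefix = "isis " if header.startswith("interface ") else ""
        if not (prefix or header.startswith("router isis")):
            continue
        # Only the unqualified command forms are recognised here.
        md5 = prefix + "authentication mode md5" in cmds
        chain = any(re.fullmatch(prefix + r"authentication key-chain \S+", c) for c in cmds)
        if md5 and chain and prefix:
            coverage.setdefault(header, set()).add("hello")
        elif md5 and chain:
            for lvl in ("level-1", "level-2"):
                coverage.setdefault(lvl, set()).update({"LSP", "SNP"})
        elif md5 != chain:
            warnings.append(f"{header}: only one of mode md5 / key-chain is present")
        for c in cmds:
            m = re.match(r"(area|domain)-password \S+(.*)", c)
            if m:
                lvl = "level-1" if m.group(1) == "area" else "level-2"
                kinds = {"LSP", "SNP"} if "authenticate snp" in m.group(2) else {"LSP"}
                coverage.setdefault(lvl, set()).update(kinds)
                warnings.append(f"{header}: {m.group(1)}-password is sent in clear text")
    return coverage, warnings
```

Running `audit()` on the configuration of each IS-IS neighbour and comparing the results shows which PDU types one side authenticates and the other does not.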

 

