[c-nsp] Finding source of ISIS authentication failure

Adam Vitkovsky adam.vitkovsky at swan.sk
Tue Jul 2 04:41:39 EDT 2013


Old school way:
link authentication
area authentication
domain authentication

interface level auth:
int f0/0
 isis password <string>
-inserts Type 10 (auth) TLV into: L1&L2 IIH PDUs. 

area-level auth:
router isis
 area-password <string>
-inserts Type 10 (auth) TLV to: level 1 LSP, CSNP, PSNP PDUs. 

domain-level auth:
router isis
 domain-password <string>
-inserts Type 10 (auth) TLV to: level 2 LSP, CSNP, PSNP PDUs. 



IS-IS HMAC-MD5 Authentication. 
interface level
process level

interface level:
int f0/0
 isis authentication mode md5
 isis authentication key-chain test
- inserts type 10 (auth) TLV to L1&L2 IIH PDUs. 

process level:
router isis 1
 authentication mode md5
 authentication key-chain test
- inserts Type 10 (auth) TLV to: level 1&2 LSP, CSNP, PSNP PDUs. 

same applies for Enhanced Clear Text Authentication
cmd: isis authentication mode text


adam
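As an added example (not code from the thread, from Adam, or from Cisco), the script below models the Type 10 TLV check Adam is describing: it builds IS-IS PDUs laid out per ISO 10589 / RFC 1195, signs them with HMAC-MD5 per RFC 5304, and verifies each one against the key chain for its scope the way IOS does, so that a hello checked against the interface chain passes while an LSP from the same neighbor, signed with a key the process-level chain does not hold, fails. The key names, the system ID 0000.0000.0002, the sample PDUs and the key-chain layout are constructed for the demo and are not taken from the thread.

```python
"""Which IS-IS PDUs a given key chain actually authenticates, and why an LSP can
fail while the adjacency stays up. Added example; PDU layouts per ISO 10589 /
RFC 1195, HMAC-MD5 Type 10 TLV per RFC 5304; keys and PDUs are constructed."""
import hmac

# PDU type (low 5 bits of common-header byte 4) -> (name, length of the type-specific
# header after the 8-byte common header, auth scope per Adam's list, PDU Length offset)
PDU_TYPES = {
    15: ("L1 LAN IIH", 19, "interface", 17),
    16: ("L2 LAN IIH", 19, "interface", 17),
    17: ("P2P IIH", 12, "interface", 17),
    18: ("L1 LSP", 19, "area", 8),
    20: ("L2 LSP", 19, "domain", 8),
    24: ("L1 CSNP", 25, "area", 8),
    25: ("L2 CSNP", 25, "domain", 8),
    26: ("L1 PSNP", 9, "area", 8),
    27: ("L2 PSNP", 9, "domain", 8),
}
AUTH_TLV, AUTH_CLEARTEXT, AUTH_HMAC_MD5 = 10, 1, 54

def build_pdu(pdu_type, body, tlvs):
    """Common header + type-specific header + TLVs, with PDU Length patched in."""
    name, body_len, _, len_off = PDU_TYPES[pdu_type]
    assert len(body) == body_len, name
    pdu = bytearray([0x83, 8 + body_len, 1, 0, pdu_type, 1, 0, 0]) + body
    for tlv_type, value in tlvs:
        pdu += bytes([tlv_type, len(value)]) + value
    pdu[len_off:len_off + 2] = len(pdu).to_bytes(2, "big")
    return bytes(pdu)

def find_auth_tlv(pdu):
    """(offset of the Authentication Value, auth type, value) of the first Type 10 TLV."""
    off = 8 + PDU_TYPES[pdu[4] & 0x1F][1]
    while off + 2 <= len(pdu):
        tlv_type, length = pdu[off], pdu[off + 1]
        if tlv_type == AUTH_TLV and length >= 1:
            return off + 3, pdu[off + 2], pdu[off + 3:off + 2 + length]
        off += 2 + length
    return None

def digest_input(pdu, value_off):
    """PDU as seen while the HMAC is computed (RFC 5304 section 3): Authentication Value
    zeroed; for LSPs also Remaining Lifetime and Checksum, which change in transit."""
    buf = bytearray(pdu)
    buf[value_off:value_off + 16] = bytes(16)
    if (pdu[4] & 0x1F) in (18, 20):
        buf[10:12] = b"\x00\x00"   # Remaining Lifetime
        buf[24:26] = b"\x00\x00"   # Checksum
    return bytes(buf)

def sign_hmac_md5(pdu_type, body, key, tlvs=()):
    """Emit a PDU whose first TLV is Type 10 / HMAC-MD5 over the whole PDU."""
    placeholder = (AUTH_TLV, bytes([AUTH_HMAC_MD5]) + bytes(16))
    pdu = build_pdu(pdu_type, body, [placeholder] + list(tlvs))
    value_off = 8 + PDU_TYPES[pdu_type][1] + 3     # TLV type, TLV length, auth type
    mac = hmac.new(key, digest_input(pdu, value_off), "md5").digest()
    return pdu[:value_off] + mac + pdu[value_off + 16:]

def verify(pdu, key_chains):
    """Check the Type 10 TLV against the chain for this PDU's scope, as IOS does:
    the interface chain covers IIHs only, the process-level chain covers L1/L2
    LSP, CSNP and PSNP. Returns (PDU name, scope, matching key or None)."""
    name, _, scope, _ = PDU_TYPES[pdu[4] & 0x1F]
    found = find_auth_tlv(pdu)
    if found is None:
        return name, scope, None
    value_off, auth_type, value = found
    for key in key_chains.get(scope, []):
        if auth_type == AUTH_CLEARTEXT and hmac.compare_digest(value, key):
            return name, scope, key
        if auth_type == AUTH_HMAC_MD5 and hmac.compare_digest(
                value, hmac.new(key, digest_input(pdu, value_off), "md5").digest()):
            return name, scope, key
    return name, scope, None          # what IOS logs as %CLNS-4-AUTH_FAIL

# Constructed sample: neighbor 0000.0000.0002 on a LAN.
SRC = bytes.fromhex("000000000002")
# LAN IIH: circuit type L1L2, source ID, holding time 30, PDU Length (patched later),
# priority 64, LAN ID (DIS system ID + pseudonode 01)
IIH_BODY = bytes([0x03]) + SRC + (30).to_bytes(2, "big") + bytes(2) + bytes([64]) + SRC + b"\x01"
# LSP: PDU Length (patched), Remaining Lifetime 1199, LSP ID 0000.0000.0002.00-00,
# sequence 4, checksum (left zero here), IS type L1L2
LSP_BODY = (bytes(2) + (1199).to_bytes(2, "big") + SRC + b"\x00\x00"
            + (4).to_bytes(4, "big") + bytes(2) + b"\x03")
# Our side: one key on the interface chain, a different key on the process-level chain
# (the process-level chain serves both the area and the domain scope).
CHAINS = {"interface": [b"hello-key"], "area": [b"lsp-key"], "domain": [b"lsp-key"]}

def demo():
    """Neighbor signs hellos with our interface key but signs LSPs with that same key
    instead of our process-level key: adjacency forms, LSP authentication fails."""
    hello = sign_hmac_md5(16, IIH_BODY, b"hello-key")
    lsp_ok = sign_hmac_md5(20, LSP_BODY, b"lsp-key")
    lsp_bad = sign_hmac_md5(20, LSP_BODY, b"hello-key")
    aged = bytearray(lsp_ok)                  # a transit router decremented the lifetime
    aged[10:12] = (1100).to_bytes(2, "big")
    return {"hello": verify(hello, CHAINS), "lsp_ok": verify(lsp_ok, CHAINS),
            "lsp_bad": verify(lsp_bad, CHAINS), "lsp_aged": verify(bytes(aged), CHAINS)}
```

The "lsp_bad" case is the pattern from this thread: hellos authenticate, the adjacency comes up, and only the LSPs log %CLNS-4-AUTH_FAIL, because the interface-level and process-level commands are checked against different chains. The "lsp_aged" case shows why RFC 5304 leaves Remaining Lifetime and Checksum out of the digest: a transit router that ages the LSP before flooding it must not break its authentication.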
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Neiberger
Sent: Monday, July 01, 2013 11:28 PM
To: daniel.dib at reaper.nu
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Finding source of ISIS authentication failure

Thanks!

On a related note, I'm stumped by the bewildering array of authentication
options and commands in 12.2. We know that some authentication problem
exists between this 7600 and another device but I don't know exactly what it
is.

We have the following on our interfaces:

isis authentication mode md5
isis authentication key-chain OurChain

It is my understanding that in IOS, this enables hello authentication only.
Not sure if that is even remotely correct.

We have the same thing under router isis:

router isis
 authentication mode md5
 authentication key-chain OurChain

I thought that this enabled area authentication in IOS, but I'm reading a
12.2 ISIS configuration guide that seems to indicate otherwise. So, I'm
confused. What exactly are we authenticating as currently configured? We do
not have an explicit area password or domain password set. It was my
assumption that the current config was doing hello and area authentication,
but the more I read, the more I realize that I don't know what IOS is doing
here.

Thanks!
John



On Mon, Jul 1, 2013 at 12:07 PM, <daniel.dib at reaper.nu> wrote:

> As pointed out to me by Ytti I was doing interface authentication and
> you are doing LSP authentication. I changed my lab and got the
> following debug from debug isis update-packets:
>
> ISIS-Upd: Rec L1 LSP 0000.0000.0002.00-00, seq 4, ht 1199,
> ISIS-Upd: from SNPA c201.22dc.0000 (FastEthernet0/0)
> %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
>
> So there you have the system ID, which was 0000.0000.0002 for my NET,
> which was 49.0001.0000.0000.0002
>
> This URL seems to explain it pretty well:
>
> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f36.shtml#tshoot
>
> Best regards,
>
> Daniel Dib
>
> CCIE #37149
>
> 2013-07-01 19:33 daniel.dib at reaper.nu wrote:
>
> > When testing on 12.4 code I get the following from debug isis
> > adj-packets and debug isis authentication information:
> >
> > ISIS-Adj: Rec L2 IIH from c201.0d84.0000 (FastEthernet0/0), cir type L1L2, cir id 0000.0000.0002.01, length 1497
> > ISIS-AuthInfo: Packet failed the md5 check, 1497 bytes, type 16
> > ISIS-Adj: Authentication failed
> >
> > So the MAC address and interface are recorded. Don't you have these debugs or do
> > your debugs not show this information?
> >
> > Best regards,
> >
> > Daniel Dib
> >
> > CCIE #37149
> >
> > 2013-07-01 18:31 John Neiberger wrote:
> >
> > > This box is running 12.2(33)SRC code. The TAC engineer and I haven't really
> > > found a good way to find what we're looking for. I have found some
> > > debugs that confirm that we're having an authentication problem but
> > > they also don't show the source of the problem. Not even an interface.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
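Added example, not from the thread: a small parser for the debug output Daniel quoted above ("debug isis adj-packets", "debug isis update-packets" and "debug isis authentication information"), which charges each failure line to the preceding "Rec ..." context so you get, per interface and source SNPA, how many hellos versus LSPs are failing, and therefore whether the interface-level or the process-level key chain is the one to look at. The line formats are taken from the thread; SAMPLE_LOG and the second neighbor on Fa0/1 are constructed.

```python
"""Attribute IS-IS authentication failures in IOS debug output to a neighbor, an
interface and a PDU class. Added example, not from the thread; line formats follow
the debug output quoted in the thread, and SAMPLE_LOG is constructed."""
import re
from collections import Counter

RE_IIH = re.compile(r"ISIS-Adj: Rec (L[12]) IIH from ([0-9a-f.]+) \(([^)]+)\)")
RE_UPD = re.compile(r"ISIS-Upd: Rec (L[12]) (LSP|CSNP|PSNP)(?: ([0-9a-f.]+-\d{2}))?")
RE_SNPA = re.compile(r"ISIS-Upd: from SNPA ([0-9a-f.]+) \(([^)]+)\)")
# One failure per PDU: count the Adj verdict and the CLNS syslog, not the
# ISIS-AuthInfo line that precedes the Adj verdict for the same hello.
RE_FAIL = re.compile(r"ISIS-Adj: Authentication failed|%CLNS-4-AUTH_FAIL")


def attribute_failures(log):
    """Counter of (interface, source SNPA, PDU kind, LSP ID or None) -> failures.
    Each failure is charged to the most recent 'Rec ...' context; for LSPs the SNPA
    and interface arrive on the following 'from SNPA' line."""
    failures = Counter()
    ctx = None
    for line in log.splitlines():
        if m := RE_IIH.search(line):
            ctx = {"kind": f"{m[1]} IIH", "snpa": m[2], "intf": m[3], "lspid": None}
        elif m := RE_UPD.search(line):
            ctx = {"kind": f"{m[1]} {m[2]}", "snpa": None, "intf": None, "lspid": m[3]}
        elif (m := RE_SNPA.search(line)) and ctx:
            ctx["snpa"], ctx["intf"] = m[1], m[2]
        elif RE_FAIL.search(line) and ctx:
            failures[(ctx["intf"], ctx["snpa"], ctx["kind"], ctx["lspid"])] += 1
            ctx = None
    return failures


def scope_for(kind):
    """Which configuration the router checked this PDU against (Adam's mapping)."""
    if kind.endswith("IIH"):
        return "interface: isis authentication key-chain"
    return "process: authentication key-chain under router isis"


def report(log):
    """Rows of (interface, SNPA, kind, LSP ID, count, scope), most failures first."""
    return [(intf, snpa, kind, lspid, n, scope_for(kind))
            for (intf, snpa, kind, lspid), n
            in sorted(attribute_failures(log).items(), key=lambda kv: -kv[1])]


# Constructed sample, modeled on the thread's debugs: one hello from c201.0d84.0000
# fails, the hello on Fa0/1 passes, and two LSPs flooded by c201.22dc.0000 fail.
SAMPLE_LOG = """\
ISIS-Adj: Rec L2 IIH from c201.0d84.0000 (FastEthernet0/0), cir type L1L2, cir id 0000.0000.0002.01, length 1497
ISIS-AuthInfo: Packet failed the md5 check, 1497 bytes, type 16
ISIS-Adj: Authentication failed
ISIS-Adj: Rec L2 IIH from c202.1a00.0000 (FastEthernet0/1), cir type L1L2, cir id 0000.0000.0003.01, length 1497
ISIS-Upd: Rec L1 LSP 0000.0000.0002.00-00, seq 4, ht 1199,
ISIS-Upd: from SNPA c201.22dc.0000 (FastEthernet0/0)
%CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
ISIS-Upd: Rec L1 LSP 0000.0000.0002.00-00, seq 5, ht 1199,
ISIS-Upd: from SNPA c201.22dc.0000 (FastEthernet0/0)
%CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
"""

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
```

Feed it the captured debug output (terminal monitor or the logging buffer) and the row with the highest count names the neighbor and the interface; the LSP ID additionally tells you which router originated the LSP, which on a LAN can differ from the SNPA that flooded it.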