ISIS Authentication

IOS2JUNOS Member Posts: 56
Working through the case study. The task for authentication says:
"All areas must use hello authentication based on md5 with a secret of jnx. The backbone area must also authenticate LSPs using a simple password of jnx"
The solution for this shows this config on R5:
level 2 {
    authentication-key "$9$jEkmTOBEhrv"; # SECRET-DATA
    authentication-type simple; # SECRET-DATA
}

There's also interface config:

interface all {
    level 1 disable;
    level 2 {
        hello-authentication-key "$9$5znCyrvMX-"; # SECRET-DATA
        hello-authentication-type md5; # SECRET-DATA
    }
}

I configured r3 with only the interface config and left out the Level2 simple auth, and the adjacency with R5 still shows up:

interface t1-5/0/0.0 {
    level 1 disable;
    level 2 {
        hello-authentication-key "$9$IuEhyKsYoaUH"; ## SECRET-DATA
        hello-authentication-type md5; ## SECRET-DATA
    }
}

So what's the purpose of doing L2 simple auth at the global level and doing md5 at the interface level? It seems to work just fine without the global L2 simple config.


Comments

  • IOS2JUNOS Member Posts: 56
    Even though 'show isis adj' shows the adjacency up, no routes are passing from r3 and r4 to r5. Once I added the level2 simple-auth to r3 and r4, routes are passing again.
  • Aldur Member Posts: 1,460
    This is a difference between LSP auth and hello auth. By applying the auth at the interface level you are doing hello auth, which is used to form ISIS neighbors. The auth outside of the interface, for instance at the level config, is LSP auth, which will authenticate your LS PDUs, which have all your IP route info.

    So what you saw is expected behavior in that your authentication at the hello level allowed the neighborship to form but the auth failure at the LSP level caused no IP info to be passed.

    HTH
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
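The behaviour described in this reply, as an added example that is not part of the original thread: a small Python model in which hellos and LSPs are checked against separate settings, using the Authentication TLV (code 10) with type 1 for a simple password and type 54 for HMAC-MD5. The router dictionaries, function names and stand-in PDU bytes are constructed for illustration, and treating a receiver with no authentication configured as accepting everything is an assumption of the model.

```python
import hashlib
import hmac

AUTH_TLV = 10                  # IS-IS Authentication TLV code
CLEARTEXT, HMAC_MD5 = 1, 54    # authentication type, first byte of the TLV value

def auth_tlv(auth, pdu):
    """Return the TLV 10 a sender appends to `pdu`, or b"" when auth is None."""
    if auth is None:
        return b""
    kind, secret = auth
    if kind == "simple":
        value = bytes([CLEARTEXT]) + secret.encode()
        return bytes([AUTH_TLV, len(value)]) + value
    # md5: HMAC-MD5 over the PDU with the 16-byte digest field zeroed.
    # (Real LSPs also zero checksum and remaining lifetime first; the
    # constructed PDUs below are opaque bytes, so that step is omitted.)
    header = bytes([AUTH_TLV, 17, HMAC_MD5])
    digest = hmac.new(secret.encode(), pdu + header + bytes(16), hashlib.md5).digest()
    return header + digest

def accepts(receiver_auth, pdu, tlv):
    """Receiver-side check: recompute the TLV with the local setting and compare."""
    if receiver_auth is None:
        return True  # assumption: no auth configured means no check is made
    return hmac.compare_digest(tlv, auth_tlv(receiver_auth, pdu))

def delivered(sender, receiver, kind):
    """True if `receiver` accepts a hello or LSP (`kind`) sent by `sender`."""
    pdu = b"constructed-" + kind.encode() + b"-pdu"   # stand-in PDU bytes
    return accepts(receiver[kind], pdu, auth_tlv(sender[kind], pdu))

def diagnose(local, remote):
    """Return (adjacency_up, remote_accepts_local_lsps)."""
    adjacency = delivered(local, remote, "hello") and delivered(remote, local, "hello")
    return adjacency, adjacency and delivered(local, remote, "lsp")

# Settings from the thread: secret "jnx", md5 hellos, simple LSP auth at level 2.
R5 = {"hello": ("md5", "jnx"), "lsp": ("simple", "jnx")}
R3_HELLO_ONLY = {"hello": ("md5", "jnx"), "lsp": None}
R3_COMPLETE = {"hello": ("md5", "jnx"), "lsp": ("simple", "jnx")}

if __name__ == "__main__":
    print("r3 hello-only:", diagnose(R3_HELLO_ONLY, R5))  # (True, False)
    print("r3 complete:  ", diagnose(R3_COMPLETE, R5))    # (True, True)
```

The first result matches the symptom in the thread: the adjacency is up while R5 discards R3's LSPs, so checking adjacency state alone does not confirm that LSP authentication is consistent.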
  • IOS2JUNOS Member Posts: 56
    Aldur wrote: »
    This is a difference between LSP auth and hello auth. By applying the auth at the interface level you are doing hello auth, which is used to form ISIS neighbors. The auth outside of the interface, for instance at the level config, is LSP auth, which will authenticate your LS PDUs, which have all your IP route info.

    So what you saw is expected behavior in that your authentication at the hello level allowed the neighborship to form but the auth failure at the LSP level caused no IP info to be passed.

    HTH

    Thanks for the explanation!!
  • clued Registered Users Posts: 5
    A bit different question on the same topic. JNCIP book, ISIS chapter,

    the task is to "Backbone area authenticates both hello and LSP exchanges using MD5 with a key value of jni."

    Then the author provides configs where he adds both level2 authentication and interface hello authentication on L2 routers. I just cannot understand why I would want to configure both when level-wide authentication completely satisfies the requirements; all hello TLVs are being authenticated with the same TLV#10 along with all other ISIS PDUs. So am I missing something, or is there a misconception in the book?