Dec 13 2008
ISIS Security
ISIS uses four types of packets: hellos, LSPs, CSNPs and PSNPs. The different authentication methods insert passwords into different packets, and some of the methods allow MD5 as well as clear text authentication. The five password configuration options for ISIS are as follows:
1-area-password
2-domain-password
3-authentication key-chain
4-isis authentication key-chain
5-isis password
Both the area-password and domain-password options insert a clear text password into LSPs, CSNPs and PSNPs. However, the area-password only inserts a password into level-1 LSPs, CSNPs and PSNPs, and the domain-password only inserts a password into level-2 LSPs, CSNPs and PSNPs. Both commands are applied in router configuration mode. Neither command inserts a password into the ISIS hello packet.
Click here to see a Level-1 capture using the area-password
Click here to see a Level-2 capture using the domain-password
Options 3 and 4 above, i.e. authentication key-chain and isis authentication key-chain, give the user the option of using either clear text or MD5 authentication. The fundamental difference between them is that the former is applied in router configuration mode and inserts a password into all LSPs, CSNPs and PSNPs, whereas the latter is applied at the interface level and only inserts a password into hello packets.
Click here to see a capture using a clear text authentication key (router configuration mode)
Click here to see a capture using an MD5 authentication key (router configuration mode)
Click here to see a capture using a clear text isis authentication key (interface configuration mode)
Option 5, i.e. the isis password, only provides for clear text authentication and is applied at the interface configuration level.
Click here to see a capture using the clear text isis password (interface configuration mode)
Now let's see what happens if we configure an MD5 authentication key-chain in router configuration mode and a clear text password in interface configuration mode using the isis authentication key-chain command. We will use the syntax below.
Authentication key-chain under router configuration mode:

key chain ZARAR
 key 1
  key-string ZARAR
!
router isis
 authentication mode md5
 authentication key-chain ZARAR

isis authentication key-chain under interface configuration mode:

key chain ZARAR-OVERRIDE
 key 1
  key-string ZARAR-OVERRIDE
!
interface FastEthernet1/0
 isis authentication mode text
 isis authentication key-chain ZARAR-OVERRIDE
As you can see from the Wireshark capture, all the level-1 LSPs and CSNPs are using MD5 authentication, and all level-1 hellos are using the clear text password ZARAR-OVERRIDE. This is consistent with the router-level key-chain never touching hellos: the interface-level command is the only one that decides how the hellos are authenticated.
Click here to see wireshark capture of the above configuration.
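The check the captures above make by eye, which PDU types carry an Authentication TLV and of which kind, can be automated. The following is an added example written for this page, not code from the original post or from Cisco: a small Python auditor that classifies IS-IS PDUs by type, pulls out the Authentication TLV (type 10) and flags PDUs that are unauthenticated or carry a clear text password. It goes a little beyond the post by handling all nine PDU types, including level-2 and point-to-point hellos, and the "no TLV at all" case. Header offsets follow ISO 10589 for the default 6-octet system ID; the authentication-type octet values are 1 for clear text (ISO 10589), 54 for HMAC-MD5 (RFC 5304) and 3 for generic cryptographic authentication (RFC 5310). The sample PDUs are constructed inline to mirror the mixed configuration above (MD5 on LSPs, CSNPs and PSNPs, clear text ZARAR-OVERRIDE on hellos); all function names are my own.

```python
"""Audit IS-IS PDUs for the type of authentication they carry.

Added example, not code from the original post. Offsets follow ISO 10589
for the default 6-octet system ID; the Authentication TLV is type 10 and
its first value octet gives the authentication type: 1 = clear text
(ISO 10589), 54 = HMAC-MD5 (RFC 5304), 3 = generic cryptographic
authentication (RFC 5310). All sample PDUs below are constructed inline.
"""

# PDU type (low 5 bits of common-header octet 4) -> name
PDU_NAMES = {
    15: "L1 LAN IIH", 16: "L2 LAN IIH", 17: "P2P IIH",
    18: "L1 LSP", 20: "L2 LSP",
    24: "L1 CSNP", 25: "L2 CSNP",
    26: "L1 PSNP", 27: "L2 PSNP",
}

# Fixed header length per PDU type, common 8-octet header included
HEADER_LEN = {
    15: 27, 16: 27, 17: 20,
    18: 27, 20: 27,
    24: 33, 25: 33,
    26: 17, 27: 17,
}

AUTH_TLV = 10
AUTH_TYPES = {1: "clear text", 3: "generic crypto", 54: "HMAC-MD5"}


def parse_tlvs(data):
    """Yield (type, value) pairs from the variable-length part of a PDU."""
    i = 0
    while i + 2 <= len(data):
        tlv_type, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        yield tlv_type, value
        i += 2 + length


def audit_pdu(pdu):
    """Return {'pdu': name, 'auth': kind or None} for one IS-IS PDU."""
    if len(pdu) < 8 or pdu[0] != 0x83:
        raise ValueError("not an IS-IS PDU (IRPD must be 0x83)")
    pdu_type = pdu[4] & 0x1F
    if pdu_type not in HEADER_LEN:
        raise ValueError("unsupported PDU type %d" % pdu_type)
    hdr_len = HEADER_LEN[pdu_type]
    if pdu[1] != hdr_len:
        raise ValueError("length indicator does not match the PDU type")
    auth = None
    for tlv_type, value in parse_tlvs(pdu[hdr_len:]):
        if tlv_type == AUTH_TLV and value:
            auth = AUTH_TYPES.get(value[0], "unknown(%d)" % value[0])
            break
    return {"pdu": PDU_NAMES[pdu_type], "auth": auth}


def find_weak(pdus):
    """Findings for PDUs with no Authentication TLV or a clear text one."""
    findings = []
    for pdu in pdus:
        result = audit_pdu(pdu)
        if result["auth"] is None:
            findings.append(result["pdu"] + ": no authentication TLV")
        elif result["auth"] == "clear text":
            findings.append(result["pdu"] + ": clear text password on the wire")
    return findings


# --- constructed sample data (mirrors the mixed configuration above) ---

def build_pdu(pdu_type, tlvs):
    """Constructed PDU: valid common header, zero-filled type-specific
    fields, then the given TLVs. Enough for the audit, not a usable PDU."""
    hdr_len = HEADER_LEN[pdu_type]
    common = bytes([0x83, hdr_len, 0x01, 0x00, pdu_type, 0x01, 0x00, 0x00])
    return common + bytes(hdr_len - 8) + tlvs


def clear_text_auth(password):
    """Authentication TLV carrying a clear text password (type octet 1)."""
    return bytes([AUTH_TLV, 1 + len(password), 1]) + password


def hmac_md5_auth():
    """Authentication TLV of type 54; the 16-octet digest is zeroed here
    because only the type octet matters to the audit."""
    return bytes([AUTH_TLV, 17, 54]) + bytes(16)


SAMPLE_PDUS = [
    build_pdu(15, clear_text_auth(b"ZARAR-OVERRIDE")),  # L1 hello: interface key chain, text
    build_pdu(18, hmac_md5_auth()),                      # L1 LSP: router key chain, md5
    build_pdu(24, hmac_md5_auth()),                      # L1 CSNP: router key chain, md5
    build_pdu(26, hmac_md5_auth()),                      # L1 PSNP: router key chain, md5
    build_pdu(20, bytes([1, 2, 1, 0x49])),               # L2 LSP with area TLV only, no auth
]

if __name__ == "__main__":
    for sample in SAMPLE_PDUS:
        print(audit_pdu(sample))
    print(find_weak(SAMPLE_PDUS))
    # -> ['L1 LAN IIH: clear text password on the wire', 'L2 LSP: no authentication TLV']
```

Run against a real capture, the PDU bytes would come from the IS-IS payload of each 802.2 frame (everything from the 0x83 IRPD octet onward); the auditor deliberately validates the length indicator against the PDU type so a mis-sliced frame fails loudly rather than being mis-classified.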
To summarize:

Method                   | Clear Text | MD5 | Password inserted into
                         |            |     | LSPs  | CSNPs | PSNPs | Hellos
area-password            | yes        | no  | yes   | yes   | yes   | no
domain-password          | yes        | no  | yes   | yes   | yes   | no
authentication-key       | yes        | yes | yes   | yes   | yes   | no
isis authentication-key  | yes        | yes | no    | no    | no    | yes
isis password            | yes        | no  | no    | no    | no    | yes

(area-password covers the level-1 LSPs, CSNPs and PSNPs and domain-password the level-2 ones, as described above.)
For further information please click the link below.
http://www.cisco.com/en/US/partner/docs/ios/iproute/command/reference/irp_is1.html#wp1012820
Oct 28, 2009 @ 14:46:45
Best site for ISIS authentication 101. Thanks!