The area-authentication-mode command configures IS-IS to authenticate the received Level-1 packets (LSPs and SNPs), according to the pre-defined authentication mode and password. You can also use this command to configure IS-IS to add authentication information to the Level-1 packets to be sent.
The undo area-authentication-mode command cancels the preceding configuration.
By default, the system neither encapsulates the generated Level-1 packets with authentication information nor authenticates the received Level-1 packets. Configuring authentication is recommended to ensure system security.
area-authentication-mode { simple { plain explicit-text | [ cipher ] explicit-cipher-text } | md5 { [ cipher ] explicit-cipher-text | plain explicit-text } } [ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-send-only ]
area-authentication-mode keychain keychain-name [ snp-packet { authentication-avoid | send-only } | all-send-only ]
area-authentication-mode hmac-sha256 key-id key-id { plain explicit-text | [ cipher ] explicit-cipher-text } [ snp-packet { authentication-avoid | send-only } | all-send-only ]
undo area-authentication-mode
| Parameter | Description | Value |
|---|---|---|
| simple | Specifies the password transmission mode as plain text. | - |
| plain | Indicates the password in explicit text. Only the explicit text password can be entered. The password in the configuration file is displayed in explicit text. NOTICE: If this parameter is set, the password is saved in the configuration file in plaintext, which brings security risks. Using the ciphertext mode is recommended. Change the password on a regular basis. | - |
| explicit-text | Specifies the authentication password in explicit text. | The value is a string of case-sensitive characters that can be letters or numbers. In simple authentication, the value is a string of 1 to 16 characters. In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters. |
| cipher | Indicates the password in ciphertext. The explicit text password or the ciphertext password can be entered. The password in the configuration file is displayed in ciphertext. IS-IS authentication is in ciphertext by default. | - |
| explicit-cipher-text | Specifies the authentication password in explicit text or ciphertext. A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext password is used for configuration restoration. The parameter value must be the same as the ciphertext password in the configuration file. | The value is a string of case-sensitive characters that can be letters or numbers. In simple authentication, the value is a string of 1 to 16 characters in explicit text, or a string of 32 or 48 characters in ciphertext. In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters in explicit text, or a string of 20 to 392 characters in ciphertext. |
| md5 | Indicates that the password is transmitted after being encrypted using MD5. | - |
| ip | Indicates the IP authentication password. | - |
| osi | Indicates the OSI authentication password. | - |
| snp-packet | Authenticates SNP packets. | - |
| authentication-avoid | Neither encapsulates the generated SNP packet with authentication information nor authenticates the received SNP packet. It encapsulates only the generated LSP packet with authentication information and authenticates the received LSP packet. | - |
| send-only | Encapsulates the generated LSP and SNP packet with authentication information, and authenticates the received LSP packet instead of the SNP packet. | - |
| all-send-only | Encapsulates authentication information to the generated LSP and SNP packet but does not check authentication information in the received LSP or SNP packet. | - |
| keychain keychain-name | Specifies the keychain that changes with time and is transmitted after being encrypted using MD5. | The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and spaces. However, when double quotation marks (") are used around the string, spaces are allowed in the string. |
| hmac-sha256 | Encapsulates generated packets with the HMAC-SHA256 authentication and a password encrypted by the HMAC-SHA256 algorithm and authenticates received packets. | - |
| key-id key-id | Indicates the key ID of the HMAC-SHA256 algorithm. | It is an integer ranging from 0 to 65535. |
Usage Scenario
The area-authentication-mode command is valid only on Level-1 or Level-1-2 routers.
Select the ip or osi authentication password according to the actual network environment.
Configuration Impact
After the area-authentication-mode command is run, IS-IS does not process Level-1 LSPs already in the local LSDB that fail authentication, or newly received Level-1 LSPs and SNPs that fail authentication; it discards them after they age out.
Precautions
If the password is set and osi and ip are not specified, the default parameter is osi.
The authentication takes effect only on the peer configured with authentication. A peer with no authentication configured can still receive LSP and SNP packets that carry the password.
If hmac-sha256 is specified, packets can be authenticated only when the key-id and password carried by the packet are the same as those configured on the remote end.
The characters %#%# are used as the prefix and suffix of existing passwords of variable length. Therefore, the characters %#%# cannot be configured together at the beginning or end of an explicit text password.
# Set the area authentication password as Admin-123 and the authentication mode as MD5.
<sysname> system-view
[sysname] isis 1
[sysname-isis-1] area-authentication-mode md5 Admin-123
# Set the area authentication password as Admin-123 and the authentication mode as HMAC-SHA256.
<sysname> system-view
[sysname] isis 1
[sysname-isis-1] area-authentication-mode hmac-sha256 key-id 2 Admin-123
# Set the area authentication mode to keychain, with the keychain named Admin-123.
<sysname> system-view
[sysname] isis 1
[sysname-isis-1] area-authentication-mode keychain Admin-123
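The HMAC-SHA256 example above uses key-id 2 and the password Admin-123; the receiving side accepts a packet only when both the key-id carried in the packet and the password match its own configuration. The following Python block is an added illustration of that check and is not code from this command reference or from the device software. It assumes the authentication TLV layout of RFC 5310 (TLV type 10, authentication type 3, a 2-byte key ID, then the HMAC computed with the digest field pre-filled with Apad), places the authentication TLV last in the PDU, and treats the rest of the PDU as opaque bytes (no checksum or lifetime zeroing).

```python
import hashlib
import hmac
import struct

AUTH_TLV_TYPE = 10        # IS-IS Authentication TLV
AUTH_TYPE_CRYPTO = 3      # generic cryptographic authentication (RFC 5310)
DIGEST_LEN = 32           # SHA-256 output length
APAD = bytes.fromhex("878FE1F3") * (DIGEST_LEN // 4)  # Apad fill for the digest field
TLV_LEN = 2 + 1 + 2 + DIGEST_LEN                     # type, length, auth type, key-id, digest

# Constructed sample: an opaque stand-in for a Level-1 LSP that has no auth TLV yet
SAMPLE_LSP = bytes.fromhex("831b0100120100") + b"constructed-L1-LSP-body"


def build_auth_tlv(pdu: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 authentication TLV to the PDU."""
    if not 1 <= len(key) <= 255:          # page: password is 1 to 255 characters
        raise ValueError("key must be 1 to 255 bytes")
    if not 0 <= key_id <= 65535:          # page: key-id is an integer 0 to 65535
        raise ValueError("key-id must be 0 to 65535")
    header = struct.pack("!BBBH", AUTH_TLV_TYPE, TLV_LEN - 2, AUTH_TYPE_CRYPTO, key_id)
    # The HMAC covers the PDU with the digest field holding Apad, not the digest itself
    digest = hmac.new(key, pdu + header + APAD, hashlib.sha256).digest()
    return pdu + header + digest


def verify_auth_tlv(pdu: bytes, configured_key_id: int, key: bytes) -> bool:
    """Receiver side: accept only if the carried key-id equals the configured
    key-id and the HMAC validates under the configured password."""
    if len(pdu) < TLV_LEN:
        return False
    body, header, digest = pdu[:-TLV_LEN], pdu[-TLV_LEN:-DIGEST_LEN], pdu[-DIGEST_LEN:]
    tlv_type, tlv_len, auth_type, key_id = struct.unpack("!BBBH", header)
    if (tlv_type, tlv_len, auth_type) != (AUTH_TLV_TYPE, TLV_LEN - 2, AUTH_TYPE_CRYPTO):
        return False
    if key_id != configured_key_id:       # key-id mismatch fails before any crypto
        return False
    expected = hmac.new(key, body + header + APAD, hashlib.sha256).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


if __name__ == "__main__":
    signed = build_auth_tlv(SAMPLE_LSP, 2, b"Admin-123")
    print("same key-id and password:", verify_auth_tlv(signed, 2, b"Admin-123"))
    print("key-id 3 on the remote end:", verify_auth_tlv(signed, 3, b"Admin-123"))
    print("different password:", verify_auth_tlv(signed, 2, b"Admin-124"))
```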