
isis authentication-mode

Function

The isis authentication-mode command configures an IS-IS interface to authenticate Hello packets using the specified mode and password, and to add the authentication information to the Hello packets it sends.

The undo isis authentication-mode command cancels the authentication and deletes the password at the same time.

By default, the password is not set and no authentication is performed. Configuring authentication is recommended to ensure system security.

Format

isis authentication-mode { simple { plain plain-text | [ cipher ] plain-cipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]

isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | [ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ send-only ]

undo isis authentication-mode [ level-1 | level-2 ]

undo isis authentication-mode keychain keychain-name [ level-1 | level-2 ] [ send-only ]

undo isis authentication-mode { simple { plain plain-text | cipher plain-cipher-text } | md5 { cipher plain-cipher-text | plain plain-text } } [ level-1 | level-2 ] [ ip | osi ] [ send-only ]

undo isis authentication-mode hmac-sha256 key-id key-id { plain plain-text | cipher plain-cipher-text } [ level-1 | level-2 ] [ send-only ]

Parameters

Parameter Description Value

simple

Indicates that the password is transmitted in simple text.

-

plain

Indicates the password in simple text. Only the simple text password can be entered. The password in the configuration file is displayed in simple text.

NOTICE:

When configuring an authentication password, select ciphertext mode. If you select explicit text mode, the password is saved in the configuration file in explicit text, which poses a high security risk. To ensure device security, change the password periodically.

-

plain-text

Specifies the authentication password in simple text.

The value is a string of case-sensitive characters that can be letters or numbers. In simple authentication, the value is a string of 1 to 16 characters. In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters.

cipher

Indicates the password in ciphertext. The explicit text password or the ciphertext password can be entered. The password in the configuration file is displayed in ciphertext. IS-IS authentication is in ciphertext by default.

-

plain-cipher-text

Specifies the authentication password in simple text or ciphertext.

A ciphertext password is a character string that is encrypted using a special algorithm. A ciphertext password is used for configuration restoration. The parameter value must be the same as the ciphertext password in the configuration file.

The value is a string of case-sensitive characters that can be letters or numbers. In simple authentication, the value is a string of 1 to 16 characters in simple text, or a string of 32 or 48 characters in ciphertext. In md5 or hmac-sha256 authentication, the value is a string of 1 to 255 characters in simple text, or a string of 20 to 392 characters in ciphertext.

md5

Specifies that the password is transmitted after being encrypted using MD5.

-

keychain keychain-name

Specifies the keychain that changes with time.

keychain-name specifies the name of the keychain. The value is a string of 1 to 47 case-insensitive characters.

level-1

Indicates the Level-1 authentication.

-

level-2

Indicates the Level-2 authentication.

NOTE:

The level-1 and level-2 parameters are valid only on the Ethernet interfaces. These interfaces must be enabled with IS-IS.

-

ip

Indicates the IP authentication password. This parameter cannot be configured when keychain authentication is used.

-

osi

Indicates the OSI authentication password. This parameter cannot be configured when keychain authentication is used.

-

send-only

Encapsulates sent Hello packets with authentication information and does not check the authentication information carried in received Hello packets.

-

hmac-sha256

Encapsulates generated packets with HMAC-SHA256 authentication information and a password encrypted using the HMAC-SHA256 algorithm, and authenticates received packets.

-

key-id key-id

Indicates the key ID of the HMAC-SHA256 algorithm.

It is an integer ranging from 0 to 65535.

Views

Ethernet interface view, Ethernet sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, Tunnel interface view, Loopback interface view, Dialer interface view, VLANIF interface view, Virtual-Template interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure network security, you can enable a router to authenticate the received packets based on the pre-defined authentication rule or add authentication information to the packets to be sent. Only the packets that pass the authentication can be forwarded on the network.

Using the isis authentication-mode command, you can configure the local node to discard all the Hello packets whose authentication passwords are different from the authentication password set using this command. You can also add the set authentication password to all the Hello packets sent by this node.

Precautions

If a broadcast interface is emulated as a P2P interface using the isis circuit-type command, or is then restored to a broadcast interface using the undo isis circuit-type command, the authentication configuration of the IS-IS area is restored to the default setting.

When the link type of the IS-IS interface is Level-1-2 and [ level-1 | level-2 ] is not set, the authentication mode and password apply to both Level-1 and Level-2 Hello packets.

If the password is set but neither ip nor osi is specified, osi is used by default.

If hmac-sha256 is specified, packets can be authenticated only when the key-id and password carried by the packet are the same as those configured on the remote end.

Characters %#%# are used as the prefix and suffix of existing passwords with variable lengths. Therefore, characters %#%# cannot be configured together at the beginning or end of a simple text password.

Example

# Set the authentication password "Huawei-123" in simple text for GigabitEthernet0/0/0.

<sysname> system-view
[sysname] interface GigabitEthernet 0/0/0
[sysname-GigabitEthernet0/0/0] isis authentication-mode simple Huawei-123

# Set the authentication password "Huawei-123" for GigabitEthernet0/0/0 and set the authentication mode to HMAC-SHA256.

<sysname> system-view
[sysname] interface GigabitEthernet0/0/0
[sysname-GigabitEthernet0/0/0] isis authentication-mode hmac-sha256 key-id 2 Huawei-123
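
A configuration audit built on the command format and precautions above, added here as an example and not part of the original reference: it parses saved interface configuration and reports the settings this page warns about. The sample configuration, the "isis enable 1" lines, the function names and the md5 remark are assumptions of the example.

```python
import re

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 isis enable 1
 isis authentication-mode simple plain Huawei-123
interface GigabitEthernet0/0/1
 isis enable 1
 isis authentication-mode md5 cipher %#%#CONSTRUCTED%#%# level-1 send-only
interface GigabitEthernet0/0/2
 isis enable 1
 isis authentication-mode hmac-sha256 key-id 2 cipher %#%#CONSTRUCTED%#%#
interface GigabitEthernet0/0/3
 isis enable 1
"""
AUTH_RE = re.compile(r"isis authentication-mode (simple|md5|keychain|hmac-sha256) (.+)")
NO_AUTH = "no Hello authentication configured (the default)"

def findings_for(mode, words):
    """Return findings for one authentication-mode command ([] means none)."""
    words = words[2:] if mode == "hmac-sha256" else words  # drop "key-id <key-id>"
    if mode != "keychain" and words and words[0] in ("plain", "cipher"):
        storage, opts = words[0], words[2:]   # keyword, password, then options
    else:
        storage, opts = "cipher", words[1:]   # cipher is the default storage
    findings = []
    if mode == "simple":
        findings.append("simple: password is transmitted in simple text")
    if mode == "md5":
        findings.append("md5: prefer hmac-sha256 (assessment added by this example)")
    if storage == "plain":
        findings.append("plain: password is stored in simple text in the configuration file")
    if "send-only" in opts:
        findings.append("send-only: received Hello packets are not checked")
    return findings

def audit(config):
    """Map each IS-IS-enabled interface to findings; assumes 'isis enable' comes first."""
    report, iface = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif iface and line.startswith("isis enable"):
            report[iface] = [NO_AUTH]
        elif iface in report and (m := AUTH_RE.fullmatch(line)):
            report[iface] = [f for f in report[iface] if f != NO_AUTH] + findings_for(m[1], m[2].split())
    return report
```

Calling audit(SAMPLE_CONFIG) returns an empty list for the HMAC-SHA256 interface and at least one finding for each of the other three.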
Copyright © Huawei Technologies Co., Ltd.