Cisco IOS Software Release 12.2(14)S
IS-IS HMAC-MD5 Authentication and Enhanced Clear Text Authentication
How to Configure IS-IS HMAC-MD5 Authentication or Enhanced Clear Text Authentication
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication
When you are migrating from the old clear text authentication to HMAC-MD5 authentication, after you
load the first router with an image that includes this feature, the router will continue to use the old clear
text authentication with other routers on the network.
Note
If you want HMAC-MD5 authentication, all routers in the authentication scope must have the new image
before HMAC-MD5 can be configured. The scope can be either a Level 1 or Level 2 domain.
Before you can configure authentication, you must decide whether to configure authentication for the
IS-IS instance or for individual IS-IS interfaces (both tasks are in this section).
Migrating from Old Clear Text Authentication to HMAC-MD5 Authentication for the IS-IS Instance
To achieve a smooth transition to authenticating IS-IS packets, perform the following steps in the order
shown. This requires moving from router to router and performing certain steps on each one before all
the steps are performed on any one router.
When you configure the MD5 authentication, the area-password and domain-password command
settings will be overridden automatically with the new authentication commands.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string text
6. exit
7. router isis area-tag
8. authentication send-only [level-1 | level-2]
Step 11
Command: isis authentication key-chain name-of-chain [level-1 | level-2]
Example: Router(config-if)# isis authentication key-chain multistate87723
Purpose: Enables MD5 authentication for an IS-IS interface.
• Refer to the key management feature, which is referenced in the “Related Documents” section.

Step 12
Command: Repeat Steps 10 and 11 on each router that will communicate.
Purpose: —

Step 13
Command: Router(config-if)# no isis authentication send-only
Example: Router(config-if)# no isis authentication send-only
Purpose: Specifies that MD5 authentication is performed on packets being sent and received on a specified IS-IS interface.

Step 14
Command: Repeat Step 13 on each router that will communicate.
Purpose: —
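A pre-check for Step 13, as an added example that is not part of the Cisco document: it reads saved configurations and reports why removing send-only is not yet safe for the group of routers. The router names, interface, key-string and sample configs are constructed; `isis authentication mode md5` is the IOS command that selects MD5 and does not appear in this excerpt; key-strings are assumed to be stored in clear text.

```python
import re

# Constructed sample configs (not from the page); key-strings stored in clear.
READY = """\
key chain multistate87723
 key 1
  key-string EXAMPLE-KEY
interface Ethernet0
 ip router isis
 isis authentication mode md5
 isis authentication key-chain multistate87723
 isis authentication send-only
"""
# R3 has only reached the send-only step.
NOT_READY = "interface Ethernet0\n ip router isis\n isis authentication send-only\n"
CONFIGS = {"R1": READY, "R2": READY, "R3": NOT_READY}

def sections(cfg, kind):
    """Map name -> indented body for each top-level '<kind> <name>' block."""
    pattern = rf"^{kind} (\S+)\n((?: .*\n)*)"
    return {m[1]: m[2] for m in re.finditer(pattern, cfg + "\n", re.M)}

def blockers(configs):
    """List reasons why removing send-only (Step 13) is not yet safe."""
    out, keys = [], set()
    for router, cfg in sorted(configs.items()):
        chains = sections(cfg, "key chain")
        for ifname, body in sorted(sections(cfg, "interface").items()):
            if "isis" not in body:          # interface does not run IS-IS
                continue
            chain = re.search(r"^ +isis authentication key-chain (\S+)", body, re.M)
            md5 = re.search(r"^ +isis authentication mode md5\b", body, re.M)
            if not (chain and md5):
                out.append(f"{router} {ifname}: MD5 mode or key chain not configured")
                continue
            secrets = re.findall(r"^ +key-string (.+)$", chains.get(chain[1], ""), re.M)
            if secrets:
                keys.add(frozenset(secrets))
            else:
                out.append(f"{router} {ifname}: key chain {chain[1]} has no key-string")
    if len(keys) > 1:                       # peers would reject each other's PDUs
        out.append("key-string differs between routers")
    return out

if __name__ == "__main__":
    print(blockers(CONFIGS) or "safe to remove send-only")
```

An empty result means every IS-IS interface in the set has MD5 mode, a key chain with a key-string, and the same key-string as its peers, so received packets will validate once send-only is removed.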