area-authentication-mode
Use area-authentication-mode to specify an area authentication mode and a key.
Use undo area-authentication-mode to restore the default.
Syntax
area-authentication-mode { { gca key-id { hmac-sha-1 | hmac-sha-224 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 } [ nonstandard ] | md5 | simple } { cipher | plain } string | keychain keychain-name } [ ip | osi ]
undo area-authentication-mode
Default
No area authentication mode or key is configured.
Views
IS-IS view
Predefined user roles
network-admin
Parameters
gca: Specifies the Generic Cryptographic Authentication (GCA) mode.
key-id: Uniquely identifies an SA in the range of 1 to 65535. The sender inserts the Key ID into the authentication TLV, and the receiver authenticates the packet by using the SA that is selected based on the Key ID.
hmac-sha-1: Specifies the HMAC-SHA-1 algorithm.
hmac-sha-224: Specifies the HMAC-SHA-224 algorithm.
hmac-sha-256: Specifies the HMAC-SHA-256 algorithm.
hmac-sha-384: Specifies the HMAC-SHA-384 algorithm.
hmac-sha-512: Specifies the HMAC-SHA-512 algorithm.
nonstandard: Specifies the nonstandard GCA mode.
md5: Specifies the MD5 authentication mode.
simple: Specifies the simple authentication mode.
cipher: Specifies a key in encrypted form.
plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 16 characters. Its encrypted form is a case-sensitive string of 33 to 53 characters.
keychain: Specifies the keychain authentication mode.
keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters.
ip: Checks IP-related fields in LSPs.
osi: Checks OSI-related fields in LSPs.
Usage guidelines
Area authentication enables IS-IS to discard routes from untrusted routers.
The key in the specified mode is inserted into all outbound Level-1 packets (LSP, CSNP, and PSNP) and is used to authenticate inbound Level-1 packets.
IS-IS keychain authentication can operate correctly only when the keys in the keychain use the HMAC-MD5 authentication algorithm.
Before IS-IS sends a Level-1 packet, it uses the valid send key obtained from the keychain to authenticate the packet. If no valid send key exists or the valid send key does not use the HMAC-MD5 algorithm, the authentication fails and the packet does not contain authentication information.
After IS-IS receives a Level-1 packet, it uses a valid accept key obtained from the keychain to authenticate the packet. If no valid accept key exists or all valid accept keys fail to authenticate the packet, the authentication fails and the packet is discarded.
Routers in an area must have the same authentication mode and key.
If neither ip nor osi is specified, OSI-related fields are checked.
When you specify the GCA mode, follow these guidelines:
If you do not specify the nonstandard keyword, the device can communicate only with devices that use the GCA mode.
If you specify the nonstandard keyword, the device can communicate only with devices that use the nonstandard GCA mode.
Examples
# Set the area authentication mode to simple, and set the plaintext key to 123456.
<Sysname> system-view
[Sysname] isis 1
[Sysname-isis-1] area-authentication-mode simple plain 123456
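The following Python checker is an added example, not part of the original command reference or the vendor's software. It parses candidate area-authentication-mode lines (for example from a change request) and checks them against the syntax and value ranges listed above. The names audit_line, GCA_ALGS, FLAGGED_MODES, and SAMPLE are hypothetical, the sample lines are constructed, and flagging the simple and md5 modes is an assumed local audit policy rather than a rule from this reference.

```python
# Algorithms and value ranges come from the Syntax and Parameters sections above.
GCA_ALGS = {"hmac-sha-1", "hmac-sha-224", "hmac-sha-256", "hmac-sha-384", "hmac-sha-512"}
# Assumed audit policy (not from the reference): modes a reviewer wants reported.
FLAGGED_MODES = {"simple", "md5"}
# Constructed sample lines for a stand-alone run.
SAMPLE = [
    "area-authentication-mode simple plain 123456",
    "area-authentication-mode gca 70000 hmac-sha-256 plain abc",
    "area-authentication-mode keychain kc1 ip",
]

def audit_line(line):
    """Parse one area-authentication-mode line; return (mode, findings)."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "area-authentication-mode":
        raise ValueError("not an area-authentication-mode command")
    mode, rest, findings = tok[1], tok[2:], []
    if mode == "gca":
        if not rest or not rest[0].isdecimal() or not 1 <= int(rest[0]) <= 65535:
            findings.append("key-id must be in the range 1 to 65535")
        if len(rest) < 2 or rest[1] not in GCA_ALGS:
            findings.append("unknown GCA algorithm")
        rest = rest[2:]
        if rest[:1] == ["nonstandard"]:
            findings.append("nonstandard GCA: peers must use nonstandard GCA too")
            rest = rest[1:]
    elif mode in FLAGGED_MODES:
        findings.append(f"mode '{mode}' flagged by audit policy")
    elif mode != "keychain":
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "keychain":
        if not rest or not 1 <= len(rest[0]) <= 63:
            findings.append("keychain-name must be 1 to 63 characters")
        rest = rest[1:]
    elif len(rest) < 2 or rest[0] not in ("cipher", "plain"):
        findings.append("expected { cipher | plain } string")
        rest = []
    else:
        # Plaintext keys are 1 to 16 characters, encrypted keys 33 to 53.
        lo, hi = (1, 16) if rest[0] == "plain" else (33, 53)
        if not lo <= len(rest[1]) <= hi:
            findings.append(f"{rest[0]} key length {len(rest[1])} outside {lo} to {hi}")
        rest = rest[2:]
    # Only an optional ip or osi keyword may follow the key or keychain name.
    if rest and rest not in (["ip"], ["osi"]):
        findings.append("unexpected trailing tokens: " + " ".join(rest))
    return mode, findings

if __name__ == "__main__":
    for cmd in SAMPLE:
        print(cmd, "->", audit_line(cmd))
```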
Related commands
area-authentication send-only
domain-authentication-mode
isis authentication-mode