From: Chuck Ryan (chryan@cisco.com)
Date: Thu Mar 10 2005 - 21:09:05 GMT-3
Roy,
Per Chapter 11, pages 604-605 in the "Troubleshooting IP Routing Protocols" 
book, there are a couple of ways to verify authentication failures:
1) show clns neighbors (you will see ES-IS adjacency instead of IS-IS 
adjacency)
2) debug isis adj-packets (should show you the following error message upon 
authentication failures "ISIS-ADJ: Authentication failed")
HTH,
Chuck
At 05:37 PM 3/10/2005, Roy Dempsey wrote:
>Thanks,
>
>Interesting email. Looks like there's nothing available for verifying
>interface level authentication....
>
>
>On Thu, 10 Mar 2005 12:58:07 -0500, ccie2be <ccie2be@nyc.rr.com> wrote:
> > I was just going through some old posts and noticed this one.
> >
> > *********************************************************************
> > Since area authentication adds a password to the LSPs in the level-1
> > database, that's where you can see it configured. As you can see this
> > router has area authentication configured:
> >
> > R5#sh run | b ^router isis
> > router isis
> > net 49.0001.5555.5555.5555.00
> > is-type level-1
> > area-password cisco
> >
> > Now when you look at the LSP for this router in the level-1 database you
> > can see that it has authentication configured:
> >
> > R5#sh isis database R5.00-00 level-1 detail
> >
> > IS-IS Level-1 LSP R5.00-00
> > LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
> > R5.00-00            * 0x000000D3   0xD475        896               0/0/0
> >  Auth:         Length: 6
> >  Area Address: 49.0001
> >  NLPID:        0xCC
> >  Hostname: R5
> >  IP Address:   133.1.1.5
> >  Metric: 10         IP 133.1.1.0 255.255.255.0
> >  Metric: 10         IP 133.1.2.0 255.255.255.0
> >  Metric: 10         IS R4.00
> >
> > There's a line saying 'Auth: Length: 6' which is not there when
> > authentication is not configured.
> >
> > In a similar way domain authentication is visible in the level-2
> > database with an extra TLV in the LSPs. Only for the interface level
> > authentication I have not been able to find a decent show command.
> >
> > Regards,
> >
> > Tom Lijnse
> > CCIE #11031
> > Global Knowledge Netherlands
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Roy
> > Dempsey
> > Sent: Thursday, March 10, 2005 12:49 PM
> > To: Cisco certification
> > Subject: ISIS MD5 authentication
> >
> > Hi,
> >
> > Is there a way to verify ISIS authentication? I'm testing key
> > chain authentication between 2 hosts which were working without it.
> > I've created a key chain and attached it to the interface using isis
> > authentication mode and isis authentication key-chain commands.
> >
> > The ISIS neighbors didn't go down, and are still adjacent. However I
> > don't see any mention of authentication when debugging adjacencies,
> > and I can't find a show command that mentions it.
> >
> > I'm sure there must be a way to verify it...
> >
> > Thanks
> > Roy
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:44 GMT-3
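
Added example (not part of the original thread or of any Cisco tooling): a small Python audit that applies the two checks discussed above to captured text, reporting which LSPs in "show isis database ... detail" output carry the 'Auth: Length' line and counting the "ISIS-ADJ: Authentication failed" debug message. The function names, the R4 entry and the debug sample are constructed for illustration; as the thread notes, the Auth line reflects area/domain passwords in LSPs, not interface-level authentication.

```python
import re

# LSP entry line in "show isis database ... detail" output, e.g.
# "R5.00-00            * 0x000000D3   0xD475        896               0/0/0"
LSP_ENTRY = re.compile(r"^(\S+\.\d{2}-\d{2})\s*\*?\s+0x[0-9A-Fa-f]+\s+0x[0-9A-Fa-f]+")
AUTH_TLV = re.compile(r"^\s*Auth:\s+Length:\s*(\d+)")
AUTH_FAIL = "ISIS-ADJ: Authentication failed"  # debug string quoted in the thread


def audit_lsp_auth(show_output):
    """Map each LSP ID to its Auth TLV length, or None when no Auth line follows it."""
    result, current = {}, None
    for line in show_output.splitlines():
        entry = LSP_ENTRY.match(line.strip())
        if entry:
            current = entry.group(1)
            result[current] = None
            continue
        auth = AUTH_TLV.match(line)
        if auth and current is not None:
            result[current] = int(auth.group(1))
    return result


def unauthenticated(show_output):
    """LSP IDs that were flooded without an authentication TLV."""
    return sorted(k for k, v in audit_lsp_auth(show_output).items() if v is None)


def count_auth_failures(debug_output):
    """Number of adjacency authentication failures in captured debug text."""
    return sum(AUTH_FAIL in line for line in debug_output.splitlines())


# R5 lines are taken from the thread; the R4 entry is constructed (no Auth line).
SAMPLE_SHOW = """\
IS-IS Level-1 LSP R5.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R5.00-00            * 0x000000D3   0xD475        896               0/0/0
  Auth:         Length: 6
  Area Address: 49.0001
R4.00-00              0x000000A1   0x1B2C        1012              0/0/0
  Area Address: 49.0001
"""
# Constructed debug capture: only the failure string itself comes from the thread.
SAMPLE_DEBUG = AUTH_FAIL + "\nconstructed unrelated line\n" + AUTH_FAIL + "\n"

if __name__ == "__main__":
    print(audit_lsp_auth(SAMPLE_SHOW), unauthenticated(SAMPLE_SHOW))
    print(count_auth_failures(SAMPLE_DEBUG))
```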