NTP authentication

mlopacinski
Level 1

Hello

On R1 I have:

ntp authentication-key 1 md5 Cisco

ntp authentication-key 2 md5 Cisco2

ntp trusted-key 1

ntp server 1.1.1.1 key 1

Router R2 with enabled authentication is connecting to R1 as a client.

What keys will R1 use to sign replies to R2? Are the key numbers globally significant (like in EIGRP chain)? How does R1 choose how to sign replies?

Thanx

9 Replies

Edison Ortiz
Hall of Fame

R1 will use key 1 since you have key 1 as part of the 'ntp server' command.

HTH,

__

Edison.

But R2 is a client for R1 - not a server!

Command "ntp server" on R1 configures its connection to the server (R3) - not the client. And I am asking about authentication used for clients.

Could you clarify ?

You've only shown the portion of the config from R1 and based on this config, R1 is getting its time from 1.1.1.1.

The 'ntp server 1.1.1.1' command won't make R1 the server. On Cisco routers, you can make a device an NTP server by getting its time from an authoritative NTP server or by entering the 'ntp master' command.

http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_10.html#wp1014092

In short, based on your configuration - R1 is configured as a client to server 1.1.1.1 and 1.1.1.1 can't be R1.

HTH,

__

Edison.

Sorry, I will post more configs:

R1:

ntp authentication-key

ntp authentication-key 1 md5 Cisco

ntp authentication-key 2 md5 Cisco2

ntp trusted-key 1

ntp server 1.1.1.1 #point to R3

R3:

ntp master

R2:

ntp authentication-key

ntp authentication-key 1 md5 Cisco

ntp trusted-key 1

ntp server 2.2.2.2 key 1 #point to R1

So R1 gets its time from R3 without authentication. But what about R2 getting its time from R1? We do not configure clients on the NTP server. How will R1 know which key it should use when returning a response to R2?

Is the key number globally significant? Or will R1 return a response to R2 signed by all possible keys?

Could you describe how R1 processes the request from R2?

Thanx

On R1, you've configured to trust key 1. This means R1 will use 'md5 Cisco' for clients trying to authenticate.

http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_10.html#wp1015038

On R2, you've configured 'md5 Cisco' for key 1 authentication and you've also added key 1 as part of the 'ntp server' command so R2 will use 'md5 Cisco' to authenticate to R1 and R1 will use no authentication to obtain time from R3.

HTH,

__

Edison.

You said that: "On R1, you've configured to trust key 1. This means R1 will use 'md5 Cisco' for clients trying to authenticate".

What if on R1 I configure trust key 1 and trust key 2 and trust key 3? Will R1 send three replies for each client?

Thanx

R1 would accept authentication from NTP clients that matches any of the configured keys.

One thing I noticed that is missing in your config, 'ntp authenticate' command.

http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_10.html#wp1013299

At the moment, authentication isn't taking place.

HTH,

__

Edison.

You said: "R1 would accept authentication from NTP clients that matches any of the configured keys."

So - this means that the client sending a request to the server sends a key hash which is compared with all the hashes on the server? And then the server responds once with the key that matches? Could you describe what information the client sends in the request (key or hash), what comparison is done on the server and what information is returned to the client?

Yes, the clients send the authentication-key information in MD5 format and the server simply accepts it.

If you want to see the type of information being sent or received between devices, I recommend configuring it in a lab and issuing the 'debug ntp authentication' command.

HTH,

__

Edison.
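An added example (not part of the thread and not Cisco's code) of the NTP symmetric-key exchange asked about above, as the protocol defines it: the request carries a 32-bit key ID plus an MD5 digest over the secret and the NTP header, and the server looks up that key ID and signs a single reply with the same key. The key tables mirror the configs posted for R1 and R2; the zeroed header, the function names and the silent drop on failure are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed key tables mirroring the thread's configs (key ID -> secret).
R1_KEYS = {1: b"Cisco", 2: b"Cisco2"}
R1_TRUSTED = {1}
R2_KEYS = {1: b"Cisco"}


def ntp_header(mode: int) -> bytes:
    """Constructed 48-byte NTP header: LI=0, VN=3, given mode, rest zeroed."""
    return bytes([(3 << 3) | mode]) + bytes(47)


def add_mac(header: bytes, key_id: int, secret: bytes) -> bytes:
    """Append the key ID (4 bytes, big-endian) and MD5(secret || header)."""
    digest = hashlib.md5(secret + header).digest()
    return header + struct.pack("!I", key_id) + digest


def check_mac(packet: bytes, keys: dict, trusted: set):
    """Return the key ID if the MAC verifies with a trusted key, else None."""
    if len(packet) != 48 + 4 + 16:
        return None  # no MAC present, or malformed
    header, mac = packet[:48], packet[48:]
    (key_id,) = struct.unpack("!I", mac[:4])
    secret = keys.get(key_id)
    if secret is None or key_id not in trusted:
        return None  # unknown or untrusted key number
    expected = hashlib.md5(secret + header).digest()
    return key_id if hmac.compare_digest(expected, mac[4:]) else None


def server_reply(request: bytes, keys: dict, trusted: set):
    """Verify the request, then sign one reply with the same key ID."""
    key_id = check_mac(request, keys, trusted)
    if key_id is None:
        return None  # simplification: this sketch sends nothing back
    return add_mac(ntp_header(mode=4), key_id, keys[key_id])
```

The key number travels in the packet, so it has to match on both ends along with the secret; the secret itself is never sent, only the digest.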
