07-06-2009 12:33 PM - edited 03-10-2019 04:41 AM
Hi,
I am new to the IDS environment; we are planning to configure an NTP server on the IDS 4215 box.
I have a completed command set for the same as mentioned below.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# ntp-option enable
sensor(config-hos-ena)# ntp-servers ip_address key-id key_ID
Now the problem for me is I don't have the key-id and key-value for my NTP server.
Can someone help me configure NTP without the key-id information?
07-06-2009 12:46 PM
What sensor version are you running?
Older sensor versions will require you to set up keys for your ntp server. You would need to work with the network administrator who set up the ntp server to see if keys have already been created that you can use, or if new keys would need to be created.
NEWER sensor versions, however, provide a new configuration option:
sensor(config-hos)# ntp-option enabled-ntp-unauthenticated
This new unauthenticated option only requires the ntp server IP and works with ntp servers that allow unauthenticated access (which is the most common deployment).
07-06-2009 12:54 PM
Hi,
Thanks for your quick response.
Below is the version we are running on the box.
Cisco Intrusion Prevention System, Version 5.1(8)E3
Unfortunately, I am not finding that command syntax in my IOS code.
Is there any alternative for my existing code?
07-06-2009 01:28 PM
Unfortunately 5.1(8)E3 is pretty old and doesn't support unauthenticated ntp.
The 5.1 train has been End Of Saled, and is quickly approaching End Of Life/ End Of Signature Support:
Last date for Signatures for the 5.1 version is Oct 24th of this year.
So you only have around 4 months left before you would be forced to upgrade to 6.0 in order to continue getting signature updates.
The 4215 is also End Of Saled, but its End Of Signature Support is not until July 29th 2011.
Version 6.0 is the last version to support the IDS-4215, so Signature Updates for 6.0 for the IDS-4215 will continue until at least July 29th 2011.
So if you upgrade to 6.0 now, you will still have 2 more years of signature updates before you need to purchase a new sensor.
The 6.0(5)E3 version does support the unauthenticated ntp option.
So you will want to plan an upgrade to 6.0 sometime in the next 4 months.
In the meantime you will need to use key authenticated ntp.
If you have access to a router you could try using the router as a temporary in-between server.
The router would be configured to get its time from your existing ntp server. Talk to your network administrator on how to set this up.
Then configure the router to also be an ntp server with an authenticated key.
Here is a section of the CLI Guide explaining how to set up the router as a key authenticated ntp server:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1035649
The sensor would be configured to use the router as the ntp server using that key.
This would be a temporary workaround until you can get upgraded to 6.0.
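Added example, not part of the original post and not Cisco code: a Python sketch of NTP symmetric-key (MD5) authentication as described in RFC 5905, showing why the sensor needs both the key-id and the key value that the NTP server (or the in-between router) is configured with. The key ID 100 and the key strings are constructed sample values.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header size in bytes
MAC_LEN = 4 + 16      # 32-bit key ID followed by a 128-bit MD5 digest

def client_request(version=3):
    """Build a minimal NTP client request (LI=0, VN=version, Mode=3)."""
    first_byte = (0 << 6) | (version << 3) | 3
    return bytes([first_byte]) + bytes(NTP_HEADER_LEN - 1)

def sign(packet, key_id, key):
    """Append the MAC: key ID plus MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def verify(message, keyring):
    """Check a received message against the local key table.

    keyring maps key ID -> key bytes, i.e. the key-id/key-value pairs
    configured on the receiving side.
    """
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return "unauthenticated-or-malformed"
    header, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keyring.get(key_id)
    if key is None:
        return "unknown-key-id"      # peer used an ID we have no key for
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison of the digests
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad-digest"

if __name__ == "__main__":
    # Constructed sample values: server side holds key 100
    server_keys = {100: b"constructed-sample-key"}
    msg = sign(client_request(), 100, b"constructed-sample-key")
    print(verify(msg, server_keys))                        # matching pair
    print(verify(msg, {100: b"some-other-value"}))         # same ID, wrong value
    print(verify(msg, {7: b"constructed-sample-key"}))     # value right, ID wrong
    print(verify(client_request(), server_keys))           # no MAC at all
```

Both halves of the pair have to match on each side: the key ID only selects which secret to use, and the digest only verifies if that secret is identical.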
07-06-2009 02:26 PM
Awesome,
Thanks for all your support.