Cisco Support Community
New Member

NTP authent

Hello all,

I have a question: can somebody please explain to me why authentication is done after I add "key 1" to the "ntp server X.X.X.X" command on R2, as highlighted below? Before this command I did not see the word "authenticated" in #sh ntp assoc det.

Router2#sh run | i ntp

ntp authentication-key 1 md5 104D000A061843595F 7

ntp authenticate

ntp trusted-key 1

ntp server 10.10.10.1 key 1

Thank you

7 REPLIES

Re: NTP authent

Hi Michal,

I've had the exact issue last time and someone answered me on this thread

https://supportforums.cisco.com/message/3611572#3611572

Are you also going for your IINS?

Sent from Cisco Technical Support iPhone App

New Member

NTP authent

I saw this thread, but there is no explanation of why I have to put the key for each server if global authentication is enabled.

New Member

Re: NTP authent

Hi All,

Because NTP authentication works in a different manner, as the client is the one authenticating the server.

So you need to tell the client which key to use when authenticating a server.

Regards.

New Member

NTP authent

Thank you for your reply, and can you also tell me please why NTP is working in case I do not put

ntp server 10.10.10.1 key 1 ?

New Member

NTP authent

Hi Michal,

Because if you configured only

ntp server 10.10.10.1

this means that you don't need the client to authenticate the server, so the client will be able to synchronize with any NTP server (as the client is the side which enforces the authentication, NOT the server),

which means that the server can serve many clients (with and without authentication) simultaneously. But for the clients which require authentication the server must have a matched key configured, and for other clients it doesn't matter if the server has authentication keys configured or not.

If you need to restrict the server to serve some customers, use the serve-only ACL, and for the client to authenticate from specific servers, use the peer ACL.

I hope that I covered your questions.

Feel free to discuss.

Regards.
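
The client-side decision described in the answer above, as an added example that is not part of the original thread and is not Cisco IOS code. It is a simplified Python model using the RFC 5905 symmetric-key MAC layout (4-byte key ID followed by MD5 over the secret and the 48-byte header); the `Client` class, the secret and the sample header are constructed for illustration.

```python
import hashlib
import hmac
import struct

def ntp_mac(key_id: int, secret: bytes, header: bytes) -> bytes:
    """Symmetric-key NTP MAC: 4-byte key ID + MD5(secret || 48-byte header)."""
    return struct.pack("!I", key_id) + hashlib.md5(secret + header).digest()

class Client:
    """Simplified model of the client's accept/reject decision (assumption)."""

    def __init__(self, keys, trusted, server_key=None):
        self.keys = keys              # key ID -> secret ("ntp authentication-key")
        self.trusted = trusted        # set of key IDs ("ntp trusted-key")
        self.server_key = server_key  # "key N" on the "ntp server" line, or None

    def accept(self, packet: bytes) -> str:
        header, mac = packet[:48], packet[48:]
        # No key bound to this server: the client never checks a MAC,
        # so any responder at that address is accepted.
        if self.server_key is None:
            return "accepted (unauthenticated)"
        if len(mac) != 20:
            return "rejected (no MAC)"
        key_id = struct.unpack("!I", mac[:4])[0]
        if (key_id != self.server_key or key_id not in self.trusted
                or key_id not in self.keys):
            return "rejected (key not trusted)"
        expected = ntp_mac(key_id, self.keys[key_id], header)
        # Constant-time comparison of the received and expected MAC.
        if not hmac.compare_digest(mac, expected):
            return "rejected (bad MAC)"
        return "accepted (authenticated)"

# Constructed sample data: LI=0, VN=4, Mode=4 (server) header, zeroed body.
HEADER = bytes([0x24]) + bytes(47)
SECRET = b"example-secret"

if __name__ == "__main__":
    good = HEADER + ntp_mac(1, SECRET, HEADER)
    spoofed = HEADER + ntp_mac(1, b"wrong-secret", HEADER)
    plain = Client({1: SECRET}, {1})                 # ntp server 10.10.10.1
    keyed = Client({1: SECRET}, {1}, server_key=1)   # ntp server 10.10.10.1 key 1
    for name, pkt in (("no MAC", HEADER), ("spoofed", spoofed), ("good", good)):
        print(f"{name:8} plain={plain.accept(pkt)!r} keyed={keyed.accept(pkt)!r}")
```

Only the association with a key bound to it rejects the unauthenticated and wrongly keyed replies; the association without a key accepts all three.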

New Member

NTP authent

Thank you very much for the clear explanation. Can you advise me on some book or Cisco material, please? I have tried to find something where NTP is covered in detail, but was unsuccessful.

New Member

NTP authent

Hi Michal,

You can read the "Hardening Cisco Routers" book as a start, then try to read Cisco's white papers for more details if you want.

Thanks
