New Member

NTP Authentication

Hi All,

I want to synchronize the time on a couple of my routers. On the NTP server I use:

clock timezone EST 0

clock summer-time EST recurring

ntp authentication-key 1 md5 075E751D6B594B5532435F5D50780D77716065 7

ntp authenticate

ntp trusted-key 1

ntp master 6

on the client side, after I configured "ntp server <ntpsvr-ip>", it synchronized with server automatically.

Could you tell me if it is normal or maybe I made some mistakes. I know I should put some NTP authentication commands on the client. But it seems to be working.

Thanks in advance

Banlan

4 REPLIES
New Member

Re: NTP Authentication

NTP authentication is merely an MD5 checksum that's forwarded as part of the NTP packet.

If you want the client to authenticate the server you'll need to add the same authentication lines on the client side, telling the client to authenticate the packets received from the server:

ntp authentication-key 1 md5 075E751D6B594B5532435F5D50780D77716065 7

ntp authenticate

ntp trusted-key 1

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/fcfprt3/fcf012.htm#1001202

Bronze

Re: NTP Authentication

I have the same question and I don't understand this answer. If you tell one side to authenticate, why doesn't the other have to be configured? I have 3 routers: r4 is the time master, r2 and r5 are clients. I configured r2 to authenticate and did not on r5. r4 is the server and is not configured to authenticate. Both r2 and r5 are sync'd. I don't understand why.

***************************************

hostname r4

!

clock timezone CDT -6

clock summer-time CDT recurring

!

ntp master

end

**************************************

hostname r2

clock timezone CDT -6

clock summer-time CDT recurring

!

ntp authentication-key 1 md5 0508050624 7

ntp authenticate

ntp clock-period 17179851

ntp server 10.1.1.4

end

r2#

r2# sh ntp stat

Clock is synchronized, stratum 9, reference is 10.1.1.4

nominal freq is 250.0000 Hz, actual freq is 250.0002 Hz, precision is 2**18

reference time is C2BDCD24.5304CB11 (19:45:24.324 CDT Mon Jul 14 2003)

clock offset is -1.4181 msec, root delay is 51.32 msec

root dispersion is 876.56 msec, peer dispersion is 875.11 msec

r2# sh ntp assoc

address ref clock st when poll reach delay offset disp

*~10.1.1.4 127.127.7.1 8 33 64 37 51.3 -1.42 875.1

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

r2#

******************************************

hostname r5

!

clock timezone CDT -6

clock summer-time CDT recurring

!

ntp server 10.1.1.4

end

r5#sh ntp sta

Clock is synchronized, stratum 9, reference is 10.1.1.4

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19

reference time is C2BDCDB9.863F12C7 (19:47:53.524 CDT Mon Jul 14 2003)

clock offset is -1.1192 msec, root delay is 94.30 msec

root dispersion is 3.88 msec, peer dispersion is 2.72 msec

r5#sh ntp assoc

address ref clock st when poll reach delay offset disp

*~10.1.1.4 127.127.7.1 8 36 128 377 94.3 -1.12 2.7

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

r5#

New Member

Re: NTP Authentication

According to Jeff Doyle "Routing TCP/IP Vol II" the commands:

ntp authenticate

ntp authentication-key md5

globally enable NTP authentication and define the keys which are sent in the NTP packets. This must be enabled on both server and client.

For the client router to actually USE the keys you use the commands:

ntp trusted-key

ntp server key

Try adding the following to r2's config:

ntp trusted-key 1

ntp server 10.1.1.4 key 1

Given the above, authentication on r2 should then fail, and it should drop the association with r4 until you configure r4 with:

ntp authentication-key 1 md5 0508050624 7

ntp authenticate

You should be able to track it using "debug ntp packet", including which key numbers are sent.

Bronze

Re: NTP Authentication

Thanks for the response.

I added the

ntp authentication-key 1 md5 0508050624 7

ntp authenticate

statements (with my key) to r4 and r2 sync'd up. But r5 didn't lose sync. I rebooted r5 since I have not found any commands to clear sync, and it sync'd again when it came up.

I think I'm starting to understand why. The server will talk to anyone; it's up to the client to decide to use the authentication to identify the server they are getting time from, but they don't have to. Does that sound right?
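The behaviour discussed in this thread, as an added Python example that is not from any poster or from Cisco: a simplified model of the NTP symmetric-key check, where the reply carries a 4-byte key ID followed by MD5(key || header) and the client only verifies it when a key is bound to that server. The names build_reply and client_accepts, the key value and the zeroed header fields are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48        # fixed NTP header
MAC_LEN = 4 + 16           # 32-bit key ID + 128-bit MD5 digest
KEY = b"constructed-secret"  # constructed sample key, not from the thread


def build_reply(key_id=None, key=None):
    """Server side: build a mode-4 NTP header, optionally followed by a MAC."""
    # LI=0, VN=3, Mode=4 (server); stratum 8; poll 6; precision -18
    header = struct.pack("!BBbb", (0 << 6) | (3 << 3) | 4, 8, 6, -18)
    header += bytes(NTP_HEADER_LEN - len(header))  # remaining fields zeroed
    if key_id is None:
        return header                              # r4 with no auth configured
    digest = hashlib.md5(key + header).digest()    # MD5(key || header)
    return header + struct.pack("!I", key_id) + digest


def client_accepts(packet, keys, trusted, server_key=None):
    """Client side (simplified policy).

    keys       -- {key_id: secret}, like 'ntp authentication-key'
    trusted    -- set of key IDs, like 'ntp trusted-key'
    server_key -- key ID bound to this server ('ntp server ... key N'),
                  or None when the server line carries no key
    """
    if server_key is None:
        # No key bound to the server: the MAC, if any, is never checked.
        return len(packet) >= NTP_HEADER_LEN
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False                               # reply carries no MAC
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id != server_key or key_id not in trusted or key_id not in keys:
        return False
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])
```

A client that defines keys but binds none to the server (r2's first configuration) takes the same path as r5: the unauthenticated reply is accepted.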
