Trouble with NTP authentication

I'm having problems getting NTP authentication to work properly. Router One is my NTP master and has the following configuration:

ntp authentication-key 1 md5 secret
ntp authenticate
ntp trusted-key 1
ntp master

Router Two has the following configuration:

ntp server 192.168.1.1 (the IP address of Router One)

The trouble is that it always properly syncs, even though there is no authentication information on Router Two - but I only want authenticated routers to sync.

1 REPLY
Anonymous
N/A

Re: Trouble with NTP authentication

The NTP seems to be operating normally.

"If we are running in authenticated mode, we only trust frames which have authentication attached, which are validated and which are using one of our trusted keys. We respond to all other pollers without saving any state. If a host we are passively peering with changes his key from a trusted one to an untrusted one, we immediately unpeer with him, reselect the clock and treat him as an unmemorable client. If a similar event occurs with a configured peer we drop the frame and hope he'll revert to our key again. If we get a frame which can't be authenticated with the given key, we drop it."

So the server is protected against unsynced time by an untrusted host peer, and if you want the server to drop NTP packets from other hosts, you might try putting a key at the end of the ntp server statement.

ntp server 192.168.1.1 key 1

Hopefully the NTP master would drop any frame from any host that has the right key but is not authenticating.
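Added example, not part of the original posts and not Cisco's or ntpd's code: a small Python model of the frame handling described in the quoted comment, using the standard NTP symmetric-key MAC layout (32-bit key ID followed by MD5(key || header)). The function names, the result labels and the choice to drop frames with an unknown key ID are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header, no extension fields
MAC_LEN = 4 + 16     # 32-bit key ID followed by a 16-byte MD5 digest


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Key ID plus MD5(key || header), appended after the NTP header."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def classify(frame: bytes, keys: dict, trusted: set) -> str:
    """Return 'trust', 'reply-stateless' or 'drop' for an incoming frame."""
    if len(frame) < HEADER_LEN:
        return "drop"                      # truncated header
    header, mac = frame[:HEADER_LEN], frame[HEADER_LEN:]
    if not mac:
        return "reply-stateless"           # no authentication attached
    if len(mac) != MAC_LEN:
        return "drop"                      # malformed MAC
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return "drop"                      # assumption: unknown key ID cannot be validated
    if not hmac.compare_digest(mac, ntp_mac(key_id, key, header)):
        return "drop"                      # cannot be authenticated with the given key
    return "trust" if key_id in trusted else "reply-stateless"


# Constructed sample data: an NTPv3 client-mode header (LI=0, VN=3, Mode=3).
HEADER = bytes([0x1B]) + bytes(HEADER_LEN - 1)
KEYS = {1: b"secret", 2: b"other"}         # key 2 is defined but not trusted
TRUSTED = {1}

if __name__ == "__main__":
    samples = {
        "no MAC (Router Two as posted)": HEADER,
        "key 1, correct secret": HEADER + ntp_mac(1, b"secret", HEADER),
        "key 1, wrong secret": HEADER + ntp_mac(1, b"wrong", HEADER),
        "key 2, defined but untrusted": HEADER + ntp_mac(2, b"other", HEADER),
    }
    for name, frame in samples.items():
        print(f"{name}: {classify(frame, KEYS, TRUSTED)}")
```

The first sample corresponds to Router Two's poll as configured in the question: it carries no MAC, so it falls into the "respond without saving any state" case from the quote.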
