<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: NTP Server Authentication in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918798#M5540</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am configuring this as NTP master because I want this switch to act as an NTP server to other NTP clients (inside LAN).&lt;/P&gt;&lt;P&gt;Yes, the firewall permits NTP access to this device.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 16 Oct 2007 04:22:03 GMT</pubDate>
    <dc:creator>avilt</dc:creator>
    <dc:date>2007-10-16T04:22:03Z</dc:date>
    <item>
      <title>NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918791#M5523</link>
      <description>&lt;P&gt;I am setting up an NTP master server on a Catalyst 4000 series switch. I would like to implement authentication between the server and the client. I have the following commands, which do not work.&lt;/P&gt;&lt;P&gt;What's wrong with the commands below?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Server:&lt;/P&gt;&lt;P&gt;ntp authentication-key 1 md5 xxx&lt;/P&gt;&lt;P&gt;ntp authenticate&lt;/P&gt;&lt;P&gt;ntp master 6&lt;/P&gt;&lt;P&gt;ntp max-associations 10&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Client:&lt;/P&gt;&lt;P&gt;ntp authentication-key 1 md5 xxx&lt;/P&gt;&lt;P&gt;ntp authenticate&lt;/P&gt;&lt;P&gt;ntp server 10.0.0.1 key 1&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 18:19:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918791#M5523</guid>
      <dc:creator>avilt</dc:creator>
      <dc:date>2020-02-21T18:19:22Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918792#M5524</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;avil &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You need to add:&lt;/P&gt;&lt;P&gt;ntp trusted-key 1&lt;/P&gt;&lt;P&gt;on both the server and the client.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Try it and let us know if it works now.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 13 Oct 2007 18:26:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918792#M5524</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2007-10-13T18:26:33Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918793#M5525</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks, it worked.&lt;/P&gt;&lt;P&gt;One more query: I have configured the NTP server to get the time from the US Navy server, but it does not sync its time.&lt;/P&gt;&lt;P&gt;The NTP commands on the server are given below.&lt;/P&gt;&lt;P&gt;ntp master 6&lt;/P&gt;&lt;P&gt;ntp server 192.5.41.41&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am also attaching the show ntp commands.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In my firewall logs I can see the NTP access from the switch to the US Navy server, but the switch does not update its clock.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 15 Oct 2007 03:37:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918793#M5525</guid>
      <dc:creator>avilt</dc:creator>
      <dc:date>2007-10-15T03:37:21Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918794#M5527</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Try using:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;ntp server 192.5.41.41 prefer&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 15 Oct 2007 08:51:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918794#M5527</guid>
      <dc:creator>Mel Popple</dc:creator>
      <dc:date>2007-10-15T08:51:37Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918795#M5531</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;avil &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for posting the additional information. There are several parts of the output that show quite clearly that your device has not established NTP communication with the US Navy server.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Your post mentions messages in the firewall logs. Could you provide some details of what the firewall is saying?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;At this point it is a bit hard to tell whether the problem is that you are not getting to the server or whether the server response is not getting back to you. I wonder if the firewall is denying NTP packets.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also I am not clear why you have configured your device with ntp master 6. Perhaps you can explain why this is configured? In the meantime while we try to resolve the issue with the Navy server I suggest that you remove the ntp master 6 from the config. It may simplify the troubleshooting.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 15 Oct 2007 16:03:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918795#M5531</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2007-10-15T16:03:51Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918796#M5535</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Rick,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I changed my config on the switch as below:&lt;/P&gt;&lt;P&gt;ntp master&lt;/P&gt;&lt;P&gt;ntp server 192.5.41.41 prefer&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Still it does not update its time. The firewall logs show the NTP request getting accepted. It's not a firewall issue, as we have other UNIX servers inside the LAN getting time from the same US Navy NTP server, which come under the same firewall rule.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Av&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 15 Oct 2007 23:18:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918796#M5535</guid>
      <dc:creator>avilt</dc:creator>
      <dc:date>2007-10-15T23:18:00Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918797#M5537</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Av&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;ntp master 6 or ntp master - there is not much significant difference. Can you explain to us why you are configuring this as an ntp master?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Are you sure that the firewall rule that permits your Unix servers also permits this device?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 16 Oct 2007 03:57:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918797#M5537</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2007-10-16T03:57:19Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918798#M5540</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am configuring this as NTP master because I want this switch to act as an NTP server to other NTP clients (inside LAN).&lt;/P&gt;&lt;P&gt;Yes, the firewall permits NTP access to this device.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 16 Oct 2007 04:22:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918798#M5540</guid>
      <dc:creator>avilt</dc:creator>
      <dc:date>2007-10-16T04:22:03Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918799#M5541</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Av&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You do not need to configure ntp master to have the switch act as an NTP server for other devices. If the switch has learned authoritative time from an NTP source it is automatically enabled to act as an NTP server to other devices.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Configuring ntp master means that the switch would act as a server even if it did not have authoritative time. Is that what you want?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 16 Oct 2007 13:27:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918799#M5541</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2007-10-16T13:27:46Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918800#M5542</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Rick,&lt;/P&gt;&lt;P&gt;I removed the command "NTP MASTER", still the same issue. I also noted that when I remove that command, clients do not sync their time with the NTP server (switch).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My requirement is that the L3 switch should get its time from the US Navy NTP server. Our other internal L2 switches should get the time from the L3 switch.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Av&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 16 Oct 2007 23:56:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918800#M5542</guid>
      <dc:creator>avilt</dc:creator>
      <dc:date>2007-10-16T23:56:33Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918801#M5543</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Av&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I believe that there are two separate issues here and they are really not related to each other. One issue is whether your switch should be configured as ntp master. If the switch is configured as ntp master then it will offer its version of time whether it is authoritative or not (is correct or not). I think that this is a bad idea and hope that this is not something that you did intentionally.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The other issue is why the switch is not learning time from the Navy server. It seems that there are a couple of reasons why this may happen. It is possible that your NTP requests are not getting to the server or that the responses from the server are not getting to you. My guess is that this is likely the case since the show ntp association does not show a reference clock for the Navy server. Or it is possible that the NTP response is getting to you but that there is enough variability in traffic through the network that the switch is not able to sync with the server. I have seen a customer network where this was an issue for a while.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I would suggest that the next step might be to run debug ntp packet and see if you are sending to the right address and to see if you are getting responses.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 17 Oct 2007 01:26:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918801#M5543</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2007-10-17T01:26:45Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918802#M5544</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you, Rick.&lt;/P&gt;&lt;P&gt;It seems like a connection issue between the L3 switch and the US Navy NTP server. The firewall logs show that for the NTP access, the L3 switch uses both source/destination port 123, whereas other UNIX servers use source port &amp;gt;1024 and destination port 123.&lt;/P&gt;&lt;P&gt;We have ACLs at the internet edge router, which might be blocking the NTP reply from the US Navy NTP server.&lt;/P&gt;&lt;P&gt;I wonder why for NTP access the L3 switch uses both source/destination port 123.&lt;/P&gt;&lt;P&gt;Thank you for the feedback.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 17 Oct 2007 04:09:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918802#M5544</guid>
      <dc:creator>avilt</dc:creator>
      <dc:date>2007-10-17T04:09:18Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918803#M5545</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;How can I disable the router from becoming an NTP server while it still gets time from an external NTP server?&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Av&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 17 Oct 2007 05:51:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918803#M5545</guid>
      <dc:creator>avilt</dc:creator>
      <dc:date>2007-10-17T05:51:37Z</dc:date>
    </item>
    <item>
      <title>Re: NTP Server Authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918804#M5546</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Av&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It is common behavior in IOS to use 123 as both the source port and the destination port. I am not aware of any configuration option to change this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am somewhat puzzled at the most recent question. It seems like in previous posts you want it to be an NTP server for other devices on your network and now you are asking how to block it from being an NTP server. In IOS if a device has learned authoritative time then it is willing to serve as an NTP server for other devices. If you want to prevent this I believe that you can use the ntp access-group server command to prevent this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can know that they will read a solution that resolved the issue.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I encourage you to continue your participation in the forum.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 17 Oct 2007 22:03:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ntp-server-authentication/m-p/918804#M5546</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2007-10-17T22:03:58Z</dc:date>
    </item>
  </channel>
</rss>

