09-06-2018 08:35 AM - edited 03-10-2019 01:05 AM
Hi
We want to set up an NTP server that supports authentication. Currently all the network devices use the DC as an NTP server, which does not support authentication from what I have been told.
NTP authentication is required as part of our security audits.
What do others use for NTP authentication?
09-06-2018 10:37 AM
You can try:
1. The built-in w32tm service in any Windows machine. You do need to tweak registry keys in order for it to support Cisco devices. Check this: https://learningnetwork.cisco.com/thread/36181
2. If you're a Linux guy, try Linux servers. It's free and supports your requirement. Complex though. I won't share the link here since it's a bit complex. I don't even use it, considering you have an authentication requirement.
3. Cisco routers can be set to be your NTP servers as well. Here's a simple guide:
https://www.freeccnaworkbook.com/workbooks/ccna/configuring-the-cisco-ios-ntp-server
If you want to add authentication, use the following commands on your server and client:
#conf t
#ntp authenticate
#ntp authentication-key 1 md5 <DESIRED KEY>
#ntp trusted-key 1
4. 3rd-party software that is installed on your computer; heck, just google "NTP software" and you'll see a bunch of results. Meinberg NTPd is a common one.
All should meet your requirements, i.e., authentication. I would stick to the software though; it's a bit easier. There's a UI.
09-07-2018 04:23 AM
Thank you for the info.
I was thinking of using a router in each of the 2 DCs as an NTP server (primary and secondary) which syncs its clock with an external source. Then all the site routers sync with the DC routers, and the site switches sync with the site routers. So a hierarchical setup.
Does this seem like a design to go for, as it also supports authentication?
09-07-2018 04:30 AM
"I was thinking of using a router in each of the 2 DCs as an NTP server (primary and secondary) which syncs its clock with an external source."
Yes, this is possible and is actually the current setting: by default all domain computers' NTP source is the Active Directory, and the Active Directory syncs its time with time.windows.com, the external source you are talking about.
"...All the site routers sync with the DC routers, and the site switches sync with the site routers. So a hierarchical setup"
This one is on your network equipment side: as far as I understand, you have two (2) routers in your head office and a router or routers per site. You can set them up in a hierarchy as well:
Two routers in the head office sync their time with an external source and provide NTP to the site routers.
Site routers sync their time with the primary router, with the secondary router as backup.
Site devices sync their time with their respective site router.
The head-office routers are set to stratum 3, while the site office is set to stratum 4.
PS: Stratum defines the authoritativeness of an NTP server. The lower the number, the more authoritative it is. Don't go lower than 3.
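The following is an added example, not code from this thread, from Cisco, or from any NTP implementation. It shows what the `ntp authenticate` / `ntp authentication-key 1 md5 <key>` / `ntp trusted-key 1` lines from the first answer mean on the wire (RFC 5905 symmetric-key authentication: a key ID plus MD5 over key and header, appended to the 48-byte NTP header), and then walks the head office -> site router -> site device hierarchy from the second answer to show how stratum increments one hop at a time. Key ID 1, the key string "ExampleKey", and an external source at stratum 2 are constructed assumptions; the tier names are placeholders.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # NTPv4 header: LI/VN/mode through transmit timestamp
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16
MAX_STRATUM = 15      # stratum 16 means "unsynchronized"; clients reject it

# Constructed key table shared by server and client: key ID -> key string.
# This is what "ntp authentication-key 1 md5 <key>" stores in the router config.
KEYS = {1: b"ExampleKey"}
# Key IDs this host is willing to accept ("ntp trusted-key 1").
TRUSTED_KEYS = {1}


def build_header(mode: int, stratum: int, transmit_ts: int = 0) -> bytes:
    """Build a minimal 48-byte NTPv4 header. mode 3 = client, 4 = server."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode                    # LI=0, VN=4
    fixed = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6, precision 2^-20
    ids = struct.pack("!II4s", 0, 0, b"\x00" * 4)              # root delay, root disp, ref id
    stamps = struct.pack("!QQQQ", 0, 0, 0, transmit_ts)        # ref, orig, recv, xmt
    return fixed + ids + stamps


def sign(header: bytes, key_id: int, keys=KEYS) -> bytes:
    """Append the symmetric-key MAC: key ID || MD5(key || header) (RFC 5905 section 7.3)."""
    digest = hashlib.md5(keys[key_id] + header[:NTP_HEADER_LEN]).digest()
    return header[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys=KEYS, trusted=TRUSTED_KEYS) -> bool:
    """Accept only packets whose MAC is present, uses a trusted key ID, and matches."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_DIGEST_LEN:
        return False  # unauthenticated or malformed: drop it
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
    if key_id not in trusted or key_id not in keys:
        return False  # key ID not configured or not in the trusted-key list
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[KEY_ID_LEN:])


def stratum_of(packet: bytes) -> int:
    """Stratum is the second byte of the NTP header."""
    return packet[1]


def serve(request: bytes, my_stratum: int, key_id: int = 1):
    """Authenticated server: answer only authenticated requests, advertising its own stratum."""
    if not verify(request):
        return None
    return sign(build_header(mode=4, stratum=my_stratum), key_id)


def sync_hierarchy(source_stratum: int, tiers: list) -> dict:
    """Walk the hierarchy from the thread: each tier syncs with the tier above
    over an authenticated exchange and becomes stratum = upstream + 1.
    A tier whose upstream fails authentication or advertises stratum > 15
    becomes 16 (unsynchronized), and so does everything below it."""
    result = {}
    upstream = source_stratum
    for name in tiers:
        request = sign(build_header(mode=3, stratum=0), 1)
        reply = serve(request, upstream)
        if reply is None or not verify(reply) or stratum_of(reply) > MAX_STRATUM:
            upstream = 16
        else:
            upstream = stratum_of(reply) + 1
        result[name] = upstream
    return result


if __name__ == "__main__":
    # Constructed scenario: external source at stratum 2, three authenticated hops.
    print(sync_hierarchy(2, ["head-office router", "site router", "site switch"]))
    signed = sign(build_header(mode=3, stratum=0), 1)
    tampered = signed[:1] + bytes([signed[1] ^ 0xFF]) + signed[2:]
    print("valid:", verify(signed), "tampered:", verify(tampered), "no MAC:", verify(signed[:48]))
```

Two points worth noticing: the MAC covers the whole header, so a modified stratum or timestamp fails verification, and an unknown or untrusted key ID is rejected before any digest is compared. On the router side, the client also needs the `ntp server <address> key 1` line (not shown in the thread) to bind the key to that server; `ntp authenticate` alone only enables checking. The digest security rests on the key staying secret, so the key string belongs in the same handling as any other shared secret.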