Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
426
Views
0
Helpful
3
Replies

How to use NTPv4 SHA Hex key on Cisco Equipment?

Ronit Bhattacharjee
Level 1
Level 1

‎09-16-2024 06:11 PM

We currently have our Cisco equipment synced to our NTP server using MD5 authentication, which works well. We have a directive from our cybersecurity team to upgrade to one of the SHA authentication mechanisms and facing a problem with that.

Now, both NTPD and ChronyD generate authentication keys, in hexadecimal form with 40 characters length, which is 20 bytes. Example : 8d6c9b1211c4e393d02b457c2507b7b7cc16c070

Cisco equipment (IOS-XE and IOS-XR) both accept keys up to 32 bytes in length, but they don't accept the 40 character hex key

image.png

If I trim the last 8 characters off the key (and make it 32 character, 16 bytes), it is accepted, but obviously NTP doesn't authenticate anymore. 

The only reason I think this may be happening is because the Cisco equipment accepts the key in text format and is considering the hex as text. 

To fix this, I tried converting the hex into ASCII, but it generates garbage characters.

image (2).pngimage (1).png

Has anyone her experience using NTP authentication with SHA or above keys?

 

Labels:
0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎09-17-2024 12:04 AM

 

  - It's probably a limitation on cisco devices : refs : 
       https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-12/configuration_guide/sys_mgmt/b_1712_sys_mgmt_9500_cg.pdf
      https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/17-9/configuration_guide/sys_mgmt/b_179_sys_mgmt_9400_cg.pdf
         >...The digest length is 128 bits and the key length is 1 to 32 bytes.

   M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Ronit Bhattacharjee
Level 1
Level 1
In response to marce1000

‎09-17-2024 12:07 AM

Hello. I did note that. The 40 digit Hex key is 20 bytes only, so should be OK. The problem is, it is considering the 40 digit hex key as text, so 40 bytes instead of 20. 

The disconnect is between hex and text.

0 Helpful

marce1000
VIP
VIP
In response to Ronit Bhattacharjee

‎09-17-2024 12:16 AM

 

     - I would advise to contact TAC for this requirement , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card