NTP authent

Michal Valach
Level 1

Hello all,

I have a question: can somebody please explain to me why authentication is done after I add "key 1" to the "ntp server X.X.X.X" command on R2, as highlighted below? Before this command I did not see the word "authenticated" in #sh ntp assoc det.

Router2#sh run | i ntp

ntp authentication-key 1 md5 104D000A061843595F 7

ntp authenticate

ntp trusted-key 1

ntp server 10.10.10.1 key 1

Thank you


7 Replies

johnlloyd_13
Level 9

Hi Michal,

I've had the exact issue last time and someone answered me on this thread

https://supportforums.cisco.com/message/3611572#3611572

Are you also going for your IINS?

Sent from Cisco Technical Support iPhone App

I saw this thread, but there is no explanation why I have to put the key for each server if global authentication is enabled.

Hi All,

Because NTP authentication works in a different manner, as the client is the one authenticating the server.

So you need to tell the client which key to use when authenticating a server.

Regards.

Thank you for your reply, and can you also tell me please why NTP is working in case I do not put

ntp server 10.10.10.1 key 1 ?

Hi Michal,

Because if you configured only

ntp server 10.10.10.1

this means that you don't need the client to authenticate the server, so the client will be able to synchronize with any NTP server (as the client is the side which enforces the authentication, NOT the server),

which means that the server can serve many clients (with and without authentication) simultaneously. But for the clients which require authentication the server must have a matched key configured, and for other clients it doesn't matter if the server has authentication keys configured or not.

If you need to restrict the server to serve some customers, use the serve-only ACL, and for the client to authenticate from specific servers use the peer ACL.

I hope that I covered your questions.

Feel free to discuss.

Regards.
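
Added example, not part of the original thread and not Cisco's code: a simplified Python model of the client-enforced check described in the reply above, using the classic NTP symmetric-key MAC (4-byte key ID followed by MD5 of the key concatenated with the 48-byte header). The key value, the zeroed header fields and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HDR = 48  # fixed NTP header length in bytes
DEMO_KEY = b"constructed-demo-key"  # constructed value, not the key from the thread

def ntp_mac(key_id, key, header):
    """4-byte key ID followed by MD5(key || header), the NTP symmetric-key MAC."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def mac_ok(packet, keys):
    """True if the packet carries a MAC that verifies under a key in `keys`."""
    if len(packet) != HDR + 20:
        return False
    key_id = struct.unpack("!I", packet[HDR:HDR + 4])[0]
    key = keys.get(key_id)
    return key is not None and hmac.compare_digest(
        packet[HDR:], ntp_mac(key_id, key, packet[:HDR]))

def client_request(assoc_key, trusted):
    """'ntp server X' sends a bare header; 'ntp server X key N' appends a MAC."""
    header = bytes([0x23]) + bytes(HDR - 1)  # LI=0, VN=4, mode=3 (client)
    if assoc_key is None:
        return header
    return header + ntp_mac(assoc_key, trusted[assoc_key], header)

def server_reply(request, server_keys):
    """The server signs its reply only when the request's MAC verifies."""
    header = bytes([0x24]) + bytes(HDR - 1)  # mode=4 (server)
    if mac_ok(request, server_keys):
        key_id = struct.unpack("!I", request[HDR:HDR + 4])[0]
        return header + ntp_mac(key_id, server_keys[key_id], header)
    return header  # simplification: no error signalling is modelled

def client_accepts(reply, assoc_key, trusted):
    """Only an association configured with a key requires a valid MAC."""
    if assoc_key is None:
        return True
    return assoc_key in trusted and mac_ok(reply, {assoc_key: trusted[assoc_key]})

def sync(assoc_key, trusted, server_keys):
    request = client_request(assoc_key, trusted)
    return client_accepts(server_reply(request, server_keys), assoc_key, trusted)

if __name__ == "__main__":
    for key, srv in [(None, {}), (1, {1: DEMO_KEY}), (1, {})]:
        print(key, srv, sync(key, {1: DEMO_KEY}, srv))
```

An association without a key accepts the reply from a server that holds no key at all, which is why the per-server `key 1` is what makes the client reject an unauthenticated source.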

Thank you very much for the clear explanation. Can you recommend a book or Cisco material, please? I have tried to find something that covers NTP in detail, but was unsuccessful.

Hi Michal,

You can read the "Hardening Cisco Routers" book as a start, then try to read Cisco's white papers for more details if you want.

Thanks