12-31-2008 09:32 AM - edited 03-06-2019 03:12 AM
My question is: what is the difference between the 2 scenarios? Scenario 2 shows up as AUTHENTICATED when you do a show ntp ass detail, but scenario 1 does NOT. Does that mean scenario 1 is doing it wrong? From my readings it seems both scenarios should do NTP authentication, however only scenario 2 shows up as AUTHENTICATED. NTP is working in both scenarios.
Scenario 1
R1
ntp master
ntp authentication-key 1 md5 cisco
ntp authenticate
sw1
ntp server (ip address of R1)
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
SW1#show ntp ass d
144.44.1.1 configured, insane, invalid, stratum 1
ref ID .LOCL., time CD05E352.EC8C28EB (12:25:54.924 UTC Wed Dec 31 2008)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
_______________
Scenario 2
r1
ntp master
ntp authentication-key 1 md5 cisco
sw1
ntp authentication-key 1 md5 02050D480809 7
ntp trusted-key 1
ntp server 144.44.1.1 key 1
SW1(config)#do sho ntp ass de
144.44.1.1 configured, authenticated, insane, invalid, stratum 8
ref ID 127.127.7.1, time CD05E412.EC8B3E09 (12:29:06.923 UTC Wed Dec 31 2008)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 0, sync dist 7917.099
12-31-2008 09:56 AM
You need to associate the peer with the configured 'trusted' key. Once this is done, it tells the router which key is valid to do the authentication.
I still see that in scenario 2, you have "authenticated, insane". Configure "ntp trusted-key" in scenario 2 and then it should show "authenticated, sane".
Here is a link on configuring ntp:
http://www.cisco.com/en/US/docs/ios/12_0/configfun/configuration/guide/fcgenral.html#wp4036
12-31-2008 11:43 AM
On scenario 2 I did the show command again and here is what it says (now it says SANE). I might not have waited long enough before. But still the question is why scenario 1 doesn't say authenticated.
SW1(config)#do sho ntp ass de
144.44.1.1 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time CD060256.EC68CDAE (14:38:14.923 UTC Wed Dec 31 200
our mode client, peer mode server, our poll intvl 256, peer poll intvl 256
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 45.670
delay 47.81 msec, offset -4.5224 msec, dispersion 21.74
precision 2**18, version 3
I confirmed the configs just to be sure
sw1
ntp authentication-key 1 md5 02050D480809 7
ntp trusted-key 1
ntp clock-period 17179957
r1
ntp authentication-key 1 md5 01100F175804 7
ntp master
ntp server 144.44.1.1 key 1
12-31-2008 12:11 PM
Michael,
You are only being authenticated when you have the key in the ntp server command.
Let's say you have multiple NTP servers entries and some require authentication and some do not. The key option on the NTP server command separates both groups.
The other NTP authentication related commands are used only on those servers you decide to send the key.
HTH,
__
Edison.
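The rule in the reply above, as an added example that is not part of the original thread: a small Python audit that reports, for each ntp server line in a config, whether that association is set up to be authenticated. The sample configs are constructed from the two SW1 scenarios (144.44.1.1 stands in for R1's address in scenario 1), and audit_ntp is a hypothetical helper that assumes the plain "ntp server <ip> [key <id>]" form.

```python
# Constructed sample configs mirroring the two SW1 scenarios in the thread.
SCENARIO_1 = """\
ntp server 144.44.1.1
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
"""
SCENARIO_2 = """\
ntp authentication-key 1 md5 02050D480809 7
ntp trusted-key 1
ntp server 144.44.1.1 key 1
"""

def audit_ntp(config):
    """Return {server: finding} for every 'ntp server' line in an IOS config.

    Assumption: single key ids and the plain 'ntp server <ip> [key <id>]' form.
    """
    defined, trusted, servers = set(), set(), {}
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["ntp", "authentication-key"] and len(words) > 2:
            defined.add(words[2])
        elif words[:2] == ["ntp", "trusted-key"] and len(words) > 2:
            trusted.add(words[2])
        elif words[:2] == ["ntp", "server"] and len(words) > 2:
            # The key id, if any, follows the 'key' keyword on the same line.
            key = words[words.index("key") + 1] if "key" in words[:-1] else None
            servers[words[2]] = key
    findings = {}
    for server, key in servers.items():
        if key is None:
            findings[server] = "unauthenticated: no key on ntp server line"
        elif key not in defined:
            findings[server] = f"broken: key {key} has no ntp authentication-key"
        elif key not in trusted:
            findings[server] = f"broken: key {key} is not an ntp trusted-key"
        else:
            findings[server] = f"authenticated with key {key}"
    return findings

if __name__ == "__main__":
    for name, cfg in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        for server, finding in audit_ntp(cfg).items():
            print(f"{name}: {server}: {finding}")
```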
12-31-2008 01:21 PM
Ah okay. So in scenario 2 it is authenticated. However, I did not use the command ntp server authenticate. Could you explain what this command does?