02-04-2025 07:46 AM - last edited on 02-04-2025 08:10 AM by shazubai
Hello Pros,
We have 5 2960x. With the latest STIG released last Wednesday, we need to update the NTP authentication to now use SHA-256.
The current IOS running is C2960X-UNIVERSALK9-M.
I was trying to add
(config)#ntp authentication-key 1 hmac-sha2-256 HEX:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The 2960x switch is accepting sha2-256 key.
- Does the (C2960X-UNIVERSALK9-M) IOS support/accept a SHA2-256 key? If not, which IOS version do I have to upgrade to?
Thanks in advance.
Accepted Solutions
02-04-2025 10:14 AM
The Cisco 2960X running the C2960X-UNIVERSALK9-M IOS does not support SHA-256 for NTP authentication. It only supports MD5 for NTP authentication keys. Unfortunately, there's no IOS version for the 2960X that adds support for SHA-256, as this feature is not available on the hardware platform. If SHA-256 is a strict STIG requirement, you may need to consider upgrading to a newer switch model, like the Catalyst 9200 or 9300, which support SHA-256 with the appropriate IOS XE versions.
02-04-2025 11:07 AM
That's what I was thinking too. I tried to add a SHA-256 key to one of the 9200 switches and it worked, but not on the C2960x model.
Thank you all Pros for your time and assistance.
02-04-2025 08:19 AM - edited 02-04-2025 08:45 AM
@Zee-Far-Man Unfortunately, it seems neither SHA-256 nor SHA appears to be supported for NTP currently - https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
Only MD5 is supported.
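An added example, not part of any post in this thread and not Cisco code: a Python check over a saved running-config that flags NTP keys still using MD5 and NTP servers without a trusted key, which is the gap the STIG change discussed above exposes. The sample configs, addresses and key placeholders are constructed; the `md5` keyword and the `ntp authenticate`, `ntp trusted-key` and `ntp server ... key` lines are standard IOS NTP commands assumed here, and `audit_ntp` is a hypothetical helper name.

```python
import re

# Constructed sample running-config excerpts (not taken from the thread).
# PLACEHOLDER-KEY stands in for real key material.
SAMPLE_2960X = """\
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER-KEY
ntp trusted-key 1
ntp server 192.0.2.10 key 1
"""
SAMPLE_9200 = """\
ntp authenticate
ntp authentication-key 1 hmac-sha2-256 PLACEHOLDER-KEY
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11
"""

KEY_RE = re.compile(r"^ntp authentication-key (\d+) (\S+) ", re.M)
TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)", re.M)
# Host is the first token after server/peer; the key id is optional.
SERVER_RE = re.compile(r"^ntp (?:server|peer) (\S+)(?:.*? key (\d+))?", re.M)

def audit_ntp(config, required="hmac-sha2-256"):
    """Return a list of findings; an empty list means the NTP auth lines pass."""
    findings = []
    keys = {int(n): alg.lower() for n, alg in KEY_RE.findall(config)}
    trusted = {int(n) for n in TRUSTED_RE.findall(config)}
    # Without this line the device accepts unauthenticated time sources.
    if not re.search(r"^ntp authenticate\s*$", config, re.M):
        findings.append("ntp authenticate is not enabled")
    for key_id, alg in sorted(keys.items()):
        if alg != required:
            findings.append(f"key {key_id} uses {alg}, expected {required}")
    for host, key_id in SERVER_RE.findall(config):
        if not key_id:
            findings.append(f"server {host} has no key assigned")
        elif int(key_id) not in keys:
            findings.append(f"server {host} references undefined key {key_id}")
        elif int(key_id) not in trusted:
            findings.append(f"server {host} uses key {key_id}, which is not trusted")
    return findings

if __name__ == "__main__":
    for name, cfg in (("2960X", SAMPLE_2960X), ("9200", SAMPLE_9200)):
        print(name, audit_ntp(cfg) or "pass")
```

Run it against `show running-config | include ^ntp` output saved from each switch to see which devices still need attention.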
