Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1061
Views
0
Helpful
3
Replies

How to add SHA 256 NTP Authentication key.

Go to solution
Zee-Far-Man
Level 1
Level 1

‎02-04-2025 07:46 AM - last edited on ‎02-04-2025 08:10 AM by Cisco Employee

Hello Pros,

we have 5 2960x, ,  with the latest STIG released on last Wednesday.  we need to update the NTP authentication to now use SHA-256.     

The current IOS is running is C2960X-UNIVERSALK9-M 

I was trying to add 

(config)#ntp authentication-key 1 hmac-sha2-256 HEX:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. The 2960x switch is accepting sha2-256 key.

  1. Does (C2960X-UNIVERSALK9-M) IOS support/accept SHA2-256 key? if not then which IOS version do I have to upgrade with??

 

Thanks, in advanced.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
vishalbhandari
Spotlight
Spotlight

‎02-04-2025 10:14 AM

@Zee-Far-Man 

The Cisco 2960X running the C2960X-UNIVERSALK9-M IOS does not support SHA-256 for NTP authentication. It only supports MD5 for NTP authentication keys. Unfortunately, there's no IOS version for the 2960X that adds support for SHA-256, as this feature is not available on the hardware platform. If SHA-256 is a strict STIG requirement, you may need to consider upgrading to a newer switch model, like the Catalyst 9200 or 9300, which support SHA-256 with the appropriate IOS XE versions

View solution in original post

0 Helpful

Go to solution
Zee-Far-Man
Level 1
Level 1
In response to vishalbhandari

‎02-04-2025 11:07 AM

@vishalbhandari 

That's what I was thinking too.  I tried to add SHA-256 Key to one of 9200 switch and it worked but not on C2960x model.

 

Thank you all Pros for your time and assistance.

 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎02-04-2025 08:19 AM - edited ‎02-04-2025 08:45 AM

@Zee-Far-Man unfortunately it seems neither SHA-256 nor SHA appear to be supported for NTP currently - https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/syst-mgmt/b-system-management/m_bsm-time-calendar-set.html

only MD5 is supported.

 

0 Helpful

Go to solution
vishalbhandari
Spotlight
Spotlight

‎02-04-2025 10:14 AM

@Zee-Far-Man 

The Cisco 2960X running the C2960X-UNIVERSALK9-M IOS does not support SHA-256 for NTP authentication. It only supports MD5 for NTP authentication keys. Unfortunately, there's no IOS version for the 2960X that adds support for SHA-256, as this feature is not available on the hardware platform. If SHA-256 is a strict STIG requirement, you may need to consider upgrading to a newer switch model, like the Catalyst 9200 or 9300, which support SHA-256 with the appropriate IOS XE versions

0 Helpful

Go to solution
Zee-Far-Man
Level 1
Level 1
In response to vishalbhandari

‎02-04-2025 11:07 AM

@vishalbhandari 

That's what I was thinking too.  I tried to add SHA-256 Key to one of 9200 switch and it worked but not on C2960x model.

 

Thank you all Pros for your time and assistance.

 

0 Helpful
Customers Also Viewed These Support Documents