Re: Ipexpert Lab 36 Questions

From: Rich Collins (nilsi2002@gmail.com)
Date: Tue Nov 13 2007 - 23:31:25 ART


I checked some more and you have to include the key in the server
command if you want to FORCE authentication. If you don't include the
key it will drop back to not doing authentication regardless of the
ntp authenticate command and just synchronize.

It looks like the data is there unencrypted but the client will just
look at the md5 to see if it wants to trust this source as an option.

Here is a debug on the client with a bad key.

Bad key

Router#sh run | i ntp
ntp authentication-key 1 md5 06150624414B070A 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17180041
ntp server 10.10.10.2 key 1

10:12:09: Authentication failed
10:12:10: NTP: xmit packet to 10.10.10.2:
10:12:10: leap 3, mode 3, version 3, stratum 0, ppoll 64
10:12:10: rtdel 3760 (216.309), rtdsp 20DE (128.387), refid 0A0A0A02 (10.10.10.2)
10:12:10: ref CAE4D876.B23507B1 (02:14:14.696 UTC Wed Nov 14 2007)
10:12:10: org CAE4DA85.B9B33CAD (02:23:01.725 UTC Wed Nov 14 2007)
10:12:10: rec CAE4DA85.B45D13B0 (02:23:01.704 UTC Wed Nov 14 2007)
10:12:10: xmt CAE4DA86.B3F47E18 (02:23:02.702 UTC Wed Nov 14 2007)
10:12:10: Authentication key 1
10:12:10: NTP: rcv packet from 10.10.10.2 to 10.10.10.1 on FastEthernet0/1:
10:12:10: leap 0, mode 4, version 3, stratum 3, ppoll 64
10:12:10: rtdel 3873 (220.505), rtdsp 1EBF (120.102), refid 47288094 (71.40.128.148)
10:12:10: ref CAE4D8D0.402E7FD3 (02:15:44.250 UTC Wed Nov 14 2007)
10:12:10: org CAE4DA86.B3F47E18 (02:23:02.702 UTC Wed Nov 14 2007)
10:12:10: rec CAE4DA86.B99B91A0 (02:23:02.725 UTC Wed Nov 14 2007)
10:12:10: xmt CAE4DA86.B9AE2FCE (02:23:02.725 UTC Wed Nov 14 2007)
10:12:10: inp CAE4DA86.B4610653 (02:23:02.704 UTC Wed Nov 14 2007)
10:12:10: Authentication key 0
10:12:10: NTP: packet from 10.10.10.2 failed validity tests
10:12:10: Authentication failed
IMSswitch#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 249.9975 Hz, precision is 2**18
reference time is CAE4D876.B23507B1 (02:14:14.696 UTC Wed Nov 14 2007)
clock offset is 11.5590 msec, root delay is 216.31 msec
root dispersion is 128.37 msec, peer dispersion is 0.34 msec

Good key - proper password

It synchronized

-Rich
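Rich's point above is that the NTP fields travel in the clear and only the trailing key ID plus MD5 digest decides whether the client trusts the reply. The Python script below is an added example, not code from the thread or from Cisco IOS: it rebuilds the server reply from the debug output above (leap 0, mode 4, stratum 3, refid 47288094, xmt CAE4DA86.B9AE2FCE), appends the RFC 1305-style MAC (4-byte key ID followed by MD5 over key || 48-byte header) and checks it with the right key, a wrong key (Rich's "bad key" case), no MAC at all (the "Authentication key 0" line) and a tampered header. The key string b"ciscokey" and the client_accepts() model of the "key" option on the ntp server command are constructed assumptions; the type-7 strings in the thread are obfuscated copies of the real keys, not the keys themselves, so they are not reused here.

```python
"""Symmetric-key NTP authentication as seen in the IOS debug above.

Added example, not code from the thread or from Cisco IOS. Key values are
constructed; the thread's type-7 strings are obfuscated and cannot be reused.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                # LI/VN/mode through the transmit timestamp
MAC_LEN = 4 + 16               # key ID followed by an MD5 digest (RFC 1305 style)


def ntp_ts_to_str(ts_hex):
    """Render 'SSSSSSSS.FFFFFFFF' the way the IOS debug prints timestamps."""
    sec_hex, frac_hex = ts_hex.split(".")
    secs = int(sec_hex, 16) - NTP_UNIX_OFFSET
    millis = (int(frac_hex, 16) * 1000) // (1 << 32)   # truncate to ms like IOS
    t = datetime.fromtimestamp(secs, tz=timezone.utc)
    return "%s.%03d UTC %s" % (t.strftime("%H:%M:%S"), millis, t.strftime("%a %b %d %Y"))


def build_header(leap, version, mode, stratum, poll, rtdel, rtdsp, refid, xmt):
    """Pack a 48-byte NTP header; ref/org/rec timestamps are left zero for brevity."""
    first = (leap << 6) | (version << 3) | mode
    return (struct.pack("!BBbbIII", first, stratum, poll, -18, rtdel, rtdsp, refid)
            + bytes(24) + struct.pack("!Q", xmt))


def parse_header(pkt):
    """Read the plaintext fields; works whether or not a MAC follows the header."""
    first, stratum, poll, _prec, rtdel, _rtdsp, refid = struct.unpack("!BBbbIII", pkt[:16])
    xmt = struct.unpack("!Q", pkt[40:48])[0]
    return {
        "leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum, "ppoll": 1 << poll,
        "rtdel_ms": rtdel * 1000 / 65536,                  # 16.16 fixed point, in ms
        "refid": ".".join(str(b) for b in refid.to_bytes(4, "big")),
        "xmt": "%08X.%08X" % (xmt >> 32, xmt & 0xFFFFFFFF),
    }


def append_mac(header, key_id, key):
    """Server side: MAC = key ID || MD5(key || header). Nothing is encrypted."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(pkt, trusted_keys):
    """Client side; returns a status phrased like the IOS debug lines."""
    if len(pkt) == HEADER_LEN:
        return "Authentication key 0"               # no MAC present at all
    if len(pkt) != HEADER_LEN + MAC_LEN:
        return "failed validity tests (bad length)"
    key_id = struct.unpack("!I", pkt[48:52])[0]
    key = trusted_keys.get(key_id)                  # the 'ntp trusted-key' list
    if key is None:
        return "Authentication failed (key %d not trusted)" % key_id
    expected = hashlib.md5(key + pkt[:HEADER_LEN]).digest()
    if hmac.compare_digest(expected, pkt[52:]):
        return "Authentication key %d" % key_id
    return "Authentication failed (bad digest)"


def client_accepts(pkt, trusted_keys, require_auth):
    """Model of the thread's finding (assumption, not IOS source): without 'key N'
    on the ntp server line the client syncs to any well-formed reply; with it,
    only a reply whose MAC verifies under a trusted key is used."""
    status = verify(pkt, trusted_keys)
    if not require_auth:
        return not status.startswith("failed validity tests")
    return status.startswith("Authentication key ") and status != "Authentication key 0"


# Constructed shared secret; key ID 1 matches 'ntp authentication-key 1' in the thread.
SERVER_KEYS = {1: b"ciscokey"}
GOOD_CLIENT_KEYS = {1: b"ciscokey"}
BAD_CLIENT_KEYS = {1: b"wrongkey"}     # Rich's 'bad key' case

# Server reply rebuilt from the values in Rich's debug output.
REPLY_PLAIN = build_header(leap=0, version=3, mode=4, stratum=3, poll=6,
                           rtdel=0x3873, rtdsp=0x1EBF, refid=0x47288094,
                           xmt=0xCAE4DA86B9AE2FCE)
REPLY_SIGNED = append_mac(REPLY_PLAIN, 1, SERVER_KEYS[1])
REPLY_TAMPERED = REPLY_SIGNED[:1] + bytes([1]) + REPLY_SIGNED[2:]   # stratum 3 -> 1

if __name__ == "__main__":
    print(parse_header(REPLY_SIGNED))
    print(ntp_ts_to_str("CAE4DA86.B9AE2FCE"))
    for name, keys in (("good key", GOOD_CLIENT_KEYS), ("bad key", BAD_CLIENT_KEYS)):
        print(name, "->", verify(REPLY_SIGNED, keys))
    print("no MAC   ->", verify(REPLY_PLAIN, GOOD_CLIENT_KEYS))
    print("tampered ->", verify(REPLY_TAMPERED, GOOD_CLIENT_KEYS))
```

parse_header() succeeds on the signed and unsigned packets alike, which is the "unencrypted" part of Rich's observation: the digest gives integrity and source authentication for the 48-byte header and nothing more, so a flipped stratum byte fails the check exactly as a wrong key does, while anyone on the path can still read every field. The MD5-over-key-prefix construction is what the protocol specifies, not a choice made here; hashlib and hmac are Python standard library.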

On Nov 13, 2007 2:54 PM, De Pauw, Wim <Wim.DePauw@getronics.com> wrote:
> Hi,
>
> I already did the effort and checked the configuration guide, where
> they also configure authentication without the key specified in the
> ntp server command.
> I think you need to put a sniffer to check the packets to be 100% sure.
>
> Gr
> wim
>
>
>
>
> I configured my peer R4 as master and R5 as server and enabled ntp
> authentication
> R4 Config
> Mar 1 00:30:25.967: xmt C0294A21.F4B59446 (00:30:25.955 UTC Fri Mar 1
> 2002)
> Rack1R4#sho run | incl ntp
> ntp authentication-key 1 md5 01040F09 7
> ntp authenticate
> ntp master 1
>
> R5 Config
>
> Rack1R5(config)#do sho run | incl ntp
> ntp authentication-key 1 md5 120E0C1A 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179870
> ntp server 172.16.1.1
> Rack1R5(config)#
>
>
> When I debug I get the following output
>
> Rack1R5(config)#UTC Fri Mar 1 2002)
> Mar 1 00:22:55.032: NTP: rcv packet from 172.16.1.1 to 172.16.1.2 on
> Serial1/1:
> Mar 1 00:22:55.032: leap 0, mode 4, version 3, stratum 1, ppoll 64
> Mar 1 00:22:55.036: rtdel 0000 (0.000), rtdsp 0002 (0.031), refid
> 4C4F434C (76.79.67.76)
> Mar 1 00:22:55.036: ref C0294821.BC6780EC (00:21:53.735 UTC Fri Mar 1
> 2002)
> Mar 1 00:22:55.040: org C029485E.E66F7250 (00:22:54.900 UTC Fri Mar 1
> 2002)
> Mar 1 00:22:55.040: rec C029485E.E8771C4C (00:22:54.908 UTC Fri Mar 1
> 2002)
> Mar 1 00:22:55.044: xmt C029485E.EC9C3629 (00:22:54.924 UTC Fri Mar 1
> 2002)
> Mar 1 00:22:55.044: inp C029485F.08375D2C (00:22:55.032 UTC Fri Mar 1
> 2002)
>
> When I debug with ntp authentication I don't get any message so I
> changed the configuration on R5
>
> Rack1R5(config)#do sho run | incl ntp
> ntp authentication-key 1 md5 120E0C1A 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179870
> ntp server 172.16.1.1 key 1
>
> And then I get the following output
>
>
> Rack1R5#
> .Mar 1 00:22:02.035: leap 0, mode 4, version 3, stratum 1, ppoll 64
> .Mar 1 00:22:02.035: rtdel 0000 (0.000), rtdsp 0002 (0.031), refid
> 4C4F434C (76.79.67.76)
> .Mar 1 00:22:02.039: ref C0294821.BC6780EC (00:21:53.735 UTC Fri Mar 1
> 2002)
> .Mar 1 00:22:02.039: org C0294829.E6566E95 (00:22:01.899 UTC Fri Mar 1
> 2002)
> .Mar 1 00:22:02.043: rec C0294829.F3BE9A8B (00:22:01.952 UTC Fri Mar 1
> 2002)
> .Mar 1 00:22:02.043: xmt C0294829.F8E16C46 (00:22:01.972 UTC Fri Mar 1
> 2002)
> .Mar 1 00:22:02.047: inp C029482A.081BC9FD (00:22:02.031 UTC Fri Mar 1
> 2002)
> .Mar 1 00:22:02.047: Authentication key 1
>
>
>
>
> Regards
>
> Wim De Pauw
>
> Getronics Belgium nv
> Prins Boudewijnlaan 41
> 2560 Edegem
> Tel: +32 (0)2 229.99.50
> Fax: +32 (0)3 457.37.46
> E-mail: wim.depauw@getronics.com
>
> ICT Security | Network Integration Services | Network & Desktop
> Outsourcing | Application Integration & Management
> http://www.getronics.com
>
> The information transmitted is intended only for use by the addressee
> and may contain confidential and/or privileged material. Any review,
> re-transmission, dissemination or other use of it, or the taking of any
> action in reliance upon this information by persons and/or entities
> other than the intended recipient is prohibited. If you received this in
> error, please inform the sender and/or addressee immediately and delete
> the material.
> Thank you.
>
>
>
> -----Original Message-----
> From: Rich Collins [mailto:nilsi2002@gmail.com]
> Sent: dinsdag 13 november 2007 20:50
> To: De Pauw, Wim
>
> Cc: Cisco certification
> Subject: Re: Ipexpert Lab 36 Questions
>
> Hi Wim,
>
> I am not 100% sure. I will have to lab it up to verify but that is the
> conclusion I had from some of the notes that I had.
>
> Rich
>
> On Nov 13, 2007 11:02 AM, De Pauw, Wim <Wim.DePauw@getronics.com> wrote:
> > Hi Rich,
> >
> > Sorry for the late reply, if I understand correctly:
> > When you don't specify the ntp server X.X.X.X <key> you won't have any
> > authentication. I checked the previous answers of the ipexpert lab
> > and they are all without the key specification so it means that they
> > are wrong??
> >
> > Gr
> > wim
> >
> >
> > -----Original Message-----
> > From: Rich Collins [mailto:nilsi2002@gmail.com]
> > Sent: Sunday, November 11, 2007 19:42
> > To: De Pauw, Wim
> > Cc: ccielab@groupstudy.com
> > Subject: Re: Ipexpert Lab 36 Questions
> >
> > For your second question, your ntp client will sync up still but will
> > be requesting and receiving time without using authentication. The
> > NTP server will still respond but not include any authentication hash.
> >
> >
> >
> > On Nov 11, 2007 6:20 AM, <wim.depauw@getronics.com> wrote:
> > > Hi,
> > >
> > > I got a couple of questions/remarks about Lab 36 of Ipexpert:
> > >
> > > - QoS Configuration: In the solution provided there are a lot of
> > > parameters like bc/be, frame-relay fragments but I can't deduce from
> > > the text if it is necessary to apply these parameters. It seems that
> > > they used a Tc of 1000 but where do they get it from?
> > >
> > > - In the ntp solution they use ntp server 136.10.4.4 key <X>, is
> > > the key option really necessary, I thought you only needed to specify
> > > ntp authentication-key and ntp authenticate?
> > >
> > > gr
> > > wim
> > >
> > > ________________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:29 ART