RE: NTP trusted-key needed?

From: keith tokash (ktokash@hotmail.com)
Date: Sat May 17 2008 - 18:13:35 ART


Alright, after an embarrassing amount of time and, naturally, announcing to
the world, "I don't get it", I see the nuance I was missing.

The configuration I have below will work just fine. R3 will sync to R6 and it
will authenticate. The problem is if you remove the key from R6 (which I
did). Now R3 will sync to R6 ... unauthenticated.

So if the question says, "have R3 sync to R6 either with key 666 or without
it", then the configs below are what you want. However I doubt that will
happen. I suspect that if someone wants to authenticate their time source, in
an exam or the real world, they want to refuse to accept unauthenticated time.
For that you have to add to the client:

ntp authenticate

Now the client will either authenticate and sync, or not authenticate and not
sync. However once you add that command you have to trust the key. Why do
you have to trust it after forcing authentication but not before? I have no
idea. It seems like you would have to trust the key either way, but you
don't.

With a few exceptions, secrecy is deeply incompatible with democracy and with
science.
        --Carl Sagan

> Date: Sat, 17 May 2008 15:50:17 -0500
> From: cisconetman@gmail.com
> To: ktokash@hotmail.com
> Subject: Re: NTP trusted-key needed?
> CC: ccielab@groupstudy.com
>
> you need to do ntp authenticate on the client, otherwise you are not
> authenticating and yes, you will then need to trust the key at that point.
>
> On 5/17/08, keith tokash <ktokash@hotmail.com> wrote:
> >
> > Hi all, quick question. I keep seeing the "ntp trusted-key 1" command as a
> > requirement on the client for NTP authentication to work. However I didn't
> > apply it and my authentication is working just fine.
> >
> > SERVER
> > R6(config)#do sh run | i ntp
> > ntp authentication-key 666 md5 1531223F2705 7
> > ntp master 5
> >
> > CLIENT
> > R3(config)#do sh run | i ntp
> > ntp authentication-key 666 md5 0802657D2A36 7
> > ntp server 6.6.6.6 key 666
> >
> > R3#sh ntp st
> > Clock is synchronized, stratum 6, reference is 6.6.6.6
> >
> > R3#sh ntp a d
> > 6.6.6.6 configured, authenticated, our_master, sane, valid, stratum 5
> >
> > As you can see, R3 is showing R6 as an *authenticated* time source. What
> > am I missing here? Did the IOS behavior change or is there some nuance
> > that I'm glossing over? I searched the archives, checked two vendors'
> > answers, checked the DocCD, and found the config in Doyle. They all list
> > that command as required, but ... I'm confused.
> >
> > With a few exceptions, secrecy is deeply incompatible with democracy and
> > with science.
> > --Carl Sagan
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>

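As an added example (not from this thread, and not Cisco's own tooling), the small Python audit below applies the thread's conclusion to an IOS running-config excerpt: a client that is meant to refuse unauthenticated time needs `ntp authentication-key`, `ntp authenticate`, `ntp trusted-key` and `ntp server ... key` to agree with each other, and a config with `ntp server ... key` but no `ntp authenticate` is flagged because, as Keith observed, the client will still sync if the server's key goes away. The two sample configs are constructed from the R3 lines quoted above; the hardened version assumes the three-command form the thread settles on.

```python
import re
from typing import List, Set, Tuple

# Constructed samples. R3_AS_POSTED repeats the client lines quoted in the
# thread; R3_HARDENED adds the two commands the thread concludes are needed.
R3_AS_POSTED = """\
ntp authentication-key 666 md5 0802657D2A36 7
ntp server 6.6.6.6 key 666
"""

R3_HARDENED = """\
ntp authentication-key 666 md5 0802657D2A36 7
ntp authenticate
ntp trusted-key 666
ntp server 6.6.6.6 key 666
"""

# One key id per line for each statement; 'ntp server' and 'ntp peer' may
# carry other options (prefer, source ...) before or after 'key N'.
KEY_RE = re.compile(r"^ntp authentication-key (\d+)\b")
TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)\b")
PEER_RE = re.compile(r"^ntp (?:server|peer) (\S+)\b.*?\bkey (\d+)\b")


def audit_ntp_auth(config: str) -> List[str]:
    """Return findings for the NTP authentication state of one IOS config.

    An empty list means every authenticated time source is backed by a
    defined and trusted key, and 'ntp authenticate' is present so that an
    unauthenticated source cannot be accepted in its place.
    """
    defined: Set[int] = set()
    trusted: Set[int] = set()
    peers: List[Tuple[str, int]] = []
    authenticate = False

    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
            continue
        m = KEY_RE.match(line)
        if m:
            defined.add(int(m.group(1)))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            trusted.add(int(m.group(1)))
            continue
        m = PEER_RE.match(line)
        if m:
            peers.append((m.group(1), int(m.group(2))))

    findings: List[str] = []
    if peers and not authenticate:
        findings.append(
            "missing 'ntp authenticate': the client still syncs to a server "
            "that stops authenticating"
        )
    for host, key in peers:
        if key not in defined:
            findings.append(f"server {host} uses key {key}, which has no "
                            "'ntp authentication-key' line")
        if key not in trusted:
            findings.append(f"server {host} uses key {key}, which is not "
                            "listed under 'ntp trusted-key'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("R3 as posted", R3_AS_POSTED), ("R3 hardened", R3_HARDENED)):
        print(f"== {name} ==")
        for finding in audit_ntp_auth(cfg) or ["ok"]:
            print("  ", finding)
```

Run it against `show run | i ntp` output saved to a file; anything the function returns is a source that can be fed unauthenticated time or a key that is referenced but never trusted.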


This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:17 ART