NTP authentication question

From: David Johnson <dmjohnson.intl_at_gmail.com>
Date: Fri, 9 Dec 2011 10:20:35 -0500

Hi Experts,
I'm sure this has been asked before, but I couldn't find it. I am looking
at NTP authentication and trying to figure out what the individual commands
do.

*Here is what I know:*
-<ntp trusted-key *id*> only has to be on the authenticating device
(usually the client). If it is configured on the server, or a device
without a configured <ntp server *ip-addr*> command, it will not affect
authentication of any clients. The same goes for <ntp authenticate> command
on servers.
-Without the key *id* option in <ntp server *ip-addr*>, output from <show
ntp association detail> does not say authenticated. That is true
regardless of whether the <ntp authenticate> command is configured or not. From this, I
gather <ntp server *ip-addr* key *id*> is needed for authentication, along
with <ntp authenticate>.
-For <ntp server *ip-addr* key *id*>, the key id must be included in the <ntp
trusted-key *id*> command, else the NTP peer will not authenticate. You
can have multiple ntp trusted keys as long as they match the server keys
and include the key id configured in the ntp server command.

*Here is what I do not know:*
-What does the <ntp trusted-key *id*> command provide that <ntp server *ip-addr* key
*id*> does not? While it is undoubtedly necessary for NTP authentication,
I do not see why the command is necessary, since it provides no information the
other command does not.
-The <ntp authenticate> command is only necessary for the clients, yes? If I
wanted the server to authenticate the clients, how would I go about doing
that?
-If NTP authentication only occurs with <ntp authenticate>, <ntp
trusted-key *id*> and <ntp server *ip-addr* key *id*>, why does Cisco make the
extra commands required? Why not just use the <ntp server *ip-addr* key *id*>
command?

I have looked this up in books and online, but cannot find the granularity
of answers I am looking for. I'm sure there are a host of mistakes in my
assumptions; if you could straighten me out, I would appreciate it.

*Testing Information:*
Below is my configuration. I tried to make it basic; the routers are
directly connected, and connectivity is fine:
(C2691-ADVENTERPRISEK9_SNA-M), Version 12.4(13b)
---------------------------------------------------------------------------------------
*R2 Configuration v1 -- Client (without key command in ntp server ip)*
ntp authentication-key 1 md5 021201481F575F 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179896
ntp server 6.6.6.6

*R2(config)#do sh ntp assoc deta*
6.6.6.6 configured, our_master, sane, valid, stratum 2

*R2 Configuration v2 -- Client* *(with key command in ntp server ip)*
ntp authentication-key 1 md5 021201481F575F 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179908
ntp server 6.6.6.6 key 1

*R2(config)#do sh ntp assoc deta*
6.6.6.6 configured, authenticated, our_master, sane, valid, stratum 2
---------------------------------------------------------------------------------------
*R6 Configuration -- Server*
ntp authentication-key 1 md5 09584B1A0D5447 7
ntp authentication-key 2 md5 010703174F5956 7
ntp master 2
---------------------------------------------------------------------------------------

Thanks!
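As an added illustration (not part of the original post, and not Cisco's code), the following Python shows what NTP symmetric-key authentication actually checks on the wire: the sender appends a MAC of a 4-byte key id plus MD5(secret || packet) to the 48-byte NTP header, and a verifying peer accepts it only if that key id is in its trusted set and the digest recomputed with its own copy of the secret matches. The secrets, key ids and header fields here are constructed sample values, not the obfuscated type-7 keys from the configurations above.

```python
import hashlib
import hmac
import struct

# Constructed sample secrets, keyed by key id (assumption, not the post's keys).
KEYS = {1: b"constructed-secret-1", 2: b"constructed-secret-2"}


def ntp_header(stratum=2):
    """Build a minimal 48-byte NTPv4 server header with zeroed timestamps."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, mode 4 (server)
    # flags, stratum, poll, precision, then 11 x 32-bit words (delay, disp, refid, 4 timestamps)
    return struct.pack("!BBBb11I", li_vn_mode, stratum, 6, -20, *([0] * 11))


def append_mac(packet48, key_id, secret):
    """Append the symmetric-key MAC: key id (4 bytes) + MD5(secret || packet) (RFC 5905 App. A)."""
    digest = hashlib.md5(secret + packet48).digest()
    return packet48 + struct.pack("!I", key_id) + digest


def verify(packet, keys, trusted):
    """Verifier-side check; returns (ok, reason).

    keys    -- key id -> secret known locally (what ntp authentication-key configures)
    trusted -- set of key ids this peer accepts (what ntp trusted-key configures)
    """
    if len(packet) != 48 + 4 + 16:
        return False, "no MAC present"
    body, key_id, digest = packet[:48], struct.unpack("!I", packet[48:52])[0], packet[52:]
    if key_id not in trusted:
        return False, f"key id {key_id} not trusted"
    secret = keys.get(key_id)
    if secret is None:
        return False, f"no authentication-key for id {key_id}"
    expected = hashlib.md5(secret + body).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    return True, "authenticated"


def demo():
    """Run the four cases a practitioner hits: trusted, untrusted id, wrong secret, no MAC."""
    pkt = append_mac(ntp_header(), 1, KEYS[1])
    return {
        "trusted": verify(pkt, KEYS, {1})[0],
        "untrusted_id": verify(pkt, KEYS, {2})[0],
        "wrong_secret": verify(pkt, {1: b"other-secret"}, {1})[0],
        "unauthenticated": verify(ntp_header(), KEYS, {1})[0],
    }


if __name__ == "__main__":
    print(demo())
```

Only the "trusted" case succeeds; a packet signed with a valid but untrusted key id, a mismatched secret, or no MAC at all is rejected.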

Received on Fri Dec 09 2011 - 10:20:35 ART
