Good luck. I have seen it literally not work at all without ntp
trusted-key on both sides in some versions of code and it is pretty well
documented out there by others as well. Because of this, as a general rule
of thumb I always configure it in both places.
Petr from INE mentions this in a blog post response here as well
http://blog.ine.com/2007/12/28/how-does-ntp-authentication-work/ but like I
say, it seems to be somewhat "flaky".
On Tue, Dec 13, 2011 at 11:53 AM, Roy Waterman <roy.waterman_at_gmail.com> wrote:
> Hi Joe
>
> *ntp trusted-key* is not needed on the server side going by David's
> config (12.4 mainline).
> I believe I've also not used it on server side with 12.4(T) either,
> however ntp authentication can be pretty "finicky" :)
>
> Regards
> Roy
>
>
> On 9 December 2011 18:40, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
>
>> -What does <ntp trusted-key *id*> command provide that <ntp server
>> *ip-addr* key *id*> does not?
>>
>> "ntp server *ip* key *id*" just tells the client to point to the NTP
>> server at *ip* and to use key *id*. That authentication key still needs
>> to be trusted or "activated" for it to be useful. You must create the
>> key, AND trust the key.
>>
>>
>> -<ntp authenticate> command is only necessary for the clients, yes?
>> Yep. I don't know of a way for the server to authenticate the client in a
>> master/client relationship. You can do it with an NTP peer relationship I
>> believe.
>>
>>
>> -If NTP authentication only occurs with <ntp authenticate>, <ntp
>> trusted-key *id*> and <ntp server ip-addr key id>, why does Cisco make the
>> extra commands required? Why not just use the <ntp server *ip-addr* key
>> *id*> command?
>>
>> Because they are Cisco : ) Seriously, I understand your frustration but
>> that is just the way the code is. You must define the key and
>> specifically trust that key, even though you would clearly want to trust
>> a key you just called in the ntp server command. <shrug>
>>
>> PS. As of 12.4 I believe you must have ntp trusted-key on the server side
>> as well for NTP to sync.
>>
>>
>>
>> On Fri, Dec 9, 2011 at 10:20 AM, David Johnson <dmjohnson.intl_at_gmail.com> wrote:
>>
>> > Hi Experts,
>> > I'm sure this has been asked before, but I couldn't find it. I am
>> > looking at NTP authentication and trying to figure out what the
>> > individual commands do.
>> >
>> > *Here is what I know:*
>> > -<ntp trusted-key *id*> only has to be on the authenticating device
>> > (usually the client). If it is configured on the server, or a device
>> > without a configured <ntp server *ip-addr*> command, it will not affect
>> > authentication of any clients. The same goes for <ntp authenticate>
>> > command on servers.
>> > -Without the key *id* option in <ntp server *ip-addr*>, output from
>> > <show ntp association detail> does not say authenticated. That is true
>> > regardless of <ntp authenticate> command configured or not. From this,
>> > I gather <ntp server *ip-addr* key *id*> is needed for authentication,
>> > along with <ntp authenticate>.
>> > -For <ntp server *ip-addr* key *id*>, the key id must be included in the
>> > <ntp trusted-key *id*> command, else the NTP peer will not authenticate.
>> > You can have multiple ntp trusted keys as long as they match the server
>> > keys and include the key id configured in ntp server command.
>> >
>> > *Here is what I do not know:*
>> > -What does <ntp trusted-key *id*> command provide that <ntp server
>> > *ip-addr* key *id*> does not? While it is undoubtedly necessary for NTP
>> > authentication, I do not see why the command is necessary in providing
>> > information the other command does not.
>> > -<ntp authenticate> command is only necessary for the clients, yes? If
>> > I wanted the server to authenticate the clients, how would I go about
>> > doing that?
>> > -If NTP authentication only occurs with <ntp authenticate>, <ntp
>> > trusted-key *id*> and <ntp server ip-addr key id>, why does Cisco make
>> > the extra commands required? Why not just use the <ntp server *ip-addr*
>> > key *id*> command?
>> >
>> >
>> > I have looked this up in books and online, but cannot find the
>> > granularity of answers I am looking for. I'm sure there are a host of
>> > mistakes in my assumptions; if you could straighten me out, I would
>> > appreciate it.
>> >
>> > *Testing Information:*
>> > Below is my configuration. I tried to make it basic; the routers are
>> > directly connected, and connectivity is fine:
>> > (C2691-ADVENTERPRISEK9_SNA-M), Version 12.4(13b)
>> >
>> > ---------------------------------------------------------------------------------------
>> > *R2 Configuration v1 -- Client (without key command in ntp server ip)*
>> > ntp authentication-key 1 md5 021201481F575F 7
>> > ntp authenticate
>> > ntp trusted-key 1
>> > ntp clock-period 17179896
>> > ntp server 6.6.6.6
>> >
>> > *R2(config)#do sh ntp assoc deta*
>> > 6.6.6.6 configured, our_master, sane, valid, stratum 2
>> >
>> > *R2 Configuration v2 -- Client* *(with key command in ntp server ip)*
>> > ntp authentication-key 1 md5 021201481F575F 7
>> > ntp authenticate
>> > ntp trusted-key 1
>> > ntp clock-period 17179908
>> > ntp server 6.6.6.6 key 1
>> >
>> > *R2(config)#do sh ntp assoc deta*
>> > 6.6.6.6 configured, authenticated, our_master, sane, valid, stratum 2
>> >
>> >
>> > ---------------------------------------------------------------------------------------
>> > *R6 Configuration -- Server*
>> > ntp authentication-key 1 md5 09584B1A0D5447 7
>> > ntp authentication-key 2 md5 010703174F5956 7
>> > ntp master 2
>> >
>> >
>> > ---------------------------------------------------------------------------------------
>> >
>> > Thanks!
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> Blog: http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>>
>>
>
> --
> Regards
> Roy Waterman
> 07515963501
>
>
--
Regards,

Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan

Received on Tue Dec 13 2011 - 15:49:13 ART
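As an added example (not code from anyone in this thread), here is a small Python audit that applies the relationship the thread settles on: the key named by "ntp server *ip* key *id*" must be both defined with "ntp authentication-key" and listed under "ntp trusted-key", and the client must have "ntp authenticate". It runs over David's R2 v1, R2 v2 and R6 configs as quoted above, plus one constructed misconfiguration. The finding texts and the data structures are mine; support for the "ntp trusted-key lo - hi" range form is an assumption about newer IOS syntax (the 12.4 configs in the thread use one id per line), and the server-side warning implements Joe's rule of thumb rather than a documented IOS requirement.

```python
"""Consistency audit for Cisco IOS NTP authentication statements.

Added example for the thread above, not code from any poster.  It checks
that 'ntp server <ip> key <id>' points at a key that is both defined
('ntp authentication-key <id> ...') and trusted ('ntp trusted-key <id>'),
and that the client has 'ntp authenticate'.  The 'lo - hi' range form of
ntp trusted-key is an assumption about newer IOS syntax."""
import re
from dataclasses import dataclass, field


@dataclass
class NtpConfig:
    authenticate: bool = False
    master: bool = False
    auth_keys: set = field(default_factory=set)     # ids from ntp authentication-key
    trusted_keys: set = field(default_factory=set)  # ids from ntp trusted-key
    servers: dict = field(default_factory=dict)     # ip -> key id, or None


_AUTH_KEY = re.compile(r"^ntp authentication-key (\d+) ")
_TRUSTED = re.compile(r"^ntp trusted-key (\d+)(?:\s*-\s*(\d+))?$")
_SERVER = re.compile(r"^ntp (?:server|peer) (\S+)(?:\s.*?\bkey (\d+))?")


def parse_ntp_config(text: str) -> NtpConfig:
    """Collect the NTP statements from a running-config excerpt."""
    cfg = NtpConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            cfg.authenticate = True
        elif line.startswith("ntp master"):
            cfg.master = True
        elif m := _AUTH_KEY.match(line):
            cfg.auth_keys.add(int(m.group(1)))
        elif m := _TRUSTED.match(line):
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            cfg.trusted_keys.update(range(lo, hi + 1))
        elif m := _SERVER.match(line):
            cfg.servers[m.group(1)] = int(m.group(2)) if m.group(2) else None
    return cfg


def audit(cfg: NtpConfig) -> list[str]:
    """Return one finding per inconsistency; an empty list means the
    statements line up the way David's 'R2 Configuration v2' does."""
    findings = []
    keyed = {ip: k for ip, k in cfg.servers.items() if k is not None}
    for ip, key in cfg.servers.items():
        if key is None:
            findings.append(f"{ip}: no 'key' on the ntp server line, so the "
                            "association is never authenticated")
            continue
        if key not in cfg.auth_keys:
            findings.append(f"{ip}: key {key} has no 'ntp authentication-key {key}'")
        if key not in cfg.trusted_keys:
            findings.append(f"{ip}: key {key} is not listed under 'ntp trusted-key'")
    if keyed and not cfg.authenticate:
        findings.append("client: 'ntp authenticate' is missing, so the key on the "
                        "ntp server line is never checked")
    if cfg.master and cfg.auth_keys and not cfg.trusted_keys:
        # Joe's rule of thumb from the thread: trust the key on the server too.
        findings.append("server: keys are defined but none is trusted; add "
                        "'ntp trusted-key' on the server as well")
    return findings


# Configs quoted from David's post (R2 v1, R2 v2 and R6).
R2_V1 = """
ntp authentication-key 1 md5 021201481F575F 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179896
ntp server 6.6.6.6
"""
R2_V2 = """
ntp authentication-key 1 md5 021201481F575F 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179908
ntp server 6.6.6.6 key 1
"""
R6 = """
ntp authentication-key 1 md5 09584B1A0D5447 7
ntp authentication-key 2 md5 010703174F5956 7
ntp master 2
"""
# Constructed misconfiguration: the server line names a key that is neither
# defined nor trusted.
BROKEN = """
ntp authentication-key 1 md5 021201481F575F 7
ntp authenticate
ntp trusted-key 1
ntp server 6.6.6.6 key 3
"""

if __name__ == "__main__":
    for name, text in [("R2 v1", R2_V1), ("R2 v2", R2_V2), ("R6", R6), ("broken", BROKEN)]:
        print(name, audit(parse_ntp_config(text)) or ["ok"])
```

Run against a "show running-config | include ^ntp" capture, it reproduces what David observed: v1 yields a single "never authenticated" finding because the server line has no key, v2 is clean, and R6 only draws the rule-of-thumb warning about trusting its keys.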