NTP Authentication on Cisco IOS

This is how you can use NTP authentication on Cisco IOS to authenticate your external NTP servers, or more precisely the NTP packets they send. Although this IOS release can only handle MD5 keys and not SHA-1, you still get an authenticated NTP connection. Let’s have a look:

This article is one of many blogposts within this NTP series. Please have a look!

I am using a Cisco 2811 (revision 3.0) with IOS version 15.1(4)M12a.

Note that MD5 NTP keys are entered as ASCII strings, which Cisco IOS converts to encryption type 7 as soon as you enter the CLI command. For example, this input:

actually becomes:

Furthermore, one of my NTP keys generated by ntp-keygen was this: z?_[vI~t|udu,Lss4{=Q. Do you see the problem? I wasn’t able to use this key because of the question mark. Hence I needed to change it to another one. Hmpf.

Config

Since I am operating three different stratum 1 NTP servers with different keys (Pi w/ DCF77, Pi w/ GPS, Meinberg LANTIME M200), I have to use three different key IDs. Otherwise the NTP client couldn’t distinguish between them.

That is:

  • three authentication keys
  • enabling NTP authentication
  • trusting all three keys
  • adding the three servers with the appropriate key IDs
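To make the mechanism behind these four steps concrete, here is an added example in Python. It is not code from this post and not Cisco’s IOS implementation; it follows the symmetric-key authentication scheme of RFC 5905 (the 32-bit key ID and the 16-byte MD5 digest over key and header that are appended to the 48-byte NTP header). The client side corresponds to “ntp server … key N”, the receiver side to “ntp authenticate” plus “ntp trusted-key”. All key IDs, key values and timestamps are constructed for the demonstration.

```python
"""NTP symmetric-key authentication with MD5, as described in RFC 5905.

Added illustration for this post; it is neither the post's own code nor Cisco's
IOS implementation. All key IDs, key values and timestamps below are
constructed for the demonstration.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_HEADER_LEN = 48            # fixed NTPv4 header, RFC 5905 section 7.3
KEY_ID_LEN = 4                 # key identifier field appended after the header
MD5_MAC_LEN = 16               # MD5 digest length
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

# Constructed keys, in the spirit of "ntp authentication-key <id> md5 <string>".
# Three different key IDs so a client can tell three servers apart, as in the post.
TRUSTED_KEYS: Dict[int, bytes] = {
    1: b"ExampleKeyForDcf77Pi",
    2: b"ExampleKeyForGpsPi!!",
    3: b"ExampleKeyForMeinbrg",
}


def build_client_request(unix_time: float) -> bytes:
    """Build a minimal 48-byte NTPv4 mode-3 (client) request header."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3  # LI=0, version 4, mode 3
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    # stratum, poll, precision; then root delay, root dispersion, reference ID,
    # reference/origin/receive timestamps (zero in a request), transmit timestamp
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20, *([0] * 9), secs, frac)


def compute_mac(key: bytes, header: bytes) -> bytes:
    """Keyed digest per RFC 5905: MD5 over the key followed by the header."""
    return hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Client side ("ntp server <addr> key <key_id>"): append key ID and MAC."""
    return header + struct.pack("!I", key_id) + compute_mac(key, header)


def verify_packet(message: bytes, trusted_keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Receiver side ("ntp authenticate" + "ntp trusted-key"): returns (ok, reason)."""
    if len(message) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_MAC_LEN:
        return False, "no MD5 MAC present (unauthenticated packet)"
    header = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    mac = message[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = trusted_keys.get(key_id)  # the key ID travels in the clear and selects the key
    if key is None:
        return False, f"key ID {key_id} is not a trusted key"
    if not hmac.compare_digest(compute_mac(key, header), mac):
        return False, f"MAC mismatch for key ID {key_id} (wrong key value or tampered packet)"
    return True, f"authenticated with key ID {key_id}"


if __name__ == "__main__":
    request = build_client_request(1_700_000_000.0)  # constructed fixed time
    print(verify_packet(sign_packet(request, 1, TRUSTED_KEYS[1]), TRUSTED_KEYS))
    # Same key value but a different ID on the receiver: rejected, the ID is matched first
    print(verify_packet(sign_packet(request, 1, TRUSTED_KEYS[1]), {2: TRUSTED_KEYS[1]}))
    # Trusted ID, wrong key value: rejected
    print(verify_packet(sign_packet(request, 2, TRUSTED_KEYS[1]), TRUSTED_KEYS))
    # Header modified in flight: rejected
    tampered = bytearray(sign_packet(request, 3, TRUSTED_KEYS[3]))
    tampered[1] ^= 0x01  # flip a bit in the stratum field
    print(verify_packet(bytes(tampered), TRUSTED_KEYS))
```

Two things the example makes visible: the key value itself never goes on the wire, only the key ID and the digest, so a key that is trusted under ID 1 on one box and under ID 2 on the other will never match; and what IOS stores in the running configuration as type 7 is reversible obfuscation rather than encryption, so configuration backups containing “ntp authentication-key” lines deserve the same protection as the key strings themselves.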

Show

Listing the NTP associations without details at least reveals whether NTP is working at all, but not whether authentication succeeded:

Therefore you have to use the “detail” keyword. The first line for each NTP server then shows “authenticated”. Perfect:

Debug

For debug output you can use debug ntp packet or even debug ntp all. However, this does not show whether the packets themselves are authenticated. Sample output:

That’s it. :D

Featured image “Golden Gate Sunrise” by Bastian Hoppe is licensed under CC BY-NC-ND 2.0.

9 thoughts on “NTP Authentication on Cisco IOS”

  1. Hi Johannes,

    I have not read all posts of the series, even so I wonder, can I authenticate my stratum 1 NTP with a stratum 0 NTP?

    Best

    1. Hi Gerardo,

      a “stratum 0” is not an NTP server, but a “high-precision timekeeping devices such as atomic clocks, GPS or other radio clocks”, https://en.wikipedia.org/wiki/Network_Time_Protocol#Clock_strata

      Hence no “NTP authentication” here, since it’s not NTP running but receiving radio waves, for example.

      As far as I know you can’t authenticate these GPS/Galileo/DCF77/whatever sources via some kind of cryptographic stuff. This is why you should use three different stratum 0 sources, to minimize the attack vector, refer to: https://weberblog.net/why-should-i-run-own-ntp-servers/

      Cheers
      Johannes

    1. Hi Arnout,

      sorry, but I am not familiar with these devices. I just had a quick look at the manual of this EMC Professional 3001 NTP server, but none of your questions are answered there as well. Hm.

      Please send your questions directly to the Support team from EMC. Thanks.

      Cheers
      Johannes

  2. Question marks can be entered into passwords/etc in IOS by preceding with Control+V.

  3. Is the key # relevant for authentication? Assuming I’m configuring a switch to get time from a router, can I designate my authentication key as key #1 on the switch and Key #2 on the router and have the config work?

    Thanks!

    1. No, you MUST use the same key number along with the same key value on all involved devices. The key # is transferred in the NTP network protocol (along with the MAC) to match the corresponding key. Otherwise, the server would not know which symmetric key to use for the MAC. (The MAC in this case is the message authentication code, kind of a verification code.)

      Refer to my packet capture of NTP packets: https://weberblog.net/packet-capture-network-time-protocol-ntp/

  4. Hello Johannes,
    I am running into some problems trying to authenticate NTP servers on my Cisco ISR920:
    ntp authentication-key 1 md5 000F1F090F0A 7
    ntp authentication-key 2 md5 1102150A1C40 7
    ntp authenticate
    ntp trusted-key 1 - 2
    ntp master
    ntp update-calendar
    ntp server 0.be.pool.ntp.org key 1
    ntp server 1.be.pool.ntp.org key 2

    When I configure these last 2 ntp servers (which function fine unauthenticated) I suddenly get the error: Mar 12 11:48:39: NTP Core (ERROR): Invalid-NAK error at 1212118 84.196.74.66<-185.153.41.4

    So I have found two ntp servers which do not generate this error, namely:
    ntp server europe.pool.ntp.org key 2
    ntp server de.pool.ntp.org key 1
    But this is no real solution as they remain 'insane':
    194.25.134.196 configured, ipv4, authenticated, insane, invalid, unsynced, stratum 16
    ref ID .STEP., time 00000000.00000000 (01:00:00.000 CET Mon Jan 1 1900)
    our mode client, peer mode unspec, our poll intvl 512, peer poll intvl 1024
    root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15939.58
    delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50, jitter 0.00 msec
    precision 2**17, version 4
    assoc id 14055, assoc name de.pool.ntp.org
    assoc in packets 0, assoc out packets 24, assoc error packets 0
    org time E5D71616.66CE1170 (13:52:38.401 CET Sat Mar 12 2022)
    rec time 00000000.00000000 (01:00:00.000 CET Mon Jan 1 1900)
    xmt time 00000000.00000000 (01:00:00.000 CET Mon Jan 1 1900)
    filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
    minpoll = 6, maxpoll = 10

    Do you have a hint for what I could do? I need to move to NTP authentication as I want to activate the Autosecure and this requires NTP authentication.
    Kind regards,
    Steven

    1. Hey Steven.
      I’m sorry, but I don’t have an idea right now. Are you sure that the NTP keys are correct? Have you tested them with some other NTP clients?
      What does Cisco support say about this?
      Cheers,
      Johannes
