NTP Authentication on Cisco IOS

This is how you can use NTP authentication on Cisco IOS in order to authenticate your external NTP servers, or rather their NTP packets. Although IOS can only process MD5 and not SHA-1, you still get an authenticated NTP connection. Let’s have a look:

This article is one of many blog posts within this NTP series. Please have a look!

I am using a Cisco 2811 (revision 3.0) with IOS version 15.1(4)M12a.

Note that MD5 NTP keys are entered as ASCII strings, which Cisco IOS converts to a “7” encryption type as soon as you enter the CLI command. For example, this input:

actually becomes:

Furthermore, one of my NTP keys generated by ntp-keygen was this: z?_[vI~t|udu,Lss4{=Q. Do you see the problem? I wasn’t able to use this key because of the question mark. Hence I needed to change it to another one. Hmpf.

Config

Since I am operating three different stratum 1 NTP servers with different keys (Pi w/ DCF77, Pi w/ GPS, Meinberg LANTIME M200), I have to use three different key IDs. Otherwise the NTP client couldn’t distinguish between them.

That is:

  • three authentication keys
  • enabling NTP authentication
  • trusting all three keys
  • adding the three servers with the appropriate key IDs
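The following Python script is an added example and not part of the original post or of Cisco IOS; it shows what those four configuration steps mean on the wire. Per RFC 5905, the symmetric-key MAC an NTP client appends is the 4-byte key ID followed by MD5 over (key || 48-byte NTP header), and the receiver only accepts a packet whose key ID is both configured and trusted and whose digest matches. The key IDs, key strings and the `check_ios_key` helper are assumptions made for the example; the “?” check reflects the ntp-keygen problem described above. Note that a type 7 string in the running configuration is reversible obfuscation, not encryption, so the configuration itself must be treated as secret.

```python
import hashlib
import hmac
import struct

# Constructed key table mirroring the three
# "ntp authentication-key <id> md5 <key>" lines (hypothetical IDs and keys,
# not the author's real ones).
KEYS = {
    1: b"dcf77-pi-secret",
    2: b"gps-pi-secret",
    3: b"lantime-m200-secret",
}
# Mirrors "ntp trusted-key": only these IDs may authenticate a server.
TRUSTED = {1, 2, 3}

NTP_HEADER_LEN = 48
MD5_DIGEST_LEN = 16


def check_ios_key(key: bytes) -> None:
    """Reject a key the IOS CLI cannot take literally: '?' opens context help,
    which is why the ntp-keygen key mentioned above could not be entered."""
    if b"?" in key:
        raise ValueError("IOS CLI treats '?' as help; choose another key")


def build_client_header(stratum: int = 0) -> bytes:
    """Minimal 48-byte NTPv4 client header: LI=0, VN=4, Mode=3,
    poll=6, precision=-20; all timestamps zeroed for the example."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + b"\x00" * 44


def md5_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: MD5 over (key || NTP header)."""
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, key_id: int, keys=KEYS) -> bytes:
    """Append the 4-byte key ID and 16-byte MD5 digest, as an NTP client does
    when its server entry carries a "key <id>" clause."""
    key = keys[key_id]
    check_ios_key(key)
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def verify(packet: bytes, keys=KEYS, trusted=TRUSTED):
    """Return (ok, reason). This is the check behind the "authenticated" flag:
    the key ID must be trusted and known, and the digest must match."""
    if len(packet) != NTP_HEADER_LEN + 4 + MD5_DIGEST_LEN:
        return False, "no MD5 MAC present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    if key_id not in trusted:
        return False, f"key id {key_id} not trusted"
    if key_id not in keys:
        return False, f"key id {key_id} unknown"
    if not hmac.compare_digest(md5_mac(keys[key_id], header), digest):
        return False, f"bad MAC for key id {key_id}"
    return True, f"authenticated with key id {key_id}"


if __name__ == "__main__":
    pkt = authenticate(build_client_header(), 2)
    print(verify(pkt))                     # (True, 'authenticated with key id 2')
    print(verify(build_client_header()))   # (False, 'no MD5 MAC present')
    # Same header and digest but a different key ID: the digest no longer matches,
    # which is why each server needs its own key ID.
    forged = pkt[:48] + bytes([0, 0, 0, 3]) + pkt[52:]
    print(verify(forged))                  # (False, 'bad MAC for key id 3')
```

The `trusted` set is what `ntp trusted-key` contributes: a key that is configured but not trusted is still rejected, which is the state you get if you add the `authentication-key` line but forget the `trusted-key` line.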

Show

Listing the NTP associations without details at least reveals whether NTP is working at all, but not clearly whether authentication succeeded:

Therefore you have to use the “detail” keyword. The first line for each NTP server shows an “authenticated”. Perfect:

Debug

For debug output you can use debug ntp packet or even debug ntp all. However, this does not show whether the packets themselves are authenticated or not. Sample output:
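Because the debug output leaves out the authentication state, the added Python snippet below (not from the original post and not a Cisco tool) inspects a raw NTP packet, as you would get it from a capture, and reports whether an RFC 5905 MAC trails the 48-byte header: none, a 20-byte MD5 trailer (key ID plus 16-byte digest, which IOS can verify), a 24-byte SHA-1 trailer (which IOS cannot process), or a 4-byte crypto-NAK. The sample packets are constructed with dummy digests; the layout and field names are assumptions of the example.

```python
import struct

NTP_HEADER_LEN = 48


def inspect_ntp_packet(packet: bytes) -> dict:
    """Report header fields and whether an RFC 5905 MAC trails the header.
    Packets carrying NTPv4 extension fields (RFC 7822) are not parsed here
    and are reported as 'unknown'."""
    if len(packet) < NTP_HEADER_LEN:
        return {"error": "too short for an NTP header"}
    first = packet[0]
    info = {
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": packet[1],
        "key_id": None,
        "mac": "none",
    }
    trailer = packet[NTP_HEADER_LEN:]
    if not trailer:
        return info
    if len(trailer) >= 4:
        info["key_id"] = struct.unpack("!I", trailer[:4])[0]
    if len(trailer) == 4 and info["key_id"] == 0:
        info["mac"] = "crypto-NAK"   # key ID 0, no digest: peer rejected the key
    elif len(trailer) == 4 + 16:
        info["mac"] = "md5"          # what IOS can verify
    elif len(trailer) == 4 + 20:
        info["mac"] = "sha1"         # IOS cannot process this
    else:
        info["mac"] = "unknown"
    return info


def _server_header(stratum: int) -> bytes:
    """48-byte NTPv4 server reply header (LI=0, VN=4, Mode=4), timestamps zeroed."""
    return struct.pack("!BBbb", (4 << 3) | 4, stratum, 6, -20) + b"\x00" * 44


# Constructed sample packets (dummy digests, not real MACs):
SAMPLE_PLAIN = _server_header(1)
SAMPLE_MD5 = _server_header(1) + struct.pack("!I", 2) + b"\x11" * 16
SAMPLE_SHA1 = _server_header(1) + struct.pack("!I", 3) + b"\x22" * 20
SAMPLE_NAK = _server_header(1) + struct.pack("!I", 0)


def report(packet: bytes) -> str:
    """One-line summary of what the IOS debug output does not tell you."""
    info = inspect_ntp_packet(packet)
    if "error" in info:
        return info["error"]
    return (f"v{info['version']} mode {info['mode']} stratum {info['stratum']}: "
            f"mac={info['mac']} key_id={info['key_id']}")


if __name__ == "__main__":
    for p in (SAMPLE_PLAIN, SAMPLE_MD5, SAMPLE_SHA1, SAMPLE_NAK):
        print(report(p))
```

Seeing a key ID in the trailer only tells you that a MAC was sent, not that it verified; the “authenticated” flag in show ntp associations detail remains the place to confirm the latter.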

That’s it. :D

Featured image “Golden Gate Sunrise” by Bastian Hoppe is licensed under CC BY-NC-ND 2.0.

4 thoughts on “NTP Authentication on Cisco IOS”

  1. Hi Johannes,

    I have not read all posts of the series, even so I wonder: can I authenticate my stratum 1 NTP with a stratum 0 NTP?

    Best

    1. Hi Gerardo,

      a “stratum 0” is not an NTP server, but a “high-precision timekeeping devices such as atomic clocks, GPS or other radio clocks”, https://en.wikipedia.org/wiki/Network_Time_Protocol#Clock_strata

      Hence no “NTP authentication” here, since it’s not NTP running but receiving radio waves, for example.

      As far as I know you can’t authenticate these GPS/Galileo/DCF77/whatever sources via some kind of cryptographic stuff. This is why you should use three different stratum 0 sources, to minimize the attack vector, refer to: https://blog.webernetz.net/why-should-i-run-own-ntp-servers/

      Cheers
      Johannes

    1. Hi Arnout,

      sorry, but I am not familiar with these devices. I just had a quick look at the manual of this EMC Professional 3001 NTP server, but none of your questions are answered there as well. Hm.

      Please send your questions directly to the Support team from EMC. Thanks.

      Cheers
      Johannes
