Steven Vona
asked on
NTP authentication - cisco
We are trying to set up NTP authentication on our cisco devices and our linux machines.
Our cisco router is the time source, it gets its time from another server in corporate without authentication.
What we need is for our cisco router to get its time from the corporate source WITHOUT authentication, but server time to our internal switches and linux servers WITH authentication.
I am attaching a VERY crude drawing to help explain what we need.
I need to know how to configure our router to get unauthenticated ntp time from a source, but authenticate anything it servers out. Does this make sense?
I am told by the Cisco guy that our router is a 6504
crude-drawing.jpg
Our cisco router is the time source, it gets its time from another server in corporate without authentication.
What we need is for our cisco router to get its time from the corporate source WITHOUT authentication, but server time to our internal switches and linux servers WITH authentication.
I am attaching a VERY crude drawing to help explain what we need.
I need to know how to configure our router to get unauthenticated ntp time from a source, but authenticate anything it servers out. Does this make sense?
I am told by the Cisco guy that our router is a 6504
crude-drawing.jpg
in ntp world the client authenticates the server. the server never authenticates the clients.
ASKER
I appreciate your comments but neither help me.
Is it possible to have the network set up like the ugly drawing I posted?
Our router needs to get unauthenticated ntp data and needs to give authenticated data to the rest of the devices on the network.
Is it possible to have the network set up like the ugly drawing I posted?
Our router needs to get unauthenticated ntp data and needs to give authenticated data to the rest of the devices on the network.
let's simplify
the router is a ntp client (not authenticated)
the router is a ntp server that atuthenticates the messages with a key.
ntp client & ntp server are two separate processes.
it is possible to do it.
you need to configure the router as ntp client and then as ntp master with the desired keys.
the router is a ntp client (not authenticated)
the router is a ntp server that atuthenticates the messages with a key.
ntp client & ntp server are two separate processes.
it is possible to do it.
you need to configure the router as ntp client and then as ntp master with the desired keys.
ASKER
Thanks DanJ, that is exactly what I need. Unfortunately I am a linux administrator and that is how I understand that they are two separate processes (in linux ntpd for server and ntpdate for client).
The problem I am having is the cisco guy at work does not understand this. I was tasked with setting up ntp authentication on all our linux servers. Unfortunately our ntp servers are cisco devices and I have no control over them, or the source they receive their ntp data from. So I asked the cisco guy to setup the exact thing you mentioned above. And after 15 tries he is yet to get it right.
I was hoping you (or someone) would give me the exact commands, or close so I can pass the information off to someone with cisco enable access.
The problem I am having is the cisco guy at work does not understand this. I was tasked with setting up ntp authentication on all our linux servers. Unfortunately our ntp servers are cisco devices and I have no control over them, or the source they receive their ntp data from. So I asked the cisco guy to setup the exact thing you mentioned above. And after 15 tries he is yet to get it right.
I was hoping you (or someone) would give me the exact commands, or close so I can pass the information off to someone with cisco enable access.
ntp server:
ntp host x.x.x.x (where x.x.x.x is the update source for your ntp server...not needed though)
ntp authenticate
ntp authentication-key 1 md5 <password>
ntp client:
ntp authenticate
ntp authentication-key 1 md5 <password>
ntp host y.y.y.y key 1 (where y.y.y.y is the ip address of the server)
you can lock down the ntp further by only allowing those specific ntp clients to update by use of ACLs.
ntp host x.x.x.x (where x.x.x.x is the update source for your ntp server...not needed though)
ntp authenticate
ntp authentication-key 1 md5 <password>
ntp client:
ntp authenticate
ntp authentication-key 1 md5 <password>
ntp host y.y.y.y key 1 (where y.y.y.y is the ip address of the server)
you can lock down the ntp further by only allowing those specific ntp clients to update by use of ACLs.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
for all other devices
ntp authentication key 11 md5 NTPKEY
ntp trusted-key 11
ntp server x.x.x.x (where x.x.x.x is the 6500 chassis)
ntp authenticate
ntp authentication key 11 md5 NTPKEY
ntp trusted-key 11
ntp server x.x.x.x (where x.x.x.x is the 6500 chassis)
ntp authenticate
ASKER
Thanks, it is working now!
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008010e97e.shtml