NTP authentication - cisco

Steven Vona
Steven Vona used Ask the Experts™
We are trying to set up NTP authentication on our cisco devices and our linux machines.

Our cisco router is the time source, it gets its time from another server in corporate without authentication.

What we need is for our cisco router to get its time from the corporate source WITHOUT authentication, but server time to our internal switches and linux servers WITH authentication.

I am attaching a VERY crude drawing to help explain what we need.

I need to know how to configure our router to get unauthenticated ntp time from a source, but authenticate anything it servers out.  Does this make sense?

I am told by the Cisco guy that our router is a 6504
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

in ntp world the client authenticates the server.  the server never authenticates the clients.
I appreciate your comments but neither help me.  

Is it possible to have the network set up like the ugly drawing I posted?

Our router needs to get unauthenticated ntp data and needs to give authenticated data to the rest of the devices on the network.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

let's simplify
the router is a ntp client (not authenticated)
the router is a ntp server that atuthenticates the messages with a key.

ntp client & ntp server are two separate processes.
it is possible to do it.
you need to configure the router as ntp client and then as ntp master with the desired keys.
Thanks DanJ, that is exactly what I need.  Unfortunately I am a linux administrator and that is how I understand that they are two separate processes (in linux ntpd for server and ntpdate for client).

The problem I am having is the cisco guy at work does not understand this.  I was tasked with setting up ntp authentication on all our linux servers.  Unfortunately our ntp servers are cisco devices and I have no control over them, or the source they receive their ntp data from.  So I asked the cisco guy to setup the exact thing you mentioned above.  And after 15 tries he is yet to get it right.

I was hoping you (or someone) would give me the exact commands, or close so I can pass the information off to someone with cisco enable access.

Marius GunnerudSenior Systems Engineer
Top Expert 2013

ntp server:

ntp host x.x.x.x (where x.x.x.x is the update source for your ntp server...not needed though)
ntp authenticate
ntp authentication-key 1 md5 <password>

ntp client:

ntp authenticate
ntp authentication-key 1 md5 <password>
ntp host y.y.y.y key 1 (where y.y.y.y is the ip address of the server)

you can lock down the ntp further by only allowing those specific ntp clients to update by use of ACLs.
this is the configuration for the router

ntp authentication key 11 md5 NTPKEY
ntp trusted-key 11
ntp server x.x.x.x (where x.x.x.x is the outside source)

for all other devices

ntp authentication key 11 md5 NTPKEY
ntp trusted-key 11
ntp server x.x.x.x (where x.x.x.x is the 6500 chassis)
ntp authenticate
Thanks, it is working now!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial