Home Linux Configure NTP Authentication with Cisco IOS Devices

Configure NTP Authentication with Cisco IOS Devices

by Lakindu Jayasena
3.3K views 10 mins read
NTP Authentication with Cisco IOS

In a large enterprise network, having one time standard for all network devices is very important for management, reporting, and correlating events logged across multiple devices. The Network Time Protocol (NTP) is a UDP protocol responsible for synchronizing all devices’ system clocks in a network.

The implementation of NTP requires a client-server architecture and the NTP daemon operating in both client mode and server mode. Using NTP packets, the client and server exchange time stamp data that set up the clock on the client machine similar to the NTP server.

Why NTP Authentication?

The network time is very important because if the device’s time is inaccurate, then it would be more difficult during an examination to correlate the system logs, disruption of authentication systems, etc. So what if the time synchronization is arbitrarily changed by attackers? Hence, the use of authentication mechanisms in NTP is vital to prevent the manipulation of time information by an attacker.

There are several ways to implement authentication on NTP depending on your NTP version.

  • The older and still somewhat secure symmetric key approach, which was introduced in NTP v3 and also supports NTP v4. But the only drawback is that a secret key has to be exchanged in a safe way between servers and clients.
  • Public Key Authentication (autokey)was introduced in NTP v4 which uses public/private keypairs for the authentication process. Because this method does not provide a level of protection as expected, therefore introduced Network Time Security (NTS).

If encryption is really required, the option is to use NTS or establish an encrypted tunnel (VPN) between the NTP client and the server. However, this also affects the network delay and jitter and thus reduces the accuracy of the synchronized time.

In this article, I will show you how to install an NTP server with NTP Authentication (Symmetric Key approach) and configure the NTP client as a CISCO IOS device.

NTP Authentication Procedure

NTP authentication checks the authenticity of the NTP server before synchronizing time with the NTP server. That helps you to identify legitimate server/s from unauthorized or illegal servers. NTP authentication works with a symmetric key that was already configured by the admin in their configuration and key files. Also, the “trustedkey keyid” attribute must be mentioned in the server’s ntp.conf file and the NTP process must be started on the server side for successful authentication.

The following figure shows how the NTP authentication works.

NTP Authentication Flow
  1. The NTP server uses key-value identified by the Key ID to calculate a digest for the NTP message using a specified algorithm and send the calculated digest along with the NTP message and Key ID to the NTP client.
  2. Upon receiving the NTP packet to the NTP client, perform the following tasks.
    • Get the configured key value according to the Key ID in the NTP packet.
    • Use that key value and the same algorithm to calculate the digest.
    • Compares the generated digests with the digest contained in the NTP packet. If they are different, the NTP client simply discards the packet and if it is the same, accepts the packet and creates the NTP session.

Let’s Install & Configure NTP Server

Install the NTP server

Update the System Repositories and install the NTP server.

sudo apt update -y
sudo apt install ntp 

To verify that NTP has been successfully installed, run the command.

sntp --version

Configure NTP Server Pools

The default NTP server configuration comes with NTP pool servers in the /etc/ntp.conf file. However, you may change the default NTP server pools closest to your location. The following link directs you to a page where you can select your most preferred NTP pool list.

NTP Pool Servers

In this article, I’m using the NTP pools located in Asia (asia.pool.ntp.org) as shown below.

Configure NTP Server Pools

Configure NTP Authentication

NTP authentication is very easy to configure you only need to generate some NTP keys and trust them in your ntp.conf configuration file.

Using the following command line tool you can generate a symmetric keys file containing 10 MD5 and SHA (if OpenSSL is available). I’m running this command on the /etc/ directory and that generates a key file as well as a link called “ntp.keys”.

sudo su -
cd /etc/
ntp-keygen -M
Generate NTP Authentication Keys

Once you generate the NTP keys, you can see them as follows.

List Generated NTP Authentication Keys

The next step is to enable NTP authentication by telling the NTP server which key file to use and which keys to trust inside the /etc/ntp.conf file.

keys /etc/ntp.keys        # path for keys file
trustedkey (1 ... 10)     # define trusted keys

Once you have done the above changes, restart the NTP service and verify its status by the following commands.

sudo systemctl restart ntp
sudo systemctl status ntp

That’s it about the configuration of the NTP server with authentication. You can now use those generated keys on your NTP clients to authenticate with a trusted NTP server.

Configure Cisco IOS Device as NTP Client

As an NTP client, I am using a Cisco 2960 device with IOS version 15.2(2).

To define an authentication key for NTP, use the following command in the Cisco device’s global configuration mode. Also, the message authentication support is provided using the MD5 algorithm, and the key type md5 is the only key type supported here.

Switch(config)#ntp authentication-key 2 md5 )5{Euq0)~9G3F45`Sb&N
Keep in mind to avoid using the md5 key with question mark character (?), because I wasn’t able to use the first key because of the question mark.

Now enter the following commands in the same prompt.

#enabling NTP authentication
Switch(config)#ntp authenticate

#The ntp trusted-key command provides protection against accidentally synchronizing the device to a NTP server that is not trusted.
Switch(config)#ntp trusted-key 2
                         
#adding the NTP server with the appropriate key ID
Switch(config)#ntp server 192.168.100.70 key 2 prefer

Once you are done with the above configuration on your Cisco IOS device, you can see it on the running configuration as follows.

Note that MD5 NTP keys are ASCII strings that are converted to a “7” encryption type when sending the CLI command on a Cisco IOS device.
Switch#show running-config | include ntp
NTP Client Configuration Commands on Cisco IOS Device

The clock is now synchronized. You can verify it by the following command.

Switch#show ntp status
Show the NTP Status on Cisco Device

Troubleshooting and Debugging

You can list the NTP associations with details to see the authentication status. The first line for each NTP server shows an “authenticated”.

Show the NTP Association Details on Cisco Device

Furthermore, you can refer to the following link for troubleshooting and debugging steps.

Network Time Protocol (NTP) Issues Troubleshooting and Debugging Guide

Conclusion

NTP is a well-known and efficient protocol to ensure your systems are always synchronized with the correct time; also, the use of authentication mechanisms in NTP is essential to prevent the manipulation of time information by an attacker. Authentication establishes the authenticity of a packet’s source, whereas encrypting the contents of the NTP packets is not necessarily required because it only contains time information, which isn’t really sensitive in itself.

Related Articles

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.