Blog |Follow Nick on Twitter| About
 

NTP Authentication is a recommended best security practice; there are a lot of documents out there on how to setup NTP authentication between two Cisco IOS devices but anything between Cisco and LINUX is few and far between.

I have setup a LINUX Server (Redhat/CentOS) box, that will act as an upstream proxy to pool.ntp.org. NTP authentication will be enabled on the LINUX box so that the downstream Cisco IOS box (router/switch) can be configured with authentication.

CentOS Server config

Start with installing and starting NTP.

sudo yum install ntpd
sudo systemctl start  ntpd.service

... don't forget to open the firewall...

sudo firewall-cmd --permanent --zone=public --add-port=123/udp

Next, add a key to /etc/ntp/keys...

# For more information about this file, see the man page ntp_auth(5).
#
# id    type    key
1 M Cisco123

What I've done here is, add a key with id 1 that is type MD5 (authentication), the key is Cisco123

Now, setup /etc/ntp.conf, below is an example of a minimal config (with comments removed, backup your original).

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

restrict 1.1.1.0 mask 255.255.255.252 nomodify notrap
restrict 2.2.2.0 mask 255.255.255.252 nomodify notrap

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

keys /etc/ntp/keys
trustedkey 1

disable monitor

Take note of two things.

  1. trustedkey 1 must match the ID in /etc/ntp/keys
  2. restrict 1.1.1.0 mask 255.255.255.252 nomodify notrap this says that any client (i.e IOS router) in the 1.1.1.0/30 network can query out CentOS time server

Restart NTP to make the changes effective.

sudo systemctl restart  ntpd.service

Use ntpq to check its working...

[nick@CentOS7 ~]$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.as34288.ne 85.158.25.72     2 u   31   64  377   56.363  -52.207  15.576
+ntp.coreless.ne 77.40.226.114    2 u   30   64  377   64.117  -45.444  10.966
-fra94-1-78-193- 212.83.158.83    3 u   23   64  377   42.197  -44.928  10.275
+dn3t.de         129.69.1.153     2 u   98   64  376   44.418  -42.061   7.436
[nick@CentOS7 ~]$

Don't move onto the IOS box until ntpq shows a * next to one of the upstream servers. You need clocks sync'd on the linux box before the IOS one will work. It should take at least 5 minutes to sync up; if you are having issues, manually set the linux clock to within a minute and restart the NTP service.

Cisco IOS Config

My Cisco router is 1.1.1.1, my linux server is 1.1.1.2, make sure both boxes can ping each other ;-)

The router config is...

ntp authentication-key 1 md5 Cisco123
ntp trusted-key 1
ntp server 1.1.1.2 key 1
ntp authenticate

Take note of the order! I wasted loads of time troubleshooting the debug error NTP Core(INFO): 1.1.1.2 C01C 8C bad_auth no key because the command order is fussy

You can check it's working with the show ntp association commands... notice on the detailed version is says authenticated

R1#show ntp as

  address         ref clock       st   when   poll reach  delay  offset   disp
*~1.1.1.2         81.94.123.17     3     41     64     7 16.017  -4.263  1.893
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#show ntp as detail
1.1.1.2 configured, ipv4, authenticated, our_master, sane, valid, stratum 3
ref ID 81.94.123.17   , time D9104931.F7121393 (13:46:25.965 UTC Wed May 27 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 56.70 msec, root disp 63.87, reach 7, sync dist 6302.70
delay 16.01 msec, offset -4.2633 msec, dispersion 1.89, jitter 6199.94 msec
precision 2**24, version 4
assoc id 42451, assoc name 1.1.1.2
assoc in packets 40, assoc out packets 42, assoc error packets 0
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rec time D91049C8.3C62C714 (13:48:56.235 UTC Wed May 27 2015)
xmt time D91049C8.3C62C714 (13:48:56.235 UTC Wed May 27 2015)
filtdelay =   107.76   51.78   16.01   19.97   23.99   19.84   32.00   43.89
filtoffset = 16398.9   76.43   -4.26   -1.38   22.31   27.85   22.48    8.67
filterror =     0.00    0.99    1.87    1.90    1.93    1.96    1.99    2.02
minpoll = 6, maxpoll = 10

R1#

Footnote

NTP authentication is one way, the client authenticates the response from the server, so authentication is optional.

I also have another router (2.2.2.2) talking to the CentOS linux server (1.1.1.2) with a default config....

ntp server 1.1.1.2

And it works just fine...

R2#show ntp as

  address         ref clock       st   when   poll reach  delay  offset   disp
*~1.1.1.2         81.94.123.17     3     18     64     1 39.632  -1.911 187.61
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R2#
R2#
R2#show ntp as det
1.1.1.2 configured, ipv4, our_master, sane, valid, stratum 3
ref ID 81.94.123.17   , time D9104B06.F4F12334 (13:54:14.956 UTC Wed May 27 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 47.43 msec, root disp 55.89, reach 1, sync dist 322.40
delay 39.63 msec, offset -1.9110 msec, dispersion 187.61, jitter 34.98 msec
precision 2**24, version 4
assoc id 48023, assoc name 1.1.1.2
assoc in packets 8, assoc out packets 8, assoc error packets 0
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rec time D9104B96.A0AFE3F2 (13:56:38.627 UTC Wed May 27 2015)
xmt time D9104B96.A0AFE3F2 (13:56:38.627 UTC Wed May 27 2015)
filtdelay =    76.05   48.05   39.83   56.03   39.85   39.63    0.00    0.00
filtoffset =   64.31   33.05    5.55   17.13  -11.56   -1.91    0.00    0.00
filterror =     0.00    0.03    0.06    0.09    0.12    0.15 16000.0 16000.0
minpoll = 6, maxpoll = 10

R2#

So make sure your clients have authentication enabled.

 

 
Nick Bettison ©