How to Configure NTP with authentication

We are going to configure NTP Authentication on router R5 and R6 with router R5 being the time server.
Configure such that router R6 has a stratum level of 5. Use the password ‘time’ for your authentication.

For this step we are going to configure R5 to be our NTP master.

We are then going to configure R6 to use R5 as its authenticated time server.

First we will set the clock on R5.

This is done under the enable mode, not under the config mode. Remember that the time is entered as military time, based on a 24 hour clock.

R5#clock set 13:39:00 1 Aug 2007

Now that the clock is set we want R5 to act as the NTP master. We are told that R6 should have a stratum of 5. In order for R6 to have a stratum of 5 our master will need a stratum of 4. Anyone who gets the time off of the master will have the master’s stratum plus 1.

R5(config)#ntp master 4

Then we are going to set R6 to use R5 as its time server. We can point to any reachable IP address on R5, we suggest that you use a Loopback interface if possible since Loopbacks never flap.

R6(config)#ntp server

We do not have any authentication configured yet, but we should check to make sure our NTP is synchronized before adding it.
We can check to make sure R6 is synchronized with R5 by issuing the show ntp status command.

R6#show ntp status
Clock is synchronized, stratum 5, reference is
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CA5B0BC7.0E24598C (13:40:23.055 UTC Wed Aug 1 2007)
clock offset is -0.6770 msec, root delay is 89.63 msec
root dispersion is 3.30 msec, peer dispersion is 2.58 msec

Now that we know our NTP is synchronizing we can go ahead and add the authentication. NTP authentication is a little different than most. For NTP authentication it is the client that authenticates the master, not the other way around. The master only need to be told the authentication-key that it will use and nothing else. We will configure the authentication-key on R5 using the specified password of ‘time’.

R5(config)#ntp authentication-key 1 md5 time

The majority of the authentication commands go on the client, R6. We need to tell R6 to authenticate and what authentication-key to use

R6(config)#ntp authenticate
R6(config)#ntp authentication-key 1 md5 time

We then need to tell R6 to only accept the server if it uses key 1 – the same key number we are specifying in the authentication-key command. This command will override the original ntp server command.

R6(config)#ntp server key 1

Finally on R6 we need to tell it to only trust key 1.

R6(config)#ntp trusted-key 1

Now that we have our NTP authentication configured we can check to make sure it is working by issuing the show ntp associations detail command on R6.

R6#show ntp associations detail configured, authenticated, our_master, sane, valid, stratum 16
ref ID, time CA5B0BED.06292161 (13:41:01.024 UTC Wed Aug 1 2007)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 376, sync dist 48.813
delay 89.68 msec, offset -4.3660 msec, dispersion 3.95
precision 2**18, version 3
org time CA5B0C47.05C2F056 (13:42:31.022 UTC Wed Aug 1 2007)
rcv time CA5B0C47.1B3444A9 (13:42:31.106 UTC Wed Aug 1 2007)
xmt time CA5B0C46.F706E1D6 (13:42:30.964 UTC Wed Aug 1 2007)
filtdelay =    89.68   89.63   89.84  118.70  114.38   93.61  110.18  108.02
filtoffset =   -4.37   -0.68   -0.85  -14.94  -12.91   -2.53    9.75   -9.48
filterror =     0.03    1.01    1.02    1.04    1.05    1.07    1.08    1.10

A Networker Blog


2 thoughts on “How to Configure NTP with authentication

  1. After reading through this article, I just feel that I really need more info. Can you share some more resources please?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s