In networks with high security requirements, enable the authentication function when running NTP. Authentication verifies the packets exchanged between the NTP clock service requester and the clock service provider, ensuring that the requester synchronizes only with a valid time source and improving network security.
Configuration Condition
To configure the NTP authentication function, first complete the following tasks:
- Configure the network layer address of the interface so that the NTP clock service requester and the clock service provider are reachable at the network layer.
- Enable NTP on the NTP clock service provider.
Configure NTP Client/Server Authentication
When configuring the NTP client/server authentication, it is necessary to enable the authentication function on the client and server, configure the authentication key, set the authentication key as the trusted key, and specify the key associated with the server on the client.
Perform the following configuration on the NTP client.
Table 4-10 Configure the NTP client authentication

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enable the NTP authentication function | ntp authenticate | Mandatory. By default, the NTP authentication function is not enabled. |
| Configure the authentication key | ntp authentication-key key-number md5 {0 plain-key \| 7 cipher-key} | Mandatory. By default, no authentication key is configured. |
| Configure the specified key as the trusted key | ntp trusted-key key-number | Mandatory. By default, no trusted key is specified. |
| Specify the key associated with the server | ntp server [ vrf vrf-name ] { ip-address \| domain-name \| ipv6 ipv6-address } [ version version \| source interface-name ] key key-number | Mandatory |

Perform the following configuration on the NTP server.
Table 4-11 Configure the NTP server authentication

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enable the NTP authentication function | ntp authenticate | Mandatory. By default, the NTP authentication function is not enabled. |
| Configure the authentication key | ntp authentication-key key-number md5 {0 plain-key \| 7 cipher-key} | Mandatory. By default, no authentication key is configured. |
| Specify the key as the trusted key | ntp trusted-key key-number | Mandatory. By default, no trusted key is specified. |

- The server and client need to be configured with the same authentication key.
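
What the client/server steps above establish on the wire, as an added example (not vendor code): standard NTP symmetric-key authentication (RFC 5905) appends a 32-bit key ID and an MD5 digest of key plus header to each packet, and the receiver accepts the packet only if that key ID is configured, trusted, and produces the same digest. The sketch assumes the device follows this standard scheme; the function names, return strings and key values are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header; the MAC follows it
MAC_LEN = 4 + 16      # 32-bit key ID + 128-bit MD5 digest


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MD5(key || header), as in NTP symmetric-key auth."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict, trusted: set) -> str:
    """Return 'ok' or the reason an authenticating receiver drops the packet."""
    if len(packet) == NTP_HEADER_LEN:
        return "no-mac"                      # unauthenticated packet
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return "bad-length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return "unknown-key"                 # no "ntp authentication-key" for it
    if key_id not in trusted:
        return "untrusted-key"               # configured, but no "ntp trusted-key"
    expected = hashlib.md5(keys[key_id] + header).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad-digest"


# Constructed sample: a mode-4 (server) NTPv4 header with zeroed timestamps.
HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)
SERVER_KEYS = {10: b"Constructed-Key-10"}                 # server: key 10
CLIENT_KEYS = {10: b"Constructed-Key-10", 20: b"other"}   # client: keys 10, 20
CLIENT_TRUSTED = {10}                                     # only key 10 trusted

if __name__ == "__main__":
    reply = sign(HEADER, 10, SERVER_KEYS[10])
    print(verify(reply, CLIENT_KEYS, CLIENT_TRUSTED))                       # ok
    print(verify(sign(HEADER, 10, b"wrong"), CLIENT_KEYS, CLIENT_TRUSTED))  # bad-digest
    print(verify(sign(HEADER, 20, b"other"), CLIENT_KEYS, CLIENT_TRUSTED))  # untrusted-key
    print(verify(HEADER, CLIENT_KEYS, CLIENT_TRUSTED))                      # no-mac
```

The `keys` dictionary corresponds to `ntp authentication-key`, the `trusted` set to `ntp trusted-key`, and the key ID passed to `sign` to the `key key-number` argument of `ntp server`.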
Configure NTP Peer Authentication
When configuring the NTP peer authentication, it is necessary to enable the authentication function on the active peer and passive peer, configure the authentication key, set the authentication key as the trusted key, and specify the key associated with the passive peer on the active peer.
Perform the following configuration on the NTP active peer.
Table 4-12 Configure the NTP active peer authentication

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enable the NTP authentication function | ntp authenticate | Mandatory. By default, the NTP authentication function is not enabled. |
| Configure the authentication key | ntp authentication-key key-number md5 {0 plain-key \| 7 cipher-key} | Mandatory. By default, no authentication key is configured. |
| Specify the key as the trusted key | ntp trusted-key key-number | Mandatory. By default, no trusted key is specified. |
| Specify the key associated with the passive peer | ntp peer [ vrf vrf-name ] ip-address \| domain-name \| ipv6 ipv6-address [ version version \| source interface-name ] key key-number | Mandatory |

Perform the following configuration on the NTP passive peer.
Table 4-13 Configure the NTP passive peer authentication

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enable the NTP authentication function | ntp authenticate | Mandatory. By default, the NTP authentication function is not enabled. |
| Configure the authentication key | ntp authentication-key key-number md5 {0 plain-key \| 7 cipher-key} | Mandatory. By default, no authentication key is configured. |
| Specify the key as the trusted key | ntp trusted-key key-number | Mandatory. By default, no trusted key is specified. |

- The active peer and passive peer need to be configured with the same authentication key.
Configure NTP Broadcast Authentication
When configuring the NTP broadcast authentication, it is necessary to enable the authentication function on the broadcast client and broadcast server, configure the authentication key, set the authentication key as the trusted key, and specify the key associated with the broadcast server.
Perform the following configuration on the NTP broadcast client.
Table 4-14 Configure the NTP broadcast client authentication

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enable the NTP authentication function | ntp authenticate | Mandatory. By default, the NTP authentication function is not enabled. |
| Configure the authentication key | ntp authentication-key key-number md5 {0 plain-key \| 7 cipher-key} | Mandatory. By default, no authentication key is configured. |
| Specify the key as the trusted key | ntp trusted-key key-number | Mandatory. By default, no trusted key is specified. |

Perform the following configuration on the NTP broadcast server.
Table 4-15 Configure the NTP broadcast server authentication

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enable the NTP authentication function | ntp authenticate | Mandatory. By default, the NTP authentication function is not enabled. |
| Configure the authentication key | ntp authentication-key key-number md5 {0 plain-key \| 7 cipher-key} | Mandatory. By default, no authentication key is configured. |
| Specify the key as the trusted key | ntp trusted-key key-number | Mandatory. By default, no trusted key is specified. |
| Enter the interface configuration mode | interface interface-name | - |
| Specify the key associated with the broadcast server | ntp broadcast-server [ version version-number ] key key-number | Mandatory |

- The broadcast server and broadcast client need to be configured with the same authentication key.