NTP can be configured to provide cryptographic authentication of messages with the clients/peers and with the upstream time server.
NTP supports a symmetric key scheme for authentication. The scheme uses either the MD5 or the SHA1 authentication algorithm. The key-id and the calculated digest together form the Message Authentication Code (MAC). When authentication is enabled on the server, the client's request message is expected to carry a valid MAC. If authentication of the client message fails, NTP replies with a crypto-NAK packet.
device(config)# ntp authenticate
To define an authentication key for NTP, use the authentication-key command. To remove the authentication key for NTP, use the no form of this command.
device(config)# ntp authentication-key 10 sha1 teststring encryption-level 0
Full Syntax: [no] ntp authentication-key <key-id> <Auth-Type sha1/md5> <Auth-String> encryption-level <0/7>
The valid range for the key-id parameter is 1 to 65535.
Key type is either SHA1 or MD5. SHA1 specifies message authentication support provided using the SHA1 algorithm; MD5 uses the Message Digest 5 Algorithm.
Auth String: the secret key string.
Encryption level 0/7: 0 is clear text, 7 is encrypted text.
Note
To add a key as a trusted key, it must first be configured as an authentication-key.
device(config)# [no] ntp trusted-key 10 20
Full syntax: [no] ntp trusted-key <key-id-list>
Key-id: The allowed range is 1-65535.
A maximum of 10 trusted keys can be configured, and must be configured under the ntp authentication-key command.
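The MAC check described above, as an added Python example that is not part of the original documentation or the device's code. It assumes the standard NTP symmetric-key construction (4-byte key-id followed by hash(secret || header), as in RFC 5905) and treats a missing MAC or an untrusted key-id as an authentication failure; key 10 reuses the sample values from this page, key 20 and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed key table, mirroring "ntp authentication-key <key-id> <sha1|md5> <auth-string>".
KEYS = {10: ("sha1", b"teststring"), 20: ("md5", b"constructed-md5-secret")}
TRUSTED = {10}      # mirrors "ntp trusted-key 10"; key 20 is defined but not trusted
DIGEST_LEN = {"md5": 16, "sha1": 20}
HEADER_LEN = 48     # fixed NTP header; this example carries no extension fields


def compute_mac(header: bytes, key_id: int) -> bytes:
    """MAC = 4-byte key-id followed by hash(secret || header)."""
    algo, secret = KEYS[key_id]
    digest = hashlib.new(algo, secret + header).digest()
    return struct.pack("!I", key_id) + digest


def crypto_nak(header: bytes) -> bytes:
    """Crypto-NAK: the header followed by a 4-byte key-id of zero and no digest."""
    return header + struct.pack("!I", 0)


def check_request(packet: bytes) -> str:
    """Classify a client request as an authenticating server would."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(header) < HEADER_LEN or len(mac) < 4:
        return "crypto-NAK"                  # truncated packet or no MAC at all
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in KEYS or key_id not in TRUSTED:
        return "crypto-NAK"                  # unknown or untrusted key-id
    if len(mac) != 4 + DIGEST_LEN[KEYS[key_id][0]]:
        return "crypto-NAK"                  # digest length does not match key type
    expected = compute_mac(header, key_id)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return "ok" if hmac.compare_digest(mac, expected) else "crypto-NAK"


def client_request(key_id: int) -> bytes:
    """Constructed client packet: LI=0, VN=4, Mode=3, remaining fields zero."""
    header = bytes([0x23]) + bytes(HEADER_LEN - 1)
    return header + compute_mac(header, key_id)


if __name__ == "__main__":
    print(check_request(client_request(10)))   # trusted SHA1 key
    print(check_request(client_request(20)))   # configured but untrusted MD5 key
```

A request signed with key 20 carries a correct digest but is still rejected, because the key-id is not in the trusted list.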