Network Time Protocol Authentication

NTP supports symmetric key scheme for authentication. The scheme uses either MD5 or SHA1 authentication algorithms. The key-id and the calculated digest form the Message Authentication Code (MAC). When authentication is enabled on the server, it is expected that the client's request message has a valid MAC. If authentication of the client message fails, NTP replies with a crypto-NAK packet.

Enabling NTP authentication

To enable NTP strict authentication, use the authenticate command. To disable the function, use the no form of this command.
device(config)# ntp authenticate
Syntax: [no] ntp authenticate

Defining an authentication key

To define an authentication key for NTP, use the authentication-key command. To remove the authentication key for NTP, use the no form of this command.

device(config)# ntp authentication-key 10 sha1 teststring encryption-level 0
Full Syntax: [no] ntp authentication-key <key-id> <Auth-Type sha1/md5> <Auth-String> encryption-level <0/7>

The valid key-id parameter is 1 to 65535.

Key type is either SHA1 or MD5. SHA1 specifies message authentication support provided using SHA1 algorithm; MD5 uses the Message Digest 5 Agorithm.

Auth String; secret key string.

Encryption level 0/7; 0 is clear text, 7 is encrypted text.

NTP Trusted Keys

Trusted keys are a set of keys within the set of configured keys used to synchronize a device to a trusted server, and prevent synchronization with an non-trusted device. While it is possible to synchronize a server to a client with only an Authentication key, synchronizing a client to a server requires that an NTP Authentication is enabled on both the client and server, and the same trusted keys be specified on each device. The keys configured for server/peer are implicitly considered trusted keys.
Note

Note

To add a key as trusted key, it must first configured as an authentication-key.
device(config)# [no] ntp trusted-key 10 20
Full syntax: [no] ntp trusted-key <key-id-list>

Key-id: The allowed range is 1-65535.

A maximum of 10 trusted keys can be configured, and must be configured under the ntp authentication-key command.