RE: NTP Authentications

From: Tracy Blackmore (TracyB@xxxxxxxxx)
Date: Wed Nov 15 2000 - 23:44:50 GMT-3


   
Don't feel bad, I confused myself too. Ok;

1 - Yes. If the client has authentication configured with a key, it will
only accept time from a master or peer with the same key.
2 - Client without authentication configured will accept time from any
master or peer.
3 - peer mode - This is just saying that the client can also be a provider
of time to other peers. It will change its clock per peer suggestion as
well as suggest to other peers. Some implementations of NTP peering will
have the peers both change their clocks towards the difference between them
in small increments. A server will NOT change its clock per client request.
It serves time only and thinks that it is always correct.
4 - CCO isn't too bad. NTP is in the System Management area of the
Configuration Fundamentals for your IOS.

Tracy W. Blackmore
T.S. Lad Consulting
1026 E Stanford Ave.
Gilbert, AZ., 85234
(480)558-0472

                -----Original Message-----
                From: Ramil [mailto:Ramil@SkiBuff.com]
                Sent: Thursday, November 16, 2000 7:08 AM
                To: Sam Munzani; Tracy Blackmore
                Cc: ccielab@groupstudy.com
                Subject: Re: NTP Authentications

                You guys confused me.

                So let me get this straight. Based on your conversations:

                1 -- Client(with key) gets the time only from Master(with matching key).

                2 -- Client(without key) gets time from anyone running NTP service including
                the Master(with key).

                3 -- Peer mode? Did I miss something? Can you provide configs?

                4 -- Is this on the Documentation CD and can be easily figured out?

                Hey Sam? You're up at bat sometime soon, right? I'm going to miss your
                posts WHEN you get your numbers! I'd wish you luck but I don't think you'll
                need it. Like was there any doubt Jack Heney was going to have any problems
                judging from his multitude of posts.>:-[

                ----- Original Message -----
                From: "Sam Munzani" <sam@munzani.com>
                To: "Tracy Blackmore" <TracyB@TSLAD.com>
                Cc: <ccielab@groupstudy.com>
                Sent: Wednesday, November 15, 2000 9:24 AM
                Subject: Re: NTP Authentications

> Thanks Tracy,
>
> Now I understand how it works. I always thought in order to get time from
> master, client has to authenticate. Otherwise it will not get its time.
> It's not like that. However in peer mode both peers have to authenticate in
> order to adjust each other's time.
>
> Regards,
> Sam
>
>
> > Ok, I'll eat some crow! If you have a master coded, it will provide time to
> > any client. When you add in the key values to the client, it will ONLY
> > accept the time from a master (or peer) that has the key as well. In normal
> > NTP servers, you can also require that the clients authenticate to the
> > master but it doesn't look like Cisco's implementation has that ability.
> > Sorry for the confusion.
> >
> > The master should read:
> >
> > Ntp authenticate
> > Ntp authentication-key 1 md5 keyname
> > Ntp master
> >
> > The client will be:
> >
> > Ntp authenticate
> > Ntp authentication-key 1 md5 keyname
> > Ntp server x.x.x.x key 1
> >
> > Tracy W. Blackmore
> > T.S. Lad Consulting
> > 1026 E Stanford Ave.
> > Gilbert, AZ., 85234
> > (480)558-0472
> >
> > -----Original Message-----
> > From: Sam Munzani [mailto:sam@munzani.com]
> > Sent: Tuesday, November 14, 2000 10:51 AM
> > To: Tracy Blackmore
> > Subject: Re: NTP Authentications
> >
> > << File: r6.TXT >> << File: r3.TXT >> << File: r2.TXT >>
> > O.K. Here it comes.
> > R6 is NTP master, I am using authentication on R2 with R6 and not using any
> > authentication on R3 to get time from R6.
> >
> > R3 still gets time without any authentication keys.
> >
> > Sam
> > ----- Original Message -----
> > From: "Tracy Blackmore" <TracyB@TSLAD.com>
> > To: "'Sam Munzani'" <sam@munzani.com>
> > Sent: Monday, November 13, 2000 4:01 AM
> > Subject: RE: NTP Authentications
> >
> >
> > > Without seeing your config, it's hard to say. If you have the following, it
> > > should work (I have 11.2(23)).
> > >
> > > NTP AUTHENTICATE
> > > NTP AUTHENTICATION-KEY xx MD5 key
> > > NTP TRUSTED-KEY xx
> > >
> > > Once I configured the client, I had to reload it but it didn't work without
> > > the lines above.
> > >
> > > -----Original Message-----
> > > From: Sam Munzani [mailto:sam@munzani.com]
> > > Sent: Monday, November 13, 2000 2:18 PM
> > > To: ccielab@groupstudy.com
> > > Subject: NTP Authentications
> > >
> > >
> > > Hi Guys,
> > >
> > > This is discussed on group so many times but there is no definite answer on
> > > archives.
> > >
> > > 1. NTP master serves time to authenticated clients only. All non
> > > authenticated clients should not get time from master.
> > >
> > > I tried and it gets time even if you have wrong authentication key on
> > > client. Any catch in this one?
> > >
> > > Sam
>
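
Added example, not part of any message in this thread and not Cisco's code: a simplified Python model of the behaviour the thread settles on, where the master answers every request and the accept/reject decision is made on the client by checking the MD5 MAC appended to the reply. The key string "keyname" and key number 1 come from the configs quoted above; the packet bytes are constructed, and the model's server does not verify the request's own MAC (an assumption of this sketch).

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header; the MAC (4-byte key ID + MD5 digest) follows

def add_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MD5(key || header), the NTP symmetric-key MAC."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def server_reply(request: bytes, server_keys: dict) -> bytes:
    """Model master: always answers; adds a MAC only if asked with a key it has."""
    header = bytes([0x1C]) + request[1:HEADER_LEN]  # LI=0, VN=3, mode 4 (server)
    if len(request) >= HEADER_LEN + 4:
        (key_id,) = struct.unpack("!I", request[HEADER_LEN:HEADER_LEN + 4])
        if key_id in server_keys:
            return add_mac(header, key_id, server_keys[key_id])
    return header  # unauthenticated clients still get time

def client_accepts(reply: bytes, trusted_keys: dict, authenticate: bool) -> bool:
    """Model client: auth off accepts anything; auth on needs a valid trusted MAC."""
    if not authenticate:
        return True
    if len(reply) != HEADER_LEN + 20:
        return False  # no MAC on the reply
    header, mac = reply[:HEADER_LEN], reply[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False  # key ID is not in the client's trusted set
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])

# Constructed sample: a mode-3 (client) request header, all other fields zero.
REQUEST = bytes([0x1B]) + bytes(HEADER_LEN - 1)
MASTER_KEYS = {1: b"keyname"}

def scenarios() -> dict:
    plain = server_reply(REQUEST, MASTER_KEYS)
    signed = server_reply(add_mac(REQUEST, 1, b"keyname"), MASTER_KEYS)
    return {
        "no_auth_client": client_accepts(plain, {}, authenticate=False),
        "matching_key": client_accepts(signed, {1: b"keyname"}, authenticate=True),
        "wrong_key": client_accepts(signed, {1: b"wrongkey"}, authenticate=True),
        "auth_client_plain_reply": client_accepts(plain, {1: b"keyname"}, authenticate=True),
    }
```
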


