For things like this, always do a debug.

UDP is one way, but the client has to inform the NTP server that it wants to
receive time from the server, as this is done by default using unicast packets,
not broadcast/multicast.  The client will request time, sending its password
to hash the request.  It will expect to receive the response back with the
server hashing the response with the same password.  If the server doesn't
respond in kind, you will get an error in the debug: "CRYPTO-NAK".

If the client is not configured for authentication and the server is, the
server will not hash the traffic to the client.  The client must make the
request first with the password for the server to answer back with the
password.  At least this is the case with 12.4(24)T4.

With NTP peer be aware that both peers must have a valid NTP source before
they will form a peer relationship with each other.  Each must first be
configured with a valid NTP server.

Take the password off the server and you will see an error about invalid
authentication.

R1(config)#
.Jan 21 15:34:23.904: NTP message sent to 4.4.4.4, from interface
'FastEthernet0/0' (192.1.14.1):
.Jan 21 15:34:23.904: NTP recv pkt on v4 socket, pak = 0x48C4A86C.
.Jan 21 15:34:23.904: NTP message received from 4.4.4.4 on interface
'FastEthernet0/0' (192.1.14.1):
.Jan 21 15:34:23.904: NTP Core(DEBUG): ntp_receive: message received
.Jan 21 15:34:23.904: NTP Core(DEBUG): ntp_receive: peer is 0x473D1B58, next
action is 1.
.Jan 21 15:34:23.904: NTP Core(NOTICE): ntp_receive: dropping message:
crypto-NAK.
R1(config)#

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tsc...@ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

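The exchange described in the reply above (client sends a key ID plus a hash, server answers hashed with the same key, or with a crypto-NAK) modelled in Python as an added example; this is not code from the thread, from Cisco IOS or from ntpd. It assumes the RFC 5905 symmetric-key format (32-bit key ID followed by MD5 over key || 48-byte header) and represents a crypto-NAK as a 4-byte MAC field holding key ID 0, as the reference implementation does. The key table, key ID 1 and key string "cisco" are constructed for the demonstration. It goes slightly beyond the reply by also covering the unauthenticated-client case and a request hashed with the wrong key.

```python
# Added example (not from the mailing-list thread): a model of NTP symmetric-key
# authentication as described in the reply above. Key IDs, key strings and the
# trusted_keys table are constructed for the demonstration.
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

NTP_HEADER_LEN = 48        # fixed NTPv4 header (RFC 5905)
MODE_CLIENT, MODE_SERVER = 3, 4


@dataclass
class NtpPacket:
    header: bytes
    key_id: Optional[int]      # None when the packet carries no MAC
    digest: Optional[bytes]    # MD5 digest, None for a bare key ID
    crypto_nak: bool           # 4-byte MAC field with key ID 0


def build_header(mode: int, stratum: int = 0, tx_timestamp: int = 0) -> bytes:
    """Minimal 48-byte NTPv4 header: LI=0, VN=4, poll=6, precision=-20."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
            + b"\x00" * 12            # root delay, root dispersion, reference ID
            + b"\x00" * 24            # reference, origin and receive timestamps
            + struct.pack("!Q", tx_timestamp))


def md5_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Symmetric-key authenticator: 32-bit key ID followed by MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def parse(packet: bytes) -> NtpPacket:
    """Split a packet into its header and optional authenticator."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not mac:
        return NtpPacket(header, None, None, False)
    if len(mac) == 4:
        # Crypto-NAK: a bare key ID of zero and no digest (reference-implementation form)
        key_id = struct.unpack("!I", mac)[0]
        return NtpPacket(header, key_id, None, key_id == 0)
    if len(mac) == 20:
        return NtpPacket(header, struct.unpack("!I", mac[:4])[0], mac[4:], False)
    raise ValueError("unsupported MAC length %d" % len(mac))


def digest_ok(pkt: NtpPacket, key: bytes) -> bool:
    """Recompute MD5(key || header) and compare in constant time."""
    expected = hashlib.md5(key + pkt.header).digest()
    return pkt.digest is not None and hmac.compare_digest(expected, pkt.digest)


def client_request(key_id: Optional[int] = None, key: bytes = b"") -> bytes:
    """Client poll; authenticated only when the client is configured with a key."""
    header = build_header(MODE_CLIENT, tx_timestamp=0x1234)
    if key_id is None:
        return header
    return header + md5_mac(key_id, key, header)


def server_respond(request: bytes, trusted_keys: Dict[int, bytes]) -> bytes:
    """Server side: answer in kind, or with a crypto-NAK if the request fails."""
    req = parse(request)
    reply = build_header(MODE_SERVER, stratum=2, tx_timestamp=0x5678)
    if req.key_id is None:
        return reply                                 # unauthenticated request, plain reply
    key = trusted_keys.get(req.key_id)
    if key is None or not digest_ok(req, key):
        return reply + struct.pack("!I", 0)          # crypto-NAK: key ID 0, no digest
    return reply + md5_mac(req.key_id, key, reply)   # hashed with the same key


def client_check(response: bytes, key_id: int, key: bytes) -> str:
    """What a client configured with key_id makes of the server's answer."""
    resp = parse(response)
    if resp.crypto_nak:
        return "crypto-NAK"
    if resp.key_id is None:
        return "unauthenticated"
    if resp.key_id != key_id:
        return "wrong-key-id"
    return "ok" if digest_ok(resp, key) else "bad-digest"


if __name__ == "__main__":
    keys = {1: b"cisco"}   # constructed key table
    for label, req, srv_keys in [
        ("both sides keyed", client_request(1, b"cisco"), keys),
        ("server key removed", client_request(1, b"cisco"), {}),
        ("client unauthenticated", client_request(), keys),
    ]:
        print(label, "->", client_check(server_respond(req, srv_keys), 1, b"cisco"))
```

The three cases in the `__main__` block correspond to the situations the reply describes: matching keys on both sides yield a hashed reply that verifies; a server with no matching key answers with a crypto-NAK, which is what the "dropping message: crypto-NAK" debug line reflects; and a client that never sends a key ID gets a plain, unhashed reply, so the server only "answers back with the password" when the request carried one.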


-----Original Message-----
From: ccie_rs-boun...@onlinestudylist.com
[mailto:ccie_rs-boun...@onlinestudylist.com] On Behalf Of Bojan Zivancevic
Sent: Friday, January 21, 2011 12:57 AM
To: Matt Hill
Cc: ccie_rs@onlinestudylist.com
Subject: Re: [OSL | CCIE_RS] NTP mutual authentication - is it possible?

Yes you are right, but the idea could be that you have two conversations
actually, where every device will authenticate the other one.

That is why I mentioned NTP peer command. There is a "key" parameter there,
that is the first thing. Also, there is no "server" because they can sync
each other's clocks. Maybe this is a way to do mutual authentication? I
could not find any detailed info on this "ntp peer key" command.

Best Regards,

Bojan Zivancevic
Network Engineer

From: Matt Hill [mailto:mayd...@gmail.com]
Sent: Thursday, January 20, 2011 23:30
To: Bojan Zivancevic
Cc: ccie_rs@onlinestudylist.com
Subject: Re: [OSL | CCIE_RS] NTP mutual authentication - is it possible?

I might throw this one in the air...

NTP is UDP and completely unidirectional.  There are no ACKs or anything
like that.  The protocol itself has no mechanism for two-way comms, so I
would suggest that is why we can't do mutual authentication here.

If someone else has something to add here (even if it proves me wrong) I'm
happy to hear it.

Cheers,
Matt

CCIE #22386
CCSI #31207
On 20 January 2011 21:59, Bojan Zivancevic <bzivance...@comutel.co.rs> wrote:
I have been searching for the "final" answer to this question but still
could not find it. Cisco doc is of no use, so it seems. Looked on the
internet also, but I am not convinced what can be done about it. If someone
could clear this up, it would be a blast.

So, for many years NTP authentication was one-way. Only the client had to
authenticate the source, i.e. only the device that gets its clock changed has
to make sure that the source is valid. Makes sense. But since 12.4T Cisco
made some changes, and now if we are doing authentication we must make the
configs symmetrical. We could have done it before as well, but it was not
mandatory.

But I could not quite get whether that is real mutual authentication or not. I
looked it up on the CLI etc., but it just does not click for me. I would like
your opinion.

And what about NTP peer authentication? Is that mutual auth? There is no
real explanation of this command in the Cisco doc either.

Best Regards,

Bojan Zivancevic
Network Engineer
----
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
