Re: NTP Auth key from NTP server

Jeff Horton · ‎05-31-2018

We are trying to use a key that comes from a Veracity NTP Timenet Pro and authenticate a Cisco 3850 with this key. Has anyone tried using one of these and if so how did you implement the key.. If not, here is a key below.. How would I implement this key?? This is exactly how it reads from the file:

# ntpkey_MD5key_timenet.3732029433
# Fri Apr 6 18:50:33 2018

1 MD5 ,^0l?rXJ/Ht&{DU)X8,[ # MD5 key
2 MD5 &=Xd31(23/k^K8imzuTe # MD5 key
3 MD5 Nhp)|MFgE{{^WH~n,k?$ # MD5 key
4 MD5 fHozzD'u%>&0l*}Q!|DW # MD5 key
5 MD5 ^$z"Y[E7%Pl<&UO"\X&N # MD5 key
6 MD5 1\ZQ4I*W4P-uL17VFi2U # MD5 key
7 MD5 jf}WQj%)0GRp^cHe;3vx # MD5 key
8 MD5 |IVo%4rjboUxa3s;u+v} # MD5 key
9 MD5 s()Z$[FO.]sjM8VppR*} # MD5 key
10 MD5 ?nO14]jPu>yMxhc\CBD} # MD5 key
11 SHA1 8cf717a78f2037d0b66bd96b45b7e99eb5c01ba5 # SHA1 key
12 SHA1 6170c096e13cd42787f32fdda5b5eca6087dc794 # SHA1 key
13 SHA1 5e1f36bd47a72275c4808df133ee7e7fdcdef602 # SHA1 key
14 SHA1 f351bbc3ea10b8da3c19d411e9aac0718568d0fc # SHA1 key
15 SHA1 21885e023818f8c610308291e84df7c1c4831424 # SHA1 key
16 SHA1 35af6709533693c6a3cf2f92eb73b4e5089c7301 # SHA1 key
17 SHA1 42ef837fd14caf0a24410404448c11e32978b59d # SHA1 key
18 SHA1 0d1e581f1c5c59bbaee17e0e4426019e89526004 # SHA1 key
19 SHA1 11676f91b111f820359d156d51b8e3a23c4fa2e7 # SHA1 key
20 SHA1 aef7274f1f7e432b580a8461ea0db9085fb65fc7 # SHA1 key

Personally I don't think it will work but I wanted to be sure before I go another direction....

Jeff

dperezoquendo · ‎06-01-2018

It may work. Depending on the switch, some special characters may not work with MD5 passwords. Unfortunately, I don't recall what works with the 3850s and I also don't remember finding any documentation detailing this.

Jeff Horton · ‎06-01-2018

Just was informed that each line is a key... So there are 10 md5 keys and 10 SHA-1 keys.. I was able to get an ASA5510 to authenticate with the NTP server now working on getting a 2960 to work.. If this works, then its a no brainer for the 3850's..

pkoh · ‎02-20-2024

Hi Jeff,
How do you import the ntp.keys files keys (in hash format)?
ntp authentication-key accept passphrase and hash it with md5 to store into configuration file. It do not seemed to accept hash value directly.

Syntax: ntp authentication-key <key_id> md5 <PassPhrase>
Example: ntp authentication-key 1 md5 TestPass12345

You copy and pass it into the startup-config directly?

Thanks in advance for your help.

I am trying in vain to get windows NTPD server to sync with cisco device with ntp md5 authentication.
NTPD server for windows: https://www.meinbergglobal.com/english/sw/ntp.htm

Thanks in advance for your help.

Jeff Horton · ‎02-20-2024

Does your ntp.keys file only have hash information or does it have individual key lines? Cisco does not use the hash, only the PassPhrase. It may be as mine was where the ntp.keys file has the actual keys not hash. The red text section of mine was the actual key and not a hash: 1 MD5 ,^0l?rXJ/Ht&{DU)X8,[ # MD5 key

The red text is what I had to put in the cisco device as the PassPhrase, then the cisco device created its own hash. I was then able to copy the hash from Cisco device to Cisco device.

Hope this helps.

pkoh · ‎03-02-2024

Hi Jeff Horton,

I was testing ntp authentication with NTPD for windows by meinberg. Version is 4.2.8p15a. The ntp.keys are generated are plaintext. The problem seemed lies with MeinBerg NTPD's ntpd authentication feature. I cannot get it to work even between 2 windows machine, nor with fortigate firewall or Cisco after much testing.

Having said that, trying to get NTP authentication working between fortigate and cisco seemed to have issue also.

I have given up on NTPD authentication as windows cannot support it. Neither can CISCO support windows's built in SNTP.

However a blessing in disguise came through. I manage to find out how to use ntpd to do time drift correction on an isolated network. This minimized the time drift (less than 2 sec) on of all devices on isolated network that has no GPS NTP server nor connection to internet NTP public server.

Thanks for your help, what you said is correct. Cisco store the ntp authenication password in cipher text in startup and running config.