NTP Authentication on Cisco IOS

This is how you can use NTP authentication on Cisco IOS to authenticate your external NTP servers, or more precisely their NTP packets. Although IOS cannot use SHA-1 but only MD5, you still get an authenticated NTP connection. Let’s have a look:

This article is one of many blogposts within this NTP series. Please have a look!

I am using a Cisco 2811 (revision 3.0) with IOS version 15.1(4)M12a.

Note that MD5 NTP keys are ASCII strings that are stored with encryption type “7” once you enter the CLI command on Cisco IOS. For example, this input:

actually becomes:

Furthermore, one of my NTP keys generated by ntp-keygen was this: z?_[vI~t|udu,Lss4{=Q. Do you see the problem? I wasn’t able to use this key because of the question mark. Hence I needed to change it to another one. Hmpf.


Since I am operating three different stratum 1 NTP servers with different keys (Pi w/ DCF77, Pi w/ GPS, Meinberg LANTIME M200), I have to use three different key IDs. Otherwise the NTP client couldn’t distinguish between them.

That is:

  • three authentication keys
  • enabling NTP authentication
  • trusting all three keys
  • adding the three servers with the appropriate key IDs


Listing the NTP associations without details at least reveals whether NTP is working at all, but not clearly whether authentication succeeded:

Therefore you have to use the “detail” keyword. The first line for each NTP server shows an “authenticated”. Perfect:


For debug output you can use debug ntp packet or even debug ntp all. However, this does not show whether the packets themselves are authenticated or not. Sample output:

That’s it. :D

Featured image “Golden Gate Sunrise” by Bastian Hoppe is licensed under CC BY-NC-ND 2.0.

7 thoughts on “NTP Authentication on Cisco IOS”

  1. Hi Johannes,

    I have not read all posts of the series, even so I wonder, can I authenticate my stratum 1 NTP with a stratum 0 NTP?


    1. Hi Gerardo,

      a “stratum 0” is not an NTP server, but rather “high-precision timekeeping devices such as atomic clocks, GPS or other radio clocks”, https://en.wikipedia.org/wiki/Network_Time_Protocol#Clock_strata

      Hence no “NTP authentication” here, since it’s not NTP running but receiving radio waves, for example.

      As far as I know you can’t authenticate these GPS/Galileo/DCF77/whatever sources via some kind of cryptographic stuff. This is why you should use three different stratum 0 sources, to minimize the attack vector, refer to: https://weberblog.net/why-should-i-run-own-ntp-servers/


    1. Hi Arnout,

      sorry, but I am not familiar with these devices. I just had a quick look at the manual of this EMC Professional 3001 NTP server, but none of your questions are answered there as well. Hm.

      Please send your questions directly to the Support team from EMC. Thanks.


  2. Question marks can be entered into passwords/etc in IOS by preceding with Control+V.

  3. Is the key # relevant for authentication? Assuming I’m configuring a switch to get time from a router, can I designate my authentication key as key #1 on the switch and Key #2 on the router and have the config work?


    1. No, you MUST use the same key number along with the same key value on all involved devices. The key # is transferred in the NTP network protocol (along with the MAC) to match the corresponding key. Otherwise, the server would not know which symmetric key to use for the MAC. (The MAC in this case is the message authentication code, kind of a verification code.)

      Refer to my packet capture of NTP packets: https://weberblog.net/packet-capture-network-time-protocol-ntp/
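The packet-level mechanics behind the key ID requirement in this thread, and behind the three distinct key IDs used for the three servers in the post above, as an added Python example that is not from the original post: it builds a minimal NTPv4 client header, appends the 32-bit key ID and the MD5 digest over key plus header as NTP symmetric-key authentication does, and verifies such a packet against a key table and a trusted-key set. The key strings, key IDs and the key/trusted tables are constructed samples, not the author's keys.

```python
import hashlib
import hmac
import struct

# Key table like "ntp authentication-key <id> md5 <string>" on IOS:
# key ID -> ASCII key string (constructed sample keys, not real ones).
KEYS = {
    1: b"dcf77-pi-sample-key",
    2: b"gps-pi-sample-key",
    3: b"lantime-sample-key",
}
# Equivalent of "ntp trusted-key": only these IDs may authenticate a peer.
TRUSTED_KEYS = {1, 2, 3}

NTP_HEADER_LEN = 48   # fixed NTPv4 header covered by the MAC
KEY_ID_LEN = 4        # 32-bit key identifier appended after the header
MD5_DIGEST_LEN = 16   # 128-bit MD5 digest following the key ID


def build_client_header():
    """Minimal NTPv4 client header: LI=0, VN=4, Mode=3, other fields zero."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return bytes([first_byte]) + bytes(NTP_HEADER_LEN - 1)


def compute_mac(key, header):
    # Symmetric-key NTP MD5 authentication: digest = MD5(key || header)
    return hashlib.md5(key + header).digest()


def sign_packet(header, key_id, key):
    """Sender side: header, then big-endian key ID, then the MD5 digest."""
    return header + struct.pack("!I", key_id) + compute_mac(key, header)


def verify_packet(packet, keys, trusted):
    """Receiver side: the key ID must be known and trusted, the MAC must match."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_DIGEST_LEN:
        return False, "unauthenticated or malformed length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    received_mac = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    if key_id not in trusted:
        return False, "key ID %d not trusted" % key_id
    expected = compute_mac(keys[key_id], header)
    if not hmac.compare_digest(expected, received_mac):   # constant-time compare
        return False, "bad MAC for key ID %d" % key_id
    return True, "authenticated with key ID %d" % key_id
```

The key ID travels in the clear and selects which secret the receiver hashes with, so a packet signed with key 2's string but labelled key 1 fails exactly as the reply above describes.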
