
Configuring NTP Authentication Using the System Configuration Page (CTPView)

NTP authentication enables the CTP device, which functions as the NTP client, to verify that the servers it synchronizes with are known and trusted. Symmetric key authentication is used to authenticate the packets. It is assumed that the shared secret key has already been communicated between client and server, and that the server already has the shared secret key configured in its configuration and keys files. The client then adds the required key ID and shared secret key to its own configuration and keys files, either through CTPView or through syscfg commands. To disable NTP authentication, leave the Key ID and Key Value fields blank in CTPView.

To configure NTP authentication using CTPView:

  1. In the side pane, select System > Configuration.

    Tip: Alternatively, you can specify the key ID and key value for NTP authentication from the System Query page by selecting System > Query in the side pane.

  2. Click the Node Settings tab.

    The NTP Settings page is displayed. The hostname and IP address of the CTP device are shown in the Device table, to the left of the NTP Settings table.

  3. Configure the parameters described in Table 14 and click Submit Settings.
  4. (Optional) Click System > Configuration > Node Settings to verify the NTP configuration details.

Table 14: NTP Server Authentication Settings on the System Configuration Page in CTPView

Field

Function

Your Action

Server IP

Specifies the IPv4 or IPv6 address of the NTP server.

Adds NTP servers to the server list (IP addresses or hostnames). You can configure a maximum of two NTP servers. Synchronization starts with the first server in the list; if the first server fails or becomes unavailable, the second server in the list is used.

Enter the IPv4 or IPv6 address of the NTP server to be used for authenticated time synchronization.

Key ID

Specifies the key ID that the NTP client uses to authenticate the NTP packets it receives from the server.

The servers and clients involved must agree on both the key and the key identifier (key ID). Keys and their IDs are listed in a key file; the key ID carried in each authenticated packet tells the receiver which key to use when verifying the packet's message authentication code (MAC). During time synchronization, the client sends its request carrying the configured key ID and the server answers with a response carrying the key ID it used. If the key IDs differ, or the MAC does not verify under the named key, the response is discarded and the time is not synchronized. The client's clock is adjusted only when the key IDs match and the MAC is valid. The server address and the key ID (not the key itself) are configured in the /etc/ntp.conf NTP configuration file on the CTP device.

The following is an example of the ntp.conf line:

server x.x.x.x key 123

where:

x.x.x.x is the NTP server IP address

123 is the key ID shared by both the client and the server; the key value itself is stored in the keys file, not in ntp.conf.

Enter a 32-bit integer in the range 1 through 65534.

Key Value

Specifies the value of the NTP key used for NTP authentication between the NTP server and the NTP client.

NTP uses keys to implement authentication. The key is used to compute the MAC on each packet exchanged between client and server. ntpd defines three key types:

  • An A key is a sequence of up to eight ASCII characters.

  • An M key is a sequence of up to 31 ASCII characters.

  • An S key is a 64-bit value with the low-order bit of each byte set to odd parity.

CTP devices support only the M key type (MD5) for NTP authentication. All keys must be defined in the /etc/ntp/keys file. Note that an MD5 key authenticates the packet; it does not encrypt it. The key itself is stored in clear text in the keys file, so restrict read access to that file.

The following is an example of a keys file line:

123 M pass

where:

123 is the key ID (range 1 through 65534)

M designates the key type (M means an MD5 message digest key)

pass is the key itself

Enter the key value as a sequence of up to 31 ASCII characters.

Status

Specifies whether you want to enable or disable the NTP process on the CTP device.

Select one:

  • Enabled—Enables the NTP process on the CTP device.

  • Disabled—Disables the NTP process on the CTP device.

You can also configure the RADIUS and TACACS+ settings from the System Configuration page.

To configure TACACS+ from the CTPView web interface:

  1. In the side pane, select System > Configuration.
  2. Click the Node Settings > TACACS+ Settings tab.

    The TACACS+ Settings page is displayed.

  3. Configure the parameters described in Table 15 and click Submit Settings.
  4. (Optional) Click System > Query > Node Settings to verify the TACACS+ configuration details.

    Table 15: TACACS+ Settings for the CTPView Web Interface

    Field

    Function

    Your Action

    Status

    Specifies whether TACACS+ is enabled or disabled.

    TACACS+ is disabled by default.

    Select one.

    • Enabled

    • Disabled

    Dest Port

    TACACS+ uses TCP to send and receive data.

    Port 49 is the port reserved for TACACS+ and is the default.

    Enter the destination port number.

    Timeout

    Time in seconds that the TACACS+ client waits for a response from a TACACS+ server after sending an authentication or authorization request. The timeout applies to every configured TACACS+ server, so a login can wait up to this value for each unresponsive server in the list before the next one is tried.

    The default timeout value is 5 seconds.

    Specify a value.

    Off-Line-Failover

    You can use the local authentication credentials if the configured TACACS+ servers are unavailable or no response is received from the TACACS+ servers.

    The default option is Allowed to Loc Acct.

    Select one.

    • Not Allowed

    • Allowed to Loc Acct

    Reject-Failover

    You can use the local authentication credentials if the TACACS+ server rejects the attempt to authenticate.

    The default option is Allowed to Loc Acct.

    Select one.

    • Not Allowed

    • Allowed to Loc Acct

    Servers

    You can configure up to 10 TACACS+ servers each for CTPOS and CTPView users for authentication and authorization.

    CTP tries to authenticate the user from the first server in the list. If the first server is unavailable or fails to authenticate, then it tries to authenticate from the second server in the list, and so on.

    Authorization is done on the server that successfully authenticates the user.

    Enter the IP address of the server, and specify a shared secret.

    Shared Secret

    The shared secret is the key that the TACACS+ server uses to encrypt and decrypt the body of the packets it sends to and receives from the client. The TACACS+ client uses the same secret, so the value entered here must match the one configured on the server.

    Specify the shared secret.

To configure RADIUS from the CTPView web interface:

  1. In the side pane, select System > Configuration.
  2. Click the Node Settings > RADIUS Settings tab.

    The RADIUS Settings page is displayed.

  3. Configure the parameters described in Table 16 and click Submit Settings.
  4. (Optional) Click System > Query > Node Settings to verify the RADIUS configuration details.

    Table 16: RADIUS Settings for the CTPView Web Interface

    Field

    Function

    Your Action

    Status

    Specifies whether RADIUS is enabled or disabled.

    RADIUS is disabled by default.

    Select one.

    • Enabled

    • Disabled

    Dest Port

    RADIUS uses UDP to send and receive data.

    Port 1812 is the IANA-assigned port for RADIUS authentication; older servers may still listen on 1645. Port 49 belongs to TACACS+, not to RADIUS.

    Enter the destination port number on which your RADIUS server listens.

    Timeout

    Time in seconds that the RADIUS client waits for a response from a RADIUS server after sending an authentication or authorization request. The timeout applies to every configured RADIUS server, so a login can wait up to this value for each unresponsive server in the list before the next one is tried.

    The default timeout value is 5 seconds.

    Specify a value.

    Off-Line-Failover

    You can use the local authentication credentials if the configured RADIUS servers are unavailable or no response is received from the RADIUS servers.

    The default option is Allowed to Loc Acct.

    Select one.

    • Not Allowed

    • Allowed to Loc Acct

    Reject-Failover

    You can use the local authentication credentials if the RADIUS server rejects the attempt to authenticate.

    The default option is Allowed to Loc Acct.

    Select one.

    • Not Allowed

    • Allowed to Loc Acct

    Servers

    You can configure up to 10 RADIUS servers each for CTPOS and CTPView users for authentication and authorization.

    CTP tries to authenticate the user from the first server in the list. If the first server is unavailable or fails to authenticate, then it tries to authenticate from the second server in the list, and so on.

    Authorization is done on the server that successfully authenticates the user.

    Enter the IP address of the server, and specify a shared secret.

    Shared Secret

    The shared secret is the key shared by the RADIUS server and client. It is used to authenticate RADIUS packets and to hide the User-Password attribute in Access-Request packets; the rest of a RADIUS packet is not encrypted. The value entered here must match the one configured on the server.

    Specify the shared secret.
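The server-list walk and the two failover knobs in Tables 15 and 16 are the same for TACACS+ and RADIUS, so one added example covers both. The Python below is illustration code written for this page, not CTPOS or CTPView code. It models the behaviour the tables describe: servers are tried in order, a silent server is skipped once its timeout expires, and when no server accepts, Reject-Failover decides the outcome if some server answered with a reject while Off-Line-Failover decides it if no server answered at all. Treating a reject as "try the next server" follows the tables' wording ("unavailable or fails to authenticate") and is an assumption to confirm against your release; the server addresses are constructed documentation-range values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Outcomes of one authentication attempt against one AAA server.
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no_response"

MAX_SERVERS = 10        # per-user-type server limit stated in Tables 15 and 16
DEFAULT_TIMEOUT_S = 5   # default per-server timeout stated in Tables 15 and 16


@dataclass
class FailoverPolicy:
    """The two CTPView knobs: True means "Allowed to Loc Acct", False means "Not Allowed"."""
    offline_failover_to_local: bool = True   # Off-Line-Failover: no server responded
    reject_failover_to_local: bool = True    # Reject-Failover: a server rejected the login


def authenticate(servers: List[str], query: Callable[[str], str],
                 policy: FailoverPolicy,
                 local_login_ok: Callable[[], bool]) -> Tuple[str, Optional[str]]:
    """Walk the server list in order; return ("accept", <server or "local">) or ("reject", None).

    Modelling assumption (not stated verbatim on the page): a reject, like a timeout,
    moves on to the next server, matching "unavailable or fails to authenticate".
    """
    if len(servers) > MAX_SERVERS:
        raise ValueError(f"at most {MAX_SERVERS} servers may be configured")
    saw_reject = False
    for server in servers:
        outcome = query(server)
        if outcome == ACCEPT:
            return "accept", server        # authorization is then done on this server
        if outcome == REJECT:
            saw_reject = True
        # NO_RESPONSE: per-server timeout expired; try the next server
    # No server accepted: which knob applies depends on whether any server answered.
    allow_local = (policy.reject_failover_to_local if saw_reject
                   else policy.offline_failover_to_local)
    if allow_local and local_login_ok():
        return "accept", "local"
    return "reject", None


def worst_case_wait(servers: List[str], timeout_s: int = DEFAULT_TIMEOUT_S) -> int:
    """Seconds a login can stall before local fallback when every server is silent."""
    return len(servers) * timeout_s


def scripted(outcomes: Dict[str, str]) -> Callable[[str], str]:
    """Fake query function for the constructed scenarios below."""
    return lambda server: outcomes[server]


def demo() -> Dict[str, object]:
    servers = ["192.0.2.10", "192.0.2.11"]   # constructed documentation-range addresses
    default = FailoverPolicy()
    strict = FailoverPolicy(offline_failover_to_local=False, reject_failover_to_local=False)
    silent = scripted({s: NO_RESPONSE for s in servers})
    rejected = scripted({servers[0]: REJECT, servers[1]: NO_RESPONSE})
    second_ok = scripted({servers[0]: NO_RESPONSE, servers[1]: ACCEPT})
    local_ok = lambda: True
    return {
        "second server accepts": authenticate(servers, second_ok, default, local_ok),
        "all silent, default": authenticate(servers, silent, default, local_ok),
        "all silent, strict": authenticate(servers, silent, strict, local_ok),
        "rejected, default": authenticate(servers, rejected, default, local_ok),
        "rejected, strict": authenticate(servers, rejected, strict, local_ok),
        "worst-case stall (s)": worst_case_wait(servers),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The "rejected, default" scenario is the one to look at. With both knobs at their default of Allowed to Loc Acct, a password that the central server has rejected is tried again against the local account, so a lockout or disablement enforced on the TACACS+ or RADIUS server can be bypassed by anyone who holds local credentials. Setting Reject-Failover to Not Allowed while leaving Off-Line-Failover allowed keeps local access available during an outage without that bypass. worst_case_wait shows the other cost of a long server list: ten silent servers at the default 5-second timeout stall each login for 50 seconds before the local account is even consulted.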

Configuring NTP and Syslog over IPv6 on CTP Node (CTPView)

Following are the prerequisites for configuring NTP and Syslog over IPv6 on a CTP node:

  • CTP must be configured for either the "IPv6 only" or the "IPv4 and IPv6" protocol setting.

  • The NTP or Syslog server must be configured with an IPv6 address.

Configuring NTP (without Authentication) over IPv6 on CTP Node

To configure NTP (without authentication) over IPv6 on CTP node using CTPView:

  1. In the side pane, select System > Configuration. The System Configuration page appears.

  2. Click the Node Settings tab.

  3. Under the NTP Settings section, enter the first IPv6 server address in the 1st field. If required, enter the second IPv6 server address in the 2nd field.

  4. Leave the Key ID and Key Value fields blank.

  5. Change the Status to Enabled, and then click Submit Settings.

    After you submit the NTP settings, the CTP node tries to synchronize with the first NTP server. On successful synchronization, the date and time of the CTP node are set to those of the first NTP server. If the CTP node cannot synchronize with the first server, it tries the second NTP server and, on success, takes its date and time from that server.

Configuring NTP (with Authentication) over IPv6 on CTP Node

It is assumed that the shared secret key has already been communicated between client and server, and that the server already has the shared secret key configured in its conf and keys files.

If CTPView acts as the NTP server, make sure that the line "trustedkey 1" is present in /etc/ntp.conf on the CTPView server (here 1 is the key ID; any other key ID can be used), that the line "1 M juniper" is present in /etc/ntp/keys (here 1 is the key ID and juniper is the key; choose your own key and key ID), and that ntpd has been started on the CTPView server. The key ID listed in trustedkey must be the same key ID, and the key the same value, that you enter on the CTP node in step 4 below; a server that does not list the client's key ID as trusted will not authenticate its requests.

To configure NTP with authentication over IPv6 on CTP node using CTPView:

  1. In the side pane, select System > Configuration. The System Configuration page appears.
  2. Click the Node Settings tab.
  3. Under the NTP Settings section, enter the first IPv6 server address in the 1st field. If required, enter the second IPv6 server address in the 2nd field.
  4. Enter the key ID and key value in the Key ID and Key Value fields, respectively. A single key ID is entered and applies to both NTP servers, so both servers must be configured with that key ID and key.
  5. Change the Status to Enabled, and then click Submit Settings.

    After you submit the NTP settings, the CTP node tries to synchronize with the first NTP server. On successful synchronization, the date and time of the CTP node are set to those of the first NTP server. If the CTP node cannot synchronize with the first server, it tries the second NTP server and, on success, takes its date and time from that server.
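The mechanism behind the Key ID and Key Value fields in Table 14 and the trustedkey/keys setup for a CTPView server described above is shown in the following added Python script. It is example code written for this page, not CTPOS or CTPView code. It parses a keys file in the "123 M pass" format and ntp.conf fragments with "server ... key N" and "trustedkey N" lines, builds a 48-byte NTPv4 client header, appends the RFC 5905 symmetric-key MAC (the 32-bit key ID followed by MD5 over key || header), and then verifies the packet the way a receiver does: an unknown or untrusted key ID, a missing MAC, or a digest mismatch all fail, and only a matching key ID with a valid digest is accepted. The key values, the documentation-range address 2001:db8::123 and the file fragments are constructed for the example; the validation limits (key ID 1 through 65534, M key of 1 to 31 ASCII characters, M keys only) are the ones stated on this page.

```python
import hashlib
import hmac
import struct

# Constructed sample files in the formats the page describes (not copied from a device).
# /etc/ntp/keys on both client and server: "<key-id> <type> <key>"
KEYS_FILE = """\
# key-id  type  key
123 M pass
1 M juniper
"""
# /etc/ntp.conf fragment on the CTP node (client side); the address is a constructed
# documentation-range IPv6 address.
CLIENT_CONF = "server 2001:db8::123 key 123\n"
# /etc/ntp.conf fragment on a CTPView server that trusts only key ID 1.
SERVER_CONF = "trustedkey 1\n"

NTP_HEADER_LEN = 48   # RFC 5905 header without extension fields
MAC_LEN = 4 + 16      # 32-bit key ID followed by a 128-bit MD5 digest


def parse_keys(text):
    """Parse an ntpd keys file into {key_id: key_bytes}; M (MD5) keys only, as on CTP."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kid_s, ktype, key = line.split(None, 2)
        kid = int(kid_s)
        if not 1 <= kid <= 65534:
            raise ValueError(f"key ID {kid} outside 1..65534")
        if ktype != "M":
            raise ValueError(f"key type {ktype} not supported on CTP (M only)")
        if not (1 <= len(key) <= 31 and key.isascii()):
            raise ValueError("M key must be 1 to 31 ASCII characters")
        keys[kid] = key.encode("ascii")
    return keys


def parse_conf(text):
    """Return ([(server, key_id), ...], {trusted key IDs}) from an ntp.conf fragment."""
    servers, trusted = [], set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "server" and parts[2] == "key":
            servers.append((parts[1], int(parts[3])))
        elif parts and parts[0] == "trustedkey":
            trusted.update(int(p) for p in parts[1:])
    return servers, trusted


def ntp_header(tx_seconds):
    """Minimal 48-byte NTPv4 client header: LI=0, VN=4, mode=3, transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # flags, stratum, poll, precision; root delay, root dispersion, reference ID;
    # reference, originate and receive timestamps (zero); transmit timestamp (sec, frac)
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, tx_seconds, 0)


def ntp_mac(key, header):
    """RFC 5905 symmetric-key MAC: MD5 over key || packet. A digest, not encryption."""
    return hashlib.md5(key + header).digest()


def sign_packet(header, key_id, keys):
    """Append the key ID and the MAC computed with the sender's configured key."""
    return header + struct.pack("!I", key_id) + ntp_mac(keys[key_id], header)


def verify_packet(packet, keys, trusted):
    """Receiver-side check; returns (ok, reason). Only key IDs in `trusted` are accepted."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    mac = packet[NTP_HEADER_LEN + 4:NTP_HEADER_LEN + MAC_LEN]
    if key_id not in trusted or key_id not in keys:
        return False, f"key ID {key_id} not trusted"
    if not hmac.compare_digest(mac, ntp_mac(keys[key_id], header)):
        return False, "MAC mismatch"
    return True, "authenticated"


def demo():
    """Client configured with key 123 against a server trusting only key 1, then also 123."""
    keys = parse_keys(KEYS_FILE)
    servers, _ = parse_conf(CLIENT_CONF)
    _server, key_id = servers[0]
    request = sign_packet(ntp_header(3_900_000_000), key_id, keys)
    _, trusted = parse_conf(SERVER_CONF)
    rejected = verify_packet(request, keys, trusted)          # key IDs differ: no sync
    accepted = verify_packet(request, keys, trusted | {123})  # after adding trustedkey 123
    return rejected, accepted


if __name__ == "__main__":
    print(demo())
```

The first result of demo() is the failure mode the page warns about: the client signs with key ID 123, but a server whose ntp.conf only says "trustedkey 1" refuses the request even though 123 is present in its keys file, so the clocks never synchronize until the trustedkey line and the Key ID field agree. The constant-time comparison and the "key ID not trusted" path are the two checks a receiver must not skip; an MD5 MAC gives integrity and authenticity only, and anyone who can read the keys file can forge packets.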

Configuring Syslog over IPv6 on CTP Node

To configure Syslog over IPv6 on CTP Node:

  1. In the side pane, select System > Configuration. The System Configuration page appears.
  2. Click the Node Settings tab.
  3. Under the Syslog Settings section, enter the first IPv6 server address in the 1st field. If required, enter the second IPv6 server address in the 2nd field.
  4. Change the Status to Enabled, and then click Submit Settings.
  5. After you submit the Syslog settings, monitor /var/log/messages on both syslog servers. Log entries from the CTP node should appear there.

Configuring NTP over IPv6 on CTPView Server (CTPView)

Following are the prerequisites for configuring NTP over IPv6 on CTPView:

  • CTPView must be configured for either the "IPv6 only" or the "IPv4 and IPv6" protocol setting.

  • The NTP server should be configured with an IPv6 address.

Configuring NTP over IPv6 on CTPView

To configure NTP over IPv6 on CTPView:

  1. In the side pane, select Server > Administration. The Administrative Functions pane is displayed.
  2. Click NTP Server Configuration. The NTP Server Settings window is displayed.
  3. Under the Manage NTP Peers section, enter the IPv6 address of NTP server, and then click Add New NTP Peer.

    A popup reading "Successfully added peer" is displayed.

  4. Click OK and wait for 3 to 5 minutes. Then, click Refresh Page.

    Under the Summary of NTP Servers Peers section, verify that the CTPView server is synchronized successfully with the added NTP server.

  5. You can also manually synchronize CTPView server with NTP server by selecting the already added NTP peer from the Select a peer to manually sync to: list and then clicking the Sync to Selected Peer button.

    After you click Sync to Selected Peer, a popup reading "The CTPView server clock has been manually synchronized to peer" is displayed. Wait 3 to 5 minutes, and then click the Refresh Page button. Under the Summary of NTP Servers Peers section, verify that the CTPView server has synchronized with the added NTP server.