Forum Discussion

WeaverJK
Oct 11, 2016

NTP Authentication

Has anyone been successful in having NTP Authentication (as specified in SOL14120) function correctly?


If you say "yes," have you validated that the ntp synchronization breaks when you edit the /etc/ntp/keys file by providing an invalid key and then restarting the ntpd daemon?


We now have our ntp Server configured correctly such that some network devices are known to be authenticating properly with the ntp server and are therefore receiving time from the server. Those clients with invalid passwords are not receiving authentication (as expected).


Currently, the F5s are exhibiting a different behavior. The F5s are running BIG-IP v12.1.1 HF1. The F5s are configured per SOL14120, with a single NTP server and a single, very simple key. The F5s are not receiving time from the server. A tcpdump shows that the F5 is in client mode and is requesting time. There is no indication of authentication in use. There is no response from the ntp server, which has been configured to ignore requests if they do not include proper authentication.


Unlike other network devices, the F5's NTP documentation (SOL14120) does not include any direction to use an "authentication" or "enable auth" statement in the configuration.


If we modify the NTP Server with an exclusion statement, telling the ntp server that the IP of the F5 is not required to use authentication, then the F5 receives time from the server and all is well.


We are looking to ensure that ntp authentication is required and functioning properly.


Can you provide any input, suggestions, help?


# point the BIG-IP at the NTP server
tmsh modify /sys ntp servers replace-all-with { 192.168.1.21 }

# add key id 1 (type M = MD5, ASCII password) to the keys file; any of these three methods works
echo -e "1\tM\tPassWord\tMD5 Key" >> /etc/ntp/keys
# or: echo "1 M Password" >> /etc/ntp/keys
# or: simply edit /etc/ntp/keys with vi

# persist the configuration
tmsh save /sys config partitions all


tmsh edit /sys ntp all-properties


Attempted various versions of the following:


include "server 192.168.2.5 key 1 iburst trustedkey 1"


Of course, there are routes which enable the subnets to communicate with one another. As stated, without the requirement for authentication, the F5 receives time from the NTP server just fine.


Thanks
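To make the tcpdump observation in the post concrete ("no indication of authentication in use"), here is an added example, not code from the post or from F5, that builds an NTPv4 client request and shows what symmetric-key authentication adds to it. An unauthenticated request is the bare 48-byte header; an authenticated one carries a 20-byte MAC made of the 4-byte key id followed by MD5(key || packet), which is how ntpd computes an MD5 authenticator. The key id 1 and the password "PassWord" are taken from the post; the "server" side below is a constructed stand-in for a server configured to ignore requests without a valid MAC, not the real ntpd code.

```python
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                # NTPv4 header with no extension fields and no MAC
MD5_MAC_LEN = 4 + 16           # key id + MD5 digest


def build_client_request(unix_time=None):
    """Return the 48-byte NTPv4 header of a client (mode 3) request.

    Only the first byte and the transmit timestamp carry information
    in a client request; everything else is zero.
    """
    if unix_time is None:
        unix_time = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3  # LI=0, VN=4, mode=3 -> 0x23
    ntp_secs = int(unix_time) + NTP_EPOCH_OFFSET
    ntp_frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    header = struct.pack("!BBBb", li_vn_mode, 0, 0, 0)  # LI/VN/mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                   # root delay, root dispersion
    header += b"\x00" * 4                                 # reference id
    header += b"\x00" * 24                                # reference, origin, receive timestamps
    header += struct.pack("!II", ntp_secs, ntp_frac)     # transmit timestamp
    assert len(header) == HEADER_LEN
    return header


def md5_mac(key, packet):
    """ntpd-style MD5 authenticator: MD5(key || packet). A type 'M' key is the raw ASCII secret."""
    return hashlib.md5(key + packet).digest()


def authenticate(packet, key_id, key):
    """Append the NTP MAC (key id, then digest) to a packet, as a 'server ... key N' line would."""
    if not 1 <= key_id <= 65535:
        raise ValueError("NTP key ids are 1..65535")
    return packet + struct.pack("!I", key_id) + md5_mac(key, packet)


def split_mac(packet):
    """Return (header, key_id, digest); key_id and digest are None when no MAC is present."""
    if len(packet) == HEADER_LEN:
        return packet, None, None
    if len(packet) != HEADER_LEN + MD5_MAC_LEN:
        raise ValueError("unexpected packet length %d" % len(packet))
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    return header, key_id, packet[HEADER_LEN + 4:]


def server_accepts(packet, trusted_keys):
    """Constructed stand-in for a server that ignores requests lacking a valid MAC.

    trusted_keys maps key id -> key bytes, i.e. the server's keys file
    filtered by its trustedkey list. Returns (accepted, reason).
    """
    header, key_id, digest = split_mac(packet)
    if key_id is None:
        return False, "no MAC present: the request is unauthenticated"
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key id %d is not trusted" % key_id
    if not hmac.compare_digest(digest, md5_mac(key, header)):
        return False, "digest mismatch for key id %d" % key_id
    return True, "authenticated with key id %d" % key_id


if __name__ == "__main__":
    trusted = {1: b"PassWord"}
    plain = build_client_request()
    signed = authenticate(plain, 1, b"PassWord")
    print(len(plain), "bytes:", server_accepts(plain, trusted)[1])
    print(len(signed), "bytes:", server_accepts(signed, trusted)[1])
```

The packet lengths are the quickest thing to check in a capture: a 48-byte client request from the BIG-IP means the association is not using a key at all, whatever ntp.conf appears to say, while a 68-byte request means an MD5 MAC is present and any remaining failure is a key id, trustedkey, or secret mismatch on one side.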


1 Reply

  • Problem Solved. The issue was that the F5 had previously been configured with ntp servers:

    tmsh modify /sys ntp servers replace-all-with { 192.168.2.5 }


    When the /etc/ntp.conf file was reviewed, we found the following entries:

    server 192.168.2.5 iburst

    and, because of following SOL14120:

    server 192.168.2.5 key 1 iburst


    The NTPD grabbed and used the first such entry, which was NOT using a key for authentication. As such, the F5 unit was continually attempting to communicate to the ntp server without using authentication.


    Solution: "tmsh modify /sys ntp servers none" followed by "tmsh save /sys config partitions all"
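The root cause in the reply (two `server` lines for the same address, the first one without `key`) is easy to miss by eye and easy to catch mechanically. The following is an added example, not part of the reply and not an F5 tool, that lints an ntp.conf together with its keys file: it flags every server or peer association that has no `key` option, every address listed more than once (the reply reports that ntpd used the first entry), and every key id that is missing from `trustedkey` or from the keys file. The two configuration fragments are constructed samples mirroring the thread; `trustedkey` parsing handles plain numeric ids only, not ntpd's parenthesised ranges (an assumption of this example).

```python
KEYS_FILE = """# constructed sample of /etc/ntp/keys
1 M PassWord
2 M SecondKey
"""

NTP_CONF = """# constructed sample of /etc/ntp.conf mirroring the thread
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
server 192.168.2.5 iburst
keys /etc/ntp/keys
trustedkey 1
server 192.168.2.5 key 1 iburst
"""


def parse_keys(text):
    """Return {key_id: (type, secret)} from keys-file text of the form '<id> <type> <secret>'."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        keys[int(parts[0])] = (parts[1], parts[2])
    return keys


def parse_conf(text):
    """Return (associations, trusted): associations in file order, trusted as a set of key ids."""
    associations, trusted = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] in ("server", "peer") and len(words) >= 2:
            key_id = None
            if "key" in words[2:]:
                idx = words.index("key")
                if idx + 1 < len(words) and words[idx + 1].isdigit():
                    key_id = int(words[idx + 1])
            associations.append({"line": lineno, "kind": words[0], "addr": words[1], "key": key_id})
        elif words[0] == "trustedkey":
            # plain ids only; ntpd's parenthesised ranges are not handled here (assumption)
            trusted.update(int(w) for w in words[1:] if w.isdigit())
    return associations, trusted


def lint(conf_text, keys_text):
    """Return a list of findings; an empty list means every association is authenticated."""
    associations, trusted = parse_conf(conf_text)
    keys = parse_keys(keys_text)
    findings = []
    first_seen = {}
    for a in associations:
        where = "line %d (%s %s)" % (a["line"], a["kind"], a["addr"])
        if a["addr"] in first_seen:
            findings.append("%s: duplicate of line %d; the earlier entry is the one ntpd used"
                            % (where, first_seen[a["addr"]]))
        else:
            first_seen[a["addr"]] = a["line"]
        if a["key"] is None:
            findings.append("%s: no 'key' option, association is unauthenticated" % where)
            continue
        if a["key"] not in trusted:
            findings.append("%s: key %d is not listed in trustedkey" % (where, a["key"]))
        if a["key"] not in keys:
            findings.append("%s: key %d is not defined in the keys file" % (where, a["key"]))
    return findings


if __name__ == "__main__":
    # On a BIG-IP this would read /etc/ntp.conf and /etc/ntp/keys; the samples stand in here.
    for finding in lint(NTP_CONF, KEYS_FILE):
        print(finding)
```

Run against the constructed sample it reports the unauthenticated line 4 and the duplicate line 7; after removing the keyless entry (the effect of `tmsh modify /sys ntp servers none` in the reply) it reports nothing. Running it after every `tmsh save /sys config` is a cheap way to make sure a later tmsh edit does not quietly reintroduce an unauthenticated `server` line ahead of the keyed one.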