NTP authentication is a recommended security best practice; there are a lot of documents out there on how to set up NTP authentication between two Cisco IOS devices, but anything covering Cisco and Linux is few and far between.
I have set up a Linux server (Red Hat/CentOS) box that will act as an upstream proxy to pool.ntp.org. NTP authentication will be enabled on the Linux box so that the downstream Cisco IOS box (router/switch) can be configured with authentication.
CentOS Server config
Start with installing and starting NTP.
sudo yum install ntp
sudo systemctl start ntpd.service
... don't forget to open the firewall (the --permanent rule only takes effect after a reload)...
sudo firewall-cmd --permanent --zone=public --add-port=123/udp
sudo firewall-cmd --reload
Next, add a key to /etc/ntp/keys:
...
# For more information about this file, see the man page ntp_auth(5).
#
# id type key
1 M Cisco123
What I've done here is add a key with id 1 that is type M (MD5 authentication); the key is Cisco123.
Now set up /etc/ntp.conf; below is an example of a minimal config (with comments removed; back up your original).
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 1.1.1.0 mask 255.255.255.252 nomodify notrap
restrict 2.2.2.0 mask 255.255.255.252 nomodify notrap
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
keys /etc/ntp/keys
trustedkey 1
disable monitor
Take note of two things.
trustedkey 1
must match the ID in /etc/ntp/keys.
restrict 1.1.1.0 mask 255.255.255.252 nomodify notrap
says that any client (i.e. the IOS router) in the 1.1.1.0/30 network can query our CentOS time server.
Restart NTP to make the changes effective.
sudo systemctl restart ntpd.service
Use ntpq to check it's working...
[nick@CentOS7 ~]$ ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*ntp1.as34288.ne 85.158.25.72 2 u 31 64 377 56.363 -52.207 15.576
+ntp.coreless.ne 77.40.226.114 2 u 30 64 377 64.117 -45.444 10.966
-fra94-1-78-193- 212.83.158.83 3 u 23 64 377 42.197 -44.928 10.275
+dn3t.de 129.69.1.153 2 u 98 64 376 44.418 -42.061 7.436
[nick@CentOS7 ~]$
Don't move on to the IOS box until ntpq shows a * next to one of the upstream servers. You need the clock synced on the Linux box before the IOS one will work. It should take at least 5 minutes to sync up; if you are having issues, manually set the Linux clock to within a minute and restart the NTP service.
Cisco IOS Config
My Cisco router is 1.1.1.1 and my Linux server is 1.1.1.2; make sure both boxes can ping each other ;-)
The router config is...
ntp authentication-key 1 md5 Cisco123
ntp trusted-key 1
ntp server 1.1.1.2 key 1
ntp authenticate
Take note of the order! I wasted loads of time troubleshooting the debug error
NTP Core(INFO): 1.1.1.2 C01C 8C bad_auth no key
because the command order is fussy.
You can check it's working with the show ntp associations commands... notice that the detailed version says authenticated.
R1#show ntp as
address ref clock st when poll reach delay offset disp
*~1.1.1.2 81.94.123.17 3 41 64 7 16.017 -4.263 1.893
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#show ntp as detail
1.1.1.2 configured, ipv4, authenticated, our_master, sane, valid, stratum 3
ref ID 81.94.123.17 , time D9104931.F7121393 (13:46:25.965 UTC Wed May 27 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 56.70 msec, root disp 63.87, reach 7, sync dist 6302.70
delay 16.01 msec, offset -4.2633 msec, dispersion 1.89, jitter 6199.94 msec
precision 2**24, version 4
assoc id 42451, assoc name 1.1.1.2
assoc in packets 40, assoc out packets 42, assoc error packets 0
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rec time D91049C8.3C62C714 (13:48:56.235 UTC Wed May 27 2015)
xmt time D91049C8.3C62C714 (13:48:56.235 UTC Wed May 27 2015)
filtdelay = 107.76 51.78 16.01 19.97 23.99 19.84 32.00 43.89
filtoffset = 16398.9 76.43 -4.26 -1.38 22.31 27.85 22.48 8.67
filterror = 0.00 0.99 1.87 1.90 1.93 1.96 1.99 2.02
minpoll = 6, maxpoll = 10
R1#
Footnote
NTP authentication is one-way: the client authenticates the response from the server, so authentication is optional as far as the server is concerned.
I also have another router (2.2.2.2) talking to the CentOS Linux server (1.1.1.2) with a default config....
ntp server 1.1.1.2
And it works just fine...
R2#show ntp as
address ref clock st when poll reach delay offset disp
*~1.1.1.2 81.94.123.17 3 18 64 1 39.632 -1.911 187.61
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R2#
R2#
R2#show ntp as det
1.1.1.2 configured, ipv4, our_master, sane, valid, stratum 3
ref ID 81.94.123.17 , time D9104B06.F4F12334 (13:54:14.956 UTC Wed May 27 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 47.43 msec, root disp 55.89, reach 1, sync dist 322.40
delay 39.63 msec, offset -1.9110 msec, dispersion 187.61, jitter 34.98 msec
precision 2**24, version 4
assoc id 48023, assoc name 1.1.1.2
assoc in packets 8, assoc out packets 8, assoc error packets 0
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rec time D9104B96.A0AFE3F2 (13:56:38.627 UTC Wed May 27 2015)
xmt time D9104B96.A0AFE3F2 (13:56:38.627 UTC Wed May 27 2015)
filtdelay = 76.05 48.05 39.83 56.03 39.85 39.63 0.00 0.00
filtoffset = 64.31 33.05 5.55 17.13 -11.56 -1.91 0.00 0.00
filterror = 0.00 0.03 0.06 0.09 0.12 0.15 16000.0 16000.0
minpoll = 6, maxpoll = 10
R2#
So make sure your clients have authentication enabled.
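To show what the footnote's one-way check actually does on the wire, here is an added Python example (it is not from the post, nor Cisco's or ntpd's code): it parses the post's keys entry, builds NTPv4 packets carrying the RFC 5905 MD5 authenticator (key id plus MD5 over key || header), and verifies a constructed server reply the way the router does. The failure strings are modelled on the IOS debug line quoted above; the packet fields other than mode, stratum and transmit time are zeroed for brevity.

```python
import hashlib
import hmac
import struct

# Constructed copy of the post's /etc/ntp/keys entry: id 1, type M (MD5), key Cisco123.
NTP_KEYS = "# id type key\n1 M Cisco123\n"
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

def parse_ntp_keys(text):
    """Parse ntp.keys lines '<id> <type> <key>' into {id: (type, key_bytes)}; '#' starts a comment."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key_id, key_type, key = line.split(None, 2)
            keys[int(key_id)] = (key_type.upper(), key.encode())
    return keys

def mac_md5(key, header):
    """Symmetric-key MAC from RFC 5905: MD5 over key || the 48-byte NTP header."""
    return hashlib.md5(key + header).digest()

def build_packet(mode, stratum, key_id, key, xmt_unix):
    """48-byte NTPv4 header + 20-byte authenticator (4-byte key id, 16-byte MD5 MAC).
    mode 3 is what 'ntp server 1.1.1.2 key 1' sends; mode 4 is the server's reply."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode  # LI=0, version 4
    xmt = int(xmt_unix) + NTP_EPOCH_OFFSET
    # LI/VN/mode, stratum, poll, precision, root delay, root disp, ref id, ref/org/rec/xmt timestamps
    header = struct.pack("!BBBbIII4Q", li_vn_mode, stratum, 6, -24, 0, 0, 0, 0, 0, 0, xmt << 32)
    return header + struct.pack("!I", key_id) + mac_md5(key, header)

def verify_packet(packet, keys, trusted_ids):
    """Client-side check of a received packet (keys = keys file, trusted_ids = 'ntp trusted-key')."""
    if len(packet) < 68:
        return False, "no authenticator"
    header, key_id, mac = packet[:48], struct.unpack("!I", packet[48:52])[0], packet[52:68]
    if key_id not in keys or key_id not in trusted_ids:
        return False, "bad_auth no key"      # unknown or untrusted key id, as in the IOS debug
    key_type, key = keys[key_id]
    if key_type != "M":
        return False, "unsupported key type"
    if not hmac.compare_digest(mac, mac_md5(key, header)):
        return False, "bad_auth crypto"      # MAC mismatch: wrong key or tampered header
    return True, "authenticated"

if __name__ == "__main__":
    keys = parse_ntp_keys(NTP_KEYS)
    reply = build_packet(4, 3, 1, keys[1][1], 1432734556)  # constructed ntpd reply signed with key 1
    print(verify_packet(reply, keys, {1}))                   # (True, 'authenticated')
```

The server side is the mirror image: ntpd still answers an unauthenticated client such as R2 unless its restrict line carries the notrust flag, so the only place this check is guaranteed to run is on the client.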