HPE FlexNetwork 7500 Series Command Reference Manual page 119

Network management and monitoring

hmac-sha-384: Specifies the HMAC-SHA-384 algorithm.
hmac-sha-512: Specifies the HMAC-SHA-512 algorithm.
md5: Specifies the MD5 algorithm.
cipher: Specifies an authentication key in encrypted form.
simple: Specifies an authentication key in plaintext form. For security purposes, the authentication
key specified in plaintext form will be stored in encrypted form.
string: Specifies a case-sensitive authentication key. Its plaintext form is a string of 1 to 32 characters.
Its encrypted form is a string of 1 to 73 characters.
acl ipv4-acl-number: Specifies an IPv4 basic ACL by its number in the range of 2000 to 2999. Only
the devices permitted by the ACL can use the key ID for authentication.
ipv6 acl ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999.
Only the devices permitted by the ACL can use the key ID for authentication.
Usage guidelines
In a network where there is a high security demand, the NTP authentication feature must be enabled
for a system running NTP. This feature enhances the network security by using client-server key
authentication, which prohibits a client from synchronizing to a device that has failed the
authentication.
The key ID in the message from the peer device identifies the key used for authentication. The acl
ipv4-acl-number or ipv6 acl ipv6-acl-number option is used to identify the peer device that can use the
key ID.
The device uses the acl ipv4-acl-number or ipv6 acl ipv6-acl-number option to identify the peer
device that can use the key ID only when an NTP session for the peer device is required to be
established or after the NTP session has been established.
If the specified IPv4 or IPv6 ACL does not exist, any device can use the key ID for
authentication.
If the specified IPv4 or IPv6 ACL does not contain any rules, no device can use the key ID for
authentication.
To ensure a successful NTP authentication, configure the same key ID, authentication algorithm, and
key on the time server and client.
After you specify an NTP authentication key, use the ntp-service reliable authentication-keyid
command to configure the key as a trusted key. The key automatically changes to untrusted after you
delete the key. In this case, you do not need to execute the undo ntp-service reliable
authentication-keyid command.
The security strength of the five algorithms, in descending order, is HMAC-SHA-512,
HMAC-SHA-384, HMAC-SHA-256, HMAC-SHA-1, and MD5.
You can set a maximum of 128 authentication keys by executing the command.
Examples
# Set a plaintext MD5 authentication key, with the key ID of 10 and key value of BetterKey.
<Sysname> system-view
[Sysname] ntp-service authentication enable
[Sysname] ntp-service authentication-keyid 10 authentication-mode md5 simple BetterKey
Related commands
ntp-service authentication enable
ntp-service reliable authentication-keyid
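
The usage guidelines above can be checked mechanically against a saved configuration. The following Python audit is an added example, not part of the HPE manual: it flags keys that use an algorithm weaker than a chosen floor, keys never marked trusted, and key IDs whose ACL is absent, missing (any device can use the key ID) or empty (no device can). It assumes the saved lines follow the command syntax shown on this page, that the keywords for the other two algorithms are spelled hmac-sha-1 and hmac-sha-256, and that the caller supplies the ACL inventory; the function name, issue labels and sample values are constructed for illustration.

```python
import re

# Strongest to weakest, as ranked in the usage guidelines above.
STRENGTH = ["hmac-sha-512", "hmac-sha-384", "hmac-sha-256", "hmac-sha-1", "md5"]
KEY_RE = re.compile(r"^ntp-service authentication-keyid (\d+) "
                    r"authentication-mode (\S+) (?:cipher|simple) \S+(.*)$")
TRUST_RE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)$")
ACL_RE = re.compile(r"(ipv6 )?acl (\d+)")

# Constructed sample configuration; key strings are placeholders.
SAMPLE = """\
ntp-service authentication enable
ntp-service authentication-keyid 10 authentication-mode md5 cipher PLACEHOLDER1
ntp-service authentication-keyid 20 authentication-mode hmac-sha-512 cipher PLACEHOLDER2 acl 2001
ntp-service authentication-keyid 30 authentication-mode hmac-sha-256 cipher PLACEHOLDER3 acl 2999
ntp-service authentication-keyid 40 authentication-mode hmac-sha-384 cipher PLACEHOLDER4 ipv6 acl 2001
ntp-service reliable authentication-keyid 20
ntp-service reliable authentication-keyid 30
ntp-service reliable authentication-keyid 40
"""
# Assumed ACL inventory supplied by the caller: family -> {ACL number: rule count}.
SAMPLE_ACLS = {"ipv4": {2001: 2}, "ipv6": {2001: 0}}

def audit_ntp_auth(config, acls, min_algo="hmac-sha-256"):
    """Return sorted (key_id, issue) pairs; key_id 0 marks a global issue."""
    lines = [line.strip() for line in config.splitlines()]
    findings = set()
    if "ntp-service authentication enable" not in lines:
        findings.add((0, "auth-disabled"))
    trusted = {int(m.group(1)) for m in map(TRUST_RE.match, lines) if m}
    for m in filter(None, map(KEY_RE.match, lines)):
        key_id, algo, options = int(m.group(1)), m.group(2), m.group(3)
        if algo not in STRENGTH:
            findings.add((key_id, "unknown-algorithm"))
        elif STRENGTH.index(algo) > STRENGTH.index(min_algo):
            findings.add((key_id, "weak-algorithm"))
        if key_id not in trusted:
            findings.add((key_id, "not-trusted"))
        refs = ACL_RE.findall(options)
        if not refs:
            findings.add((key_id, "no-acl"))
        for fam, num in refs:
            rules = acls.get("ipv6" if fam else "ipv4", {}).get(int(num))
            if rules is None:    # ACL does not exist: any device can use the key ID
                findings.add((key_id, "acl-missing-allows-any"))
            elif rules == 0:     # ACL has no rules: no device can use the key ID
                findings.add((key_id, "acl-empty-blocks-all"))
    return sorted(findings)
```

Calling audit_ntp_auth(SAMPLE, SAMPLE_ACLS) returns the findings for the constructed configuration; key 20 produces none.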