Infoblox Grid Manager NTP Authentication

Configuring NTP authentication on the Infoblox Grid Master is quite simple. Everything is packed inside the single “NTP Grid Config” menu. You just have to enter the NTP keys respectively key IDs and enable authentication on the appropriate servers. In the case of incorrect authentication values an error message is logged. Very good, since this is not the case on some other network security devices (Palo, Forti).

Too bad that it only supports MD5 while SHA-1 should be used instead of.

For a secure environment you should use 3x your own stratum 1 NTP servers along with NTP authentication. Refer to Why should I run own NTP Servers?. I am using 2x Raspberry Pis (based on DCF77 and GPS) and a Meinberg M200. NTP authentication is enabled on any of them. For each NTP server I have different NTP keys since you must use different key IDs for each of them. You can’t use the same ID with different keys anywhere.

I am using vNIOS version 8.3.4 for the following setup. Find the NTP config at: Grid -> Grid Manager -> (right-hand side) NTP -> NTP Grid Config.

My config looks like that:

Note the MD5 keys rather than SHA-1. :( Anyway, better than nothing.

For testing purposes, I have entered a falsified NTP key (ID 2). Using the

show ntp

Infoblox > show ntp
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.1     .LOCL.          12 l  23h   64    0    0.000    0.000   0.000
+2a01:4f9:2b:a5a 51.174.131.248   2 u  245  256  377   33.536   -3.225   6.057
*2003:de:2016:33 .PZF.            1 u  197  256  377    8.079   -0.128   0.638
 2003:de:2016:33 .INIT.          16 u    -  256    0    0.000    0.000   0.000
+2003:de:2016:33 .DCFa.           1 u   13  256  377   14.818   -1.194   0.711
-2a02:c205:2009: 26.91.187.18     2 u  236  256  377   12.652    0.639   0.570

While the logs clearly state the authentication error. Nice!

However, please note that I am not completely happy with the CLI output from the above mentioned “show ntp” because it does NOT explicitly show which NTP servers are in fact using authentication. I would like to have a more detailed NTP output as on Cisco routers with their “show ntp associations detail”.

Featured image “Weitsicht” by Norbert Reimer is licensed under CC BY-SA 2.0.