Time is inherently important to the function of networking devices. It provides the only frame of reference between all devices on the network, which makes synchronized time extremely important. Without proper time synchronization between your Aruba gear and network servers, you may not only have trouble correlating log files, but inaccurate time may also affect your ability to perform accounting, fault analysis, network management, and even time-based AAA authentication and authorization.
You can set the clock on a controller manually or by configuring the controller to use the Network Time Protocol (NTP).
Aruba controllers support the Network Time Protocol (NTP), a protocol designed to synchronize the clocks of devices over a network. NTP Version 3 is a standard formalized in RFC 1305 that uses the User Datagram Protocol (UDP) and port 123.
An Aruba controller can be configured as an NTP client so that its clock is set and synchronized by an external NTP time server.
Environment: This article applies to all Aruba Mobility Controllers.
Configure the controller to set its system clock using NTP by configuring one or more NTP
In the WebUI
1. Navigate to the Configuration > Management > Clock page.
2. Under NTP Servers, click Add.
3. Enter the IP address of the NTP server.
4. Select (check) the iburst mode, if desired.
5. Click Add.
6. Under Time Zone, enter the name of the time zone and the offset from Greenwich Mean Time (GMT).
7. Click Apply.
In the CLI
ntp server ipaddr [iburst]
For each NTP server, you can optionally specify the NTP iburst mode for faster clock synchronization.
To set the time zone and daylight savings time adjustment, enter the following commands in configure mode:
clock timezone <WORD> <-23 - 23>
Note: Make sure your controller's time zone is set to something sensible.
NTP Authentication
Most users of NTP do not need authentication, as the protocol contains several filters against bad time. However, authentication is available, and its use seems to be becoming more common. Some reasons might be:
- You only want to use time from trusted sources
- An attacker may broadcast wrong time stamps
- An attacker may disguise itself as another time server
The Network Time Protocol adds security to an NTP client by authenticating the server before synchronizing the local clock. NTP authentication works by using a symmetric key which is configured by the user. The secret key is shared by both the controller and an external NTP server. This helps distinguish secure servers from fraudulent servers. Trusted keys are an additional subset of keys which are trusted and can be used for NTP authentication.
In the WebUI
1. Navigate to the Configuration > Management > Clock page.
2. Under NTP Authentication, make sure Enable is selected.
3. Under NTP Servers, enter the NTP server IP address in the NTP Server Address field.
4. Under NTP Identification Keys, enter an identification key (a number between 1 and 65535) in the Identification Key field. Then add a secret string in the Md5 Secret field. The Md5 ID key must be an ASCII string up to 31 characters.
5. Click Add.
6. The identification key, along with its corresponding Md5 secret string, is displayed in the NTP Identification Keys section.
7. Under NTP Trusted Keys, enter a string in the Trusted Key field. This is the subset of keys which are trusted. The trusted key value must be a number between 1 and 65535.
8. Click Apply.
In the CLI
This example enables NTP authentication, adds authentication secret keys into the database, and specifies a subset of keys which are trusted. It also enables the iburst option.
(host) (config) #ntp authenticate
(host) (config) #ntp authentication-key <key-id> md5 <key-secret>
(host) (config) #ntp trusted-key <key-id>
(host) (config) #ntp server <server IP> iburst key <key-id>
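To show what the key ID, MD5 secret and trusted-key settings above do on the wire, the following added example (not Aruba's code and not part of the original article) builds the classic NTP symmetric-key MAC, a 4-byte key ID followed by MD5(secret || 48-byte header), and classifies received packets. The key IDs, secrets, function names and result labels are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions, not taken from the article).
KEYS = {10: b"constructed-secret-A", 20: b"constructed-secret-B"}  # ntp authentication-key
TRUSTED = {10}                                                     # ntp trusted-key

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key ID + MD5 digest


def ntp_mac(key_id, secret, header):
    """Return key ID + MD5(secret || header), the NTP symmetric-key MAC."""
    digest = hashlib.md5(secret + header).digest()
    return struct.pack("!I", key_id) + digest


def build_header(mode, stratum=0, version=3):
    """Minimal 48-byte NTP header; timestamps are left as zero for the demo."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, 10, -18) + bytes(44)


def verify(packet, keys=KEYS, trusted=TRUSTED):
    """Classify a received packet; the labels are illustrative only."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return "no-mac"            # reply carries no authenticator
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return "unknown-key"       # key ID not in the local key database
    if key_id not in trusted:
        return "untrusted-key"     # configured, but not listed as trusted
    expected = ntp_mac(key_id, keys[key_id], header)
    if not hmac.compare_digest(expected, mac):
        return "bad-auth"          # wrong secret or modified header
    return "ok"


if __name__ == "__main__":
    reply = build_header(mode=4, stratum=2)            # mode 4 = server
    print(verify(reply + ntp_mac(10, KEYS[10], reply)))  # signed with a trusted key
    print(verify(reply))                                 # unauthenticated reply
```

A reply signed with a key that is configured but not in the trusted subset is rejected just like one with a wrong secret, which is why both the authentication-key and trusted-key commands are needed.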
The following show commands can be used to verify the NTP configuration:
(host) #show running-config | include clock
Building Configuration...
clock summer-time CDT recurring 2 sunday march 02:00 first sunday november 02:00 5
clock timezone CST -6
(host) #show ntp servers
remote local st poll reach delay offset disp
=======================================================================
=10.4.0.21 10.6.2.253 16 1024 0 0.00000 0.000000 0.00000
*10.1.1.250 10.6.2.253 2 1024 377 0.00081 -0.010376 0.03040
(host) (config) #show ntp servers brief
server 1.1.1.1 key 1234
server 10.1.1.245 iburst key 12345
(host)#show ntp status
system uptime: 7594
time since reset: 7594
bad stratum in packet: 0
old version packets: 113
new version packets: 0
unknown version number: 0
bad packet format: 0
packets processed: 110
bad authentication: 0
packets rejected: 0
system peer: 10.1.1.250
system peer mode: client
leap indicator: 00
stratum: 3
precision: -18
root distance: 0.03236 s
root dispersion: 0.06728 s
reference ID: [10.1.1.250]
reference time: cd45b701.bcbc05d5 Tue, Feb 17 2009 14:21:53.737
system flags: auth monitor ntp kernel stats
jitter: 0.005020 s
stability: 0.866 ppm
broadcastdelay: 0.003998 s
authdelay: 0.000000 s
#show ntp authentication-keys
#show ntp trusted-keys
(Aruba) (config) #show ipc statistics app-name ntp
Wed Sep 4 04:31:17 2013
Local Statistics
To application Tx Msg Tx Blk Tx Ret Tx Fail Rx Ack Rx Msg Rx Drop Rx Err Tx Ack
AMAPI Web Client 0 0 0 0 0 150 0 0 150
Layer2/3 1 0 0 0 0 1 0 0 0
AMAPI CLI Client 0 0 0 0 0 23 0 0 22
Configuration Man 9 8 2 0 9 35 0 0 32
Kernel PAPI Statistics
RxSockbufSize RxSockbufHimark CurRxQLen MaxRxQLen Drops
2097152 0 0 0 0
Allocated Buffers 0
Static Buffers 1
Static Buffer Size 1024
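As a check on the show ntp servers and show ntp status output above, the following added example (not part of the original article) parses that output and reports peers that have not answered recently, unsynchronized peers, a missing system peer, and non-zero authentication or rejection counters. The sample text is copied from the article's own output; the function names are hypothetical.

```python
import re

# Lines copied from the article's "show ntp servers" / "show ntp status" samples.
SERVERS = """\
remote local st poll reach delay offset disp
=10.4.0.21 10.6.2.253 16 1024 0 0.00000 0.000000 0.00000
*10.1.1.250 10.6.2.253 2 1024 377 0.00081 -0.010376 0.03040
"""
STATUS = """\
bad authentication: 0
packets rejected: 0
system peer: 10.1.1.250
stratum: 3
"""

# prefix char, remote, local (skipped), stratum, poll (skipped), reach (octal)
ROW = re.compile(r"^\s*([*=+^~-]?)(\S+)\s+\S+\s+(\d+)\s+\d+\s+([0-7]+)\s")


def parse_servers(text):
    """Return one dict per peer row; header and separator lines do not match."""
    return [{"remote": m[2], "selected": m[1] == "*",
             "stratum": int(m[3]), "reach": int(m[4], 8)}
            for m in map(ROW.match, text.splitlines()) if m]


def parse_status(text):
    """Split 'name: value' lines on the first colon."""
    pairs = (line.partition(":") for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}


def findings(servers_text, status_text):
    """List the conditions worth investigating in the two outputs."""
    peers, status = parse_servers(servers_text), parse_status(status_text)
    out = []
    for p in peers:
        if p["reach"] == 0:      # reach is an octal bitmap of the last 8 polls
            out.append(f"{p['remote']}: reach 0, no reply in the last 8 polls")
        if p["stratum"] >= 16:   # stratum 16 means unsynchronized
            out.append(f"{p['remote']}: stratum {p['stratum']}, unsynchronized")
    if not any(p["selected"] for p in peers):
        out.append("no system peer selected (*)")
    for counter in ("bad authentication", "packets rejected"):
        if int(status.get(counter, "0")) > 0:
            out.append(f"{counter}: {status[counter]}")
    return out
```

On the article's sample output this reports only 10.4.0.21, which shows stratum 16 and reach 0; a rising "bad authentication" counter after enabling NTP authentication usually points to a key ID or secret mismatch between controller and server.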