At first this was just a bug, now it’s annoying, I don’t know why Cisco have not got round to fixing this, it’s still a problem in the latest (6.2.2 at time of writing,) version.
Solution
Configuration > ASA FirePOWER Configuration > Local > System Policy > Time > Synchronisation > Manually > Save Policy and Exit.
Deploy > Deploy FirePOWER Changes > Deploy.
To View Task Progress: Monitoring > ASA FirePOWER Monitoring > Ensure the policy has applied successfully, (go and have a coffee).
Configuration > ASA FirePOWER Configuration > Local > Configuration > Time > Select the time zone ‘Hyperlink’ > Set the correct zone > Save > Done.
Configuration > ASA FirePOWER Configuration > Local > System Policy > Time > Synchronisation > Via NTP From… > Type in a public NTP Server > Save Policy and Exit.
Now that we have the web console instead of the VI client, and don’t have a windows machine anymore, it would be better to use the web console.
Also, having your ESXi Server running the correct time/date is very important, before you follow this article I should suggest that by making sure the time is set in the ESX Servers BIOS, e.g. the internal clock is set correctly first!!! The amount of times that Windows Domains fail because the time had not been setup properly on the hosts and DC is more than you think! Last thing you want is a massive pain in the arse from your Boss!
Note: Due to the privacy of the customer, I have blurred out their information.
Solution
Note: For this to work the hosts need to be able to communicate with public time servers over NTP (UDP Port 123), ensure your firewall has this port open or time sync will fail.
Firstly, login into the ESX host itself and click on manage on the left-hand side.
Secondly, click on “Time and Date” and edit the settings.
Now, edit the boxes and dropdowns to look like the screenshot below (I am from the UK and typed in the NTP servers for my country, it will be different in other parts of the world) and then click save.
Now that we completed that, we have to start the service. So, go to Actions > NTP Service > Start.
After 30 seconds, you will have this message saying it has completed successfully.
Related Articles, References, Credits, or External Links
If you have arrived here, you have either noticed that the time is wrong on your server(s) or client PC(s), or you have looked in the event viewer and seen one of the following events being logged. Event ID’s 12, 22, 29, 36, 38, 47, and 50.
Event ID 12 (W32 Time Time Provider NtpClient: This machine is configured to use {text omitted}, but it is the PDC emulator…).
Event ID 29 (The time provider NtpClient is configured to acquire time from one or more time sources…).
Event ID 36 (The time service has not synchronized the system time for 86400 seconds…).
Event ID 38 (The time provider NtpClient cannot reach or is currently receiving invalid time data from…).
Event ID 47 (Time Provider NtpClient: No valid response has been received from manually configured peer…).
Time Problem Events – On Domain Members
Event ID 50 (The time service detected a time difference of greater than 5000 milliseconds for 900 seconds…).
Event ID 22 (The time provider NtpServer encountered an error while digitally signing the NTP response for peer…).
Solution
Setting domain time is a TWO-STEP process, set the time correctly on the PDC emulator, then let the clients take their time from the PDC emulator.
Locate the PDC Emulator
1. On a domain controller, Windows Key+R > netdom query fsmo {Enter}.
2. Take note of the PDC name and go to that server.
NTP Firewall config
1. Ensure UDP Port 123 is open outbound from the PDC Emulator. How this is done will vary depending on your firewall vendor. If you have a Cisco ASA or a Cisco PIX see my article here.
To Test Use NTPTool
Below either the port is blocked (or the hostname/IP of the external NTP server is incorrect);
This is how it should look, every-time you press query you should get a response, now you know the correct port is open;
Configure the PDC Emulator to collect Reliable Time
Of course our PDC Emulator is also a domain controller, so we need to link a GPO to the domain controllers OU. But we dont want all DC’s getting their time from an external source, so we will create a WMI filter to ensure the policy will only apply to the PDC emulator server.
Administrative tools > Group Policy Management > WMI Filter > New > PDC-Emulator-Only > Add > Select * from Win32_ComputerSystem where DomainRole = 5 > OK.
Don’t panic if you see this error > OK > Save.
Create a new GPO linked to the Domain Controllers OU.
Change the policy so it uses your WMI filter;
Edit The Policy, and navigate to;
[box]Computer Configuration > Policies > Administrative eTemplates > System > Windows Time Service > Time Providers[/box]
Configure Windows NTP Client
Enable the policy > set the NtpServer setting to server-name(comma)stratum-type(space). If you get this wrong you wont sync, and you will see this error.
Enable Windows NTP Client
Enable the Policy (The server still needs to get its time from the external source!)
Enable Windows NTP Server
Enable the policy (The server also needs to provide time to the domain clients).
Save and exit the policy editor, then on the PDC emulator force a policy update and resync the time. Finally run rsop to make sure the settings have applied.
Setting PDC Emulator Time From Command Line
1. On the PDC emulator Windows Key+R > cmd {Enter}.
2. At command line execute the following four commands;
[box]
w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update
net stop "windows time"
net start "windows time"
w32tm /resync
[/box]
Note: If you are NOT in the UK or simply want to use a different NTP time server go here for alternatives.
3. Look in the servers Event log > System Log for Event ID 37.
---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time provider NtpClient is currently receiving valid time
data from ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. —————————————————————
4. You will also see Event ID 35.
---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time service is now synchronizing the system time with the time source
ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. —————————————————————
Step 2 Check the domain clients
This is all you should need to do, because, (by default) all Domain clients get their time from the PDC when they log on, but to check;
1. Windows Key+R > cmd {enter}.
2. Execute the following command;
[box] w32tm /monitor [/box]
3. You will see the time this client can see, on all the domain controllers.
(In the case above the time on server-dc is way out, address that first – (it was an old Windows 2000 server and running “net time server-pdc” {enter} fixed it).
4. Once all the domain controllers have a time that’s accurate (like the last three in the example above), then proceed.
5. Execute the following commands on a client machine;
[box]
net stop "windows time"
net start "windows time"
w32tm /resync
[/box]
6. The machines event log should show the following successful events;
Event ID 37 (The time provider NtpClient is currently receiving valid time data from..).
Event ID 35 (The time provider NtpClient is currently receiving valid time data from..).
Setting Domain Clients Time via GPO
As already outlined you should not need to do this, (as it’s the default setting,) but if there’s a problem you can force domain clients to look at your PDC emulator for reliable time.
Create a GPO, and link it to the OU containing the computers you want to sync’
Edit the policy and navigate to;
[box]Computer Configuration > Policies > Administrative eTemplates > System > Windows Time Service > Time Providers[/box]
Configure Windows NTP Client
Enable the policy > Set the NtpServer to {Your-PDC-Name},0x9 > Set the Type to NT5DS.
Enable Windows NTP Client
Enable this policy.
Testing Client NTP Settings
Either run;
[box]w32tm /query /status[/box]
Or run RSOP.
Related Articles, References, Credits, or External Links
Starting test: Advertising
Warning: Server-Name is not advertising as a time server.
......................... Server-Name failed test Advertising
Running enterprise tests on : PeteNetLive.com Starting test: Intersite ……………………. PeteNetLive.com passed test Intersite Starting test: FsmoCheck Warning: DcGetDcName(TIME_SERVER) call failed, error 1355 A Time Server could not be located. The server holding the PDC role is down. Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355 A Good Time Server could not be located. ……………………. PeteNetLive.com failed test FsmoCheck
Solution
Note: Any one of the things below can cause this problem, I suggest you retry running dcdiag after each step until it runs without error.
1. In a windows domain, clients normally get their time from the domain controller that holds the PDC Emulator role. Locate that server and log on.
3. If you have got this far, then should already have the windows time service running, check!
4. From command line, remove and reinstall the Windows time service with the following two commands.
[box]w32tm /unregister<br />w32tm /register[/box]
Note: It’s not unusual to see the following error after you issue a ‘w32tm /unregister’ command,
Error
The following error occurred: Access is denied (0x80070005)
If this happens don’t panic, open the services console (Press F5) and the Windows Time Service may have disappeared (if so re-register it). If not manually stop the Windows Time service and try to unregister again, then re-register.
WARNING: After doing this, you will need to set the time service to get reliable time from an NTP External Server again.
5. Press Windows Key+R > regedit {enter} > Navigate to the following registry key;
Ensure the Type value it set to NTP, the restart the Windows time service and check again.
5. Whilst still in the registry editor navigate to;
[box]HKLM > System > CurrentControlSet > services > W32Time > Config[/box]
Set the AnnounceFlags value to 5.
6. Whilst still in the registry editor navigate to;
[box]HKLM > System > CurrentControlSet > services > W32Time > Time Providers > NtpServer[/box]
Make sure the Enabled value is set to 1 (one).
7. If the problem persists, on the PDC Emulator run gpedit.msc > Navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]
Make sure ‘Global Configuration Settings’ is set to ‘Not Configured’.
Navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]
Make ALL the settings are to ‘Not Configured’.
If you changed anything, run ‘gpupdate /force’ and try again.
8. On the PDC Emulator, Open a command window (Note: You must Run as Administrator!) > In the Computer Settings section locate all the policies that are applying to the server.
Note: As a shortcut to find the offending policy, you could run ‘gpresult /v > c:gpresult.txt’ then search that text file, for any instance of w32tm, (here’s an example).
As above navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]
Make sure Global Configuration Settings is set to ‘Not Configured’.
Navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]
Make ALL the settings are set to ‘Not Configured’.
If you changed anything, run ‘gpupdate /force’ and try again.
Related Articles, References, Credits, or External Links
For network identification I have tended to use RADIUS (in a Windows NPS or IAS flavour), in the past. I turned my back on Cisco TACACS+ back in my ‘Studying for CCNA’ days, because back then it was clunky and awful. I have a client that will be installing ACS in the near future, so I thought I would take a look at it again, and was surprised at how much more polished it is. As Cisco plans to roll ACS into Cisco ISE in the future, I’m not sure if it will remain as a separate product. So we may find people using version 5 for a long time yet.
Solution
I’m deploying ACS version 5.5 as a virtual appliance, remember to give it at least 60GB of hard drive or the install will fail. If you are installing on VMware workstation, choose the ‘I will install the operating system later’ option and manually present the CD image or it will also fail.
When you have run through the initial setup on the appliance it will set;
1. Join the ACS appliance to your domain. Users and Identity Stores > External Identity Stores > Active Directory > Join/Test Connection > Enter Domain Credentials > Join.
2. Be patient it can take a couple of minutes, wait till it says ‘Joined and Connected’.
3. Make sure you already have some groups in active directory that you want to grant access to, here I’ve got a full-access group and a read-only access group.
Note: I’m going to grant privilege level 15 to full-access, and privilege level 1 to read-only, (yes I know they can still escalate to configure terminal mode, but you can always restrict level 1 so it can only use the show command if you like).
4. Back in ACS > Directory Groups > Add > Add in your Groups > OK.
5. Create a Shell Policy: Policy Elements > Authorization and Permissions > Shell Profiles > Create > First create one for level 15 (full-access).
12. Add > Shell Profile > Select > Select the full-access profile > OK.
13. Repeat for the read-only group.
14. Set the shell profile to read-only access > OK.
15. Access Policies > Service Selection Rules > Create > Set to Match Protocol TACACS > Set the service to Default Device Admin > OK.
16. Network Resources > Network Devices and AAA Clients > Enter the details of your Cisco device and set a shared key, (here I’m using 666999) > Submit.
17. Make the necessary changes on your Cisco devices, like so;
Cisco IOS TACACS+ Config
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default group tacacs+ local
Petes-Router(config)#aaa authorization exec default group tacacs+ local
Petes-Router(config)#aaa authorization console
Petes-Router(config)#tacacs-server host 10.254.254.22
Petes-Router(config)#tacacs-server key 666999
Petes-Router(config)#end
Petes-Router#
*Mar 1 00:10:24.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router#
[/box]
Cisco ASA 5500 (and Next Generation) TACACS+ Config
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-AAA-TACACS protocol tacacs+
Petes-ASA(config-aaa-server-group)# aaa-server PNL-AAA-TACACS (inside) host 10.254.254.22
Petes-ASA(config-aaa-server-host)# key 666999
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#
-=-=-=-=-Authentication-=-=-=-=-ASDM Authentication
Petes-ASA(config)# aaa authentication http console PNL-AAA-TACACS LOCAL Console Authentication
Petes-ASA(config)# aaa authentication serial console PNL-AAA-TACACS LOCALSSH Authentication
Petes-ASA(config)# aaa authentication ssh console PNL-AAA-TACACS LOCALTelnet Authentication
Petes-ASA(config)# aaa authentication telnet console PNL-AAA-TACACS LOCAL
Enable Mode Command Protection Authentication
Petes-ASA(config)# aaa authentication enable console PNL-AAA-TACACS LOCAL-=-=-=-=-Authorisation-=-=-=-=-
Petes-ASA(config)# aaa authorization command PNL-AAA-TACACS LOCAL
Petes-ASA(config)# privilege show level 5 mode configure configure command aaa
<repeat as necessary - Note: Turn it on with the ASDM with command preview enables and you can copy paste all the commands out and edit them accordingly>-=-=-=-=-Accounting-=-=-=-=-
Petes-ASA(config)# aaa accounting command PNL-AAA-TACACS
[/box]
18. Now you can test, here I connect as a user with read-only access (Note: I have a greater than prompt, I’m in user EXEC mode). Then when I connect as a full-access user (Note: I have a hash prompt. I’m in privileged EXEC mode).
19. The results are the same if I connect via SSH.
Enabling TACACS+ Though a Firewall
Sometimes, e.g. you have a switch in a DMZ or a router outside your firewall that you want to secure with TACACS. To enable this you simply need to open TCP port 49, from the device you are securing with TACACS to the ACS server.
Related Articles, References, Credits, or External Links
To get your Cisco Router or Switch to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.
Solution
When dealing with certificates, it’s important that your device is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.
Setting IOS Time (Manually and via NTP)
1. Choose either of the options below, (as applicable). Note: I’m in the UK so my time is GMT, and I need to allow for daylight saving time, (so your settings ma vary depending on your locale).
[box]
Setting Time Manually
Petes-RTR(config)#clock timezone GMT 0
Petes-RTR(config)#clock summer-time BST recurring last Sunday March 01:00 last Sunday October 01:00
Petes-RTR(config)#exit
Petes-RTR#clock set 10:47:00 Apr 30 2014
Petes-RTR#show clock10:47:05.499 BST Wed Apr 30 2014
Petes-RTR#
Setting Time via NTP
Petes-RTR#show clock
*15:36:38.383 PCTime Mon Feb 16 2009
Petes-RTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-RTR(config)#ntp server 87.124.126.49APPLY THE 'CUP Of COFFEE RULE'
Petes-RTR#show clock
10:09:52.437 PCTime Wed Apr 30 2014
Petes-RTR#
[/box]
Enrolling via NDES
1. Make sure the device can contact the NDES server, (simply pinging it should suffice). Then set a hostname and domain name. These are required to generate an RSA Key-pair on the device before we start.
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#hostname RTR-1
RTR-1(config)#ip domain-name testbench.local
RTR-1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: RTR-1.testbench.local
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
RTR-1(config)#
*Mar 1 01:01:47.491: %SSH-5-ENABLED: SSH 1.99 has been enabled
[/box]
2. Create a set of CA settings (a trustpoint), then authenticate to it.
[box]
RTR-1(config)#crypto pki trustpoint PNL-TRUSTPOINT
RTR-1(ca-trustpoint)# enrollment url http://192.168.80.130/CertSrv/mscep/mscep.dll
RTR-1(ca-trustpoint)#enrollment mode ra
RTR-1(ca-trustpoint)#revocation-check crl
RTR-1(ca-trustpoint)#enrollment retry count 3
RTR-1(ca-trustpoint)#enrollment retry period 5
RTR-1(ca-trustpoint)#fqdn RTR-1.testbench.local
RTR-1(ca-trustpoint)#exit
RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
Certificate has the following attributes:
Fingerprint MD5: 0454B8F4 73374DE8 2FB034CB B887B1D4
Fingerprint SHA1: 2A542238 0CF3856B D0EF3E1A CBB57003 21C114F5
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
RTR-1(config)#
[/box]
3. If your NDES Server requires a password you can embed that.
If it looks like (below), then password enforcement has been disabled, and you can skip the next step.
[box]
Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password 24033E4BFF217D60[/box]
4. Enroll for a certificate.
[box]
RTR-1(config)#crypto pki enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..
% The subject name in the certificate will include: RTR-1.testbench.local
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX0945W0MY
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate PNL-TRUSTPOINT verbose' commandwill show the fingerprint.
RTR-1(config)#
May 14 10:46:46.479: CRYPTO_PKI: Certificate Request Fingerprint MD5: 25E06B18 2BF6E2B7 780AA427 89AB9A15
May 14 10:46:46.483: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 044725E7 B34F6AF8 EFB4C28B 8E7CE192 230BDC9E
RTR-1(config)#
May 14 10:46:47.875: %PKI-6-CERTRET: Certificate received from Certificate Authority
RTR-1(config)#
[/box]
5. If you have a look on the Certificate Server you will also see that the certificate has been issued.
RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
% Error in saving certificate: status = FAIL
RTR-1(config)#%CRYPTO_PKI: Cert not yet valid or is expired -
start date: 13:18:46 UTC May 12 2014
end date: 13:28:46 UTC May 12 2019
[/box]
Certificates are time specific, make sure the device has its clock set correctly, (preferably via NTP). And the time on the Certificate Services Server is set correctly.
I’ve been posting domain time articles for a long time, and on more than one occasion I’ve really needed to take my Windows time from a Cisco Device and failed miserably. I’ve even used third party NTP software to solve this problem on my own test network.
On a client network, my colleague deployed ACS5 this week, I secured the ASA5585-X for AAA and it failed authentication. Logging revealed a clock skew error, so we manually set the time on the domain PDC. Within half an hour it was failing. The network topology prevented me syncing to a public NTP server from the domain PDC.
We did however have all the network devices syncing from a public time source, if only we could use one of those?
Solution
Step 1 Configure NTP on your Cisco Device.
Here I’m using a 7200 Router in GNS3, the NTPIP addresses I use are UK based NTP servers, I suggest you replace them with some public NTP servers on your own continent. I’m using two for redundancy.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ntp server 130.88.202.49 prefer
Petes-Router(config)#ntp server 194.35.252.7
[/box]
NOTE: You need to force the Cisco device to advertise itself with a low stratum, typically the lower the stratum, the closer to atomic time you are supposed to be, (so we are actually forcing the device to lie, but if we don’t, Windows wont trust it!)
[box]
Petes-Router(config)#ntp master 5
[/box]
It can take a while for NTP, (go and have a coffee), then check it’s synchronised, DO NOT proceed until the Cisco device has synchronised.
[box]
R1#show ntp statusClock is synchronized, stratum 5, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
ntp uptime is 364600 (1/100 of seconds), resolution is 4000
reference time is D898D3A0.319A96D4 (23:05:04.193 GMT Wed Feb 25 2015)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.26 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000000 s/s
system poll interval is 16, last update was 3 sec ago.
[/box]
Step 2 Configure Windows to use Cisco NTP Time
In the past I’ve said “Windows Does not use NTP, it uses Win32 Time” This is not strictly true, it does use NTP, but by default it uses ‘Symmetric Active Mode NTP’ and your Cisco Device expects its NTP requests to be submitted via ‘Client Mode NTP‘. (See MS KB 875424 for more info).
Note: By default Windows Domains take their time from the PDC emulator, carry this procedure out on that server!
Open an elevated command prompt and execute the following commands (the Cisco device IP is shown in red, change accordingly);
[box]
w32tm /config /manualpeerlist:"123.123.123.148",0x8 /syncfromflags:MANUAL
net stop "windows time"
net start "windows time"
w32tm /resync
Note: If you want to specify TWO Cisco devices, use the following syntax
w32tm /config /manualpeerlist:"123.123.123.148,123.123.123.149",0x8 /syncfromflags:MANUAL
[/box]
Now in the Servers System log, you should see the following two events logged.
Event ID 37
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:33:19
Event ID: 37
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time provider NtpClient is currently receiving valid time data from 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).
Event ID 35
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:21:17
Event ID: 35
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time service is now synchronizing the system time with the time source 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).
Windows and Cisco NTP Problems and Errors
Event ID 47
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:11:07
Event ID: 47
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
Time Provider NtpClient: No valid response has been received from manually configured
peer 123.123.123.148 after 8 attempts to contact it. This peer will be discarded as a
time source and NtpClient will attempt to discover a new peer with this DNS name. The
error was: The peer is unreachable.
On your Cisco Device you will see debug output like so, (it will repeat 8 times);
[box]
Petes-Router#debug ntp all
NTP events debugging is on
NTP core messages debugging is on
NTP clock adjustments debugging is on
NTP reference clocks debugging is on
NTP packets debugging is on
Petes-Router#
000031: Feb 25 22:07:45.831: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000032: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: message received
000033: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#
000034: Feb 25 22:07:54.967: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000035: Feb 25 22:07:54.967: NTP Core(DEBUG): ntp_receive: message received
000036: Feb 25 22:07:54.971: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#
[/box]
Causes:
This is a pretty generic error, but in this case, one of the following situations can cause this;
1. UDP Port 123 is blocked between Windows and the Cisco NTP device.
2. The Cisco NTP device has not synchronised form a reliable NTP source.
3. The stratum of the Cisco NTP device is to high.
4. Windows is attempting to sync time using ‘Symmetric Active Mode NTP‘ See my comments above.
Related Articles, References, Credits, or External Links
The Cisco ISENFR appliance is for demos and test bench use, I’m currently building a test lab for ISE so I spun a copy up. I looked at the associated ReadMe.pdf for instructions on the basic setup, and found a hyper-link to the instructions, that didn’t work! bah.
Solution
The appliance comes as an OVA file for importation into vSphere/ESX, I’m assuming you have already imported the appliance.
[box] ise/admin(config-GigabitEthernet)# exit ise/admin(config)# ip default-gateway 192.168.200.1[/box]
Cisco ISE NFR Set Hostname and DNS Information
6. To change the appliances default domain;
[box]
ise/admin(config)# ip domain-name pnltest1.com
Enter ‘Y’ to restart the services.
[/box]
7. To set the DNS server to use for local lookups;
[box]ise/admin(config)# ip name-server 192.168.200.10
Enter ‘yes’ to restart the services.
[/box]
8. To set the Hostname, simply use the following syntax;
[box]ise/admin(config)# hostname ISE-01 [/box]
Cisco ISE NFR Set NTP Information
9. To set the timezone;
[box]ise/admin(config)# clock timezone GB [/box]
10. To set the NTP servers it’s a little more convoluted, you can have up to three, two are already configured. If you try and delete the pre-configured ones it will error. So you need to add one, then delete the two factory ones, then you can add up to another two.
[box]
To Add an NTP Server
ise/admin(config)# ntp server 123.123.123.123To Remove an NTP Server
ise/admin(config)# no ntp server 123.123.123.123
[/box]
11. As usual NTP can take a while to synchronise, I’d go and have a coffee at this point, to test;
[box]ise/admin(config)# show ntp [/box]
12. Save your changes.
13. At this point you should be able to get to the web console.
14. Logged in successfully.
Related Articles, References, Credits, or External Links
You want to set up a Cisco ASA to authenticate users (VPN access for example).
Solution
Kerberos can only be used as an authentication protocol on the ASA, so its fine for allowing VPN connections but not for assigning policies etc. To work both the ASA and the domain need to be showing accurate time.
Step 1: Set the ASA to get time from an External NTP Server
1. Log onto the ASA > Go to “Enable Mode” > Issue the following command;
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ntp server 130.88.212.143 source outside
[/box]
Note that’s a public time server in the UK (Manchester University) that I use. you may want to use another.
2. To check the ASA has synchronised issue the a ‘show ntp status‘ command,
[box]
If you see a message like the following, go and have a coffee.Petes-ASA(config)# show ntp statusClock isunsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msecWhat you are looking for is "Clock is Syncronized"Petes-ASA(config)# show ntp statusClock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cdd7b741.119bcc72 (16:13:53.068 UTC Mon Jun 8 2009)
clock offset is 15.0836 msec, root delay is 56.50 msec
root dispersion is 15931.63 msec, peer dispersion is 15890.63 msec
[/box]
3. Save the update to your firewall with a “write mem” command.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ntp server 130.88.212.143 source outside
[/box] Note that’s a public time server in the UK (Manchester University) that I use. you may want to use another.
2. To check the ASA has synchronised issue the a ‘show ntp status‘ command,
2. Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups (top Section) > Select the Kerberos Group.
3. In the bottom section click Test.
4. Enter the username and password > OK.
5. It should say that the test was successful.
If It says “Error: Authentication Rejected: Clock skew greater than 300 Seconds” then steps 1 and 2 did not work.
Kerberos Pre-Authentication
Also Note: You may need to turn of “Require pre-authentication” on a user by user basis. If so, log onto the domain controller > Start > Run > dsa.msc > Locate the user > Right Click > Properties > account > Account options (scroll down) > Select “Do Not require Kerberos preauthentication”.
Related Articles, References, Credits, or External Links
With NTP, there will be two things you want to do, 1) Allow a device behind the ASA to take its time from a public NTP server, and 2) Set the ASA to take its system time from a public NTP sever (for accurate date stanps on the logs, and for time critical things like Kerberos authentication.)
Solution
Allow internal host(s) to get system time though the firewall.
1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)#
[/box]
2. To rules are being applied to traffic going OUT through the firewall, run a “show run access-group” command.
[box]
PetesASA(config)# show run access-group
Sample Output
access-group outbound in interface inside
access-group inbound in interface outside
[/box]
Note: If it returns nothing then outbound traffic is NOT being filtered, and NTP should work anyway, but in the example above I can see the traffic that is going IN the inside interface (That’s traffic going out if you think about it!) Is being filtered by an access list called ‘outbound’ (Because I give the ACL’s sensible names, yours could be called anything!)
3. To allow ALL hosts use the word any, for a specific host use the keyword host.
[box]
Allow all hosts access to NTP
PetesASA(config)# access-list outbound permit udp any any eq 123
Allow one host (192.168.1.1)
to NTP
PetesASA(config)# access-list outbound permit udp host 10.254.254.1 any eq 123
[/box]
4. Finally save the updated config.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Set the ASA to get its System Time from an External NTP Source
1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)#
[/box]
2. The IP address I’m using is in the UK if you want one more local look here.
[box]
PetesASA(config)# ntp server 130.88.212.143 source outside
[/box]
3. To check on its status, simply execute a “show ntp status” command. BUT it will take a few minutes to synchronise, until it does you will see;
[box]
PetesASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a01de.60ad92ea (13:04:30.377 UTC Fri May 25 2012)
clock offset is 3414265.0854 msec, root delay is 26.09 msec
root dispersion is 3430186.81 msec, peer dispersion is 16000.00 msec
PetesASA(config)#
[/box]
When it is finally synchronised it will say;
[box]
PetesASA(config)# show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a0f74.a34d5dde (14:02:28.637 UTC Fri May 25 2012)
clock offset is -9.1688 msec, root delay is 25.91 msec
root dispersion is 15915.95 msec, peer dispersion is 15890.63 msec
PetesASA(config)#
[/box]
4. Finally save the updated config.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Related Articles, References, Credits, or External Links