Meraki

Community

clock synchronization for Meraki MR with NTP server

DarioGustin
Conversationalist
‎Jun 28 2018 9:25 PM
‎Jun 28 2018 9:25 PM

clock synchronization for Meraki MR with NTP server

Is there an option in the Meraki Dashboard to sync the clock with NTP servers? not to convert the device (Access Point in an NTP server but only sync the AP with a NTP server

0 Kudos
19 Replies 19
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 28 2018 10:54 PM
‎Jun 28 2018 10:54 PM

It already does this.

0 Kudos
In response to PhilipDAth
DarioGustin
Conversationalist
‎Jun 28 2018 11:39 PM
‎Jun 28 2018 11:39 PM

Thanks Philip. Where is the option to define the NTP server? How can I get to it? Do you know the path of this option (configure the external NTP server)?

0 Kudos
In response to DarioGustin
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 29 2018 12:13 AM
‎Jun 29 2018 12:13 AM

You can't define it.  It is "baked" in.

0 Kudos
In response to DarioGustin
Rudi
Getting noticed
‎Jun 29 2018 10:56 AM
‎Jun 29 2018 10:56 AM

Hi Dario - you can check on your "Firewall Info" tab (Help -> Firewall Info) to see that the Merakis would like UDP port 123 open for an NTP connection, mine doesn't show a destination (just "Any" destination). I believe there is no option to select a specific NTP server.

0 Kudos
In response to Rudi
Jim1
New here
‎Oct 15 2019 9:34 AM
‎Oct 15 2019 9:34 AM

Meraki devices use pool.ntp.org as the NTP servers

0 Kudos
In response to Jim1
MConradt
Conversationalist
‎Feb 28 2020 9:05 AM
‎Feb 28 2020 9:05 AM

I have this same question.  For PCI DSS compliance network devices need to get their NTP from an internal NTP server, not all over the known world of internet NTP servers.  It is kind of like advertising to any NTP server around the world, HEY! OVER HERE, I have a network to attack!  Provided a malicious actor decided to join the NTP pool, but that would never happen.

0 Kudos
In response to MConradt
cmr
Kind of a big deal
Kind of a big deal
‎Feb 28 2020 12:31 PM
‎Feb 28 2020 12:31 PM

If you need an internal ntp server, create a zone for ntp.org on internal DNS and create a host record called pool that points to your own internal NTP server.

 

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to MConradt
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 28 2020 1:25 PM
‎Feb 28 2020 1:25 PM

>For PCI DSS compliance network devices need to get their NTP from an internal NTP server

 

This sounds wrong.  I just took a quick look over the specification and can't find anything referencing this.  So you are saying you can't even use a Government run rubidium based NTP clock source - a clock source more secure and more  heavily protected and managed than any internal NTP server you could hope to run yourself?

 

I can see references about being "allowed" to use an internal NTP server - but nothing saying you "must" use an internal NTP server.

0 Kudos
In response to PhilipDAth
MConradt
Conversationalist
‎Feb 28 2020 1:59 PM
‎Feb 28 2020 1:59 PM

PCI DSS 10.4.1 has the following.
Are the following processes implemented for critical systems to have the correct and consistent time:
(a) Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC?

 

I do not mind having a known official external clock source(s) for a few designated servers.

What I do not like is using ntp.pool.org and having all my access points getting time from NTP servers all over the world.

It doesn't make sense to me from a security perspective.

0 Kudos
In response to MConradt
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 28 2020 2:05 PM
‎Feb 28 2020 2:05 PM

That seems to be a two parter to me.

 

>(a) Do only designated central time server(s) receive time signals from external sources

 

You can tick this one.  Meraki will be external.

 

>and are time signals from external sources based on International Atomic Time or UTC?

 

This is an (a) or (b) answer.  It doesn't appear to have any wrong answer.

0 Kudos
In response to PhilipDAth
MinnesotaKid
Conversationalist
‎Aug 26 2020 8:42 AM
‎Aug 26 2020 8:42 AM

Little late to the conversation on this one, but @PhilipDAth - would you happen to know of a whitepaper from Meraki that details the NTP configuration or settings that are baked in on the MR side of things? I've been looking around but only found a few forum posts on it. 

0 Kudos
In response to MinnesotaKid
cmr
Kind of a big deal
Kind of a big deal
‎Aug 26 2020 11:03 AM
‎Aug 26 2020 11:03 AM

@MinnesotaKid there seem to be quite a few in use, just checked two networks of mine in the UK and the below are all used as NTP servers for APs:

 

185.120.34.123 - time.netweaver.uk
176.58.109.199 - time.videxio.net
185.83.169.27
195.219.205.9
85.199.214.98
81.21.65.168 - ns3.turbodns.co.uk
185.53.93.157 - ntp2.wirehive.net
51.89.151.183 - 183.ip-51.89.151.eu

 

Seems a bit of a mixed bag to me...

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Aug 26 2020 12:00 PM
‎Aug 26 2020 12:00 PM

I assume it will simply point to some (sub-) pool.ntp.org.

0 Kudos
In response to MinnesotaKid
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 26 2020 2:56 PM
‎Aug 26 2020 2:56 PM

@MinnesotaKid  I don't know if any published list of NTP servers.  I would be tempted to do a packet capture of port 53 and examine the DNS entries being asked for.

In response to PhilipDAth
cmr
Kind of a big deal
Kind of a big deal
‎Aug 28 2020 9:59 AM
‎Aug 28 2020 9:59 AM

@PhilipDAth that's what I did and was somewhat surprised to find one network with all ~25 APs using two Ip addresses and a second network with ~10 APs using six different ones...

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 28 2020 4:27 PM
‎Aug 28 2020 4:27 PM

I just did a packet capture of an MR access point in bridge mode just after power cycling it.

 

It made zero NTP queries.

 

Perhaps the NTP queries being seen are from an SSID in bridge mode, and it is the clients making the NTP queries.

0 Kudos
In response to PhilipDAth
cmr
Kind of a big deal
Kind of a big deal
‎Aug 30 2020 2:47 AM
‎Aug 30 2020 2:47 AM

@PhilipDAth the SSIDs on the APs I listed the NTP queries from are in bridge mode.  I guess I must be missing something, but why would the client NTP traffic appear to come from the APs management IP address when all other client traffic comes from the client's IP?  Does the MR proxy or relay the NTP traffic?  

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 30 2020 12:23 PM
‎Aug 30 2020 12:23 PM

You would only see client NTP queries coming from the AP IP address if one of the SSIDs (such as guest) was in NAT mode.

In response to PhilipDAth
cmr
Kind of a big deal
Kind of a big deal
‎Aug 30 2020 1:13 PM
‎Aug 30 2020 1:13 PM

@PhilipDAth all the NTP calls I traced were from APs where every SSID is in bridge mode, so it looks to me then like the APs themselves make a lot of different NTP calls...

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.