The Cisco ISE must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242644	CSCO-NM-000390	SV-242644r1025183_rule		Medium

Description

If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.

STIG	Date
Cisco ISE NDM Security Technical Implementation Guide	2024-09-10

Details

Check Text (C-45919r1025181_chk)

1. Choose Administration >> System >> Settings >> System Time.
2. Review the configuration of the NTP servers.
3. Verify "Only allow authenticated NTP servers" is checked.

If the Cisco ISE is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.

Fix Text (F-45876r1025182_fix)

1. Choose Administration >> System >> Settings >> System Time.
2. Enter unique IP addresses (IPv4/IPv6/FQDN) for the NTP servers.
3. Check the "Only allow authenticated NTP servers" check box if you want to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time. DOD requires NTP authentication where available, so configure the NTP server using private keys. Click the "NTP Authentication Keys" tab and specify one or more authentication keys if any of the specified servers requires authentication via an authentication key, as follows:
4. Click "Add".
5. Enter the necessary Key ID and Key Value. Specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click "OK". The Key ID field supports numeric values between 1 and 65535, and the Key Value field supports up to 15 alphanumeric characters.
6. Return to the NTP Server Configuration tab when finished entering the NTP Server Authentication Keys.
7. Click "Save".