1-11The access-control right mechanism provides only a minimum degree of security protection for the localswitch. A more secure method is identity authentication.Configuring NTP AuthenticationIn networks with higher security requirements, the NTP authentication function must be enabled to runNTP. Through password authentication on the client and the server, the clock of the client issynchronized only to that of the server that passes the authentication. This improves network security.Table 1-2 shows the roles of devices in the NTP authentication function.Table 1-2 Description on the roles of devices in NTP authentication functionRole of device Working modeClient in the server/client modeClient in the broadcast modeClient in the multicast modeClientSymmetric-active peer in the symmetric peer modeServer in the server/client modeServer in the broadcast modeServer in the multicast modeServerSymmetric-passive peer in the symmetric peer modeConfiguration PrerequisitesNTP authentication configuration involves:z Configuring NTP authentication on the clientz Configuring NTP authentication on the serverObserve the following principles when configuring NTP authentication:z If the NTP authentication function is not enabled on the client, the clock of the client can besynchronized to a server no matter whether the NTP authentication function is enabled on theserver (assuming that other related configurations are properly performed).z For the NTP authentication function to take effect, a trusted key needs to be configured on both theclient and server after the NTP authentication is enabled on them.z The local clock of the client is only synchronized to the server that provides a trusted key.z In addition, for the server/client mode and the symmetric peer mode, you need to associate aspecific key on the client (the symmetric-active peer in the symmetric peer mode) with thecorresponding NTP server (the symmetric-passive peer in the symmetric peer mode); for the NTPbroadcast/multicast mode, you need to associate a specific key on the broadcast/multicast serverwith the corresponding NTP broadcast/multicast client. Otherwise, NTP authentication cannot beenabled normally.z Configurations on the server and the client must be consistent.