STIGhub

V-242644

CAT II (Medium)

The Cisco ISE must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

Rule ID

SV-242644r1167992_rule

STIG

Cisco ISE NDM Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-001967

Discussion

If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.

Check Content

1. Choose Administration >> System >> Settings >> System Time.
2. Review the configuration of the NTP servers.
3. Verify "Only allow authenticated NTP servers" is checked.

If the Cisco ISE is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.

Fix Text

1. Choose Administration >> System >> Settings >> System Time.
2. Enter unique IP addresses (IPv4/IPv6/FQDN) for the NTP servers.
3. Check the "Only allow authenticated NTP servers" box to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time. DOD requires NTP authentication where available, so configure the NTP server using private keys.
4. Click the "NTP Authentication Keys" tab and specify one or more authentication keys if any of the specified servers requires authentication via an authentication key, as follows:
    - Click "Add".
    - Enter the necessary Key ID and Key Value. Specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click "OK". The Key ID field supports numeric values between 1 and 65535, and the Key Value field supports up to 15 alphanumeric characters.
    - Return to the NTP Server Configuration tab when finished entering the NTP Server Authentication Keys.
5. Click "Save".

Note: If authentication settings are no longer available, then a DOD-approved solution must be used. Use of MD5 results in a CAT 2 finding since NTP authentication is required. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
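To make concrete what the discussion and fix text above rely on, here is an added example (not from the STIG or from Cisco) of NTP symmetric-key authentication as specified in RFC 5905 section 7.3: the MAC trailer is the 32-bit key ID followed by a digest over the key and the packet, and a receiver accepts a packet only when its MAC validates under a trusted key ID, which is what rejecting a rogue, unauthenticated time source amounts to on the wire. The key ID, key value and packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 5905 section 7.3: MAC trailer = 32-bit key id + digest(key || header and extensions).
NTP_HEADER_LEN = 48
# md5 is the RFC 5905 default digest; the STIG note above treats its use as a finding.
DIGEST_LEN = {"md5": 16, "sha1": 20}


def build_ntp_v4_header(stratum: int = 2, transmit_ts: int = 0) -> bytes:
    """Constructed NTPv4 server-mode header (LI=0, VN=4, mode=4) used as sample input."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    # li_vn_mode, stratum, poll, precision; root delay, root dispersion, ref id ("GPS"); 4 timestamps
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + struct.pack(
        "!IIIQQQQ", 0, 0, 0x47505300, 0, 0, 0, transmit_ts)


def append_mac(packet: bytes, key_id: int, key: bytes, digest: str = "sha1") -> bytes:
    """Append the key-id + digest trailer that an authenticating NTP peer computes."""
    if not 1 <= key_id <= 65535:  # the Key ID range the ISE fix text describes
        raise ValueError("key id out of range")
    return packet + struct.pack("!I", key_id) + hashlib.new(digest, key + packet).digest()


def verify_ntp_mac(packet: bytes, trusted_keys: dict, digest: str = "sha1") -> bool:
    """Return True only if the packet carries a MAC that validates under a trusted key id."""
    trailer_len = 4 + DIGEST_LEN[digest]
    if len(packet) < NTP_HEADER_LEN + trailer_len:
        return False  # no MAC trailer at all: an unauthenticated packet is rejected
    body, trailer = packet[:-trailer_len], packet[-trailer_len:]
    key = trusted_keys.get(struct.unpack("!I", trailer[:4])[0])
    if key is None:
        return False  # key id is not one of the trusted keys
    expected = hashlib.new(digest, key + body).digest()
    return hmac.compare_digest(expected, trailer[4:])  # constant-time comparison


def demo() -> dict:
    """Exercise the verifier against authenticated, unauthenticated, foreign-key and altered packets."""
    trusted = {10: b"Ex4mpleKey15chr"}  # constructed 15-character key, as the ISE Key Value field allows
    header = build_ntp_v4_header()
    good = append_mac(header, 10, trusted[10])
    altered = bytearray(good)
    altered[1] = 1  # stratum changed after the MAC was computed, so the digest no longer matches
    return {
        "authenticated": verify_ntp_mac(good, trusted),
        "no_mac": verify_ntp_mac(header, trusted),
        "unknown_key": verify_ntp_mac(append_mac(header, 11, b"other-key"), trusted),
        "altered": verify_ntp_mac(bytes(altered), trusted),
    }
```

Only the first case is accepted; the other three are what "Only allow authenticated NTP servers" causes ISE to discard.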