SlideShare una empresa de Scribd logo

IEEE 802.1X and Axis’ Implementation

Axis Communications
Axis Communications

IEEE 802.1X is an authentication and authorization technique. Many Axis network video products support IEEE 802.1X as a security feature. In this white paper we will discuss the background as well as the working principle of IEEE 802.1X. We will also describe how 802.1X in Axis network camera products should be used, and when RADIUS (remote authentication dial-in user service) servers and switches are well configured.

Tecnología
1 de 6
Descargar para leer sin conexión
White paper ieee 802.1X and axis’ implementation
table of contents 1. introduction 3 2. General 3 3. Working principle 3 4. axis’ implementation of ieee 802.1X 4 5. Discussion and conclusion 5 6. helpful links 5
1. introduction Network security is a very important issue in the IP world. There are different levels of security when it comes to securing information being sent over IP networks. The first level is authentication and autho- rization. The user or device identifies itself to the network and the remote end by a username and pass- word, which are then verified before the device is allowed into the system. Added security can be achieved by encrypting the data to prevent others from using or reading the data. Common methods are HTTPS (also known as SSL/ TLS), VPN and WEP or WPA in wireless networks. IEEE 802.1X is an authentication and authorization technique. Many Axis network video products sup- port IEEE 802.1X as a security feature. In this white paper we will discuss the background as well as the working principle of IEEE 802.1X. We will also describe how 802.1X in Axis network camera products should be used, and when RADIUS (remote authentication dial-in user service) servers and switches are well configured. The intended audience of this document is technical personnel and system integrators. 2. General IEEE 802.1X is an IEEE Standard for port-based Network Access Control (“port” means the same physical connection to the LAN infrastructure). It is part of the IEEE 802.1 group of networking protocols. It pro- vides an authentication mechanism for devices to connect to a LAN, either establishing a connection or preventing the connection if authentication fails. IEEE 802.1X prevents what is called “port hi-jacking”; that is, when an unauthorized computer gets access to a network by getting to a network jack inside or outside a building. IEEE 802.1X is useful in, for example, network video applications since network cam- eras are often located in public spaces where a network jack can pose a security risk. In today’s enterprise networks, IEEE 802.1X is becoming a basic requirement for anything that is connected to a network. 3. Working principle There are three basic terms in 802.1X. The user or client that wants to be authenticated is called a sup- plicant. The actual server doing the authentication, typically a RADIUS server, is called the authentica- tion server. And the device in between, such as a switch, is called the authenticator. The protocol used in 802.1X is Extensible Authentication Protocol encapsulation over LANs (EAPOL). There are a number of modes of operation, but the most common case would look something like this (see Figure 1): 1. The authenticator sends an “EAP-Request/Identity” packet to the supplicant as soon as it detects that the network link is active (e.g., the supplicant, for example a network camera in a network video system, is connected to the switch). 2. The supplicant sends an “EAP-Response/Identity” packet to the authenticator. 3. The “EAP-Response/Identity” packet is then passed on to the authentication (RADIUS) server by the authenticator. 4. The authentication server sends back a challenge to the authenticator, such as with a token password system. 5. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant. Different authentication methods will vary this message and the total number of messages. EAP supports client-only authentication and strong mutual authentication. 6. The supplicant responds to the challenge by the authenticator. 7. The authenticator passes the response to the challenge onto the authentication server. 8. If the supplicant provides proper identity, the authentication server responds with a success message to the authenticator. 9. The success message is then passed onto the supplicant by the authenticator. The authenticator now allows access of the supplicant to the LAN, possibly restricted based on attributes that came back from the authentication server. For example, the authenticator might switch the supplicant to a particular virtual LAN or install a set of firewall rules. 3
Figure 1. EAP authentication procedure in IEEE 802.1X Authentication Server Authenticator Supplicant EAP Identity Request 1 RADIUS Access Request EAP Identity Response 3 2 RADIUS Access Challenge EAP Request/Challenge 4 5 RADIUS Access Request EAP Identity Response 7 6 RADIUS Access Accept EAP Success 8 9 What should be noted is that setting up and configuring 802.1X is a fairly complex procedure, and it is important that RADIUS servers, switches and clients (like Axis cameras) are set up correctly. 4. axis’ implementation of ieee 802.1X To gain access to a protected network, the AXIS P1344 Network Camera, for example, must have a CA certificate, a Client certificate, as well as a Client private key. They should be created by the servers and are uploaded via a web interface or ftp. When the camera is connected to the switch, the camera will present its certificate to the network switch. If the certificate is approved, the switch allows the camera access on a preconfigured port. As pointed out previously, in order to use port-based authentication, the network must be equipped with a RADIUS server and a network switch with support for 802.1X. You may also need to contact your net- work administrator for information on certificates, user ID’s and passwords. The settings here enable the AXIS P1344 Network Camera to access a network protected by 802.1X/ EAPOL (Extensible Authentication Protocol Over Lan). There are many EAP methods available to gain access to a network. The one used by Axis is EAP-TLS (EAP-Transport Layer Security). Figure 2. Web interface with AXIS P1344 4
The client and the RADIUS server authenticate each other using digital certificates provided by a PKI (Public Key Infrastructure) signed by a Certification Authority. Note that to ensure successful certificate validation, time synchronization should be performed on all clients and servers prior to configuration. Further configuration of network cameras should be performed on a safe network to avoid MITM (Man In The Middle) attacks. Terms used in the web interface are described as follows: CA Certificate - This certificate is created by the Certification Authority for the purpose of validating itself, so the AXIS P1344 Network Camera needs this certificate to check the server’s identity. Provide the path to the certificate directly, or use the browse button to locate it. Then click the Upload button. To remove a CA certificate, click the Remove button. Client certificate/private key - The AXIS P1344 Network Camera must also authenticate itself using a client certificate and a private key. Provide the path to the certificate in the first field, or use the Browse button to locate it. Then click the Upload button. To remove a client certificate, click the Remove button. Alternatively, it may be possible to upload the client certificate and key in one combined file, (e.g. a PFX file or PEM file). Provide the path to the file, or use the Browse button to locate it. Click Upload to load the file. To remove a client certificate and key, click the Remove button. EAPOL version - Select the EAPOL version (1 or 2) used in your network switch. EAP identity - Enter the user identity associated with your certificate. A maximum of 16 characters can be used. Private key password - Enter the password (maximum 16 characters) for your user identity. 5. Discussion and conclusion In today’s enterprise networks, IEEE 802.1X is more and more required as a gatekeeper. Many Axis net- work video products support IEEE 802.1X as a security feature. Setting up 802.1X is a fairly complex procedure, and it is important that Radius servers, switches and clients (like Axis cameras) are set up correctly. However, when RADIUS servers and switches are well configured for 802.1X, it is quite straight- forward to configure and integrate Axis network products into the 802.1X system. 6. helpful links > www.axis.com/products/video/ > www.axis.com/products/video/about_networkvideo/security.htm 5
www.axis.com 37589/EN/R1/0912 about axis Communications Axis is an IT company offering network video solutions for professional installations. The company is the global mar- ket leader in network video, driving the ongoing shift from analog to digital video surveillance. Axis products and so- lutions focus on security surveillance and remote moni- toring, and are based on innovative, open technology platforms. Axis is a Swedish-based company, operating worldwide with offices in more than 20 countries and cooperating with partners in more than 70 countries. Founded in 1984, Axis is listed on the NASDAQ OMX Stockholm under the ticker AXIS. For more information about Axis, please visit our website at www.axis.com ©2009 Axis Communications AB. AXIS COMMUNICATIONS, AXIS, ETRAX, ARTPEC and VAPIX are registered trademarks or trademark applications of Axis AB in various jurisdictions. All other company names and products are trademarks or registered trademarks of their respective companies. We reserve the right to introduce modifications without notice.

Recomendados

ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
Emerson Barros Rivas
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
Anwesh Dixit
 
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access SwitchVoice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Aruba, a Hewlett Packard Enterprise company
 
Real-world 802.1X Deployment Challenges
Real-world 802.1X Deployment ChallengesReal-world 802.1X Deployment Challenges
Real-world 802.1X Deployment Challenges
Aruba, a Hewlett Packard Enterprise company
 
Palo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El LathyPalo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El Lathy
Mostafa El Lathy
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview
Mostafa El Lathy
 
Advanced ClearPass Workshop
Advanced ClearPass WorkshopAdvanced ClearPass Workshop
Advanced ClearPass Workshop
Aruba, a Hewlett Packard Enterprise company
 
Radius
RadiusRadius
Radius
Alicia Murillo
 

Recomendados

ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
Emerson Barros Rivas
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
Anwesh Dixit
 
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access SwitchVoice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Aruba, a Hewlett Packard Enterprise company
 
Real-world 802.1X Deployment Challenges
Real-world 802.1X Deployment ChallengesReal-world 802.1X Deployment Challenges
Real-world 802.1X Deployment Challenges
Aruba, a Hewlett Packard Enterprise company
 
Palo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El LathyPalo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El Lathy
Mostafa El Lathy
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview
Mostafa El Lathy
 
Advanced ClearPass Workshop
Advanced ClearPass WorkshopAdvanced ClearPass Workshop
Advanced ClearPass Workshop
Aruba, a Hewlett Packard Enterprise company
 
Radius
RadiusRadius
Radius
Alicia Murillo
 
VSICM8_M02.pptx
VSICM8_M02.pptxVSICM8_M02.pptx
VSICM8_M02.pptx
MazharUddin34
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service Providers
BAKOTECH
 
CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5
Nil Menon
 
CCNP Security-Secure
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Secure
mohannadalhanahnah
 
Aruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User GuideAruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User Guide
Aruba, a Hewlett Packard Enterprise company
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
sharetech
 
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba CentralAirheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Aruba, a Hewlett Packard Enterprise company
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
Cisco Canada
 
SD WAN
SD WANSD WAN
SD WAN
Bri Molina
 
6 understanding DHCP
6 understanding DHCP6 understanding DHCP
6 understanding DHCP
Hameda Hurmat
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
ClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User GuideClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User Guide
Aruba, a Hewlett Packard Enterprise company
 
CommScope RUCKUS ICX Switching Configuration
CommScope RUCKUS ICX Switching ConfigurationCommScope RUCKUS ICX Switching Configuration
CommScope RUCKUS ICX Switching Configuration
Carla Nadin
 
Storm-Control
Storm-ControlStorm-Control
Storm-Control
NetProtocol Xpert
 
An Introduction to VMware NSX
An Introduction to VMware NSXAn Introduction to VMware NSX
An Introduction to VMware NSX
Scott Lowe
 
Understanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN TechnologyUnderstanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN Technology
Cisco Canada
 
Ccna PPT
Ccna PPTCcna PPT
Ccna PPT
AIRTEL
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE
Mahzad Zahedi
 
EMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgradeEMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgrade
Aruba, a Hewlett Packard Enterprise company
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran Workshop
Luca Matteo Ruberto
 
Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
Swapnil Kapate
 
802.1x
802.1x802.1x
802.1x
Alp isik
 

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

VSICM8_M02.pptx
VSICM8_M02.pptxVSICM8_M02.pptx
VSICM8_M02.pptx
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service Providers
 
CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5
 
CCNP Security-Secure
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Secure
 
Aruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User GuideAruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User Guide
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba CentralAirheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
 
SD WAN
SD WANSD WAN
SD WAN
 
6 understanding DHCP
6 understanding DHCP6 understanding DHCP
6 understanding DHCP
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
ClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User GuideClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User Guide
 
CommScope RUCKUS ICX Switching Configuration
CommScope RUCKUS ICX Switching ConfigurationCommScope RUCKUS ICX Switching Configuration
CommScope RUCKUS ICX Switching Configuration
 
Storm-Control
Storm-ControlStorm-Control
Storm-Control
 
An Introduction to VMware NSX
An Introduction to VMware NSXAn Introduction to VMware NSX
An Introduction to VMware NSX
 
Understanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN TechnologyUnderstanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN Technology
 
Ccna PPT
Ccna PPTCcna PPT
Ccna PPT
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE
 
EMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgradeEMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgrade
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran Workshop
 

Destacado

802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast
Sithideth Banavong
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication Standard
Dan Miller
 

Destacado (12)

Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
 
802.1x
802.1x802.1x
802.1x
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication Standard
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and Update
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
802.1x authentication
802.1x authentication802.1x authentication
802.1x authentication
 
802.1x
802.1x802.1x
802.1x
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
Cisco switch setup with cppm v1.2
Cisco switch setup with cppm v1.2Cisco switch setup with cppm v1.2
Cisco switch setup with cppm v1.2
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
 
Holistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimizationHolistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimization
 

Similar a IEEE 802.1X and Axis’ Implementation

802 11 3
802 11 3802 11 3
802 11 3
rphelps
 
Wireless security
Wireless securityWireless security
Wireless security
paripec
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
Warren Bent
 

Similar a IEEE 802.1X and Axis’ Implementation (20)

8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guide
 
Sw8021x
Sw8021xSw8021x
Sw8021x
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
 
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdfConfiguring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
 
AAA Protocol
AAA ProtocolAAA Protocol
AAA Protocol
 
Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2
 
AAA server
AAA serverAAA server
AAA server
 
WiFi Hotspot Password
WiFi Hotspot PasswordWiFi Hotspot Password
WiFi Hotspot Password
 
802 11 3
802 11 3802 11 3
802 11 3
 
Ali shahbazi khojasteh dot1X
Ali shahbazi khojasteh dot1XAli shahbazi khojasteh dot1X
Ali shahbazi khojasteh dot1X
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)
 
Sem cis ise
Sem cis iseSem cis ise
Sem cis ise
 
WLAN and IP security
WLAN and IP securityWLAN and IP security
WLAN and IP security
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
 
Wireless security
Wireless securityWireless security
Wireless security
 
Wireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best PracticesWireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best Practices
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
 
Wi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and PrivacyWi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and Privacy
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005
 

Más de Axis Communications

Más de Axis Communications (20)

I principali benefici della soluzione per la protezione anti-intrusione
I principali benefici della soluzione per la protezione anti-intrusioneI principali benefici della soluzione per la protezione anti-intrusione
I principali benefici della soluzione per la protezione anti-intrusione
 
Infografica: perchè scegliere l'audio di rete?
Infografica: perchè scegliere l'audio di rete?Infografica: perchè scegliere l'audio di rete?
Infografica: perchè scegliere l'audio di rete?
 
Illuminazione ad infrarossi
Illuminazione ad infrarossi Illuminazione ad infrarossi
Illuminazione ad infrarossi
 
Come proteggere i piccoli esercizi dagli attacchi informatici
Come proteggere i piccoli esercizi dagli attacchi informatici Come proteggere i piccoli esercizi dagli attacchi informatici
Come proteggere i piccoli esercizi dagli attacchi informatici
 
I principali benefici della soluzione per la protezione anti-intrusione
I principali benefici della soluzione per la protezione anti-intrusioneI principali benefici della soluzione per la protezione anti-intrusione
I principali benefici della soluzione per la protezione anti-intrusione
 
Cybersecurity axis webinar_smallbusiness_it
Cybersecurity axis webinar_smallbusiness_itCybersecurity axis webinar_smallbusiness_it
Cybersecurity axis webinar_smallbusiness_it
 
Satisfaction survey_Italy
Satisfaction survey_ItalySatisfaction survey_Italy
Satisfaction survey_Italy
 
10 Tendencias tecnológicas que marcarán el 2018
10 Tendencias tecnológicas que marcarán el 201810 Tendencias tecnológicas que marcarán el 2018
10 Tendencias tecnológicas que marcarán el 2018
 
Infographie des 10 tendances technologiques 2018
Infographie des 10 tendances technologiques 2018Infographie des 10 tendances technologiques 2018
Infographie des 10 tendances technologiques 2018
 
I 10 trend tecnologici che definiranno il mercato della sicurezza nel 2018
I 10 trend tecnologici che definiranno il mercato della sicurezza nel 2018I 10 trend tecnologici che definiranno il mercato della sicurezza nel 2018
I 10 trend tecnologici che definiranno il mercato della sicurezza nel 2018
 
10 technology trends that will shape security industry 2018
10 technology trends that will shape security industry 201810 technology trends that will shape security industry 2018
10 technology trends that will shape security industry 2018
 
Smart City 44 use cases for IP video
Smart City 44 use cases for IP videoSmart City 44 use cases for IP video
Smart City 44 use cases for IP video
 
How safe is your city?
How safe is your city?How safe is your city?
How safe is your city?
 
Whitepaper perimeter protection
Whitepaper perimeter protectionWhitepaper perimeter protection
Whitepaper perimeter protection
 
Axis deployable 4G/LTE solution
Axis deployable 4G/LTE solutionAxis deployable 4G/LTE solution
Axis deployable 4G/LTE solution
 
Case studies Safe Cities
Case studies Safe CitiesCase studies Safe Cities
Case studies Safe Cities
 
Flyer Axis Lte4G_Sierra_Wireless_1505
Flyer Axis Lte4G_Sierra_Wireless_1505Flyer Axis Lte4G_Sierra_Wireless_1505
Flyer Axis Lte4G_Sierra_Wireless_1505
 
Ppt safecities axis_ agentvi_jvp_en_1505
Ppt safecities axis_ agentvi_jvp_en_1505Ppt safecities axis_ agentvi_jvp_en_1505
Ppt safecities axis_ agentvi_jvp_en_1505
 
Flyer axis agentvi_jvp_en_1505
Flyer axis agentvi_jvp_en_1505Flyer axis agentvi_jvp_en_1505
Flyer axis agentvi_jvp_en_1505
 
Whitepaper networkvideo safecity
Whitepaper networkvideo safecityWhitepaper networkvideo safecity
Whitepaper networkvideo safecity
 

Último

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 

Último (20)

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

IEEE 802.1X and Axis’ Implementation

  • 1. White paper ieee 802.1X and axis’ implementation
  • 2. table of contents 1. introduction 3 2. General 3 3. Working principle 3 4. axis’ implementation of ieee 802.1X 4 5. Discussion and conclusion 5 6. helpful links 5
  • 3. 1. introduction Network security is a very important issue in the IP world. There are different levels of security when it comes to securing information being sent over IP networks. The first level is authentication and autho- rization. The user or device identifies itself to the network and the remote end by a username and pass- word, which are then verified before the device is allowed into the system. Added security can be achieved by encrypting the data to prevent others from using or reading the data. Common methods are HTTPS (also known as SSL/ TLS), VPN and WEP or WPA in wireless networks. IEEE 802.1X is an authentication and authorization technique. Many Axis network video products sup- port IEEE 802.1X as a security feature. In this white paper we will discuss the background as well as the working principle of IEEE 802.1X. We will also describe how 802.1X in Axis network camera products should be used, and when RADIUS (remote authentication dial-in user service) servers and switches are well configured. The intended audience of this document is technical personnel and system integrators. 2. General IEEE 802.1X is an IEEE Standard for port-based Network Access Control (“port” means the same physical connection to the LAN infrastructure). It is part of the IEEE 802.1 group of networking protocols. It pro- vides an authentication mechanism for devices to connect to a LAN, either establishing a connection or preventing the connection if authentication fails. IEEE 802.1X prevents what is called “port hi-jacking”; that is, when an unauthorized computer gets access to a network by getting to a network jack inside or outside a building. IEEE 802.1X is useful in, for example, network video applications since network cam- eras are often located in public spaces where a network jack can pose a security risk. In today’s enterprise networks, IEEE 802.1X is becoming a basic requirement for anything that is connected to a network. 3. Working principle There are three basic terms in 802.1X. The user or client that wants to be authenticated is called a sup- plicant. The actual server doing the authentication, typically a RADIUS server, is called the authentica- tion server. And the device in between, such as a switch, is called the authenticator. The protocol used in 802.1X is Extensible Authentication Protocol encapsulation over LANs (EAPOL). There are a number of modes of operation, but the most common case would look something like this (see Figure 1): 1. The authenticator sends an “EAP-Request/Identity” packet to the supplicant as soon as it detects that the network link is active (e.g., the supplicant, for example a network camera in a network video system, is connected to the switch). 2. The supplicant sends an “EAP-Response/Identity” packet to the authenticator. 3. The “EAP-Response/Identity” packet is then passed on to the authentication (RADIUS) server by the authenticator. 4. The authentication server sends back a challenge to the authenticator, such as with a token password system. 5. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant. Different authentication methods will vary this message and the total number of messages. EAP supports client-only authentication and strong mutual authentication. 6. The supplicant responds to the challenge by the authenticator. 7. The authenticator passes the response to the challenge onto the authentication server. 8. If the supplicant provides proper identity, the authentication server responds with a success message to the authenticator. 9. The success message is then passed onto the supplicant by the authenticator. The authenticator now allows access of the supplicant to the LAN, possibly restricted based on attributes that came back from the authentication server. For example, the authenticator might switch the supplicant to a particular virtual LAN or install a set of firewall rules. 3
  • 4. Figure 1. EAP authentication procedure in IEEE 802.1X Authentication Server Authenticator Supplicant EAP Identity Request 1 RADIUS Access Request EAP Identity Response 3 2 RADIUS Access Challenge EAP Request/Challenge 4 5 RADIUS Access Request EAP Identity Response 7 6 RADIUS Access Accept EAP Success 8 9 What should be noted is that setting up and configuring 802.1X is a fairly complex procedure, and it is important that RADIUS servers, switches and clients (like Axis cameras) are set up correctly. 4. axis’ implementation of ieee 802.1X To gain access to a protected network, the AXIS P1344 Network Camera, for example, must have a CA certificate, a Client certificate, as well as a Client private key. They should be created by the servers and are uploaded via a web interface or ftp. When the camera is connected to the switch, the camera will present its certificate to the network switch. If the certificate is approved, the switch allows the camera access on a preconfigured port. As pointed out previously, in order to use port-based authentication, the network must be equipped with a RADIUS server and a network switch with support for 802.1X. You may also need to contact your net- work administrator for information on certificates, user ID’s and passwords. The settings here enable the AXIS P1344 Network Camera to access a network protected by 802.1X/ EAPOL (Extensible Authentication Protocol Over Lan). There are many EAP methods available to gain access to a network. The one used by Axis is EAP-TLS (EAP-Transport Layer Security). Figure 2. Web interface with AXIS P1344 4
  • 5. The client and the RADIUS server authenticate each other using digital certificates provided by a PKI (Public Key Infrastructure) signed by a Certification Authority. Note that to ensure successful certificate validation, time synchronization should be performed on all clients and servers prior to configuration. Further configuration of network cameras should be performed on a safe network to avoid MITM (Man In The Middle) attacks. Terms used in the web interface are described as follows: CA Certificate - This certificate is created by the Certification Authority for the purpose of validating itself, so the AXIS P1344 Network Camera needs this certificate to check the server’s identity. Provide the path to the certificate directly, or use the browse button to locate it. Then click the Upload button. To remove a CA certificate, click the Remove button. Client certificate/private key - The AXIS P1344 Network Camera must also authenticate itself using a client certificate and a private key. Provide the path to the certificate in the first field, or use the Browse button to locate it. Then click the Upload button. To remove a client certificate, click the Remove button. Alternatively, it may be possible to upload the client certificate and key in one combined file, (e.g. a PFX file or PEM file). Provide the path to the file, or use the Browse button to locate it. Click Upload to load the file. To remove a client certificate and key, click the Remove button. EAPOL version - Select the EAPOL version (1 or 2) used in your network switch. EAP identity - Enter the user identity associated with your certificate. A maximum of 16 characters can be used. Private key password - Enter the password (maximum 16 characters) for your user identity. 5. Discussion and conclusion In today’s enterprise networks, IEEE 802.1X is more and more required as a gatekeeper. Many Axis net- work video products support IEEE 802.1X as a security feature. Setting up 802.1X is a fairly complex procedure, and it is important that Radius servers, switches and clients (like Axis cameras) are set up correctly. However, when RADIUS servers and switches are well configured for 802.1X, it is quite straight- forward to configure and integrate Axis network products into the 802.1X system. 6. helpful links > www.axis.com/products/video/ > www.axis.com/products/video/about_networkvideo/security.htm 5
  • 6. www.axis.com 37589/EN/R1/0912 about axis Communications Axis is an IT company offering network video solutions for professional installations. The company is the global mar- ket leader in network video, driving the ongoing shift from analog to digital video surveillance. Axis products and so- lutions focus on security surveillance and remote moni- toring, and are based on innovative, open technology platforms. Axis is a Swedish-based company, operating worldwide with offices in more than 20 countries and cooperating with partners in more than 70 countries. Founded in 1984, Axis is listed on the NASDAQ OMX Stockholm under the ticker AXIS. For more information about Axis, please visit our website at www.axis.com ©2009 Axis Communications AB. AXIS COMMUNICATIONS, AXIS, ETRAX, ARTPEC and VAPIX are registered trademarks or trademark applications of Axis AB in various jurisdictions. All other company names and products are trademarks or registered trademarks of their respective companies. We reserve the right to introduce modifications without notice.