SlideShare uma empresa Scribd logo

IEEE 802.1X and Axis’ Implementation

Axis Communications
Axis Communications

IEEE 802.1X is an authentication and authorization technique. Many Axis network video products support IEEE 802.1X as a security feature. In this white paper we will discuss the background as well as the working principle of IEEE 802.1X. We will also describe how 802.1X in Axis network camera products should be used, and when RADIUS (remote authentication dial-in user service) servers and switches are well configured.

Tecnologia
1 de 6
Baixar para ler offline
White paper ieee 802.1X and axis’ implementation
table of contents 1. introduction 3 2. General 3 3. Working principle 3 4. axis’ implementation of ieee 802.1X 4 5. Discussion and conclusion 5 6. helpful links 5
1. introduction Network security is a very important issue in the IP world. There are different levels of security when it comes to securing information being sent over IP networks. The first level is authentication and autho- rization. The user or device identifies itself to the network and the remote end by a username and pass- word, which are then verified before the device is allowed into the system. Added security can be achieved by encrypting the data to prevent others from using or reading the data. Common methods are HTTPS (also known as SSL/ TLS), VPN and WEP or WPA in wireless networks. IEEE 802.1X is an authentication and authorization technique. Many Axis network video products sup- port IEEE 802.1X as a security feature. In this white paper we will discuss the background as well as the working principle of IEEE 802.1X. We will also describe how 802.1X in Axis network camera products should be used, and when RADIUS (remote authentication dial-in user service) servers and switches are well configured. The intended audience of this document is technical personnel and system integrators. 2. General IEEE 802.1X is an IEEE Standard for port-based Network Access Control (“port” means the same physical connection to the LAN infrastructure). It is part of the IEEE 802.1 group of networking protocols. It pro- vides an authentication mechanism for devices to connect to a LAN, either establishing a connection or preventing the connection if authentication fails. IEEE 802.1X prevents what is called “port hi-jacking”; that is, when an unauthorized computer gets access to a network by getting to a network jack inside or outside a building. IEEE 802.1X is useful in, for example, network video applications since network cam- eras are often located in public spaces where a network jack can pose a security risk. In today’s enterprise networks, IEEE 802.1X is becoming a basic requirement for anything that is connected to a network. 3. Working principle There are three basic terms in 802.1X. The user or client that wants to be authenticated is called a sup- plicant. The actual server doing the authentication, typically a RADIUS server, is called the authentica- tion server. And the device in between, such as a switch, is called the authenticator. The protocol used in 802.1X is Extensible Authentication Protocol encapsulation over LANs (EAPOL). There are a number of modes of operation, but the most common case would look something like this (see Figure 1): 1. The authenticator sends an “EAP-Request/Identity” packet to the supplicant as soon as it detects that the network link is active (e.g., the supplicant, for example a network camera in a network video system, is connected to the switch). 2. The supplicant sends an “EAP-Response/Identity” packet to the authenticator. 3. The “EAP-Response/Identity” packet is then passed on to the authentication (RADIUS) server by the authenticator. 4. The authentication server sends back a challenge to the authenticator, such as with a token password system. 5. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant. Different authentication methods will vary this message and the total number of messages. EAP supports client-only authentication and strong mutual authentication. 6. The supplicant responds to the challenge by the authenticator. 7. The authenticator passes the response to the challenge onto the authentication server. 8. If the supplicant provides proper identity, the authentication server responds with a success message to the authenticator. 9. The success message is then passed onto the supplicant by the authenticator. The authenticator now allows access of the supplicant to the LAN, possibly restricted based on attributes that came back from the authentication server. For example, the authenticator might switch the supplicant to a particular virtual LAN or install a set of firewall rules. 3
Figure 1. EAP authentication procedure in IEEE 802.1X Authentication Server Authenticator Supplicant EAP Identity Request 1 RADIUS Access Request EAP Identity Response 3 2 RADIUS Access Challenge EAP Request/Challenge 4 5 RADIUS Access Request EAP Identity Response 7 6 RADIUS Access Accept EAP Success 8 9 What should be noted is that setting up and configuring 802.1X is a fairly complex procedure, and it is important that RADIUS servers, switches and clients (like Axis cameras) are set up correctly. 4. axis’ implementation of ieee 802.1X To gain access to a protected network, the AXIS P1344 Network Camera, for example, must have a CA certificate, a Client certificate, as well as a Client private key. They should be created by the servers and are uploaded via a web interface or ftp. When the camera is connected to the switch, the camera will present its certificate to the network switch. If the certificate is approved, the switch allows the camera access on a preconfigured port. As pointed out previously, in order to use port-based authentication, the network must be equipped with a RADIUS server and a network switch with support for 802.1X. You may also need to contact your net- work administrator for information on certificates, user ID’s and passwords. The settings here enable the AXIS P1344 Network Camera to access a network protected by 802.1X/ EAPOL (Extensible Authentication Protocol Over Lan). There are many EAP methods available to gain access to a network. The one used by Axis is EAP-TLS (EAP-Transport Layer Security). Figure 2. Web interface with AXIS P1344 4
The client and the RADIUS server authenticate each other using digital certificates provided by a PKI (Public Key Infrastructure) signed by a Certification Authority. Note that to ensure successful certificate validation, time synchronization should be performed on all clients and servers prior to configuration. Further configuration of network cameras should be performed on a safe network to avoid MITM (Man In The Middle) attacks. Terms used in the web interface are described as follows: CA Certificate - This certificate is created by the Certification Authority for the purpose of validating itself, so the AXIS P1344 Network Camera needs this certificate to check the server’s identity. Provide the path to the certificate directly, or use the browse button to locate it. Then click the Upload button. To remove a CA certificate, click the Remove button. Client certificate/private key - The AXIS P1344 Network Camera must also authenticate itself using a client certificate and a private key. Provide the path to the certificate in the first field, or use the Browse button to locate it. Then click the Upload button. To remove a client certificate, click the Remove button. Alternatively, it may be possible to upload the client certificate and key in one combined file, (e.g. a PFX file or PEM file). Provide the path to the file, or use the Browse button to locate it. Click Upload to load the file. To remove a client certificate and key, click the Remove button. EAPOL version - Select the EAPOL version (1 or 2) used in your network switch. EAP identity - Enter the user identity associated with your certificate. A maximum of 16 characters can be used. Private key password - Enter the password (maximum 16 characters) for your user identity. 5. Discussion and conclusion In today’s enterprise networks, IEEE 802.1X is more and more required as a gatekeeper. Many Axis net- work video products support IEEE 802.1X as a security feature. Setting up 802.1X is a fairly complex procedure, and it is important that Radius servers, switches and clients (like Axis cameras) are set up correctly. However, when RADIUS servers and switches are well configured for 802.1X, it is quite straight- forward to configure and integrate Axis network products into the 802.1X system. 6. helpful links > www.axis.com/products/video/ > www.axis.com/products/video/about_networkvideo/security.htm 5
www.axis.com 37589/EN/R1/0912 about axis Communications Axis is an IT company offering network video solutions for professional installations. The company is the global mar- ket leader in network video, driving the ongoing shift from analog to digital video surveillance. Axis products and so- lutions focus on security surveillance and remote moni- toring, and are based on innovative, open technology platforms. Axis is a Swedish-based company, operating worldwide with offices in more than 20 countries and cooperating with partners in more than 70 countries. Founded in 1984, Axis is listed on the NASDAQ OMX Stockholm under the ticker AXIS. For more information about Axis, please visit our website at www.axis.com ©2009 Axis Communications AB. AXIS COMMUNICATIONS, AXIS, ETRAX, ARTPEC and VAPIX are registered trademarks or trademark applications of Axis AB in various jurisdictions. All other company names and products are trademarks or registered trademarks of their respective companies. We reserve the right to introduce modifications without notice.

Recomendados

Real-world 802.1X Deployment Challenges
Real-world 802.1X Deployment ChallengesReal-world 802.1X Deployment Challenges
Real-world 802.1X Deployment Challenges
Aruba, a Hewlett Packard Enterprise company
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB
Samrat Das
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
Amy Gerrie
 
802.1x
802.1x802.1x
802.1x
akruthi k
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
Alberto Rivai
 
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateway
 
Aruba 2930 f switch campus switching
Aruba 2930 f switch campus switching Aruba 2930 f switch campus switching
Aruba 2930 f switch campus switching
Eketerina Dyakova
 
VNX Overview
VNX Overview VNX Overview
VNX Overview
bluechipper
 

Recomendados

Real-world 802.1X Deployment Challenges
Real-world 802.1X Deployment ChallengesReal-world 802.1X Deployment Challenges
Real-world 802.1X Deployment Challenges
Aruba, a Hewlett Packard Enterprise company
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB
Samrat Das
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
Amy Gerrie
 
802.1x
802.1x802.1x
802.1x
akruthi k
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
Alberto Rivai
 
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateway
 
Aruba 2930 f switch campus switching
Aruba 2930 f switch campus switching Aruba 2930 f switch campus switching
Aruba 2930 f switch campus switching
Eketerina Dyakova
 
VNX Overview
VNX Overview VNX Overview
VNX Overview
bluechipper
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
Jerod Brennen
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directory
thoms1i
 
Cisco Security portfolio update
Cisco Security portfolio updateCisco Security portfolio update
Cisco Security portfolio update
Atanas Gergiminov
 
Wi-fi Hacking
Wi-fi HackingWi-fi Hacking
Wi-fi Hacking
Paul Gillingwater, MBA
 
Aruba clearpass ebook_chpt1_final
Aruba clearpass ebook_chpt1_finalAruba clearpass ebook_chpt1_final
Aruba clearpass ebook_chpt1_final
Aruba, a Hewlett Packard Enterprise company
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
Sandeep Patil
 
Radius1
Radius1Radius1
Radius1
balamurugan.k Kalibalamurugan
 
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access SwitchVoice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Aruba, a Hewlett Packard Enterprise company
 
Advanced ClearPass Workshop
Advanced ClearPass WorkshopAdvanced ClearPass Workshop
Advanced ClearPass Workshop
Aruba, a Hewlett Packard Enterprise company
 
Identity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust StrategyIdentity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust Strategy
Okta-Inc
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius Protocol
Netwax Lab
 
Aruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPassAruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPass
Paulo Eduardo Sibalde
 
Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directory
thebigredhemi
 
What is Zero Trust
What is Zero TrustWhat is Zero Trust
What is Zero Trust
Okta-Inc
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+
Netwax Lab
 
4 palo alto licenses
4 palo alto licenses4 palo alto licenses
4 palo alto licenses
Mostafa El Lathy
 
Check Point NGFW
Check Point NGFWCheck Point NGFW
Check Point NGFW
Group of company MUK
 
EMEA Airheads - Configuring different APIs in Aruba 8.x
EMEA Airheads - Configuring different APIs in Aruba 8.x EMEA Airheads - Configuring different APIs in Aruba 8.x
EMEA Airheads - Configuring different APIs in Aruba 8.x
Aruba, a Hewlett Packard Enterprise company
 
Active Directory_グループポリシー基礎
Active Directory_グループポリシー基礎Active Directory_グループポリシー基礎
Active Directory_グループポリシー基礎
F DANKI
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
xKinAnx
 
Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
Swapnil Kapate
 
802.1x
802.1x802.1x
802.1x
Alp isik
 

Mais conteúdo relacionado

Mais procurados

Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access SwitchVoice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Aruba, a Hewlett Packard Enterprise company
 
Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directory
thebigredhemi
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
xKinAnx
 

Mais procurados (20)

Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directory
 
Cisco Security portfolio update
Cisco Security portfolio updateCisco Security portfolio update
Cisco Security portfolio update
 
Wi-fi Hacking
Wi-fi HackingWi-fi Hacking
Wi-fi Hacking
 
Aruba clearpass ebook_chpt1_final
Aruba clearpass ebook_chpt1_finalAruba clearpass ebook_chpt1_final
Aruba clearpass ebook_chpt1_final
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
 
Radius1
Radius1Radius1
Radius1
 
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access SwitchVoice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
 
Advanced ClearPass Workshop
Advanced ClearPass WorkshopAdvanced ClearPass Workshop
Advanced ClearPass Workshop
 
Identity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust StrategyIdentity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust Strategy
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius Protocol
 
Aruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPassAruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPass
 
Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directory
 
What is Zero Trust
What is Zero TrustWhat is Zero Trust
What is Zero Trust
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+
 
4 palo alto licenses
4 palo alto licenses4 palo alto licenses
4 palo alto licenses
 
Check Point NGFW
Check Point NGFWCheck Point NGFW
Check Point NGFW
 
EMEA Airheads - Configuring different APIs in Aruba 8.x
EMEA Airheads - Configuring different APIs in Aruba 8.x EMEA Airheads - Configuring different APIs in Aruba 8.x
EMEA Airheads - Configuring different APIs in Aruba 8.x
 
Active Directory_グループポリシー基礎
Active Directory_グループポリシー基礎Active Directory_グループポリシー基礎
Active Directory_グループポリシー基礎
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
 

Destaque

802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast
Sithideth Banavong
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication Standard
Dan Miller
 

Destaque (12)

Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
 
802.1x
802.1x802.1x
802.1x
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast
 
ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication Standard
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and Update
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
802.1x authentication
802.1x authentication802.1x authentication
802.1x authentication
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
Cisco switch setup with cppm v1.2
Cisco switch setup with cppm v1.2Cisco switch setup with cppm v1.2
Cisco switch setup with cppm v1.2
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
 
Holistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimizationHolistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimization
 

Semelhante a IEEE 802.1X and Axis’ Implementation

802 11 3
802 11 3802 11 3
802 11 3
rphelps
 
Wireless security
Wireless securityWireless security
Wireless security
paripec
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
Warren Bent
 

Semelhante a IEEE 802.1X and Axis’ Implementation (20)

8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guide
 
Sw8021x
Sw8021xSw8021x
Sw8021x
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
 
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdfConfiguring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
 
AAA Protocol
AAA ProtocolAAA Protocol
AAA Protocol
 
Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2
 
AAA server
AAA serverAAA server
AAA server
 
WiFi Hotspot Password
WiFi Hotspot PasswordWiFi Hotspot Password
WiFi Hotspot Password
 
802 11 3
802 11 3802 11 3
802 11 3
 
Ali shahbazi khojasteh dot1X
Ali shahbazi khojasteh dot1XAli shahbazi khojasteh dot1X
Ali shahbazi khojasteh dot1X
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)
 
Sem cis ise
Sem cis iseSem cis ise
Sem cis ise
 
WLAN and IP security
WLAN and IP securityWLAN and IP security
WLAN and IP security
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
 
Wireless security
Wireless securityWireless security
Wireless security
 
Wireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best PracticesWireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best Practices
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
 
Wi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and PrivacyWi-Fi Roaming Security and Privacy
Wi-Fi Roaming Security and Privacy
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005
 

Mais de Axis Communications

Mais de Axis Communications (20)

I principali benefici della soluzione per la protezione anti-intrusione
I principali benefici della soluzione per la protezione anti-intrusioneI principali benefici della soluzione per la protezione anti-intrusione
I principali benefici della soluzione per la protezione anti-intrusione
 
Infografica: perchè scegliere l'audio di rete?
Infografica: perchè scegliere l'audio di rete?Infografica: perchè scegliere l'audio di rete?
Infografica: perchè scegliere l'audio di rete?
 
Illuminazione ad infrarossi
Illuminazione ad infrarossi Illuminazione ad infrarossi
Illuminazione ad infrarossi
 
Come proteggere i piccoli esercizi dagli attacchi informatici
Come proteggere i piccoli esercizi dagli attacchi informatici Come proteggere i piccoli esercizi dagli attacchi informatici
Come proteggere i piccoli esercizi dagli attacchi informatici
 
I principali benefici della soluzione per la protezione anti-intrusione
I principali benefici della soluzione per la protezione anti-intrusioneI principali benefici della soluzione per la protezione anti-intrusione
I principali benefici della soluzione per la protezione anti-intrusione
 
Cybersecurity axis webinar_smallbusiness_it
Cybersecurity axis webinar_smallbusiness_itCybersecurity axis webinar_smallbusiness_it
Cybersecurity axis webinar_smallbusiness_it
 
Satisfaction survey_Italy
Satisfaction survey_ItalySatisfaction survey_Italy
Satisfaction survey_Italy
 
10 Tendencias tecnológicas que marcarán el 2018
10 Tendencias tecnológicas que marcarán el 201810 Tendencias tecnológicas que marcarán el 2018
10 Tendencias tecnológicas que marcarán el 2018
 
Infographie des 10 tendances technologiques 2018
Infographie des 10 tendances technologiques 2018Infographie des 10 tendances technologiques 2018
Infographie des 10 tendances technologiques 2018
 
I 10 trend tecnologici che definiranno il mercato della sicurezza nel 2018
I 10 trend tecnologici che definiranno il mercato della sicurezza nel 2018I 10 trend tecnologici che definiranno il mercato della sicurezza nel 2018
I 10 trend tecnologici che definiranno il mercato della sicurezza nel 2018
 
10 technology trends that will shape security industry 2018
10 technology trends that will shape security industry 201810 technology trends that will shape security industry 2018
10 technology trends that will shape security industry 2018
 
Smart City 44 use cases for IP video
Smart City 44 use cases for IP videoSmart City 44 use cases for IP video
Smart City 44 use cases for IP video
 
How safe is your city?
How safe is your city?How safe is your city?
How safe is your city?
 
Whitepaper perimeter protection
Whitepaper perimeter protectionWhitepaper perimeter protection
Whitepaper perimeter protection
 
Axis deployable 4G/LTE solution
Axis deployable 4G/LTE solutionAxis deployable 4G/LTE solution
Axis deployable 4G/LTE solution
 
Case studies Safe Cities
Case studies Safe CitiesCase studies Safe Cities
Case studies Safe Cities
 
Flyer Axis Lte4G_Sierra_Wireless_1505
Flyer Axis Lte4G_Sierra_Wireless_1505Flyer Axis Lte4G_Sierra_Wireless_1505
Flyer Axis Lte4G_Sierra_Wireless_1505
 
Ppt safecities axis_ agentvi_jvp_en_1505
Ppt safecities axis_ agentvi_jvp_en_1505Ppt safecities axis_ agentvi_jvp_en_1505
Ppt safecities axis_ agentvi_jvp_en_1505
 
Flyer axis agentvi_jvp_en_1505
Flyer axis agentvi_jvp_en_1505Flyer axis agentvi_jvp_en_1505
Flyer axis agentvi_jvp_en_1505
 
Whitepaper networkvideo safecity
Whitepaper networkvideo safecityWhitepaper networkvideo safecity
Whitepaper networkvideo safecity
 

Último

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Último (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

IEEE 802.1X and Axis’ Implementation

  • 1. White paper ieee 802.1X and axis’ implementation
  • 2. table of contents 1. introduction 3 2. General 3 3. Working principle 3 4. axis’ implementation of ieee 802.1X 4 5. Discussion and conclusion 5 6. helpful links 5
  • 3. 1. introduction Network security is a very important issue in the IP world. There are different levels of security when it comes to securing information being sent over IP networks. The first level is authentication and autho- rization. The user or device identifies itself to the network and the remote end by a username and pass- word, which are then verified before the device is allowed into the system. Added security can be achieved by encrypting the data to prevent others from using or reading the data. Common methods are HTTPS (also known as SSL/ TLS), VPN and WEP or WPA in wireless networks. IEEE 802.1X is an authentication and authorization technique. Many Axis network video products sup- port IEEE 802.1X as a security feature. In this white paper we will discuss the background as well as the working principle of IEEE 802.1X. We will also describe how 802.1X in Axis network camera products should be used, and when RADIUS (remote authentication dial-in user service) servers and switches are well configured. The intended audience of this document is technical personnel and system integrators. 2. General IEEE 802.1X is an IEEE Standard for port-based Network Access Control (“port” means the same physical connection to the LAN infrastructure). It is part of the IEEE 802.1 group of networking protocols. It pro- vides an authentication mechanism for devices to connect to a LAN, either establishing a connection or preventing the connection if authentication fails. IEEE 802.1X prevents what is called “port hi-jacking”; that is, when an unauthorized computer gets access to a network by getting to a network jack inside or outside a building. IEEE 802.1X is useful in, for example, network video applications since network cam- eras are often located in public spaces where a network jack can pose a security risk. In today’s enterprise networks, IEEE 802.1X is becoming a basic requirement for anything that is connected to a network. 3. Working principle There are three basic terms in 802.1X. The user or client that wants to be authenticated is called a sup- plicant. The actual server doing the authentication, typically a RADIUS server, is called the authentica- tion server. And the device in between, such as a switch, is called the authenticator. The protocol used in 802.1X is Extensible Authentication Protocol encapsulation over LANs (EAPOL). There are a number of modes of operation, but the most common case would look something like this (see Figure 1): 1. The authenticator sends an “EAP-Request/Identity” packet to the supplicant as soon as it detects that the network link is active (e.g., the supplicant, for example a network camera in a network video system, is connected to the switch). 2. The supplicant sends an “EAP-Response/Identity” packet to the authenticator. 3. The “EAP-Response/Identity” packet is then passed on to the authentication (RADIUS) server by the authenticator. 4. The authentication server sends back a challenge to the authenticator, such as with a token password system. 5. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant. Different authentication methods will vary this message and the total number of messages. EAP supports client-only authentication and strong mutual authentication. 6. The supplicant responds to the challenge by the authenticator. 7. The authenticator passes the response to the challenge onto the authentication server. 8. If the supplicant provides proper identity, the authentication server responds with a success message to the authenticator. 9. The success message is then passed onto the supplicant by the authenticator. The authenticator now allows access of the supplicant to the LAN, possibly restricted based on attributes that came back from the authentication server. For example, the authenticator might switch the supplicant to a particular virtual LAN or install a set of firewall rules. 3
  • 4. Figure 1. EAP authentication procedure in IEEE 802.1X Authentication Server Authenticator Supplicant EAP Identity Request 1 RADIUS Access Request EAP Identity Response 3 2 RADIUS Access Challenge EAP Request/Challenge 4 5 RADIUS Access Request EAP Identity Response 7 6 RADIUS Access Accept EAP Success 8 9 What should be noted is that setting up and configuring 802.1X is a fairly complex procedure, and it is important that RADIUS servers, switches and clients (like Axis cameras) are set up correctly. 4. axis’ implementation of ieee 802.1X To gain access to a protected network, the AXIS P1344 Network Camera, for example, must have a CA certificate, a Client certificate, as well as a Client private key. They should be created by the servers and are uploaded via a web interface or ftp. When the camera is connected to the switch, the camera will present its certificate to the network switch. If the certificate is approved, the switch allows the camera access on a preconfigured port. As pointed out previously, in order to use port-based authentication, the network must be equipped with a RADIUS server and a network switch with support for 802.1X. You may also need to contact your net- work administrator for information on certificates, user ID’s and passwords. The settings here enable the AXIS P1344 Network Camera to access a network protected by 802.1X/ EAPOL (Extensible Authentication Protocol Over Lan). There are many EAP methods available to gain access to a network. The one used by Axis is EAP-TLS (EAP-Transport Layer Security). Figure 2. Web interface with AXIS P1344 4
  • 5. The client and the RADIUS server authenticate each other using digital certificates provided by a PKI (Public Key Infrastructure) signed by a Certification Authority. Note that to ensure successful certificate validation, time synchronization should be performed on all clients and servers prior to configuration. Further configuration of network cameras should be performed on a safe network to avoid MITM (Man In The Middle) attacks. Terms used in the web interface are described as follows: CA Certificate - This certificate is created by the Certification Authority for the purpose of validating itself, so the AXIS P1344 Network Camera needs this certificate to check the server’s identity. Provide the path to the certificate directly, or use the browse button to locate it. Then click the Upload button. To remove a CA certificate, click the Remove button. Client certificate/private key - The AXIS P1344 Network Camera must also authenticate itself using a client certificate and a private key. Provide the path to the certificate in the first field, or use the Browse button to locate it. Then click the Upload button. To remove a client certificate, click the Remove button. Alternatively, it may be possible to upload the client certificate and key in one combined file, (e.g. a PFX file or PEM file). Provide the path to the file, or use the Browse button to locate it. Click Upload to load the file. To remove a client certificate and key, click the Remove button. EAPOL version - Select the EAPOL version (1 or 2) used in your network switch. EAP identity - Enter the user identity associated with your certificate. A maximum of 16 characters can be used. Private key password - Enter the password (maximum 16 characters) for your user identity. 5. Discussion and conclusion In today’s enterprise networks, IEEE 802.1X is more and more required as a gatekeeper. Many Axis net- work video products support IEEE 802.1X as a security feature. Setting up 802.1X is a fairly complex procedure, and it is important that Radius servers, switches and clients (like Axis cameras) are set up correctly. However, when RADIUS servers and switches are well configured for 802.1X, it is quite straight- forward to configure and integrate Axis network products into the 802.1X system. 6. helpful links > www.axis.com/products/video/ > www.axis.com/products/video/about_networkvideo/security.htm 5
  • 6. www.axis.com 37589/EN/R1/0912 about axis Communications Axis is an IT company offering network video solutions for professional installations. The company is the global mar- ket leader in network video, driving the ongoing shift from analog to digital video surveillance. Axis products and so- lutions focus on security surveillance and remote moni- toring, and are based on innovative, open technology platforms. Axis is a Swedish-based company, operating worldwide with offices in more than 20 countries and cooperating with partners in more than 70 countries. Founded in 1984, Axis is listed on the NASDAQ OMX Stockholm under the ticker AXIS. For more information about Axis, please visit our website at www.axis.com ©2009 Axis Communications AB. AXIS COMMUNICATIONS, AXIS, ETRAX, ARTPEC and VAPIX are registered trademarks or trademark applications of Axis AB in various jurisdictions. All other company names and products are trademarks or registered trademarks of their respective companies. We reserve the right to introduce modifications without notice.