Axis Communications 214 PTZ Security Camera User Manual


  Open as PDF
of 52
 
31
AXIS 214 PTZ
Security - 802.1x
IEEE 802.1x is an IEEE standard for port-based Network Admission Control. It provides authentication to
devices attached to a network port (wired or wireless), establishing a point-to-point connection, or, if
authentication fails, preventing access on that port. 802.1x is based on EAP (Extensible Authentication
Protocol).
In a 802.1x enabled network switch, clients equipped with
the correct software can be authenticated and
allowed or denied network access at the Ethernet level.
Clients and servers in an 802.1x network may need to authenticate each other by
some means. In the Axis
implementation this is done with the help of digital certificates provided by a Certification Authority.
These are then validated by a third-party entity, such as a RADIUS server, examples of which are Free
Radius and Microsoft Internet Authentication Service.
To perform the authentication, the RADIUS server uses various
EAP methods/protocols, of which there are
many. The one used in the Axis implementation is EAP-TLS (EAP-Transport Layer Security).
The AXIS network video device presents
its certificate to the network switch, which in turn forwards this to
the RADIUS server. The RADIUS server validates or rejects the certificate and responds to the switch, and
sends its own certificate to the client for validation. The switch then allows or denies network access
accordingly, on a preconfigured port.
The authentication process
RAD
IUS
RADIUS (Remote Authentication Dial In User Service) is
an AAA (Authentication, Authorization and
Accounting) protocol for applications such as network access or IP mobility. It is intended to work in both
local and roaming situations.
Protected network
Axis video device
Q: Certificate OK?
Certificate
Authority (CA)
3
1
2
4
A: OK
RADIUS
server
Network
switch
Q: Certificate OK?
A: OK
Certificate
Certificate
1. A CA server provides the required signed certificates.
2. The Axis video device requests access to the protected network at the network switch.
The switch forwards the video device’s CA certificate to the RADIUS server, which then
replies to the switch.
3. The switch forwards the RADIUS server’s CA certificate to the video device, which
also replies to the switch.
4. The switch keeps track of all responses to the validation requests. If all certificates are
validated, the Axis video device is allowed access to the protected network via a
preconfigured port.
 previous next