Axis Communications 212 PTZ Security

AXIS 212 PTZ - System Options

Security - 802.1x

IEEE 802.1x is an IEEE standard for port-based Network Admission Control. It provides authentication to

devices attached to a network port (wired or wireless), establishing a point-to-point connection. If

authentication fails, access is prevented on the port. 802.1x is based on EAP (Extensible Authentication

Protocol).

In a 802.1x enabled network switch, clients equipped with the correct software can be authenticated and

allowed or denied network access at the Ethernet level.

Clients and servers in an 802.1x network may need to authenticate each other by some means. In the Axis

implementation this is done with the help of digital certificates provided by a Certification Authority. These are

then validated by a third-party entity, such as a RADIUS server, examples of which are Free Radius and

Microsoft Internet Authentication Service.

To perform the authentication, the RADIUS server uses various EAP methods/protocols, of which there are

many. The one used in the Axis implementation is EAP-TLS (EAP-Transport Layer Security).

The AXIS network video device presents its certificate to the network switch, which in turn forwards this to the

RADIUS server. The RADIUS server validates or rejects the certificate and responds to the switch, and sends its

own certificate to the client for validation. The switch then allows or denies network access accordingly, on a

pre-configured port.

The authentication process

RADIUS

RADIUS (Remote Authentication Dial In User Service) is an AAA (Authentication, Authorization and

Accounting) protocol for applications such as network access or IP mobility. It is intended to work in both local

and roaming situations.

Protected network

Axis video device

Q: Certificate OK?

Certificate

Authority (CA)

A: OK

RADIUS

server

Network

switch

Q: Certificate OK?

A: OK

Certificate

1. A CA server provides the required signed certificates.

2. The Axis video device requests access to the protected network at the network switch. The switch forwards

the video device’s CA certificate to the RADIUS server, which then replies to the switch.

3. The switch forwards the RADIUS server’s CA certificate to the video device, which also replies to the

switch.

4. The switch keeps track of all responses to the validation requests. If all certificates are validated, the Axis

video device is allowed access to the protected network via a pre-configured port.