HPE Aruba Networking - Integration Guide

This integration guide aims to outline the best-practice configuration of how to onboard and operate Axis devices in HPE Aruba Networking powered networks. The configuration uses modern security standards and protocols such as IEEE 802.1X, IEEE 802.1AR, IEEE 802.1AE, and HTTPS.

Establishing proper automation for network integration can save time and money. It allows the removal of unnecessary system complexity when using Axis device management applications combined with HPE Aruba Networking infrastructure and applications. Below are some benefits that can be gained when combining Axis devices and software with a HPE Aruba Networking infrastructure:

• Minimize system complexity by removing device staging networks.

• Save costs by adding automating onboarding processes and device management.

• Take advantage of zero-touch network security controls provided by Axis devices.

• Increase overall network security by applying HPE and Axis expertise.

The network infrastructure must be prepared to securely verify the integrity of the Axis devices before starting the configuration. This allows a smooth software defined transition between logical networks throughout the on-boarding process. It’s necessary to have knowledge about the following areas before doing the configuration:

• Managing enterprise network IT-infrastructure from HPE Aruba Networking including HPE Aruba Networking access switches and HPE Aruba Networking ClearPass Policy Manager.

• Expertise in modern network access control techniques and network security policies.

• Basic knowledge about Axis products is desirable but is provided throughout the guide.

Connect the Axis Edge Vault supported Axis device to authenticate the device against the network. The device use the IEEE 802.1AR Axis device ID certificate through the IEEE 802.1X network access control to authenticate itself.

To grant access to the network, ClearPass Policy Manager verifies the Axis device ID together with other device specific fingerprints. The information, such as MAC-address and running AXIS OS, is used to make a policy-based decision.

The Axis device authenticates against the network using the IEEE 802.1AR compliant Axis device ID certificate.

1. Axis device ID
2. IEEE 802.1x EAP-TLS network authentication
3. Access switch (authenticator)
4. ClearPass Policy Manager

After authentication, the Axis device moves into the provisioning network (VLAN201) where AXIS Device Manager is installed. Through AXIS Device Manager, device configuration, security hardening, and AXIS OS updates can be performed. To complete the device provisioning, new customer specific production-grade certificates are uploaded onto the device for IEEE 802.1X and HTTPS.

1. Access switch
2. Provisioning network
3. ClearPass Policy Manager
4. Device management application

The provisioning of the Axis device with new IEEE 802.1X certificates triggers a new authentication attempt. ClearPass Policy Manager verifies the new certificates and decide whether to move the Axis device into the production network or not.

1. Axis device ID
2. IEEE 802.1x EAP-TLS network authentication
3. Access switch (authenticator)
4. ClearPass Policy Manager

After reauthentication, the Axis device moves into the production network (VLAN 202). In that network, the Video Management System (VMS) connects to the Axis device and starts to operate.

1. Access switch
2. Production network
3. ClearPass Policy Manager
4. Video management system

ClearPass Policy Manager provides role- and device based secure network access control for IoT, BYOD, corporate devices, employees, contractors, and guests across and multivendor wired, wireless, and VPN infrastructure.

1. Download the Axis-specific IEEE 802.1AR certificate chain from axis.com.

2. Upload the Axis-specific IEEE 802.1AR Root CA and Intermediate CA certificate chains into the trusted certificate store.

3. Enable ClearPass Policy Manager to authenticate Axis devices through IEEE 802.1X EAP-TLS.

4. Select EAP in the usage field. The certificates are used for IEEE 802.1X EAP-TLS authentication.

1. Add trusted network access devices, such as HPE Aruba Networking access switches, to ClearPass Policy Manager. ClearPass Policy Manager needs to know which access switches in the network are used for IEEE 802.1X communication.

2. Use the network device group configuration to group several trusted network access devices. Grouping trusted network access devices allows easier policy configuration.

3. The RADIUS shared secret needs to match the specific switch IEEE 802.1X configuration.

The Axis device can distribute device specific information, such as MAC-address and device software version, through network discovery. Use this information to create, update, or manage a device fingerprint in ClearPass Policy Manager. There you can also grant or deny access based on the AXIS OS version.

1. Go to Administration > Dictionaries > Device Fingerprints.

2. Select an existing device fingerprint or create a new device fingerprint.

3. Set the device fingerprint settings.

Information about the device fingerprint collected by ClearPass Policy Manager can be found in the Endpoints section.

1. Go to Configuration > Identity > Endpoints.

2. Select the device you want to view.

3. Click on the Device Fingerprints tab.

Enforcement Profile is used to allow ClearPass Policy Manager to assign a specific VLAN ID to an access port on the switch. It’s a policy-based decision that applies to the network devices in the device group “switches”. The necessary number of enforcement profiles depends on the number of used VLANs. In our setup there is a total of three VLANs (VLAN 201, 202, 203), that correlates to three enforcement profiles.

After the enforcement profiles for the VLAN are configured, the actual enforcement policy can be configured. The enforcement policy configuration in ClearPass Policy Manager defines if Axis devices are granted access to HPE Aruba Networking powered networks based on four example policy profiles.

The four enforcement policies and their actions are listed below:

Denied network access

Access to the network is denied when no IEEE 802.1X network access control authentication is performed.

Guest-network (VLAN 203)

The Axis device is granted access to a limited, isolated network if the IEEE 802.1X network access control authentication fails. Manual inspection of the device is required to take appropriate actions.

Provisioning network (VLAN 201)

The Axis device is granted access to a provisioning network. This is to provide Axis device management capabilities through AXIS Device Manager and AXIS Device Manager Extend. It also makes it possible to configure Axis devices with AXIS OS updates, production-grade certificates, and other configurations. The following conditions are verified by ClearPass Policy Manager:

• The Axis device’s AXIS OS version.

• The MAC-address of the device matches the vendor-specific Axis MAC-address scheme with the serial number attribute of the Axis device ID certificate.

• The Axis device ID certificate is verifiable and matches the Axis-specific attributes such as issuer, organization, location, and country.

Production network (VLAN 202)

The Axis device is granted access to the production network where the Axis device should operate. Access is granted after the device provisioning is completed from within the provisioning network (VLAN 201). The following conditions are verified by ClearPass Policy Manager:

• The MAC-address of the device matches the vendor-specific Axis MAC-address scheme with the serial number attribute of the Axis device ID certificate.

• The Axis device’s AXIS OS version.

• The production-grade certificate is verifiable by the trusted certificate store.

In the authentication method it’s defined how an Axis device attempts to authenticate against the network. The preferred method of authentication should be IEEE 802.1X EAP-TLS since Axis devices with support for Axis Edge Vault come with IEEE 802.1X EAP-TLS enabled by default.

On the Services page, the configuration steps are combined into one single service that handles the authentication and authorization of Axis devices in HPE Aruba Networking powered networks.

Axis devices are either directly connected to PoE-capable access switches or via compatible Axis PoE midspans. To securely onboard Axis devices into HPE Aruba Networking powered networks, the access switch needs to be configured for IEEE 802.1X communication. The Axis device relays IEEE 802.1x EAP-TLS communication to ClearPass Policy Manager that acts as a RADIUS server.

Refer to the below example global and port configuration for HPE Aruba Networking access switches.

radius-server host MyRADIUSIPAddress key "MyRADIUSKey"

aaa authentication port-access eap-radius
aaa port-access authenticator 18-19
aaa port-access authenticator 18 reauth-period 300
aaa port-access authenticator 19 reauth-period 300
aaa port-access authenticator active

Axis devices with support for Axis Edge Vault are manufactured with a secure device identity, called Axis device ID. The Axis device ID is based on the international IEEE 802.1AR standard, which defines a method for automated, secure device identification and network onboarding through IEEE 802.1X.

1. Axis device ID key infrastructure (PKI)
2. Axis device ID

The hardware-protected secure keystore provided by a secure element of the Axis device is factory provisioned with a device-unique certificate and corresponding keys (Axis device ID) that globally can prove the authenticity of the Axis device. The Axis Product Selector can be used to learn which Axis devices have support for Axis Edge Vault and Axis device ID.

The IEEE 802.1AR-compliant Axis device ID certificate includes information about the serial number and other Axis-vendor specific information. The information is used by ClearPass Policy Manager for analysis and decision making to grant access to the network. Please refer to the below information that can be obtained from an Axis device ID certificate

The common name is constructed by a combination of Axis company name, the serial number of the device followed by the crypto algorithm (ECC P256, RSA 2048, RSA 4096) used. Since AXIS OS 10.1 (2020-09), IEEE 802.1X is enabled by default with the Axis device ID pre-configured. This enables the Axis device to authenticate itself onto IEEE 802.1X-enabled networks.

AXIS Device Manager and AXIS Device Manager Extend can be used on the network to configure and manage multiple Axis devices in a cost-effective way. AXIS Device Manager is a Microsoft Windows®-based application that can be installed locally on a machine in the network, while AXIS Device Manager Extend relies on cloud infrastructure to do multi-site device management. Both offer easy management and configuration capabilities for Axis devices such as:

• Installation of AXIS OS updates.

• Apply cybersecurity configuration such as HTTPS and IEEE 802.1X certificates.

• Configuration of device-specific settings such as images settings and others.

IEEE 802.1AE MACsec (Media Access Control Security) is a well-defined network protocol that cryptographically secures point-to-point Ethernet links on network layer 2. It ensures the confidentiality and integrity of data transmissions between two hosts.

The IEEE 802.1AE MACsec standard describes two modes of operation:

• Manually configurable Pre-Shared Key/Static CAK mode

• Automatic Master Session/Dynamic CAK mode using IEEE 802.1X EAP-TLS

In AXIS OS 10.1 (2020-09) and later, IEEE 802.1X is enabled by default for devices that are compatible with Axis device ID. In AXIS OS 11.8 and later, we support MACsec with automatic dynamic mode using IEEE 802.1X EAP-TLS enabled by default. When you connect an Axis device with factory default values, IEEE 802.1X network authentication is performed and when successful, MACsec Dynamic CAK mode is tried as well.

The securely stored Axis device ID (1), an IEEE 802.1AR-compliant secure device identity, is used to authenticate into the network (4, 5) through IEEE 802.1X EAP-TLS port-based network access control (2). Through the EAP-TLS session, MACsec keys are exchanged automatically to set up a secure link (3), protecting all network traffic from the Axis device to the HPE Aruba Networking access switch.

IEEE 802.1AE MACsec requires both HPE Aruba Networking access switch and ClearPass Policy Manager configuration preparations. No configuration is required on the Axis device to allow IEEE 802.1AE MACsec encrypted communication via EAP-TLS.

If the HPE Aruba Networking access switch doesn’t support MACsec using EAP-TLS, then the Pre-Shared Key mode can be used and manually configured.

By default, Axis devices use the EAP identity format “axis-serialnumber”. The serial number of an Axis device is its MAC-address. For example “axis-b8a44f45b4e6”.

In addition to the secure onboarding configuration described in HPE Aruba Networking access switch, refer to the below example port configuration for the HPE Aruba Networking access switch to configure IEEE 802.1AE MACsec.

macsec policy macsec-eap
cipher-suite gcm-aes-128

port-access role AxisDevice
associate macsec-policy macsec-eap
auth-mode client-mode

aaa authentication port-access dot1x authenticator
macsec
mkacak-length 16
enable

You can use MAC Authentication Bypass (MAB) to onboard Axis devices that don’t support IEEE 802.1AR onboarding with the Axis device ID certificate and IEEE 802.1X enabled in factory default state. If 802.1X onboarding fails, ClearPass Policy Manager validates the Axis device’s MAC address and grant access to the network.

MAB requires both access switch and ClearPass Policy Manager configuration preparations. On the Axis device, no configuration is required to allow MAB for onboarding.

The enforcement policy configuration in ClearPass Policy Manager defines if Axis devices are granted access to HPE Aruba Networking powered networks based on the following two example policy conditions.

Denied network access

When the Axis device doesn’t meet the configured enforcement policy, it’s denied access to the network.

Guest-network (VLAN 203)

The Axis device is granted access to a limited, isolated network if the following conditions are met:

• It’s a weekday between Monday and Friday

• It’s between 09:00 and 17:00

• The MAC address vendor matches with Axis Communications.

Since MAC addresses can be spoofed, access to the regular provisioning network isn’t granted. We recommend that you only use MAB for initial onboarding, and to manually inspect the device further.

On the Sources page, a new authentication source is created to allow only manually imported MAC addresses.

On the Services page, the configuration steps are combined into one single service that handles the authentication and authorization of Axis devices in HPE Aruba Networking powered networks.

Axis Communications uses the following MAC address OUIs:

• B8:A4:4F:XX:XX:XX

• AA:C8:3E:XX:XX:XX

• 00:40:8C:XX:XX:XX

In addition to the secure onboarding configuration described in HPE Aruba Networking access switch, refer to the below example port configuration for the HPE Aruba Networking access switch to allow for MAB.

aaa port-access authenticator 18 tx-period 5
aaa port-access authenticator 19 tx-period 5
aaa port-access authenticator 18 max-requests 3
aaa port-access authenticator 19 max-requests 3
aaa port-access authenticator 18 client-limit 1
aaa port-access authenticator 19 client-limit 1
aaa port-access mac-based 18-19
aaa port-access 18 auth-order authenticator mac-based
aaa port-access 19 auth-order authenticator mac-based
aaa port-access 18 auth-priority authenticator mac-based
aaa port-access 19 auth-priority authenticator mac-based