Secure integration of Axis devices into Aruba networks

This integration guide aims to outline the best-practice configuration of how to onboard and operate Axis devices in Aruba networks. The configuration uses modern security standards and protocols such as IEEE 802.1X, IEEE 802.1AR, IEEE 802.1AE, and HTTPS.

Establishing proper automation for network integration can save time and money. It allows the removal of unnecessary system complexity when using Axis device management applications combined with Aruba network equipment and applications. Below are just some benefits that can be gained when combining Axis devices and software with an Aruba network infrastructure:

• Minimize system complexity by removing device staging networks.

• Save costs by adding automating onboarding processes and device management.

• Take advantage of zero-touch network security controls provided by Axis devices.

• Increase overall network security by applying Aruba and Axis expertise.

The network infrastructure must be prepared to securely verify the integrity of the Axis devices before starting the configuration. This allows a smooth software defined transition between logical networks throughout the on-boarding process. It is necessary to have knowledge about the following areas before doing the configuration:

• Managing Aruba enterprise network IT-infrastructure including Aruba access switches and Aruba ClearPass Policy Manager.

• Expertise in modern network access control techniques and network security policies.

• Basic knowledge about Axis products is desirable but will be provided throughout the guide.

Connect the Axis Edge Vault supported Axis device to authenticate the device against the Aruba network. The device will use the IEEE 802.1AR Axis device ID certificate through the IEEE 802.1X network access control to authenticate itself.

To grant access to the network, the Aruba ClearPass Policy Manager verifies the Axis device ID together with other device specific fingerprints. The information, such as MAC-address and running firmware, is used to make a policy-based decision.

The Axis device authenticates against the Aruba network using the IEEE 802.1AR compliant Axis device ID certificate.

After authentication, the Aruba network will move the Axis device into the provisioning network (VLAN201) where Axis Device Manager is installed. Through the Axis Device Manager, device configuration, security hardening, and firmware updates can be performed. To complete the device provisioning, new customer specific production-grade certificates are uploaded onto the device for IEEE 802.1X and HTTPS.

The provisioning of the Axis device with new IEEE 802.1X certificates will trigger a new authentication attempt. The Aruba ClearPass Policy Manager will verify the new certificates and decide whether to move the Axis device into the production network or not.

After reauthentication, the Axis device is moved into the production network (VLAN 202). In that network, the Video Management System (VMS) will connect to the Axis device and start to operate.

Aruba’s ClearPass Policy Manager provides role- and device based secure network access control for IoT, BYOD, corporate devices, employees, contractors, and guests across and multivendor wired, wireless, and VPN infrastructure.

1. Download the Axis-specific IEEE 802.1AR certificate chain from axis.com.

2. Upload the Axis-specific IEEE 802.1AR Root CA and Intermediate CA certificate chains into the trusted certificate store.

3. Enable the Aruba ClearPass Policy Manager to authenticate Axis devices through IEEE 802.1X EAP-TLS.

4. Select EAP in the usage field. The certificates will be used for IEEE 802.1X EAP-TLS authentication.

1. Add trusted network access devices, such as Aruba access switches, to the ClearPass Policy Manager. The ClearPass Policy Manager needs to know which Aruba access switches in the network will be used for IEEE 802.1X communication.

2. Use the network device group configuration to group several trusted network access devices. Grouping trusted network access devices allows easier policy configuration.

3. The RADIUS shared secret needs to match the specific switch IEEE 802.1X configuration.

The Axis device can distribute device specific information, such as MAC-address and firmware version, through network discovery. A device fingerprint can be created from the device fingerprints interface in the Aruba ClearPass Policy Manager. It is possible to update and manage the Device Fingerprint. One of the things that is possible to do is to grant or deny access depending on the AXIS OS version.

It is possible to update and manage the Device Fingerprint. One of the things that is possible to do is to grant or deny access depending on the AXIS OS version.

1. Go to Administration > Dictionaries > Device Fingerprints.

2. Select an existing device fingerprint or create a new device fingerprint.

3. Set the Device Fingerprint settings.

Information about the Device Fingerprint that has been collected by Aruba ClearPass Manager can be found in the Endpoints section.

1. Go to Configuration > Identity > Endpoints.

2. Select the device you want to view.

3. Click on the Device Fingerprints tab.

The Enforcement Profile is used to allow the Aruba ClearPass Policy Manager to assign a specific VLAN ID to an access port on the switch. It is a policy-based decision that applies to the network devices in the device group “switches”. The necessary number of enforcement profiles depends on the number of VLANs that will be used. In our setup there is a total of three VLANs (VLAN 201, 202, 203), that correlates to three enforcement profiles.

After the enforcement profiles for the VLAN are configured, the actual enforcement policy can be configured. The enforcement policy configuration in the Aruba ClearPass Policy Manager defines if Axis devices are granted access to Aruba networks based on four example policy profiles.

The four enforcement policies and their actions are listed below:

Denied network access

Access to the network is denied when no IEEE 802.1X network access control authentication is performed.

Guest-network (VLAN 203)

The Axis device is granted access to a limited, isolated network if the IEEE 802.1X network access control authentication fails. Manual inspection of the device is required to take appropriate actions.

Provisioning network (VLAN 201)

The Axis device is granted access to a provisioning network. This is to provide Axis device management capabilities through Axis Device Manager and Axis Device Manager Extend. It also makes it possible to configure Axis devices with firmware updates, production-grade certificates, and other configurations. The following conditions are verified by the Aruba ClearPass Policy Manager:

• The Axis device’s firmware version.

• The MAC-address of the device matches the vendor-specific Axis MACaddress scheme with the serial number attribute of the Axis device ID certificate.

• The Axis device ID certificate is verifiable and matches the Axis-specific attributes such as issuer, organization, location, country.

Production network (VLAN 202)

The Axis device is granted access to the production network where the Axis device will operate in. Access is granted after the device provisioning is completed from within the provisioning network (VLAN 201). The following conditions are verified by the Aruba ClearPass Policy Manager:

• The MAC-address of the device matches the vendor-specific Axis MAC address scheme with the serial number attribute of the Axis device ID certificate.

• The Axis device’s firmware version.

• The production-grade certificate is verifiable by the trusted certificate store.

In the authentication method it is defined how an Axis device will attempt to authenticate against the Aruba network. The preferred method of authentication should be IEEE 802.1X EAP-TLS since Axis devices with support for Axis Edge Vault come with IEEE 802.1X EAP-TLS enabled by default.

In the Services interface, the configuration steps are combined into one single service that handles the authentication and authorization of Axis devices in Aruba networks.

Axis devices are either directly connected to PoE-capable Aruba access switches or via compatible Axis PoE midspans. To securely onboard Axis devices into Aruba networks, the access switch needs to be configured for IEEE 802.1X communication. The Axis device relays IEEE 802.1x EAP-TLS communication to the Aruba ClearPass Policy Manager that acts as a RADIUS server.

Refer to the below example global and port configuration for Aruba access switches.

radius-server host MyRADIUSIPAddress key "MyRADIUSKey"

aaa authentication port-access eap-radius
aaa port-access authenticator 18-19
aaa port-access authenticator 18 reauth-period 300
aaa port-access authenticator 19 reauth-period 300
aaa port-access authenticator active

Axis devices with support for Axis Edge Vault are manufactured with a secure device identity, called Axis device ID. The Axis device ID is based on the international IEEE 802.1AR standard, which defines a method for automated, secure device identification and network onboarding through IEEE 802.1X.

The hardware-protected secure keystore provided by a secure element of the Axis device is factory provisioned with a device-unique certificate and corresponding keys (Axis device ID) that globally can prove the authenticity of the Axis device. The Axis Product Selector can be used to learn which Axis devices have support for Axis Edge Vault and Axis device ID.

The IEEE 802.1AR-compliant Axis device ID certificate includes information about the serial number and other Axis-vendor specific information. The information is used by the Aruba ClearPass Policy Manager for analysis and decision making to grant access to the network. Please refer to the below information that can be obtained from an Axis device ID certificate

The common name is constructed by a combination of Axis company name, the serial number of the device followed by the crypto algorithm (ECC P256, RSA 2048, RSA 4096) used. Since AXIS OS 10.1 (2020-09), IEEE 802.1X is enabled by default with the Axis device ID pre-configured. This enables the Axis device to authenticate itself onto IEEE 802.1X-enabled networks.

AXIS Device Manager and AXIS Device Manager Extend can be used on the network to configure and manage multiple Axis devices in a cost-effective way. Axis Device Manager is a Microsoft Windows-based application that can be installed locally on a machine in the network, while Axis Device Manager Extend relies on cloud infrastructure to do multi-site device management. Both offer easy management and configuration capabilities for Axis devices such as:

• Installation of firmware updates.

• Apply cybersecurity configuration such as HTTPS and IEEE 802.1X certificates.

• Configuration of device-specific settings such as Images Settings and others.

IEEE 802.1AE MACsec (Media Access Control Security) is a well-defined network protocol that cryptographically secures point-to-point Ethernet links on network layer 2. It ensures the confidentiality and integrity of data transmissions between two hosts.

The IEEE 802.1AE MACsec standard describes two modes of operation:

• Manually configurable Pre-Shared Key/Static CAK mode

• Automatic Master Session/Dynamic CAK mode using IEEE 802.1X EAP-TLS

In AXIS OS 10.1 (2020-09) and later, IEEE 802.1X is enabled by default for devices that are compatible with Axis device ID. In AXIS OS 11.8 and later, we support MACsec with automatic dynamic mode using IEEE 802.1X EAP-TLS enabled by default. When you connect an Axis device with factory default values, IEEE 802.1X network authentication is performed and when successful, MACsec Dynamic CAK mode is tried as well.

The securely stored Axis device ID (1), an IEEE 802.1AR-compliant secure device identity, is used to authenticate into Aruba network (4, 5) through IEEE 802.1X EAP-TLS port-based network access control (2). Through the EAP-TLS session, MACsec keys are exchanged automatically to set up a secure link (3), protecting all network traffic from the Axis device to the Aruba switch.

IEEE 802.1AE MACsec requires both Aruba access switch and ClearPass Policy Manager configuration preparations. No configuration is required on the Axis device to allow IEEE 802.1AE MACsec encrypted communication via EAP-TLS.

If the Aruba access switch doesn’t support MACsec using EAP-TLS, then the Pre-Shared Key mode can be used and manually configured.

By default, Axis devices use the EAP identity format “axis-serialnumber”. The serial number of an Axis device is its MAC-address. For example “axis-b8a44f45b4e6”.

In addition to the secure onboarding configuration described in Aruba access switch, refer to the below example port configuration for the Aruba access switch to configure IEEE 802.1AE MACsec.

macsec policy macsec-eap
cipher-suite gcm-aes-128

port-access role AxisDevice
associate macsec-policy macsec-eap
auth-mode client-mode

aaa authentication port-access dot1x authenticator
macsec
mkacak-length 16
enable

You can use MAC Authentication Bypass (MAB) to onboard Axis devices that don’t support IEEE 802.1AR onboarding with the Axis device ID certificate and IEEE 802.1X enabled in factory default state. If 802.1X onboarding fails, Aruba ClearPass Policy Manager validates the Axis device’s MAC address and grant access to the network.

MAB requires both Aruba access switch and ClearPass Policy Manager configuration preparations. On the Axis device, no configuration is required to allow MAB for onboarding.

The enforcement policy configuration in the Aruba ClearPass Policy Manager defines if Axis devices are granted access to Aruba networks based on the following two example policy conditions.

Denied network access

When the Axis device doesn’t meet the configured enforcement policy, it’s denied access to the network.

Guest-network (VLAN 203)

The Axis device is granted access to a limited, isolated network if the following conditions are met:

• It is a weekday between Monday and Friday

• It is between 09:00 and 17:00

• The MAC address vendor matches with Axis Communications AB.

Since MAC addresses can be spoofed, access to the regular provisioning network isn’t granted. We recommend that you only use MAB for initial onboarding, and to manually inspect the device further.

In the Sources interface, a new authentication source is created to allow only manually imported MAC addresses.

In the Services inferface, the configuration steps are combined into one single service that handles the authentication and authorization of Axis devices in Aruba networks.

Axis Communications AB uses the following MAC address OUIs:

• B8:A4:4F:XX:XX:XX

• AA:C8:3E:XX:XX:XX

• 00:40:8C:XX:XX:XX

In addition to the secure onboarding configuration described in Aruba access switch, refer to the below example port configuration for the Aruba access switch to allow for MAB.

aaa port-access authenticator 18 tx-period 5
aaa port-access authenticator 19 tx-period 5
aaa port-access authenticator 18 max-requests 3
aaa port-access authenticator 19 max-requests 3
aaa port-access authenticator 18 client-limit 1
aaa port-access authenticator 19 client-limit 1
aaa port-access mac-based 18-19
aaa port-access 18 auth-order authenticator mac-based
aaa port-access 19 auth-order authenticator mac-based
aaa port-access 18 auth-priority authenticator mac-based
aaa port-access 19 auth-priority authenticator mac-based