Secure integration of Axis devices into Aruba networks

Introduction

This integration guide aims to outline the best-practice configuration of how to onboard and operate Axis devices in Aruba networks. The configuration uses modern security standards and protocols such as IEEE 802.1X, IEEE 802.1AR, and HTTPS.

Establishing proper automation for network integration can save time and money. It allows the removal of unnecessary system complexity when using Axis device management applications combined with Aruba network equipment and applications. Below are just some benefits that can be gained when combining Axis devices and software with an Aruba network infrastructure:

  • Minimize system complexity by removing device staging networks.

  • Save costs by adding automating onboarding processes and device management.

  • Take advantage of zero-touch network security controls provided by Axis devices.

  • Increase overall network security by applying Aruba and Axis expertise.

The network infrastructure must be prepared to securely verify the integrity of the Axis devices before starting the configuration. This allows a smooth software defined transition between logical networks throughout the on-boarding process. It is necessary to have knowledge about the following areas before doing the configuration:

  • Managing Aruba enterprise network IT-infrastructure including Aruba access switches and Aruba ClearPass Policy Manager.

  • Expertise in modern network access control techniques and network security policies.

  • Basic knowledge about Axis products is desirable but will be provided throughout the guide.

Onboarding Axis devices

Initial authentication

Connect the Axis Edge Vault supported Axis device to authenticate the device against the Aruba network. The device will use the IEEE 802.1AR Axis device ID certificate through the IEEE 802.1X network access control to authenticate itself.

To grant access to the network, the Aruba ClearPass Policy Manager verifies the Axis device ID together with other device specific fingerprints. The information, such as MAC-address and running firmware, is used to make a policy-based decision.

The Axis device authenticates against the Aruba network using the IEEE 802.1AR compliant Axis device ID certificate.

The Axis device authenticates against the Aruba network using the IEEE 802.1AR-compliant Axis device ID certificate.
  1. Axis device ID
  2. IEEE 802.1x EAP-TLS network authentication
  3. Access switch (authenticator)
  4. ClearPass policy manager

Provisioning

After authentication, the Aruba network will move the Axis device into the provisioning network (VLAN201) where Axis Device Manager is installed. Through the Axis Device Manager, device configuration, security hardening, and firmware updates can be performed. To complete the device provisioning, new customer specific production-grade certificates are uploaded onto the device for IEEE 802.1X and HTTPS.

After successful authentication, the Axis device moves into a provisioning network for configuration.
  1. Access switch
  2. Provisioning network
  3. ClearPass policy manager
  4. Device management application

Production network

The provisioning of the Axis device with new IEEE 802.1X certificates will trigger a new authentication attempt. The Aruba ClearPass Policy Manager will verify the new certificates and decide whether to move the Axis device into the production network or not.

After the device configuration, the Axis device will leave the provisioning network and attempt to reauthenticate against the Aruba network.
  1. Axis device ID
  2. IEEE 802.1x EAP-TLS network authentication
  3. Access switch (authenticator)
  4. ClearPass Policy Manager

After reauthentication, the Axis device is moved into the production network (VLAN 202). In that network, the Video Management System (VMS) will connect to the Axis device and start to operate.

The Axis device is granted access to the production network.
  1. Access switch
  2. Production network
  3. ClearPass policy manager
  4. Video management system

Configuration guidance

Aruba ClearPass Policy Manager

Aruba’s ClearPass Policy Manager provides role- and device based secure network access control for IoT, BYOD, corporate devices, employees, contractors, and guests across and multivendor wired, wireless, and VPN infrastructure.

Trusted certificate store configuration

  1. Download the Axis-specific IEEE 802.1AR certificate chain from axis.com.

  2. Upload the Axis-specific IEEE 802.1AR Root CA and Intermediate CA certificate chains into the trusted certificate store.

  3. Enable the Aruba ClearPass Policy Manager to authenticate Axis devices through IEEE 802.1X EAP-TLS.

  4. Select EAP in the usage field. The certificates will be used for IEEE 802.1X EAP-TLS authentication.

Uploading the Axis-specific IEEE 802.1AR certificates to the trusted certificate store of the Aruba ClearPass Policy Manager.
The trusted certificate store in Aruba ClearPass Policy Manager with Axis-specific IEEE 802.1AR certificate chain included.

Network device/group configuration

  1. Add trusted network access devices, such as Aruba access switches, to the ClearPass Policy Manager. The ClearPass Policy Manager needs to know which Aruba access switches in the network will be used for IEEE 802.1X communication.

  2. Use the network device group configuration to group several trusted network access devices. Grouping trusted network access devices allows easier policy configuration.

  3. The RADIUS shared secret needs to match the specific switch IEEE 802.1X configuration.

The trusted network devices interface in Aruba ClearPass Policy Manager.
Adding the Aruba access switch as trusted network device in Aruba ClearPass Policy Manager. Please note that the RADIUS shared secret needs to match the specific switch IEEE 802.1X configuration.
The Aruba ClearPass Policy Manager with one trusted network device configured.
The trusted network device groups interface in Aruba ClearPass Policy Manager.
Adding a trusted network access device into a new device group in Aruba ClearPass Policy Manager.
The Aruba ClearPass Policy Manager with configured network device group that includes one or several trusted network devices.

Device fingerprint configuration

The Axis device can distribute device specific information, such as MAC-address and firmware version, through network discovery. A device fingerprint can be created from the device fingerprints interface in the Aruba ClearPass Policy Manager. It is possible to update and manage the Device Fingerprint. One of the things that is possible to do is to grant or deny access depending on the AXIS OS version.

It is possible to update and manage the Device Fingerprint. One of the things that is possible to do is to grant or deny access depending on the AXIS OS version.

  1. Go to Administration > Dictionaries > Device Fingerprints.

  2. Select an existing device fingerprint or create a new device fingerprint.

  3. Set the Device Fingerprint settings.

The device fingerprint configuration in Aruba ClearPass Policy Manager. Axis devices running any other firmware version other than 10.12 are considered unsupported.
The device fingerprint configuration in Aruba ClearPass Policy Manager. Axis devices running firmware 10.12 are considered supported in above example.

Information about the Device Fingerprint that has been collected by Aruba ClearPass Manager can be found in the Endpoints section.

  1. Go to Configuration > Identity > Endpoints.

  2. Select the device you want to view.

  3. Click on the Device Fingerprints tab.

Note

SNMP is disabled by default in Axis devices and collected from the Aruba access switch.

An Axis device that has been profiled by the Aruba ClearPass Policy Manager.
The detailed device fingerprints of a profiled Axis device. Please note that SNMP is disabled by default in Axis devices. LLDP, CDP and DHCP-specific discovery information are shared by the Axis device in factory defaulted state and relayed by the Aruba access switch to the ClearPass Policy Manager.

Enforcement profile configuration

The Enforcement Profile is used to allow the Aruba ClearPass Policy Manager to assign a specific VLAN ID to an access port on the switch. It is a policy-based decision that applies to the network devices in the device group “switches”. The necessary number of enforcement profiles depends on the number of VLANs that will be used. In our setup there is a total of three VLANs (VLAN 201, 202, 203), that correlates to three enforcement profiles.

After the enforcement profiles for the VLAN are configured, the actual enforcement policy can be configured. The enforcement policy configuration in the Aruba ClearPass Policy Manager defines if Axis devices are granted access to Aruba networks based on four example policy profiles.

An example enforcement profile to allow access to VLAN 201.
The enforcement policy configuration in Aruba ClearPass Policy Manager.

The four enforcement policies and their actions are listed below:

Denied network access

Access to the network is denied when no IEEE 802.1X network access control authentication is performed.

Guest-network (VLAN 203)

The Axis device is granted access to a limited, isolated network if the IEEE 802.1X network access control authentication fails. Manual inspection of the device is required to take appropriate actions.

Provisioning network (VLAN 201)

The Axis device is granted access to a provisioning network. This is to provide Axis device management capabilities through Axis Device Manager and Axis Device Manager Extend. It also makes it possible to configure Axis devices with firmware updates, production-grade certificates, and other configurations. The following conditions are verified by the Aruba ClearPass Policy Manager:

  • The Axis device’s firmware version.

  • The MAC-address of the device matches the vendor-specific Axis MACaddress scheme with the serial number attribute of the Axis device ID certificate.

  • The Axis device ID certificate is verifiable and matches the Axis-specific attributes such as issuer, organization, location, country.

Production network (VLAN 202)

The Axis device is granted access to the production network where the Axis device will operate in. Access is granted after the device provisioning is completed from within the provisioning network (VLAN 201). The following conditions are verified by the Aruba ClearPass Policy Manager:

  • The MAC-address of the device matches the vendor-specific Axis MAC address scheme with the serial number attribute of the Axis device ID certificate.

  • The Axis device’s firmware version.

  • The production-grade certificate is verifiable by the trusted certificate store.

Authentication method configuration

In the authentication method it is defined how an Axis device will attempt to authenticate against the Aruba network. The preferred method of authentication should be IEEE 802.1X EAP-TLS since Axis devices with support for Axis Edge Vault come with IEEE 802.1X EAP-TLS enabled by default.

The authentication method interface of the Aruba ClearPass Policy Manager where the EAP-TLS authentication method for Axis devices is defined.

Service configuration

In the Services interface, the configuration steps are combined into one single service that handles the authentication and authorization of Axis devices in Aruba networks.

A dedicated Axis services is created that defines IEEE 802.1X as connection method.
In the next step, the earlier created EAP-TLS authentication method is configured to the service.
In the last step, the earlier created enforcement policy is configured to the service.

Aruba access switch

Axis devices are either directly connected to PoE-capable Aruba access switches or via compatible Axis PoE midspans. To securely onboard Axis devices into Aruba networks, the access switch needs to be configured for IEEE 802.1X communication. The Axis device relays IEEE 802.1x EAP-TLS communication to the Aruba ClearPass Policy Manager that acts as a RADIUS server.

Note

A periodic re-authentication of 300 seconds for the Axis device is configured as well to increase overall port-access security.

Refer to the below example global and port configuration for Aruba access switches.

radius-server host MyRADIUSIPAddress key "MyRADIUSKey"
aaa authentication port-access eap-radius
aaa port-access authenticator 18-19
aaa port-access authenticator 18 reauth-period 300
aaa port-access authenticator 19 reauth-period 300
aaa port-access authenticator active

Axis network device

Axis devices with support for Axis Edge Vault are manufactured with a secure device identity, called Axis device ID. The Axis device ID is based on the international IEEE 802.1AR standard, which defines a method for automated, secure device identification and network onboarding through IEEE 802.1X.

Axis devices are manufactured with the IEEE 802.1AR-compliant Axis device ID certificate for trusted device identity services
  1. Axis device ID key infrastructure (PKI)
  2. Axis device ID

The hardware-protected secure keystore provided by a secure element of the Axis device is factory provisioned with a device-unique certificate and corresponding keys (Axis device ID) that globally can prove the authenticity of the Axis device. The Axis Product Selector can be used to learn which Axis devices have support for Axis Edge Vault and Axis device ID.

Note

The serial number of an Axis device is its MAC-address.

The certificate store of the Axis device in factory defaulted state with Axis Device ID.

The IEEE 802.1AR-compliant Axis device ID certificate includes information about the serial number and other Axis-vendor specific information. The information is used by the Aruba ClearPass Policy Manager for analysis and decision making to grant access to the network. Please refer to the below information that can be obtained from an Axis device ID certificate

CountrySE
LocationLund
Issuer OrganizationAxis Communications AB
Issuer Common NameAxis device ID intermediate
OrganizationAxis Communications AB
Common Nameaxis-b8a44f279511-eccp256-1
Serial Numberb8a44f279511

The common name is constructed by a combination of Axis company name, the serial number of the device followed by the crypto algorithm (ECC P256, RSA 2048, RSA 4096) used. Since AXIS OS 10.1 (2020-09), IEEE 802.1X is enabled by default with the Axis device ID pre-configured. This enables the Axis device to authenticate itself onto IEEE 802.1X-enabled networks.

The Axis device in factory defaulted state with IEEE 802.1X enabled and Axis Device ID certificate pre-selected.

Axis Device Manager

AXIS Device Manager and AXIS Device Manager Extend can be used on the network to configure and manage multiple Axis devices in a cost-effective way. Axis Device Manager is a Microsoft Windows-based application that can be installed locally on a machine in the network, while Axis Device Manager Extend relies on cloud infrastructure to do multi-site device management. Both offer easy management and configuration capabilities for Axis devices such as:

  • Installation of firmware updates.

  • Apply cybersecurity configuration such as HTTPS and IEEE 802.1X certificates.

  • Configuration of device-specific settings such as Images Settings and others.