Secure integration of Axis devices into Aruba networks

This integration guide aims to outline the best-practice configuration of how to onboard and operate Axis devices in Aruba networks. The configuration uses modern security standards and protocols such as IEEE 802.1X, IEEE 802.1AR, and HTTPS.

Establishing proper automation for network integration can save time and money. It allows the removal of unnecessary system complexity when using Axis device management applications combined with Aruba network equipment and applications. Below are just some benefits that can be gained when combining Axis devices and software with an Aruba network infrastructure:

• Minimize system complexity by removing device staging networks.

• Save costs by adding automating onboarding processes and device management.

• Take advantage of zero-touch network security controls provided by Axis devices.

• Increase overall network security by applying Aruba and Axis expertise.

The network infrastructure must be prepared to securely verify the integrity of the Axis devices before starting the configuration. This allows a smooth software defined transition between logical networks throughout the on-boarding process. It is necessary to have knowledge about the following areas before doing the configuration:

• Managing Aruba enterprise network IT-infrastructure including Aruba access switches and Aruba ClearPass Policy Manager.

• Expertise in modern network access control techniques and network security policies.

• Basic knowledge about Axis products is desirable but will be provided throughout the guide.

Connect the Axis Edge Vault supported Axis device to authenticate the device against the Aruba network. The device will use the IEEE 802.1AR Axis device ID certificate through the IEEE 802.1X network access control to authenticate itself.

To grant access to the network, the Aruba ClearPass Policy Manager verifies the Axis device ID together with other device specific fingerprints. The information, such as MAC-address and running firmware, is used to make a policy-based decision.

The Axis device authenticates against the Aruba network using the IEEE 802.1AR compliant Axis device ID certificate.

After authentication, the Aruba network will move the Axis device into the provisioning network (VLAN201) where Axis Device Manager is installed. Through the Axis Device Manager, device configuration, security hardening, and firmware updates can be performed. To complete the device provisioning, new customer specific production-grade certificates are uploaded onto the device for IEEE 802.1X and HTTPS.

The provisioning of the Axis device with new IEEE 802.1X certificates will trigger a new authentication attempt. The Aruba ClearPass Policy Manager will verify the new certificates and decide whether to move the Axis device into the production network or not.

After reauthentication, the Axis device is moved into the production network (VLAN 202). In that network, the Video Management System (VMS) will connect to the Axis device and start to operate.

Aruba’s ClearPass Policy Manager provides role- and device based secure network access control for IoT, BYOD, corporate devices, employees, contractors, and guests across and multivendor wired, wireless, and VPN infrastructure.

1. Download the Axis-specific IEEE 802.1AR certificate chain from axis.com.

2. Upload the Axis-specific IEEE 802.1AR Root CA and Intermediate CA certificate chains into the trusted certificate store.

3. Enable the Aruba ClearPass Policy Manager to authenticate Axis devices through IEEE 802.1X EAP-TLS.

4. Select EAP in the usage field. The certificates will be used for IEEE 802.1X EAP-TLS authentication.

1. Add trusted network access devices, such as Aruba access switches, to the ClearPass Policy Manager. The ClearPass Policy Manager needs to know which Aruba access switches in the network will be used for IEEE 802.1X communication.

2. Use the network device group configuration to group several trusted network access devices. Grouping trusted network access devices allows easier policy configuration.

3. The RADIUS shared secret needs to match the specific switch IEEE 802.1X configuration.

The Axis device can distribute device specific information, such as MAC-address and firmware version, through network discovery. A device fingerprint can be created from the device fingerprints interface in the Aruba ClearPass Policy Manager. It is possible to update and manage the Device Fingerprint. One of the things that is possible to do is to grant or deny access depending on the AXIS OS version.

It is possible to update and manage the Device Fingerprint. One of the things that is possible to do is to grant or deny access depending on the AXIS OS version.

1. Go to Administration > Dictionaries > Device Fingerprints.

2. Select an existing device fingerprint or create a new device fingerprint.

3. Set the Device Fingerprint settings.

Information about the Device Fingerprint that has been collected by Aruba ClearPass Manager can be found in the Endpoints section.

1. Go to Configuration > Identity > Endpoints.

2. Select the device you want to view.

3. Click on the Device Fingerprints tab.

The Enforcement Profile is used to allow the Aruba ClearPass Policy Manager to assign a specific VLAN ID to an access port on the switch. It is a policy-based decision that applies to the network devices in the device group “switches”. The necessary number of enforcement profiles depends on the number of VLANs that will be used. In our setup there is a total of three VLANs (VLAN 201, 202, 203), that correlates to three enforcement profiles.

After the enforcement profiles for the VLAN are configured, the actual enforcement policy can be configured. The enforcement policy configuration in the Aruba ClearPass Policy Manager defines if Axis devices are granted access to Aruba networks based on four example policy profiles.

The four enforcement policies and their actions are listed below:

Denied network access

Access to the network is denied when no IEEE 802.1X network access control authentication is performed.

Guest-network (VLAN 203)

The Axis device is granted access to a limited, isolated network if the IEEE 802.1X network access control authentication fails. Manual inspection of the device is required to take appropriate actions.

Provisioning network (VLAN 201)

The Axis device is granted access to a provisioning network. This is to provide Axis device management capabilities through Axis Device Manager and Axis Device Manager Extend. It also makes it possible to configure Axis devices with firmware updates, production-grade certificates, and other configurations. The following conditions are verified by the Aruba ClearPass Policy Manager:

• The Axis device’s firmware version.

• The MAC-address of the device matches the vendor-specific Axis MACaddress scheme with the serial number attribute of the Axis device ID certificate.

• The Axis device ID certificate is verifiable and matches the Axis-specific attributes such as issuer, organization, location, country.

Production network (VLAN 202)

The Axis device is granted access to the production network where the Axis device will operate in. Access is granted after the device provisioning is completed from within the provisioning network (VLAN 201). The following conditions are verified by the Aruba ClearPass Policy Manager:

• The MAC-address of the device matches the vendor-specific Axis MAC address scheme with the serial number attribute of the Axis device ID certificate.

• The Axis device’s firmware version.

• The production-grade certificate is verifiable by the trusted certificate store.

In the authentication method it is defined how an Axis device will attempt to authenticate against the Aruba network. The preferred method of authentication should be IEEE 802.1X EAP-TLS since Axis devices with support for Axis Edge Vault come with IEEE 802.1X EAP-TLS enabled by default.

In the Services interface, the configuration steps are combined into one single service that handles the authentication and authorization of Axis devices in Aruba networks.

Axis devices are either directly connected to PoE-capable Aruba access switches or via compatible Axis PoE midspans. To securely onboard Axis devices into Aruba networks, the access switch needs to be configured for IEEE 802.1X communication. The Axis device relays IEEE 802.1x EAP-TLS communication to the Aruba ClearPass Policy Manager that acts as a RADIUS server.

Refer to the below example global and port configuration for Aruba access switches.

radius-server host MyRADIUSIPAddress key "MyRADIUSKey"

aaa authentication port-access eap-radius
aaa port-access authenticator 18-19
aaa port-access authenticator 18 reauth-period 300
aaa port-access authenticator 19 reauth-period 300
aaa port-access authenticator active

Axis devices with support for Axis Edge Vault are manufactured with a secure device identity, called Axis device ID. The Axis device ID is based on the international IEEE 802.1AR standard, which defines a method for automated, secure device identification and network onboarding through IEEE 802.1X.

The hardware-protected secure keystore provided by a secure element of the Axis device is factory provisioned with a device-unique certificate and corresponding keys (Axis device ID) that globally can prove the authenticity of the Axis device. The Axis Product Selector can be used to learn which Axis devices have support for Axis Edge Vault and Axis device ID.

The IEEE 802.1AR-compliant Axis device ID certificate includes information about the serial number and other Axis-vendor specific information. The information is used by the Aruba ClearPass Policy Manager for analysis and decision making to grant access to the network. Please refer to the below information that can be obtained from an Axis device ID certificate

The common name is constructed by a combination of Axis company name, the serial number of the device followed by the crypto algorithm (ECC P256, RSA 2048, RSA 4096) used. Since AXIS OS 10.1 (2020-09), IEEE 802.1X is enabled by default with the Axis device ID pre-configured. This enables the Axis device to authenticate itself onto IEEE 802.1X-enabled networks.

AXIS Device Manager and AXIS Device Manager Extend can be used on the network to configure and manage multiple Axis devices in a cost-effective way. Axis Device Manager is a Microsoft Windows-based application that can be installed locally on a machine in the network, while Axis Device Manager Extend relies on cloud infrastructure to do multi-site device management. Both offer easy management and configuration capabilities for Axis devices such as:

• Installation of firmware updates.

• Apply cybersecurity configuration such as HTTPS and IEEE 802.1X certificates.

• Configuration of device-specific settings such as Images Settings and others.