Axis Camera discovery and profiling
Endpoints or hosts that connect to IE switch access ports or to the RPoP gateway (IR1101) in CCI are authenticated and authorized for network access by Cisco ISE in the shared services network. Endpoints or hosts connecting to CCI for the first time are quarantined as untrusted devices in a dedicated VLAN or subnet of a CCI fabric overlay, the Quarantine VN. Endpoints or hosts that support 802.1X become trusted devices after successful 802.1X authentication with ISE, in which they present their device identity, either a username and password or an X.509 certificate.
The cameras in the quarantine network of a CCI PoP or RPoP are discovered using ADM, which requires IP reachability between ADM and the cameras in the quarantine network. Axis cameras that connect to an IE switch port or to an IR1101 FE port (a non-PoE port, with the camera powered through a PoE injector) are initially authenticated using MAC Authentication Bypass (MAB), and ISE assigns the switch port to a quarantine network VLAN. Because MAB identifies a device by nothing more than its MAC address, which any host can spoof, MAB alone never grants access beyond the quarantine network. The cameras are profiled by ISE using the built-in, Cisco-provided "Axis-Device" profile.
The following prerequisite configurations are required in CCI for Axis camera onboarding and initial discovery in the network:
- Install and configure the ADM application in the CCI Shared Services network (for Day 0 provisioning and Day N management of cameras), in a separate VLAN or subnet with access to the quarantine network.
- Ensure a separate Quarantine VN is created for untrusted hosts in the CCI network, with a subnet in the Quarantine VN for the cameras of each PoP.
- Ensure a centralized DHCP server is configured for the quarantine network to provide IP addresses to the cameras in it. This is required for the initial discovery of cameras by ADM.
- Ensure ADM is permitted network access to the quarantine network for Day 0 provisioning of the cameras.
- Configure Cisco ISE with the appropriate 802.1X and MAB authentication and authorization policies for the cameras at each site.
Note: The ADM application can also be connected to an IE switch port in the PoP access ring where the cameras are connected, for initial discovery and Day 0 provisioning of the cameras at that PoP site. In this case, a second ADM instance can be deployed in either the Shared Services network or the camera VN (for example, SnS_VN) for Day N management of the Axis cameras in CCI.
Figure 5 illustrates the Day 0 provisioning of Axis cameras, that is, the initial discovery and onboarding steps in CCI.
Figure 5 Axis Cameras Day 0 Onboarding
In Axis Cameras Day 0 Onboarding:
1. An Axis camera in a CCI PoP or RPoP is plugged into an 802.1X- and MAB-enabled Ethernet access port of an IE switch in the access ring, or into an FE port of the RPoP IR1101 gateway.
2. The IE switch or IR1101 learns the camera's MAC address from the first frames the camera sends (MAC learning) and initiates MAB authentication with Cisco ISE as the AAA (RADIUS) server.
3. Cisco ISE authenticates the camera using MAB and matches it against its device profiles. The "Axis-Device" profile is built into Cisco ISE.
Note: An Axis camera connected to an RPoP IR1101 FE port requires a power cycle to trigger MAB during initial onboarding, because the camera is connected to a non-PoE port and is powered through an external PoE injector.
4. The Axis camera sends DHCP messages to request an IP address in the quarantine VLAN.
Note: Access between the quarantine VLAN and the rest of the network is limited.
5. The DHCP server for the quarantine network allocates an IP address to the camera in response to its request.
6. Once the camera has an IP address, ADM can discover it using Universal Plug and Play (UPnP), which is enabled by default on Axis cameras for network discovery. UPnP in turn uses the Simple Service Discovery Protocol (SSDP) to find cameras on the network. ADM searches for cameras by a specific IP address, a subnet, or a range of IP addresses within a subnet.
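The discovery step above can be exercised without ADM. The Go program below is an added example, not ADM code and not part of the original guide: it builds the SSDP M-SEARCH request that UPnP discovery multicasts, parses a reply, and accepts the reply only when the responding address lies inside the quarantine subnet being searched and the USN carries an Axis OUI. The sample reply, the quarantine subnet 192.168.100.0/24, the USN layout and the OUI list are constructed assumptions for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

const ssdpGroup = "239.255.255.250:1900"

// Axis-registered OUIs (assumed list; check the IEEE registry before extending it).
var axisOUIs = []string{"00408C", "ACCC8E", "B8A44F"}

// MSearch builds the SSDP M-SEARCH request that UPnP discovery multicasts to ssdpGroup;
// ST selects which devices answer ("ssdp:all" asks every UPnP device on the segment).
func MSearch(st string, mx int) []byte {
	return []byte("M-SEARCH * HTTP/1.1\r\nHOST: " + ssdpGroup + "\r\nMAN: \"ssdp:discover\"\r\n" +
		"MX: " + strconv.Itoa(mx) + "\r\nST: " + st + "\r\n\r\n")
}

// ParseSSDP parses one unicast M-SEARCH reply into a header map with upper-cased keys.
func ParseSSDP(raw string) (map[string]string, error) {
	r := bufio.NewReader(strings.NewReader(raw))
	if status, _ := r.ReadString('\n'); !strings.HasPrefix(status, "HTTP/1.1 200") {
		return nil, errors.New("not an SSDP 200 OK reply")
	}
	h := map[string]string{}
	for {
		line, _ := r.ReadString('\n')
		if line = strings.TrimRight(line, "\r\n"); line == "" {
			return h, nil // a blank line (or EOF) ends the header block
		}
		k, v, ok := strings.Cut(line, ":")
		if !ok {
			return nil, errors.New("malformed SSDP header: " + line)
		}
		h[strings.ToUpper(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
}

// IsAxisOUI reports whether a 12-hex-digit MAC starts with an Axis OUI.
func IsAxisOUI(mac string) bool {
	for _, o := range axisOUIs {
		if len(mac) == 12 && strings.EqualFold(mac[:6], o) {
			return true
		}
	}
	return false
}

// macFromUSN pulls the MAC out of a USN shaped "uuid:Upnp-BasicDevice-1_0-<MAC>::<urn>" (assumed Axis layout), else "".
func macFromUSN(usn string) string {
	dev, _, _ := strings.Cut(usn, "::")
	if i := strings.LastIndex(dev, "-"); i >= 0 && len(dev)-i-1 == 12 {
		return strings.ToUpper(dev[i+1:])
	}
	return ""
}

// FromReply accepts a reply only if the responder is inside the quarantine subnet the search was
// aimed at and carries an Axis MAC. SSDP authenticates nothing, so this only gates provisioning.
func FromReply(raw string, quarantine *net.IPNet) (net.IP, string, error) {
	h, err := ParseSSDP(raw)
	if err != nil {
		return nil, "", err
	}
	u, err := url.Parse(h["LOCATION"])
	if err != nil || u.Hostname() == "" {
		return nil, "", errors.New("reply has no usable LOCATION header")
	}
	ip := net.ParseIP(u.Hostname())
	if ip == nil || !quarantine.Contains(ip) {
		return nil, "", fmt.Errorf("%q answered from outside quarantine subnet %s", u.Hostname(), quarantine)
	}
	mac := macFromUSN(h["USN"])
	if !IsAxisOUI(mac) {
		return ip, mac, fmt.Errorf("%s: MAC %q does not carry an Axis OUI", ip, mac)
	}
	return ip, mac, nil
}

// sampleReply is a constructed reply (not a capture) from a camera in the assumed quarantine subnet.
const sampleReply = "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n" +
	"LOCATION: http://192.168.100.23:49152/rootdesc1.xml\r\n" +
	"SERVER: Linux/4.9.0, UPnP/1.0, Portable SDK for UPnP devices/1.8.3\r\n" +
	"ST: urn:axis-com:service:BasicService:1\r\n" +
	"USN: uuid:Upnp-BasicDevice-1_0-ACCC8E123456::urn:axis-com:service:BasicService:1\r\n\r\n"

func main() {
	_, quarantine, _ := net.ParseCIDR("192.168.100.0/24") // assumed quarantine subnet for this PoP
	ip, mac, err := FromReply(sampleReply, quarantine)
	fmt.Println(ip, mac, err)
}
```

A reply that passes these checks is an address worth handing to the provisioning step, not a device to trust: SSDP is unauthenticated multicast, and the quarantine boundary remains what limits an unknown responder until it completes 802.1X.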
Figure 6, Axis Cameras Onboarding Messages Flow Diagram, shows the sequence of messages exchanged during Axis camera onboarding in a CCI PoP.
Figure 6 Axis Cameras Onboarding Messages Flow Diagram
Note: When an Axis camera is connected to an RPoP IR1101, the IR1101 acts as the authenticator and sends the RADIUS authentication requests to Cisco ISE in the above flow, in place of an IE switch in a CCI PoP.
Provisioning cameras with X.509 certificates and enabling IEEE 802.1X
Axis cameras support IEEE 802.1X, the open standard for device authentication against a RADIUS and policy server, and use X.509 certificates as their device identity. An X.509 certificate is a digital certificate, issued under the widely adopted X.509 Public Key Infrastructure (PKI) standard, that binds a public key to the identity of the user, host (computer) or endpoint named in the certificate.
Once a camera has been onboarded in the CCI network, the next step is to authenticate and authorize it for access to the correct VN. Cameras in CCI require access to a vertical service VN (for example, the Safety and Security VN, or simply SnS_VN) to stream live video to a VMS in that VN for video surveillance and other video-analytics use cases. This is achieved with 802.1X authentication followed by authorization of the camera by Cisco ISE.
Axis cameras use IEEE 802.1X with Extensible Authentication Protocol over LAN (EAPoL) to authenticate to Cisco ISE acting as the RADIUS authentication and policy server. Many EAP methods exist; the method Axis uses for wired and wireless 802.1X authentication is EAP-TLS (EAP-Transport Layer Security), in which both sides authenticate with certificates.
With EAP-TLS, an Axis device needs three items to gain network access: the CA certificate it uses to validate the authentication server, a client certificate, and the private key belonging to that client certificate. These are issued by a CA and uploaded through ADM to all Axis cameras in the network. When the Axis device is connected to the network switch, it presents its client certificate, which the switch relays to ISE for validation. If ISE accepts the certificate, it authorizes the switch port and the device is admitted to the trusted SnS VN.
ADM can also act as a Root CA and issue these certificates. To authenticate Axis cameras in CCI with 802.1X, the following PKI configuration is required to provide the certificates needed for authentication:
- Configure ADM in the quarantine network as a Root CA to issue client certificates to the Axis cameras, which authenticate against Cisco ISE as the RADIUS server in CCI.
- Install the ADM Root CA certificate chain in the Cisco ISE trusted certificate store, so that ISE can validate the camera client certificates.
- Configure the ISE certificate as the authentication server certificate in ADM, so that the cameras can validate the server side of the EAP-TLS exchange.
- Configure the centralized DHCP server in the Shared Services network with DHCP scopes and options for the cameras in the respective vertical service VN (for example, SnS_VN).
Refer to the following URL for more details on IEEE 802.1X in Axis products:
Figure 7 shows the Axis Cameras 802.1X authentication steps in a CCI PoP or RPoP.
Figure 7 Axis Cameras 802.1X Authentication in CCI
In Axis Cameras 802.1X Authentication in CCI:
1. Once ADM has discovered all the cameras in the quarantine network, it installs the Root CA certificate, a client certificate and the authentication server certificate configured in ADM on each camera. ADM generates a unique client certificate for each camera and installs it on that camera during this step. ADM then enables 802.1X on all the cameras and restarts them.
2. The cameras (802.1X supplicants) initiate the 802.1X exchange by sending an EAPoL-Start message to the IE switch (in a CCI PoP) or the IR1101 (in an RPoP).
3. The IE switch or IR1101, acting as the 802.1X authenticator, requests the device identity from the camera with an EAP Request-Identity message and relays the camera's EAP responses to ISE in RADIUS Access-Request messages.
4. ISE, as the 802.1X authentication server, runs the EAP-TLS exchange with the camera over a sequence of RADIUS messages (shown as a flow diagram in Figure 8). ISE verifies the camera's client certificate against the ADM Root CA in its trusted store, and the camera verifies the ISE server certificate. On successful verification, ISE authorizes the camera and the switch port and assigns the VLAN (for example, a subnet in SnS_VN) configured in the matching ISE authorization profile.
Note: If 802.1X authentication fails, MAB is triggered as the fallback authentication method and the camera is authorized for the quarantine network only.
5. The cameras send DHCP messages in the assigned VLAN (SnS_VN); the centralized DHCP server in the Shared Services network receives the requests and allocates IP addresses from the DHCP scope of that VLAN.
6. The cameras receive the IP addresses allocated by the DHCP server and use them for network access in the respective VLAN. Once the cameras have IP addresses, they can communicate with all devices in the respective VN (for example, SnS_VN). This completes the Axis camera onboarding use case in CCI.
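The certificate roles from the PKI prerequisites and the verification in step 4 can be reproduced in one program. The Go example below is added here and is not Axis, ADM or Cisco code: it issues a root CA in ADM's role, a per-camera client certificate whose CN is the camera serial, a second CA and a server certificate standing in for ISE (the assumption being that ISE's server certificate comes from a different issuer than the cameras' client certificates, which is why installing the ADM root in ISE and the ISE certificate in ADM are two separate prerequisites), and then runs the TLS handshake that EAP-TLS carries inside EAP over RADIUS across a loopback socket. The server admits only a camera whose certificate chains to the ADM root, and the camera proceeds only if the server's certificate chains to the authentication server certificate it was given. The names ise.cci.local, ADM Root CA and the serial ACCC8E123456 are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn: with parent == nil a self-signed root CA (ADM's role; eku ignored),
// otherwise a leaf signed by parent: ClientAuth for a camera (cn = serial), ServerAuth for the RADIUS server.
func issue(cn string, parent *Identity, eku x509.ExtKeyUsage) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // what a TLS client matches the server name against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	signer, signKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.DNSNames = true, true, nil
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	} else {
		signer, signKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Key: key}, err
}

// Handshake runs the TLS exchange EAP-TLS tunnels inside EAP over RADIUS, here over loopback: the camera must chain
// the server's certificate to cameraRoot (the authentication server certificate pushed by ADM) and the server, in
// ISE's role, must chain the camera's certificate to iseRoot (the ADM Root CA in ISE's trusted store).
func Handshake(camera, server, cameraRoot, iseRoot *Identity) error {
	cameraTrust, iseTrust := x509.NewCertPool(), x509.NewCertPool()
	cameraTrust.AddCert(cameraRoot.Cert)
	iseTrust.AddCert(iseRoot.Cert)
	srv := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.Cert.Raw}, PrivateKey: server.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    iseTrust,
	}
	cli := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{camera.Cert.Raw}, PrivateKey: camera.Key}},
		RootCAs:      cameraTrust,
		ServerName:   server.Cert.Subject.CommonName,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err // the camera refused the server certificate
	}
	conn.Close()
	return <-verdict // the server's decision on the camera certificate
}

func main() {
	adm, _ := issue("ADM Root CA", nil, 0)
	iseCA, _ := issue("ISE Internal CA", nil, 0) // assumed separate issuer for ISE's own server certificate
	cam, _ := issue("ACCC8E123456", adm, x509.ExtKeyUsageClientAuth)
	ise, _ := issue("ise.cci.local", iseCA, x509.ExtKeyUsageServerAuth)
	rogueCA, _ := issue("Rogue CA", nil, 0)
	rogue, _ := issue("ACCC8E123456", rogueCA, x509.ExtKeyUsageClientAuth)
	fmt.Println("ADM-issued camera certificate:", Handshake(cam, ise, iseCA, adm))
	fmt.Println("rogue-CA camera certificate:  ", Handshake(rogue, ise, iseCA, adm))
}
```

The rogue camera fails even though its certificate carries the same serial in its CN: identity in EAP-TLS is the chain of trust, not the name. Two details to keep in mind when comparing with a real supplicant: Go's TLS client withholds a certificate whose issuer the server did not list as acceptable, so the rogue case fails with "no certificate" rather than "bad certificate"; and the camera-side check succeeds only because the server's certificate name matches the name the camera expects, which is the purpose of configuring the ISE certificate in ADM.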
Note: ADM in the Shared Services network must re-discover the cameras at their new IP addresses (or address range) for Day N management of the cameras using ADM. Alternatively, an ADM placed in the respective vertical service VN in CCI (for example, SnS_VN) alongside the VMS system can discover the cameras for Day N management.
Figure 8, Axis Cameras 802.1X Authentication Messages Flow Diagram, lists the sequence of 802.1X authentication messages and DHCP messages for Axis cameras in the CCI network.
Figure 8 Axis Cameras 802.1X Authentication Messages Flow Diagram
Note: When an Axis camera is connected to an RPoP IR1101, the IR1101 acts as the authenticator and sends the RADIUS authentication requests to Cisco ISE in the above flow, in place of an IE switch in a CCI PoP.
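Both message flows (Figure 6 and Figure 8) end in the same kind of RADIUS exchange: the authenticator sends an Access-Request and acts on ISE's Access-Accept, whose authorization profile names the VLAN (the quarantine VLAN after MAB, the SnS_VN subnet after EAP-TLS). The Go example below is added here and is not Cisco or Axis code: it encodes the MAB Access-Request the IE switch or IR1101 sends (MAC as User-Name, Service-Type Call-Check), builds the Access-Accept with tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes, and performs the check the switch must make before it moves a port: the reply's ID matches the pending request, the Response Authenticator verifies under the shared secret, and the three tunnel attributes agree. The shared secret, Request Authenticator and VLAN 100 are constructed values; the Cisco IOS MAC formats are assumed; the hidden User-Password, NAS-IP-Address and Message-Authenticator attributes, and the EAP-Message and State attributes that carry EAP-TLS in the 802.1X case, are omitted.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// RADIUS codes, attribute types and values used here (RFC 2865, RFC 2868).
const (
	AccessRequest, AccessAccept                            byte = 1, 2
	aUserName, aServiceType, aCallingStation, aNASPortType byte = 1, 6, 31, 61
	aTunnelType, aTunnelMedium, aTunnelGroup               byte = 64, 65, 81
	callCheck, ethernet, vlanType, ieee802                 byte = 10, 15, 13, 6
)

// tlv builds one attribute; encode lays out Code|ID|Length|Authenticator|attributes (RFC 2865 §3).
func tlv(t byte, v []byte) []byte { return append([]byte{t, byte(2 + len(v))}, v...) }
func encode(code, id byte, auth [16]byte, attrs ...[]byte) []byte {
	out := append([]byte{code, id, 0, 0}, auth[:]...)
	for _, a := range attrs {
		out = append(out, a...)
	}
	binary.BigEndian.PutUint16(out[2:4], uint16(len(out)))
	return out
}

// attributes length-checks a packet and returns the last value seen for each attribute type.
func attributes(raw []byte) (map[byte][]byte, error) {
	if len(raw) < 20 || int(binary.BigEndian.Uint16(raw[2:4])) != len(raw) {
		return nil, errors.New("bad RADIUS length")
	}
	m := map[byte][]byte{}
	for i := 20; i < len(raw); i += int(raw[i+1]) {
		if i+2 > len(raw) || raw[i+1] < 2 || i+int(raw[i+1]) > len(raw) {
			return nil, errors.New("bad attribute length")
		}
		m[raw[i]] = raw[i+2 : i+int(raw[i+1])]
	}
	return m, nil
}

// BuildMABRequest is the Access-Request the IE switch or IR1101 sends ISE for MAB: the MAC as User-Name plus
// Service-Type=Call-Check. Cisco IOS formats ("accc8e123456", "AC-CC-8E-12-34-56") assumed; User-Password omitted.
func BuildMABRequest(mac string, id byte, ra [16]byte) ([]byte, error) {
	hw, err := net.ParseMAC(mac)
	if err != nil {
		return nil, err
	}
	return encode(AccessRequest, id, ra,
		tlv(aUserName, []byte(strings.ReplaceAll(hw.String(), ":", ""))),
		tlv(aServiceType, []byte{0, 0, 0, callCheck}),
		tlv(aCallingStation, []byte(strings.ToUpper(strings.ReplaceAll(hw.String(), ":", "-")))),
		tlv(aNASPortType, []byte{0, 0, 0, ethernet})), nil
}

// BuildAccessAccept is ISE's reply for a matching authorization profile: the VLAN rides in tagged Tunnel-*
// attributes (RFC 2868) and the Response Authenticator MD5(Code|ID|Length|ReqAuth|Attrs|secret) binds it to the request.
func BuildAccessAccept(req []byte, vlanID, secret string) []byte {
	raw := encode(AccessAccept, req[1], *(*[16]byte)(req[4:20]), // request authenticator goes in first
		tlv(aTunnelType, []byte{1, 0, 0, vlanType}), tlv(aTunnelMedium, []byte{1, 0, 0, ieee802}),
		tlv(aTunnelGroup, append([]byte{1}, vlanID...)))
	sum := md5.Sum(append(append([]byte(nil), raw...), secret...))
	copy(raw[4:20], sum[:])
	return raw
}

// AcceptedVLAN is the switch-side check before a port moves: matching ID, valid Response Authenticator,
// an Access-Accept, and a consistent assignment (Tunnel-Type=VLAN over Tunnel-Medium-Type=802).
func AcceptedVLAN(resp, req []byte, secret string) (string, error) {
	attrs, err := attributes(resp)
	if err != nil || resp[1] != req[1] {
		return "", errors.New("malformed reply or ID does not match the pending request")
	}
	check := append([]byte(nil), resp...)
	copy(check[4:20], req[4:20])
	if want := md5.Sum(append(check, secret...)); !hmac.Equal(want[:], resp[4:20]) {
		return "", errors.New("response authenticator mismatch: wrong secret or tampered reply")
	}
	tt, tm, tg := attrs[aTunnelType], attrs[aTunnelMedium], attrs[aTunnelGroup]
	if resp[0] != AccessAccept || len(tt) != 4 || len(tm) != 4 || len(tg) == 0 ||
		tt[1]|tt[2] != 0 || tt[3] != vlanType || tm[1]|tm[2] != 0 || tm[3] != ieee802 {
		return "", errors.New("not an Access-Accept with a consistent VLAN assignment")
	}
	if tg[0] < 0x20 { // a leading byte below 0x20 is an RFC 2868 tag, not part of the string
		tg = tg[1:]
	}
	return string(tg), nil
}

func main() {
	ra := [16]byte{'c', 'c', 'i'} // constructed Request Authenticator; a real NAS draws it from a CSPRNG
	req, _ := BuildMABRequest("ac:cc:8e:12:34:56", 7, ra)
	fmt.Println(AcceptedVLAN(BuildAccessAccept(req, "100", "cci-radius-secret"), req, "cci-radius-secret"))
}
```

The Response Authenticator is only as strong as the shared secret and MD5, so the RADIUS path between the access layer and ISE still needs to be one the design trusts (or be carried over RadSec or IPsec), and a per-NAS secret limits what a single compromised switch can forge. The MAB request also shows why its result is the quarantine VLAN: the only credential in it is a MAC address.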