AW: IP Camera does not work properly with 802.1X and 3COM 5500 Switch
Niklas.Klein at geutebrueck.com
Fri Jun 29 16:02:04 CEST 2018
Thanks to everyone so far, that is a lot of information in a short time. I hadn't expected that much so fast 😉.
As @Arran implied, I assume that you can go around MBA with MAC spoofing and the use of certificates is more secure in general, right? In addition to that, we are reselling these cameras and therefore we need to ensure that this feature does work.
I have a more or less hot wire to the camera manufacturer, therefore I will ask for some more information about the actual implementation as suggested.
Besides that, @Arran, you wrote that I should use a "credential based EAP-Method". Do I have to set this in the RADIUS as a user attribute, or do you expect a setting in the camera firmware? If it's the latter, there is no such setting. For the camera to use 802.1X I have to provide a CA certificate, a client certificate, a private key and I can set an identity with a private key password. I cannot leave out the certificates as the firmware would not let me activate 802.1X then.
Of course, the log of the camera does not show anything related to 802.1X and I also cannot have terminal access to the camera to directly look up the files as it's not one of the "cheap" IP cams and there is no terminal access over telnet or ssh. Probably I can somehow get a debug firmware somewhere with SSH activated, I have to look for this.
From: Freeradius-Users [mailto:freeradius-users-bounces+niklas.klein=geutebrueck.com at lists.freeradius.org] On behalf of Arran Cudbard-Bell
Sent: Friday, June 29, 2018 15:49
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: IP Camera does not work properly with 802.1X and 3COM 5500 Switch
> On Jun 29, 2018, at 9:47 AM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>> On Jun 29, 2018, at 9:43 AM, Vacheslav <m_zouhairy at skno.by> wrote:
>> Why don't you just use mab for stupid devices?
> Would you want to allow essentially unauthenticated access to the VLAN dealing with CCTV feeds and possibly building locks/other alarm systems?
As for the NAK, it's likely you don't have the certificates available on the camera to do EAP-TLS and that's why it's failing.
Switch to a credential based EAP-Method or install the right certs.