IP Camera does not work properly with 802.1X and 3COM 5500 Switch

Peter Lambrechtsen peter at crypt.nz
Sat Jun 30 00:04:21 CEST 2018

Often CCTV cameras also have a SD card and that should support logging.

The issue you will face is since there won't be a serial port to diagnose
the issue the best you will have is logging the output somewhere before you
need to unplug it and factory reset it to get it back to standard unauthed

I would turn on all EAP methods as you would hope it supports at least TTLS
or PEAP since I would have assumed it supported EAP-MD5 like my camera
does. Not that I have setup EAP.

But the camera manufacturer should be able to tell you what EAP methods it

Also it could always be the switch you are using is busted so might be
worth trying another vendor.

On Sat, 30 Jun 2018, 02:17 Alan DeKok, <aland at deployingradius.com> wrote:

> On Jun 29, 2018, at 10:02 AM, Klein Niklas <Niklas.Klein at geutebrueck.com>
> wrote:
> >
> > Thanks to everyone so far, that is a lot of information in a short time.
> Haven't expected that much so fast😉.
>   We tend to answer questions faster than if you bought a commercial
> RADIUS server && support.
> > As @Aarran implied, I assume that you can go around MBA with mac
> spoofing and the use of certificates is more secure in general right?
> Additional to that, we are reselling these cameras and therefore we need to
> ensure that this feature does work.
> >
> > I have a more or less hot wire to the camera manufacturer, therefore I
> will ask for some more information about the actual implementation as
> suggested.
>   Ask them to have a debug interface which gives more useful information
> than "NAK".  Even a log visible on the admin interface would be genius.
> > Besides that, @Arran, you wrote that I should use a  "credential based
> EAP-Method". Do I have to set this in the RADIUS as a user attribute, or do
> you expect a setting in the camera firmware. If it’s the later, there is no
> such setting. For the camera to use 802.1X I have to provide a CA
> certificate, a client certificate, a private key and I can set an identity
> with a private key password. I cannot leave out the certificates as the
> firmware would not let me activate 802.1x then.
>   In order to do EAP without client certs, the firmware should allow you
> to set:
> CA cert
> username
> password
> EAP method (e.g. TTLS or PEAP)
> > Of course, the log of the camera does not show anything related to
> 802.1X and I also cannot have terminal access to the camera to directly
> look up the files as its not one of the "cheap" IP cams and there is no
> terminal access over telnet or ssh. Probably I can somehow get a debug
> firmware somewhere with SSH activated, I have to look for this.
>   If it has a web admin interface, they should make the logs available in
> that.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list