IP Camera does not work properly with 802.1X and 3COM 5500 Switch

Alan DeKok aland at deployingradius.com
Fri Jun 29 16:16:57 CEST 2018


On Jun 29, 2018, at 10:02 AM, Klein Niklas <Niklas.Klein at geutebrueck.com> wrote:
> 
> Thanks to everyone so far, that is a lot of information in a short time. I hadn't expected that much so fast 😉.

  We tend to answer questions faster than if you bought a commercial RADIUS server && support.

> As @Arran implied, I assume that you can go around MBA with MAC spoofing and the use of certificates is more secure in general, right? In addition to that, we are reselling these cameras and therefore we need to ensure that this feature does work.
> 
> I have a more or less hot wire to the camera manufacturer, therefore I will ask for some more information about the actual implementation as suggested.

  Ask them to have a debug interface which gives more useful information than "NAK".  Even a log visible on the admin interface would be genius.

> Besides that, @Arran, you wrote that I should use a "credential based EAP-Method". Do I have to set this in the RADIUS as a user attribute, or do you expect a setting in the camera firmware? If it’s the latter, there is no such setting. For the camera to use 802.1X I have to provide a CA certificate, a client certificate, a private key and I can set an identity with a private key password. I cannot leave out the certificates as the firmware would not let me activate 802.1x then.

  In order to do EAP without client certs, the firmware should allow you to set:

CA cert
username
password
EAP method (e.g. TTLS or PEAP)

> Of course, the log of the camera does not show anything related to 802.1X and I also cannot have terminal access to the camera to directly look up the files as it's not one of the "cheap" IP cams and there is no terminal access over telnet or ssh. Probably I can somehow get a debug firmware somewhere with SSH activated, I have to look for this.

  If it has a web admin interface, they should make the logs available in that.

  Alan DeKok.



