Introduction

The 802.1X protocol was proposed by the IEEE 802 LAN/WAN committee to address network security issues in wireless local area networks. It was later applied to Ethernet as a general access control mechanism for LAN ports. Its primary purpose is to address authentication and security issues within Ethernet networks by authenticating and controlling devices at the port level of the LAN access equipment.

EAP-TLS support overview for Milesight devices:

Video Surveillance Network Camera

  • Only firmware version XX.8.0.4 and above is supported
  • Note: OpenVision Series cameras and the MS-C5321-FPE are excluded

Intelligent Traffic Series Camera

  • Only firmware version XX.8.0.4 and above is supported
  • Note: TrafficX Series and 4G Solar-powered Series cameras are excluded

System Architecture

The 802.1X system adopts a typical Client/Server architecture and consists of three entities:

1. Client: An entity within the local area network (LAN), typically a regular computer. The user initiates the 802.1X authentication through client software, and the connected network device performs the authentication. The client device must support 802.1X authentication.

2. Network Device (Authenticator): Usually a network device that supports the 802.1X protocol, such as a switch. It provides the physical or logical LAN port for the client to connect and performs authentication of the client.

3. Authentication Server: An entity that provides authentication services to the network device. For example, a RADIUS server can be used to implement the authentication and authorization functions. This server can store relevant information about clients and perform authentication and authorization. To ensure the stability of the authentication system, a backup authentication server can be configured. When the primary authentication server fails, the backup server can take over its tasks and maintain the stability of the system.

1. 802.1X Authentication Mechanism

The authentication process can be initiated either by the client or by the network device. On one hand, when the device detects that an unauthenticated user is attempting to access the network, it actively sends an EAP-Request/Identity packet to the client to initiate authentication. On the other hand, the client can initiate authentication by sending an EAPOL-Start packet to the device through the client software.

The 802.1X system supports two modes of interaction with a remote RADIUS server to complete authentication: EAP relay mode and EAP termination mode. The following descriptions of both authentication modes assume that the client initiates the authentication process.

 

2. EAP-MD5 Authentication Process (EAP Relay Mode)

1. The client enters a pre-registered username and password and initiates the request (EAPOL-Start packet); the client software sends an authentication request packet to the device, initiating an authentication process.

2. After receiving the authentication request frame, the device sends a request (EAP-Request/Identity packet) asking the client software to send the entered username.

3. The client software responds to the device's request by sending the user information via a data frame (EAP-Response/Identity packet) to the device; the device then encapsulates the client's frame into a RADIUS Access-Request packet and forwards it to the authentication server for processing.

4. After the RADIUS server receives the username information forwarded by the device, it looks the username up in its user database. Once it finds the corresponding password, it hashes it (MD5) together with a randomly generated challenge value, and sends the challenge to the device in a RADIUS Access-Challenge packet, which the device then forwards to the client software.

5. After receiving the challenge value (EAP-Request/MD5 Challenge packet) from the device, the client software hashes the password with the challenge. Because MD5 is a one-way function, the password cannot be recovered from the result. The client places the hash in an EAP-Response/MD5 Challenge packet, which is sent to the authentication server via the device.

6. The RADIUS server compares the hashed password it receives (in the RADIUS Access-Request packet) with the value it computed locally from the stored password. If they match, the user is deemed legitimate, and the server responds with an authentication success message (RADIUS Access-Accept packet and EAP-Success packet).

7. Once the device receives the authentication success message, it changes the port to the authorized state, allowing the user to access the network through that port. During the session, the device periodically sends handshake packets to monitor the user's online status. By default, if the client fails to respond to two consecutive handshake requests, the device logs the user off, so that an abnormal disconnection does not go undetected.

8. The client can also send an EAPOL-Logoff packet to the device to voluntarily request disconnection, and the device will then change the port state from authorized to unauthorized.
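The challenge-response of steps 2 to 6, as an added example that is not Milesight's or the switch vendor's code: it encodes the EAP packets as RFC 3748 lays them out, computes the CHAP-style MD5 value (RFC 1994) on the client, and recomputes and compares it on the server. The user store (the article's test/password), the challenge and the server name are constructed.

```python
import hashlib, hmac, os, struct
# Constructed EAP-MD5 exchange (EAP relay mode), not Milesight code. EAP framing per RFC 3748;
# the MD5-Challenge value is MD5(Identifier || password || challenge) as in CHAP (RFC 1994).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4
USER_DB = {b"test": b"password"}  # constructed RADIUS user store (the article's test/password)

def eap_packet(code, ident, eap_type=None, data=b""):
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode an EAP packet; a Length field that disagrees with the frame is rejected."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length mismatch")
    return (code, ident, None, b"") if length == 4 else (code, ident, pkt[4], pkt[5:])

def md5_response(ident, password, challenge):
    """One-way value sent in step 5: the password cannot be recovered from it."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def client_answer(request, username, password):
    """Client side of steps 3 and 5; the Identifier is echoed from the request."""
    _, ident, eap_type, data = parse_eap(request)
    if eap_type == TYPE_IDENTITY:
        return eap_packet(EAP_RESPONSE, ident, TYPE_IDENTITY, username)
    if eap_type == TYPE_MD5_CHALLENGE:
        challenge = data[1:1 + data[0]]  # Type-Data is Value-Size(1) Value Name
        value = md5_response(ident, password, challenge)
        return eap_packet(EAP_RESPONSE, ident, TYPE_MD5_CHALLENGE, bytes([16]) + value + username)
    raise ValueError("unexpected EAP request type")

def server_verify(response, identity, challenge, user_db):
    """Step 6: recompute the hash from the stored password and compare in constant time."""
    _, ident, eap_type, data = parse_eap(response)
    value = data[1:1 + data[0]] if data else b""
    stored = user_db.get(identity)
    ok = (eap_type == TYPE_MD5_CHALLENGE and stored is not None
          and hmac.compare_digest(value, md5_response(ident, stored, challenge)))
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)

def run_exchange(username, password, user_db=USER_DB, challenge=None):
    """Steps 2-6 with the switch only relaying; returns 3 (EAP-Success) or 4 (EAP-Failure)."""
    challenge = challenge or os.urandom(16)  # generated by the server in EAP relay mode
    resp_id = client_answer(eap_packet(EAP_REQUEST, 1, TYPE_IDENTITY), username, password)
    identity = parse_eap(resp_id)[3]
    req = eap_packet(EAP_REQUEST, 2, TYPE_MD5_CHALLENGE, bytes([len(challenge)]) + challenge + b"radius")
    resp = client_answer(req, username, password)
    return parse_eap(server_verify(resp, identity, challenge, user_db))[0]
```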

3. PAP Authentication Process (EAP Termination Mode)

Difference: In PAP (EAP termination) mode, the switch terminates EAP and encrypts the user's password itself, then forwards the username, the randomly generated encryption key, and the encrypted password to the authentication server for processing. In EAP-MD5 (relay) mode, by contrast, the random challenge is generated by the authentication server, and the switch only encapsulates and forwards the authentication messages.

MD5 Test Method on Milesight Network Camera

Step A: Set up the authentication server
Mandatory step. After setup, record the LAN access user information on the server and configure the corresponding usernames and passwords for authentication.

Step B: Install client software
Mandatory step. Install the 802.1X client software from the CD on the access computer. (In this case, the Network Camera acts as the client.)

Step C: Configure global 802.1X parameters
Mandatory step. By default, the switch's global 802.1X function is disabled. Go to Network Security >> 802.1X Authentication >> Global Configuration to enable and configure it.

Step D: Configure authentication server parameters
Mandatory step. After setting up the authentication server, go to Network Security >> 802.1X Authentication >> RADIUS Configuration to set the server parameters.

Step E: Configure 802.1X parameters for each port
Mandatory step. Based on your network setup, go to Network Security >> 802.1X Authentication >> Port Configuration to configure 802.1X function parameters for each switch port.

A. Set Up the Authentication Server

WinRadius download: https://sourceforge.net/projects/winradius/files/latest/download

1. Run WinRadius.exe, and create a user.

2. The log will display a success message confirming the user was added.

3. Use RadiusTest.exe to test whether the user can authenticate successfully. As shown in the example below, authentication succeeds:

B. Install Client Software (Configure via Network Camera Web Interface)

Notes:

1. EAPOL Version: Select 1 for TP-Link switches, select 2 for Cisco switches.

2. Username/Password should match what was configured in the RADIUS Server (e.g., test/password).

C. Configure 802.1X Global Parameters
Network Security → 802.1X Authentication → Global Configuration

· TP-Link Interface Example:

· Cisco Interface Example:

D. Configure Authentication Server Parameters

Network Security → 802.1X Authentication → RADIUS Configuration

· TP-Link Interface Example:

· Cisco Interface Example:

Notes:

1. Ensure that the switch, the PC and the Network Camera are on the same subnet.

2. Cisco: In the radio button section, select Plaintext and enter the Server Secret Key from WinRadius, not the username/password.

3. Cisco: Once a server is added, it cannot be edited; you must delete the existing server and add a new one.

4. Cisco (Edit RADIUS Server): In the radio button section, select Plaintext and input the Server Secret Key from WinRadius.

E. Configure 802.1X Parameters for Each Port
Network Security → 802.1X Authentication → Port Configuration
Configure the 802.1X function parameters for each switch port according to the actual network setup.

· TP-Link Interface Example:

· Cisco Interface Example:

Notes:

1. TP-Link: Edit the port connected to the Network Camera → Change Status to Enabled → Set Control Mode to Auto → Set Control Type to Port-Based

2. Cisco: Edit the port connected to the Network Camera → Enable Current Port Control

3. Cisco supports configuration of the Reauthentication Period.

F. Result Verification

1. When 802.1X is enabled and all configurations are completed, the PC should be able to access the Network Camera successfully.

2. If 802.1X is disabled on the Network Camera’s web interface, the PC will not be able to access the Network Camera.

3. If the port configuration for the Network Camera on the switch is changed:

    · Set to Disabled → PC cannot access the Network Camera

    · Set to Force Authorized (Pass) → PC can access the Network Camera regardless of the 802.1X status on the Network Camera

    · Set to Auto → PC can access the Network Camera only after the Network Camera successfully authenticates

If you have any questions or concerns, please feel free to contact us at support@milesight.com.