I have a closed network for security cameras. I want only authorized cameras to be able to connect to the Network Switch. If the Switch supports 802.1x authentication, and so do the cameras, could I use a RADIUS Server to control access of these cameras to the network?

What I want to achieve is that when a security camera that is not registered in the RADIUS Server connects to the Switch, it doesn't get access (the Switch port denies the connection), so it gets no access at all.

Note that there are no users logging in at any point, just the cameras connecting to the Switch.

  • Yes, that's what a RADIUS server does. – Michael Hampton Jul 28 '16 at 22:42
  • @MichaelHampton I have been searching for information on the web, but all I find are examples where the RADIUS is part of a Domain, and there are users logging in (e.g. Wireless AP). Could you please shed some light on how I could do what I wrote in my question? – HelloExchangers Jul 28 '16 at 22:49
  • It'd help if you described what type of computers/network you're using. Within Windows, one option is NPS, but that requires Active Directory for a user database. You create a service account in your AD, and then configure the device to use those credentials to authenticate to the switch. In Linux, FreeRADIUS seems to be a popular choice, with a wider range of sources. – DarkMoon Jul 28 '16 at 23:09
  • @DarkMoon The thing is that there's no Active Directory, nor are there computers in this network. I only have a Windows Server 2012 R2 with RADIUS Server features installed. The other network components are the Switch(es) and the Security Cameras, and that's it. Can I still use RADIUS to permit access to the cameras connecting to the Switch(es)? – HelloExchangers Jul 28 '16 at 23:14
  • https://technet.microsoft.com/en-us/library/dd197535%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 – Michael Hampton Jul 28 '16 at 23:17
  • When you say "Windows Server 2012 R2 with RADIUS Server", I presume you mean NPS? AFAIK, NPS can only use AD as a user database; without AD, it won't work. However, FreeRADIUS has a Windows version; I tried it before moving to NPS, but couldn't make AD, Samba and FreeRADIUS play nice together. Since you don't have to worry about that, you can create your authentication accounts right within FreeRADIUS. Having said that, there's a bit of a learning curve to RADIUS and 802.1X; be ready to do a lot of reading. :-) – DarkMoon Jul 28 '16 at 23:18
  • @Michael Hampton: MAC address authentication is a very poor alternative. I've only ever used it if I absolutely can't use anything else, because it's better than nothing, but not by much. Sniffing the MAC address from the packets coming out of the device and spoofing it is trivial these days. Physical security is better than this. – DarkMoon Jul 28 '16 at 23:20
  • @DarkMoon If you have a better idea for authenticating a relatively stupid IP camera, I'm all ears. – Michael Hampton Jul 28 '16 at 23:21
  • @Michael Hampton: He mentions that the switch and cameras both support 802.1X; I take that to mean that he can configure it with an account and some sort of security (EAP, MS-CHAP, etc) on both sides. – DarkMoon Jul 28 '16 at 23:25
  • Sorry for my poor use of technical terminology. But yes, in the end I need what @MichaelHampton said... I need to authenticate the IP Security Camera against the RADIUS Server and either allow or deny access to the Switch. If I have to create a user for it, I can, even if no one will ever actually use it, just for the "user logging" requirement. – HelloExchangers Jul 28 '16 at 23:28

0 Answers
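An added example, not part of the original thread: a minimal FreeRADIUS 3 setup for the approach raised in the comments, where each camera gets a local account and no Active Directory is involved. The file paths follow the usual FreeRADIUS 3 layout; the switch address, shared secret, camera names and passwords are constructed placeholders, and the switch itself must be pointed at this server with the same shared secret and have 802.1X enabled on the camera ports.

```conf
# ---- clients.conf ---------------------------------------------------
# A RADIUS "client" is the switch (the 802.1X authenticator), not the
# camera. Only devices listed here may send Access-Requests.
client camera-switch-1 {
    ipaddr    = 192.0.2.10          # placeholder: management IP of the switch
    secret    = REPLACE-WITH-LONG-RANDOM-SHARED-SECRET
    shortname = camsw1
}

# ---- mods-config/files/authorize  (the "users" file) ----------------
# One account per camera, so a single camera can be revoked without
# touching the others. The camera's 802.1X supplicant is configured
# with the same identity and password.
camera-lobby-01   Cleartext-Password := "REPLACE-unique-password-1"
camera-dock-02    Cleartext-Password := "REPLACE-unique-password-2"

# A camera that presents an identity with no entry above has no
# password to be checked against, so the server answers Access-Reject
# and the switch leaves the port unauthorized.
```

Running the server in the foreground with `freeradius -X` (`radiusd -X` on some distributions) prints each request and the reason for every accept or reject, which is the quickest way to confirm that an unregistered camera is refused.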