topic Re: Axis security cameras on ISE, authenticating too often in Network Access Control

Axis security cameras on ISE, authenticating too often

Josh Morris — Thu, 15 Oct 2020 14:44:25 GMT

I am running ISE 2.2 p16.

I have a bunch of Axis security cameras, and all of them appear to be trying to reauth every minute or so. Typically, this isn't a problem, but some cameras will drop offline. I can see the following message in ISE.

FailureReason

12929 NAS sends RADIUS accounting update messages too frequently

Here is my switchport config...

interface GigabitEthernet2/5
 switchport access vlan 42
 switchport mode access
 switchport voice vlan 74
 ip device tracking maximum 10
 logging event link-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 42
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 300
 service-policy input QoS-Input-Policy
 service-policy output QoS-Host-Port-Output-Policy
end

The ISE policy uses MAB and moves the endpoint to a group and changes VLAN.

Does anyone know why this is happening and how I can stop it?

Re: Axis security cameras on ISE, authenticating too often

Arne Bier — Thu, 15 Oct 2020 22:38:00 GMT

Do you send a customer Session-Timeout with each successful camera authentication? Perhaps you should not return a Session-Timeout value

In my case (802.1X/MAB on a Cisco 9300) I have not sent a Session-Timeout from ISE and the switch tells me:

Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A

There is of course still an Accounting update, which I set to 2880 minutes (2 days) so that any active session over 2 days will still send Accounting to ISE (for session keepalive)

Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 171250s
Common Session ID: 0702A8C0000001F72E4CBE3A
Acct Session ID: 0x000000c9
Handle: 0x520001ec
Current Policy: ISE_AUTH_POLICY

Re: Axis security cameras on ISE, authenticating too often

Josh Morris — Fri, 16 Oct 2020 13:12:50 GMT

Thanks, I am currently not sending any session timeout to my security cameras, and my acct update is 7 hours. But I am seeing re-auths on these things every couple minutes. We got a login to one of the cameras and will check into it to see if its doing anything weird.

Of course, if we statically set the port without any radius config, the camera works just fine with no issues.

Re: Axis security cameras on ISE, authenticating too often

hogoqo — Mon, 17 Jun 2024 19:47:55 GMT

I am having a similar issue with the Axis Cameras. Did you guys find a solution to this issue?

Re: Axis security cameras on ISE, authenticating too often

mgweston1 — Fri, 03 Jan 2025 20:57:14 GMT

I too am having issues with Axis cameras staying connected to ports that we have ISE configured on. Once we remove the ISE authentication statements from the port, the cameras work correctly and do not disconnect. The symptom seen is the port is up, up (connected) but the authorized session loses its IP address, states Unknown for both IPv4 and IPv6. The dACL is in place and everything else looks good, just loses the IP address.

Re: Axis security cameras on ISE, authenticating too often

PSM — Sun, 05 Jan 2025 18:14:36 GMT

@mgweston1 can you paste full config from the interface and what model and firmware Axis cameras has ? Have a lot cameras and working without any issue.

Re: Axis security cameras on ISE, authenticating too often

mgweston1 — Mon, 06 Jan 2025 16:55:14 GMT

Thank you for reaching out. Here is the configuration on all switch access ports on the 9300 Catalyst switch:

switchport access vlan 2
switchport mode access
switchport voice vlan 102
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server dead action reinitialize vlan 2
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
trust device cisco-phone
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 5
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy

Here is my list of Axis Cameras with current firmware:

Axis P1447-LE = 11.11.124
Axis P12 Mkll = 9.80.85
Axis M3206-LVE = 10.12.262

The first two don't seem to have an issue at this time, just the M3206-LVE model.

Re: Axis security cameras on ISE, authenticating too often

Arne Bier — Tue, 07 Jan 2025 21:04:21 GMT

What type of authentications are you seeing in ISE? I have noticed lately that newer cameras from factory are coming with 802.1X enabled by default, and this will cause the camera to constantly try 802.1X and fail (because it's not setup correctly and RADIUS server is not able to handle such a state). Then the cam fails back to MAB, and then 60 seconds later the 802.1X kicks in again, and repeats ad nauseum. I then have to remove NAC commands on the interface, tell the Axis admins to disable 802.1X on the camera, and then re-enable NAC commands.

The ideal situation is for cameras to have 802.1X enabled with certificates - if you can do this successfully then you have a good situation on your hands - and I would even go as far as disabling MAB on those interfaces for the ultimate port security.

Re: Axis security cameras on ISE, authenticating too often

thomas — Wed, 08 Jan 2025 20:04:20 GMT

It sounds like authentication works but when a re-authentication occurs that the camera is disconnected and never comes back. This could be an issue with your ISE Authorization Profile which you have not included.

In your Authorization Profile for you cameras, verify you are using Reauthentication (1800 is the default but I would go with at least 60 * 60 * 8 = 28800) and ensure Maintain Connectivity During Reauthentication is set to RADIUS-Request. This is actually controlling RADIUS attribute 29 for Termination-Action where the default is to disconnect then perform a reauthentication. Using RADIUS-Request instead of Default tells it to maintain the connection (do not disconnect) while performing the re-authentication.

Re: Axis security cameras on ISE, authenticating too often

StevieC666 — Tue, 25 Feb 2025 20:28:06 GMT

Hi Arne,

Most interesting. I stumbled upon this thread as I've been pouring over the Axis network onboarding documentation, which is Aruba focused, so thought I'd give a little Google to Axis and ISE.

We currently have around 700 IP cameras across two fabric sites which we onboard with MAB and have done successfully since we migrated to SD-Access in 2021. We're about to refresh the cameras and have started recieving new Axis cameras today.

We're planning on leveraging 802.1x to enable faster onboarding and to reduce the risk of MAC fraud. We're running ISE 3.3 Patch 4 with mainly IOS-XE 17.9.5 (although we've started testing 17.15.2)

I'll be back to this thread to see any updates and also share anything interesting we find.

Re: Axis security cameras on ISE, authenticating too often

Arne Bier — Tue, 25 Feb 2025 21:34:26 GMT

Hi @StevieC666

Keep an eye on those newer Axis cameras - in my recent experience with a MAB scenario, the camera vendor ships them with 802.1X enabled, and this is not great because the certs are self-signed etc. and you get 802.1X failed errors in ISE every minute until 802.1X is disabled on that camera.

If you can swing a unique cert onto each camera using the Axis management tool, I'd be interested to know how it has evolved - the last time I checked, there was no enterprise grade way of managing a large fleet of cameras. I am imagining something like what Cisco/Avaya do with deskphones (where the phones auto-enrol for a cert to their management platform via SCEP protocol) - creating thousands of certs manually is reason enough to not want to do this - so the vendors have to be "persuaded" to make their products more useable.

Re: Axis security cameras on ISE, authenticating too often

Arne Bier — Fri, 03 Oct 2025 06:14:58 GMT

Been fighting with Axis camera 802.1X for some hours - it turns out that I had a Security Setting disabled in ISE 3.4 - I think the ISE default had this enabled - but it seemed "sensible" to disable it to improve security - but Axis cameras don't authenticate without this - neither the latest Device Manager signed certs, nor the Axis 802.1AR factory certs. Either they are violating the best practices, or the RFCs are too loose - I don't know. Axis seem to know what they're doing.