Axis security cameras on ISE, authenticating too often

Josh Morris
Level 3

I am running ISE 2.2 p16.

 

I have a bunch of Axis security cameras, and all of them appear to be trying to reauth every minute or so. Typically, this isn't a problem, but some cameras will drop offline. I can see the following message in ISE.

FailureReason

12929 NAS sends RADIUS accounting update messages too frequently

Here is my switchport config...

interface GigabitEthernet2/5
 switchport access vlan 42
 switchport mode access
 switchport voice vlan 74
 ip device tracking maximum 10
 logging event link-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 42
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 300
 service-policy input QoS-Input-Policy
 service-policy output QoS-Host-Port-Output-Policy
end

The ISE policy uses MAB and moves the endpoint to a group and changes VLAN. 

 

Does anyone know why this is happening and how I can stop it?

 

10 Replies

Arne Bier
VIP

Do you send a custom Session-Timeout with each successful camera authentication? Perhaps you should not return a Session-Timeout value.

 

In my case (802.1X/MAB on a Cisco 9300) I have not sent a Session-Timeout from ISE and the switch tells me:

 

Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A

 

There is of course still an Accounting update, which I set to 2880 minutes (2 days) so that any active session over 2 days will still send Accounting to ISE (for session keepalive)

 

Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 171250s
Common Session ID: 0702A8C0000001F72E4CBE3A
Acct Session ID: 0x000000c9
Handle: 0x520001ec
Current Policy: ISE_AUTH_POLICY

Thanks, I am currently not sending any session timeout to my security cameras, and my acct update is 7 hours. But I am seeing re-auths on these things every couple of minutes. We got a login to one of the cameras and will check into it to see if it's doing anything weird.

 

Of course, if we statically set the port without any radius config, the camera works just fine with no issues. 

hogoqo
Level 1

I am having a similar issue with the Axis Cameras. Did you guys find a solution to this issue?

I too am having issues with Axis cameras staying connected to ports that we have ISE configured on. Once we remove the ISE authentication statements from the port, the cameras work correctly and do not disconnect. The symptom seen is the port is up, up (connected) but the authorized session loses its IP address, states Unknown for both IPv4 and IPv6. The dACL is in place and everything else looks good, just loses the IP address.

What type of authentications are you seeing in ISE? I have noticed lately that newer cameras from the factory are coming with 802.1X enabled by default, and this will cause the camera to constantly try 802.1X and fail (because it's not set up correctly and the RADIUS server is not able to handle such a state). Then the cam fails back to MAB, and then 60 seconds later the 802.1X kicks in again, and repeats ad nauseam. I then have to remove NAC commands on the interface, tell the Axis admins to disable 802.1X on the camera, and then re-enable NAC commands.

The ideal situation is for cameras to have 802.1X enabled with certificates - if you can do this successfully then you have a good situation on your hands - and I would even go as far as disabling MAB on those interfaces for the ultimate port security.
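Added example, not from any poster in this thread: a small Python script that runs over constructed, simplified authentication log lines and flags endpoints that re-pass MAB every minute or two right after a dot1x failure, the fail-then-fallback loop described above. The log format and MAC addresses are made up for the example and are not ISE's real export format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "timestamp mac method result" per line.
# The MACs are locally administered (made up); the format is simplified,
# not a real ISE RADIUS live-log export.
SAMPLE_LOG = """\
2025-01-08T10:00:00 02:00:00:aa:bb:01 dot1x FAIL
2025-01-08T10:00:05 02:00:00:aa:bb:01 mab PASS
2025-01-08T10:01:05 02:00:00:aa:bb:01 dot1x FAIL
2025-01-08T10:01:10 02:00:00:aa:bb:01 mab PASS
2025-01-08T10:02:10 02:00:00:aa:bb:01 dot1x FAIL
2025-01-08T10:02:15 02:00:00:aa:bb:01 mab PASS
2025-01-08T10:00:00 02:00:00:aa:bb:02 mab PASS
2025-01-08T18:00:00 02:00:00:aa:bb:02 mab PASS
"""


def parse_log(text):
    """Parse the simplified log into sorted (time, mac, method, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, method, result = line.split()
        records.append((datetime.fromisoformat(ts), mac.lower(), method, result))
    return sorted(records)


def analyse(records, max_interval_s=120):
    """Per endpoint: number of passes, shortest gap between consecutive passes,
    whether that gap is short enough to count as flapping, and whether a MAB
    pass directly followed a dot1x failure (camera shipped with 802.1X on)."""
    by_mac = defaultdict(list)
    for rec in records:
        by_mac[rec[1]].append(rec)
    report = {}
    for mac, evs in by_mac.items():
        pass_times = [ts for ts, _, _, r in evs if r == "PASS"]
        gaps = [(b - a).total_seconds() for a, b in zip(pass_times, pass_times[1:])]
        fallback = any(p[2] == "dot1x" and p[3] == "FAIL" and c[2] == "mab" and c[3] == "PASS"
                       for p, c in zip(evs, evs[1:]))
        report[mac] = {
            "passes": len(pass_times),
            "min_gap_s": min(gaps) if gaps else None,
            "flapping": bool(gaps) and min(gaps) < max_interval_s,
            "dot1x_fallback": fallback,
        }
    return report
```

An endpoint flagged with both `flapping` and `dot1x_fallback` is the candidate for having 802.1X disabled (or properly provisioned with a certificate) on the camera side.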

Hi Arne,

Most interesting. I stumbled upon this thread as I've been poring over the Axis network onboarding documentation, which is Aruba focused, so thought I'd give a little Google to Axis and ISE.

We currently have around 700 IP cameras across two fabric sites which we onboard with MAB and have done successfully since we migrated to SD-Access in 2021. We're about to refresh the cameras and have started receiving new Axis cameras today.

We're planning on leveraging 802.1X to enable faster onboarding and to reduce the risk of MAC fraud. We're running ISE 3.3 Patch 4 with mainly IOS-XE 17.9.5 (although we've started testing 17.15.2).

I'll be back to this thread to see any updates and also share anything interesting we find.

Hi @StevieC666 

Keep an eye on those newer Axis cameras - in my recent experience with a MAB scenario, the camera vendor ships them with 802.1X enabled, and this is not great because the certs are self-signed etc. and you get 802.1X failed errors in ISE every minute until 802.1X is disabled on that camera.

If you can swing a unique cert onto each camera using the Axis management tool, I'd be interested to know how it has evolved - the last time I checked, there was no enterprise-grade way of managing a large fleet of cameras. I am imagining something like what Cisco/Avaya do with deskphones (where the phones auto-enrol for a cert to their management platform via the SCEP protocol) - creating thousands of certs manually is reason enough to not want to do this - so the vendors have to be "persuaded" to make their products more usable.

 

It sounds like authentication works but when a re-authentication occurs that the camera is disconnected and never comes back. This could be an issue with your ISE Authorization Profile which you have not included.

In your Authorization Profile for your cameras, verify you are using Reauthentication (1800 is the default but I would go with at least 60 * 60 * 8 = 28800) and ensure Maintain Connectivity During Reauthentication is set to RADIUS-Request. This is actually controlling RADIUS attribute 29 for Termination-Action, where the default is to disconnect then perform a reauthentication. Using RADIUS-Request instead of Default tells it to maintain the connection (do not disconnect) while performing the re-authentication.

 

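Added example, not from the reply above or from ISE: encoding and decoding the two RADIUS attributes the Authorization Profile's Reauthentication settings map to, Session-Timeout (type 27) and Termination-Action (type 29, value 0 = Default, 1 = RADIUS-Request, per RFC 2865), and reading back what a given Access-Accept tells the switch to do when the timer expires.

```python
import struct

# Standard RADIUS attribute types and values from RFC 2865 (not page-specific).
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TERM_DEFAULT = 0         # ISE "Default": drop the session, then re-authenticate
TERM_RADIUS_REQUEST = 1  # ISE "RADIUS-Request": keep the session up while re-authenticating


def encode_attrs(session_timeout=None, termination_action=None):
    """Build the attribute section of an Access-Accept carrying the two
    attributes an ISE Authorization Profile's Reauthentication settings control.
    Each is a type/length/value TLV: 1-byte type, 1-byte length (6), 4-byte int."""
    out = b""
    if session_timeout is not None:
        out += struct.pack("!BBI", SESSION_TIMEOUT, 6, session_timeout)
    if termination_action is not None:
        out += struct.pack("!BBI", TERMINATION_ACTION, 6, termination_action)
    return out


def decode_attrs(data):
    """Walk a RADIUS attribute list; returns {type: raw value bytes}.
    Rejects a length that is too short or runs past the buffer."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length at offset %d" % pos)
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def reauth_behaviour(data):
    """Describe what the switch does with this Access-Accept at timer expiry.
    No Termination-Action attribute is treated as Default, as RFC 2865 states."""
    attrs = decode_attrs(data)
    if SESSION_TIMEOUT not in attrs:
        return "no reauth timer from RADIUS (switch shows 'Session timeout: N/A')"
    timeout = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0]
    action = TERM_DEFAULT
    if TERMINATION_ACTION in attrs:
        action = struct.unpack("!I", attrs[TERMINATION_ACTION])[0]
    if action == TERM_RADIUS_REQUEST:
        return "reauth every %ds, session kept up (RADIUS-Request)" % timeout
    return "reauth every %ds, session dropped first (Default)" % timeout
```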

 

PSM
Level 1

@mgweston1 can you paste the full config from the interface and what model and firmware the Axis cameras have? I have a lot of cameras and they are working without any issue.

Thank you for reaching out. Here is the configuration on all switch access ports on the 9300 Catalyst switch:

switchport access vlan 2
switchport mode access
switchport voice vlan 102
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server dead action reinitialize vlan 2
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
trust device cisco-phone
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 5
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy

 

Here is my list of Axis Cameras with current firmware:

Axis P1447-LE = 11.11.124
Axis P12 Mkll = 9.80.85
Axis M3206-LVE = 10.12.262

The first two don't seem to have an issue at this time, just the M3206-LVE model.