Bosch IP cameras: authentication failed in RADIUS server due to unsupported certificate

Possible causes and solution(s)

Symptoms

During the authentication process with Bosch cameras to a RADIUS server, the event “5400 Authentication failed” occurs.

Even that the certificates were generated, uploaded to camera, uploaded to server, in the authentication process in the last step, this message is displayed.

Solution

To be able to make the dot1.x work with the certificate, you have to modify the Certificate:

• the Enhanced Key Usage to only “Client Authentication”
• and add a Subject Alternative Name: your EAP identity
  note: According to RFC5216 the EAP-TLS Identity must be identical to the 'subjectAltName' field in the certificate

Then, the Bosch camera should authenticate via 802.1x

  Nice to know:

• How to setup Certificate based authentication with Bosch? 
• How to create CA signed certificates for cameras and distribute CA certificate in large systems

If the above recommendation doesn’t solve the failure, please provide the Central Technical Support team with the following:

• Wire-shark from port mirror where camera gets connected to

• First start the capture before plugin the camera to the switch

• Gather all used certificates + passwords if needed
• Camera Config file (pull at time off other logs) + passwords for service and loading
• Camera maintenance log
• Network diagram
• Configuration/settings + used certificates of authenticating server
• Install on the Wireshark PC a syslog server and configure printouts: syslog_dbg; eapol; ssl; this way the syslog server starts automatically collecting when camera gets connected to the switch and is in sync with the matching WireShark
• Are there other cameras that work with EAP-TLS? If yes, please let us know the model of the other camera that are working with these certificates.
• a screenshot showing the client and server certificates and its usage that has been assigned. Similar with: