13[User mng.] to set authentication

On the user management page, authentication registration is performed to restrict users and PCs (IP addresses) that can be accessed from a PC, mobile terminal, or tablet terminal.
User-managed pages consist of the [User auth.], [Host auth.], [IEEE 802.1X], and [Data encryption] tabs.
[Note:]

・The items that can be set differ depending on the function of the model.


・Refer to the catalog specifications for the functions installed in each model.


On the Users Administration page, press the [User auth.] tab. Refer to the following how to display and operate the Advanced menu.
5.1 How to display
5.2 How to operate
Here, authentication settings are made to restrict users who can access the computer from a PC, mobile terminal, or tablet terminal. Up to 24 users can be registered.
[Note:]

・If you fail user authentication (authentication error) five or more times in 10 seconds from a PC with the same IP address, you will not be able to access the machine for 30 seconds.


・You can change the conditions and period when the machine becomes inaccessible.
13.6 [Security] to configure security


[User auth.]
Use [On] and [Off] to set whether to authenticate users.
[Guest User]
Select whether to set unregistered users. Selecting [Use] enables you to configure both available and unavailable features for non-user-authenticated users.
[Authentication]
Set the authentication method to use for user authentication.
Digest or Basic:Use digest or basic authentication.
Digest:Use digest authentication.
Basic:Use basic authentication.
[Note:]

・To ensure security, [Digest] is recommended for [Authentication]. If you use [Digest or Basic] or [Basic], [User name] and [Password] may leak.


・If you change the [Authentication] setting, close the web browser and re-access it.


[User name registration]
At the time of new registration, a new username is registered in [User name]. By clicking [▼] on the [User name registration], you can check the registered users. Registered users are displayed in [Registered Username [Access level]]. (e.g., admin [1])
Clicking Change on the right-hand side displays the selected user [User name] and allows the user to change the password. You can delete the selected users by clicking [Delete].
[User name (1 to 32 characters)]
Provide User Name
Number of characters that can be entered:1 to 32 characters
Characters that cannot be entered:Double-byte and single-byte symbols " & : ; ¥
[Note:]

・Enter the registered user name and press [Register] to overwrite the user information.


[Password]/[Password (8 to 32 characters)]
Type a password.
Number of characters that can be entered:8 to 32 characters
Characters that cannot be entered:Double-byte and single-byte symbols " &
[Note:]

Enter case-sensitive data.


Use at least three of the following passwords: uppercase alphabetic characters, lowercase alphabetic characters, numbers, and symbols.


Configure the password so that it does not contain the user name.


[Access level]
Set the user access level from the following.
1. [Administrator]You can perform all of the operations of this product.
2. [Camera control]:Set the access level to camera control. The functions selected in [Access Level] can be operated.
3. [Live only]:Set the access level to live image display. The functions selected in [Access Level] can be operated.
[Access Level]
Select a function that can be used according to the user's access level (camera control, live image display, unregistered user).

If [User auth.] is set to [Off] and [Guest User] is set to [Not use]:
[Access Level] items cannot be set. In addition, all buttons are displayed in the live picture, but authentication is required for the [Set] button.


If [User auth.] is set to [Off] and [Guest User] is set to [Use]:
You can set the [Guest User] items.


If [User auth.] is set to [On]:
[Guest User] items cannot be set.


Configure these features:
Live image selection
Right to select the image to be displayed in live picture
Listen to
Setting authority of earpiece voice (heard on PC)
Speak to
Setting authority for voice transmission (speaking from PC)
Image update interval
Right to set the interval for updating the JPEG image
Snapshot
Snapshot operation privileges
Recording and playback (Log display)
Log display operation privileges
Manual recording/deletion
SD Memory Card saving/deletion privilege
Preset
Operation privileges for the preset position movement
Pan/tilt operation
Pan/tilt operation authority
Zoom operation
Zoom operation authority
Focus operation
Focus operation privileges
Automatic mode
Auto mode operation privileges
Brightness
Authority to set brightness
AUX
Aux setting authority
Preset position setting
Operation authority of preset position setting
[Note:]

・The items that can be set differ depending on the function of the model.


・Refer to the catalog specifications for the functions installed in each model.


On the Users Administration page, press the [Host auth.] tab. Refer to the following how to display and operate the Advanced menu.
5.1 How to display
5.2 How to operate
Here, the host authentication setting that restricts the PC (IP address) to which the computer can be accessed is performed.
[Host auth.]
On/Off is used to specify whether or not to perform host authentication.
[Note:]

・Register the IP addresses of the PCs, and then set [Host auth.] to [On].


・User authentication is required when user authentication is [On], regardless of how hosted authentication is configured.


[IP address]
Enter the IP address of the PC to allow access to the computer. You cannot enter a host name as an IP address.
[Note:]

・If you enter IP Address/Mask Length for the subnet, you can restrict the PC that can be accessed for each subnet. For example, if you enter [192.168.0.1/24] and select [2. Camera control] as the access level, PCs [192.168.0.1] through [192.168.0.254] can access the computer at the [2. Camera control] access level.


・Enter the registered IP address and press [Register] to overwrite the host information.


・If the error message [Set Address] is displayed, the IP address of the PC may not be set correctly. Check the IP address of the PC.


・If you receive an error message [Register the [IP address] of the PC used for setting and then set [Host auth.] to [On]], the IP address of the PC may not be set correctly. Reaffirm the IP address setting of the PC.


[Access level]
Select the host access level from the following.
[1. Administrator]/[2. Camera control]/[3. Live only]
Please refer to the following for the access level.
13.1 [User auth.] to configure user-authentication
[Host check]
Click [▼] on the [Host check] to check the IP addresses of registered hosts.
Hosts are displayed as Registered IP Addresses [Access level]. (e.g. 192.168.0.21 [1])
You can delete the selected hosts (IP addresses) by clicking [Delete].
[Note:]

・[MULTI] The priority stream can be selected only for Multi-directional cameras.


On the Users Administration page, press the [System] tab.
5.1 How to display
5.2 How to operate
Here, you can configure a priority stream that delivers images without reducing image quality or image update speed, even if multiple users have access to it at the same time.
Priority stream
[Activation]
On/Off determines whether to use priority stream delivery.
[Note:]

・If [Activation] is set to [On], the number of accessible users might be limited.


[Destination IP address(1)]
Enter the IP address of the first destination.
[Destination IP address(2)]
Enter the IP address of the second destination.
[Note:]

・[MULTI2U] Only [Destination IP address(1)] can be set.


[Stream type]
Select either [Stream(1)] or [Stream(2)].
[Stream (1)]:The stream (1) image is delivered.
[Stream (2)]:The stream (2) image is delivered.
On the Users Admin page, press [IEEE 802.1X]. Refer to the following how to display and operate the Advanced menu.
5.1 How to display
5.2 How to operate
Here, settings are made for IEEE 802.1X.
This function can be used to build a secure network environment using the authentication LAN switch. For authentication LAN switches, contact your network administrator. The procedure varies depending on the [EAP method]. Follow the procedure below. If [IEEE 802.1X] is [On], start the setting with [IEEE 802.1X] set to [Off].
[IEEE 802.1X]
Configure on/off whether to perform port authentication by IEEE 802.1X.
[User name]
Enter the user name that accesses the authentication LAN switch or the user name registered with the server.
Enter any username if it is not registered on the server.
Number of characters that can be entered:1 to 32 characters
Characters that cannot be entered:Full-pitch and half-pitch alphanumeric characters " & : ; ¥
[Password] [Retype password]
Enter the password to access the authentication LAN switch.
Number of characters that can be entered:4 to 32 characters
Characters that cannot be entered:Full-pitch and half-pitch alphanumeric characters " &
[CA Certificate] ‑ [Certificate install]
Install the root CA certificate. Do not include intermediate CA certificates.
Only when [IEEE 802.1X] is [Off] can you install it.
■CA Certificate Specifications
Item
Specifications
Remarks
Data format
PEM format or DER format
Extension pem or der
Maximum number of certificates included in the PEM format
1 piece
Maximum certificate size
About 10 kB
[CA Certificate] ‑ [Information]
Not installed:Have no certificates installed
[CA certificate host name]:Displayed when installed
[Expired]:Certificate expired
The [Execute] buttons enable you to view more information about CA certificates.
You can delete a CA certificate by using the [Delete] buttons.
[Note:]

・Verify that the CA certificate has not expired. If you use an expired certificate, you may not be able to connect to the authentication LAN switch.


[Private key or Client Certificate including private key]-[Installation]
Install a client certificate that contains a private key or private key.
Only when [IEEE 802.1X] is [Off] can you install it.
■Specification of Client Certificate with Private Key or Private Key
Item
Specifications
Remarks
Data format
PEM format or PFX format
Extension pem or pfx
Key length [bit]
1024/ 1536/ 2048/ 3072/ 4096
Maximum number of certificates included in the PEM format
6 pieces
Maximum certificate size (including intermediate CA certificates)
About 10 kB

[Private key or Client Certificate including private key]-[Password(0 to 30 characters)]
Enter the password if the private key is encrypted or if the password is set on a PFX client certificate. If it is not encrypted, leave it blank.
Number of characters that can be entered:0 to 30 characters


[Private key or Client Certificate including private key]-[Install status of private key]
Not installed:If not installed
Installed:If installed
The [Delete] buttons allow you to delete private keys.


[Client Certificate] ‑ [Installation]
Install the client certificate.
If it is signed by an intermediate CA, install it with the intermediate CA certificate on the client certificate.
Only when [IEEE 802.1X] is [Off] can you install it.


Client Certificate Specifications
Item
Specifications
Remarks
Data format
PEM format
Extension pem
Maximum number of certificates included in the PEM format
6 pieces
Maximum certificate size (including intermediate CA certificates)
About 10 kB
[Client Certificate] ‑ [Information]
Not installed:Have no certificates installed
[Host name of the certificate]:Displayed when installed
[Expired]:Certificate expired
The [Execute] buttons enable you to view more information about client certificates.
You can delete client certificates by using the [Delete] buttons.
[Note:]

・Make sure the client certificate has not expired. If you use an expired certificate, you may not be able to connect to the authentication LAN switch.


[EAP method]
Select the authentication method from [EAP-PEAP], and [EAP-TLS].
EAP‑PEAP
1
Select [On] in [IEEE 802.1X].
2
Select [EAP-PEAP] in [EAP method].
3
Enter [User name] and [Password]/[Retype password] and press [Set].
[Note:]

・If you upgrade while [EAP-MD5] is set in [EAP method], the [EAP method] operates using [EAP-MD5]. Click the [Set] button to change [EAP method] to the selected EAP method.


EAP‑TLS
1
In the [CA Certificate] [Certificate install], click the Select Files button, select the CA certificate, and then click the [Execute] button.
[Information] displays the host name (Common Name) you specified when creating certificates.
2
Click the File button on the Client Certificate that contains the private key or private key and select the client certificate that contains the private key or private key.
3
Enter [Password] if the private key is encrypted or if the password is set to a PFX-based client certificate. If it is not encrypted, leave it blank.
4
You install by clicking [Execute].
[Installed] is displayed on the [Install status of private key].
For Client Certificates containing private keys, the [Client Certificate] [Information] also displays [Installed].
5
If you installed a private key in step 2, click the Select Files button on the [Client Certificate], select the client certificate, and then click the [Execute] button.
[Information] displays the host name (Common Name) you specified when creating certificates.
6
Select [On] in [IEEE 802.1X] and select [EAP-TLS] in [EAP method].
7
Enter the user name registered with the server in [User name] and press [Set].
Enter any username if it is not registered on the server.
You do not need to enter [Password]/[Retype password].
[Note:]

・To delete individual certificates, set [IEEE 802.1X] to [Off].


・Confirm that the CA and client certificates have not expired. The port authentication feature may not be available if it is expired.


Example of [CA Certificate Confirmation] window
[Client Certificate Confirmation Screen] example
[Important]

・If the camera cannot be accessed for some reason after the camera is set to [On] by [IEEE 802.1X], connect the camera to an unauthenticated switch or port. IEEE802.1X will be disabled and the camera will be accessible.


・If the client certificate contains an intermediate CA certificate, the client certificate must be first followed by the order of the intermediate CA certificate.


・When a certificate exceeding 10 kB is installed, no error is displayed during installation, but error may occur during connection.


On the Users Admin page, press [Data encryption]. Refer to the following how to display and operate the Advanced menu.
5.1 How to display
5.2 How to operate
Here, the data encryption settings are made.
The data encryption settings for each camera are described below.
PTZ camera, Fixed cameras
Click + on the left side of the setting screen to expand the item and display the detailed setting.
Click-> on the left of each expanded item to return to the previous window.

[Data encryption (Batch change)]Use [On]/[Off] to enable/disable encryption.
[On]:Enable data encryption. Encrypt all streams, all JPEG, and audio [AAC-LC].
[Off]:Disables data encryption.
[Stream], [JPEG]
[On] and [Off] individually configure whether to enable data encryption for each stream and each JPEG.
[Encryption password], [Retype encryption password]
Set the data encryption password.
Number of characters that can be entered:4 to 16 characters
Characters that cannot be entered:Double-byte and single-byte symbols " &
[Important]

・When setting data encryption to [On], it is recommended that the total bit rate of the streams be set to 16 Mbps or less.


・When data encryption is set to [On], images cannot be viewed by browsers. To view the encrypted video, use our compatible equipment.


・Data-encrypted MP4 files and JPEG images cannot be viewed on the browser playback page. Download to the PC and check with the decoding tool. For decoding tools, please refer to our technical information website<Control No. C0310>.


[Note:]

・If [Data encryption (Batch change)] is [On], the audio [AAC-LC] is encrypted ([G.726] [G.711] is not encrypted). To encrypt both video and audio, set [Data encryption (Batch change)] to [On] and set the audio [Audio input encoding format] to [AAC-LC].


・For encrypted MP4 files and JPEG images, the video can be viewed using a decoding tool.


・[New X Fixed-8MP][New X Fixed-6MP][New X Fixed-5MP]If [Image capture mode] is set to [60fps Mode] or [50fps Mode], [Encryption] of [Stream(2)] to [Stream(4)] and [JPEG(1)] [JPEG(2)] cannot be changed to [On].


Displaying pull-down menus when data encryption is enabled
For streams with data encryption enabled in both the [Live view] pull-down menu and the in-screen pull-down menu<Encrypted>The message is displayed.
[Note:]

・The [Multi-sensor + PTZ] is displayed only for Multi-directional + PTZ.


[Live view] pull-down menu on the live screen
[Live view] pull-down menu in the setting window
Multi-directional camera
Set the data encryption for each stream separately.
[Stream]
Enable/disable data encryption for each stream separately.
[Encryption password], [Retype encryption password]
Set the data encryption password.
Number of characters that can be entered:4~16
Characters that cannot be entered:Double-byte and single-byte symbols&
[Important]

・JPEG cannot encrypt data.


・When setting data encryption to [On], it is recommended that the total bit rate of the streams be set to 64 Mbps or less.


・The data-encrypted MP4 file cannot be viewed on the browser playback page. Download to the PC and check with the decoding tool. For decoding tools, please refer to our technical information website<Control No. C0310>.
2.8 Play back images on the SD Memory Card


[Note:]

・When the [Data encryption] of all streams is set to [On], the audio [AAC-LC] is encrypted ([G.726] [G.711] is not encrypted). If [AAC-LC] is selected in [Audio input encoding format], the sound will not be played while JPEG is displayed in live picture.


・For encrypted MP4 files, the video can be viewed using the decryption tool.


Displaying pull-down menus when data encryption is enabled
For streams with data encryption enabled in the [Live view] pull-down menu<Encrypted>The message is displayed. Also, in the pull-down menu in the setting screen, streams with valid data encryption are displayed in <>.
[Live view] pull-down menu on the live screen
[Live view] pull-down menu in the setting window
On the Users Admin page, press [Data encryption]. Refer to the following how to display and operate the Advanced menu.
5.1 How to display
5.2 How to operate
Here, the data encryption settings are made.
Brute force attack countermeasures
Configure settings related to brute force attack countermeasures.
If you enter the wrong user name or password the specified number of times and within the time set in [Blocking conditions], you cannot access your browser or SNMP/FTP for the period set in [Blocking period].
For example, when using the settings on the screen shown above ([Browser access blocking period]: 30s, [Browser access blocking conditions] (times): 5 times, [Browser access blocking conditions] (s): 10s), if your login attempt fails 5 times within 10 seconds, the login page will not be displayed for 30 seconds.
Browser access blocking period (s)
Set the length of time the browser cannot be accessed.
Input range: 10 to 1000(s)
Browser access blocking conditions - Input range (times)
Set the conditions (number of failed attempts) before access to the browser is prohibited.
Input range: 1 to 5 (times)
Browser access blocking conditions - Input range (s)
Set the conditions (specified length of time) before access to the browser is prohibited.
Input range: 1 to 100 (s)
SNMP/FTP access blocking period (s)
Set the length of time the SNMP/FTP cannot be accessed.
Input range: 10 to 1000(s)
SNMP/FTP access blocking conditions - Input range (times)
Set the conditions (number of failed attempts) before access to the SNMP/FTP is prohibited.
Input range: 1 to 5 (times)
SNMP/FTP access blocking conditions - Input range (s)
Set the conditions (specified length of time) before access to the SNMP/FTP is prohibited.
Input range: 1 to 100(s)
[Note:]

・If you want to use the browser access blocking function in [Brute force attack countermeasures], set [User auth.] to [On] on the [User auth.] tab.


Browser Access
Set whether or not to enable/disable browser access.
[IMPORTANT]

・If [Browser Access] is set to [Disable], access to live images is disabled.


・To switch [Browser Access] from [Disable] to [Enable], you need to initialize the setting data.
Refer to the camera's Operating Instructions for details on initializing the settings.