FUNCTIONAL DESCRIPTION
Authentication in
ONVIF™ and VAPIX®
Copyright © 2011, Axis Communications AB, Lund, Sweden
Functional description: Authentication in ONVIF™ and VAPIX® Page 2
TABLE OF CONTENTS
Introduction
1 Background
2 VAPIX only
3 ONVIF v1.01
4 ONVIF v1.02
5 References
This document is copyright protected and is the property of Axis Communications AB and may not be copied,
reproduced, or distributed in any way without the prior written consent of Axis Communications AB.
Introduction
This document describes the different authentication schemes in ONVIF and VAPIX and their
implications for software interacting with Axis network cameras and video encoders.
Note: The scheme presented here is Axis-specific and does not apply to other vendors’
implementations of ONVIF.
1 Background
The authentication scheme is the method by which a device, an Axis network camera or video
encoder, can ensure only authorized users can retrieve the video and control the device. The
user is here either a physical user using the device’s web interface, an application using the
VAPIX interface, or an application using the ONVIF interface.
ONVIF and VAPIX are two different network interfaces with two different authentication
schemes. A consequence of this is that the device needs to be configured properly depending on
which interface will be used. It is also possible to use both interfaces in conjunction, but that
also needs to be configured.
Section 2 VAPIX only describes how authentication is configured in VAPIX, and sections 3
ONVIF v1.01 and 4 ONVIF v1.02 describe how authentication is configured in ONVIF. Note
that there is a slight difference in the authentication schemes of ONVIF depending on the
version, as described in the following sections.
2 VAPIX only
Regardless of whether the device is accessed using the web GUI or VAPIX, the same user
authentication scheme is used. This scheme works as follows. The first time a user accesses the
device using the web interface, a password for the default root user has to be entered, as illustrated in Figure 1.
Figure 1: Entering a password for root user
Once the root user has a password the device only accepts access according to the access
permissions as described in VAPIX HTTP API v3 [1] section 4.3 User rights. Users can also
be added and passwords configured using VAPIX as described in VAPIX HTTP API v3 [1],
section 5.1.2 Add, modify, and delete users.
However, if the device is first accessed using the VAPIX API (i.e. not the GUI), the device
does not strictly require that users with proper credentials are entered. Instead, as this is the
normal way a camera is plugged into a VMS, the client application is trusted to add proper
users to the device to control the access as described above.
3 ONVIF v1.01
The authentication scheme in ONVIF is decoupled from the one in VAPIX. A consequence of
this is that regardless of users being added to VAPIX or not, users have to be explicitly added
to ONVIF for the ONVIF interface to be used.
For product firmware with ONVIF v1.01 support, i.e. firmware 5.20 and earlier, the
ONVIF and VAPIX authentication schemes interact in the following three cases.
1. If ONVIF authentication is being initialized, i.e. ONVIF-users are added, but there are
no VAPIX-users configured in the device, the VAPIX interface is kept open.
2. If ONVIF authentication is being initialized, i.e. ONVIF-users are added, when there
already exist VAPIX-users in the system, the two authentication schemes will coexist
in parallel with no changes.
3. If ONVIF authentication is uninitialized when VAPIX-users are added, the ONVIF
interface will be disabled. That is, the ONVIF interface is inaccessible.
To re-enable ONVIF, the parameter ‘root.WebService.Enable’ has to be set to ‘yes’. Note that
this will then make the camera open to access via the ONVIF interface without any
validation of the users’ credentials, as the ONVIF interface at this time has no configured
users. The VMS application must add proper ONVIF users to the system to control the access
permissions.
Figure 2: Enabling WebService
Figure 2 illustrates how to enable the parameter to re-enable ONVIF using the device’s web
GUI. This can also be done using the VAPIX parameter update command as described in
VAPIX HTTP API v3 [1], section 5.1.1 Parameter management.
4 ONVIF v1.02
With ONVIF v1.02 in the firmware, version 5.25 and higher, the interaction between the two
security schemes of ONVIF and VAPIX was slightly changed.
As with ONVIF v1.01, neither ONVIF nor VAPIX has a properly initialized authentication
scheme in the out-of-the-box state.
1. If ONVIF authentication is being initialized and there are no VAPIX-users configured
in the device, the VAPIX interface is kept open. This behavior is identical to the
ONVIF v1.01-case.
2. If ONVIF authentication is being initialized and the device already has VAPIX-users
configured, the two authentication schemes will coexist in parallel with no changes to
either of them. This behavior is also identical to the ONVIF v1.01-case.
3. If ONVIF authentication is uninitialized when VAPIX-users are added, the ONVIF
interface will still be enabled but inaccessible as there are no properly configured users
to the ONVIF system. This behavior is slightly changed compared with the ONVIF
v1.01-case.
For this third case, at least one user has to be added to the ONVIF authentication scheme for
ONVIF to be accessible. The only way to do that is to use the web interface, as illustrated in
Figure 3. On the camera web GUI, select the ‘Setup’ link in the upper right corner of the live
view, and then select ‘System Options’, ‘Security’, and then ‘ONVIF’. Add users by clicking the
‘Add …’ button.
Figure 3: Adding ONVIF users
Once there is an ONVIF-user, ONVIF is accessible through this user with the permissions
associated with the user.
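The interaction rules in sections 3 and 4, modelled as a small state machine that a fleet audit could use to flag interfaces left open without credential checks. This is an added example, not Axis code: the Device class, the function names and the state labels are hypothetical, and it assumes that ‘root.WebService.Enable’ is ‘yes’ out of the box and that an enabled ONVIF interface with no users of either kind is open on both firmware generations.

```python
from dataclasses import dataclass

@dataclass
class Device:
    firmware: tuple                   # (major, minor), e.g. (5, 20)
    vapix_users: bool = False
    onvif_users: bool = False
    webservice_enabled: bool = True   # assumption: root.WebService.Enable=yes by default

def onvif_generation(fw):
    if fw <= (5, 20):
        return "1.01"                 # firmware 5.20 and earlier
    if fw >= (5, 25):
        return "1.02"                 # firmware 5.25 and higher
    return None                       # versions in between are not covered by the page

def add_vapix_user(dev):
    # Case 3, v1.01 only: adding VAPIX users while ONVIF is uninitialized
    # disables the ONVIF interface.
    if onvif_generation(dev.firmware) == "1.01" and not dev.onvif_users:
        dev.webservice_enabled = False
    dev.vapix_users = True

def add_onvif_user(dev):
    # Cases 1 and 2: initializing ONVIF leaves the VAPIX side unchanged.
    dev.onvif_users = True

def exposure(dev):
    gen = onvif_generation(dev.firmware)
    vapix = "authenticated" if dev.vapix_users else "open"
    if gen is None:
        onvif = "unspecified"
    elif not dev.webservice_enabled:
        onvif = "disabled"
    elif dev.onvif_users:
        onvif = "authenticated"
    elif gen == "1.02" and dev.vapix_users:
        onvif = "inaccessible"        # case 3, v1.02: enabled but no ONVIF users
    else:
        onvif = "open"                # enabled with no users: no credential validation
    return {"vapix": vapix, "onvif": onvif}

def findings(dev):
    # Interfaces that currently accept requests without validating credentials.
    return sorted(name for name, state in exposure(dev).items() if state == "open")
```

The state an audit should catch is a firmware 5.20 device with VAPIX users whose ‘root.WebService.Enable’ has been set back to ‘yes’ before any ONVIF user exists: `findings()` then reports `["onvif"]` until `add_onvif_user()` is applied.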
5 References
[1] VAPIX® Version 3: HTTP API v3.00
http://www.axis.com/files/manuals/VAPIX_3_HTTP_API_3_00.pdf