thank you Bojan for the reply. Interestinf everything you mention.
I'll try to figure out a way to secure cameras physicaly. Do you know a way to setup 802.1x radius? Is it complicated?
The cameras support that protocol.
On a Windows AD Domain, Radius comes with the NPS server role. So you only have to create a domain user and configure the NPS Server to work with your switch.
That would mean, you need to add the switch as a Radius client and define a shared secret. Than you need to configure the switch side with the info / shared secret for the NPS server.
If you don't have a Windows Server, than Freereadius is an option. I have never set it up, but I've seen it being recommended as an option for Eduroam WiFi deployments, that don't have a Windows server.
Otherwise, the first question here is the network layout you have - are all cameras in a separate camera network 'on the other side' of the NVR (connections would go switch-NVR.PoE switch-Cameras)? If all the cameras are 'behind' than NVR, than it is a question, if this will allow the switch to communicate with anything (including Radius Server) that is 'in front' of the NVR.
In such a case, IF the switch is a managed switch and supports VLANs, one could separate a port for a management VLAN and allow this one to connect to the Radius server, if it's the Domain server with the NPS role.
All in all it's not so simple, that one could 'solve' it in 3 posts on a forum, specially when you don't know anything about the network, it's components and it's requirements and restrictions.
Specially it's not something you should jump in and start playing with - you could end up not being able to do any surveillance for multiple days. Start in small steps. Figure out what kind of Radius server you will have and where it will be placed. Figure out, how it will communicate with the switch. Configure the server, add a user. Set up Radius on the switch - but turn it on just for a test port and test camera. Than try to get the camera into the game.
Once it works, you can start deploying it to other cameras and ports.
But be also aware, that if the Radius server breaks because of any reason, you might have a problem to connect anything to the switch. So test also this scenario, before you deploy it to all ports. Check if the switch can cache the credentials or will it try to communicate with the Radius server every time you reconnect a camera (or reboot). Possibly in the end, you might even figure out that it isn't worth it all, when the cameras are behind a NVR and don't have any access to the main network trough the NVR.