...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Introduction

About This Guide

This guide is intended to be used as a standard guide for the Freedom Access Control System. General Linux knowledge and Freedom Certification Training Knowledge are expected.

Additional Documentation

To find documentation available for all products, go to https://www.identiv.com/viscount.

...

To find related vendor documentation on Veridt Readers, go to www.veridt.com.

Initial Software Configuration

Administration Management

Starting the Freedom Administration System

Launch a web browser (Internet Explorer, Firefox, or other browser that allows pop-ups).

...

Login and Log Out

To login to Freedom:

...

1. Enter the Default Username and the Password.

2. Click on the LOGIN button.

...

As a security feature, after a certain period of inactivity Freedom will automatically log you off. At that point, the login page will appear, and the user will have to log back in.

Navigating the Freedom Software

Below is a screenshot of the Freedom Administration software. It shows the optional Alert Level bar. Below the Alert Level bar, is the Navigation Tabs. It allows you to access the main areas of the Freedom software – the current tab is underlined (i.e. the System tab below). To the right of the Navigation Tabs is the Site dropdown box where you can select the site to view or configure. The Log Out button is located beside the Site drop down menu. The Actions Bar near the bottom of the screen contains buttons to add, delete, edit and save. The Quick Links at the bottom of the page reveal company, service, contact, version information. The manual can also be downloaded from the quick links bar.

...

You can close an open link by clicking its orange down arrow.

Adding a New Administrator and Deleting the Default Account

The first Administrator account created should be given full permissions to manage all aspects of a Freedom installation.  Additional accounts can be given less control over the installation depending on the role that each user plays in managing or supporting the installation. Users with an Administrator Account for the installation cannot create, modify or delete other accounts that have more privileges than their own. The extent to which one can create, modify, or delete accounts is limited to users with fewer privileges than the account under which one is currently logged in.

...

Once the admin user is saved, the user ID field cannot be edited.  This field specifies a unique admin user profile. You can change the other fields after an admin user profile has been saved.

Site Administrator Management

In addition to the full access administrator, there can be limitedadministrative users that have the capacity to add/modify/delete card holder access. The privileges of these admin users can be fine-tuned to restrict or grant access to certain functions of the software. These restrictions include the modification of Controlled Areas, Access Groups, Devices, and Users. Admin users can also be assigned to certain sites within Freedom, further restricting and partitioning data, thereby limiting their Admin access.

...

System Management

Set Date, Time, Time Zone Settings

Date and time settings for Freedom servers can be set either manually or by using a network time protocol (NTP) server. An NTP server is the recommended method for keeping the date and time in sync with other systems.

Setup Network Time Protocol (NTP) Settings

An NTP server is the recommended method for keeping the date and time in sync with other systems. However, it does require either a local NTP server or an internet connection. NTP Server could be an internal company facing NTP server or an external public facing.

...

When changing the time or the date of a Freedom/Enterphone System, the synchronizing of schedules and events are not done until the following day at midnight. For proper scheduling, please restart the Freedom server using the reboot link from the Utilities section.

Change Date and Time Manually

If you are not using an NTP server, you can set the date and time manually.

...

System Card Format Support

The Freedom Server has a built-in set of Card Format Definitions that determine how Wiegand data is being translated (e.g. Wiegand 75 bit, FIP-201 200 bit).  Upon card swipe, Freedom performs a sequential look up of this list to find the best fitting definition.

...

In case no suitable definition is available, use the Default Card Format drop down list to select a default format. Please note that card format definition in Freedom is highly customizable. Please feel free to contact Viscount Technical Support (vsicountsupport@identiv.com ) should you require a custom format.

Customize Dealer and Installer Pages

The links for Dealer and Installer from the Freedom Administration software can be configured to match the company who sold and installed the MESH system.

...

For more information, please refer to the instructions in the MESH Parameter Files section.

Freedom Encryption Bridges

Viscount’s Freedom Encryption Brides allow door hardware to be connected to Freedom servers. Bridges for card readers communicate with Freedom software. Data is received from card readers, encrypted and sent via IP to a Freedom server for processing. Relays on the Freedom Bridge are activated by commands from a Freedom server to lock or unlock doors.

Discovering Freedom Bridges on a Network

Freedom Bridges can be discovered using one of two methods. Either using the Bridge Discovery Tool located in the Freedom Administration Software or using the standalone Windows tool called Bridge Configuration Utility (BridgeUtil). For most systems, the built-in web based discovery tool will be sufficient. If a Freedom bridge is not located on the same LAN as the Freedom server or is behind a switch/router where UDP MultiCast traffic is being blocked, the bridge utility application should be used on a PC located on the network where UDP traffic is not being blocked.

Finding a Freedom Bridge on the Network

Once a Freedom Bridge is connected to the network, you can scan the network for the added device and add it to the Freedom Administration Software using the Freedom Bridge Utility.

...

You can also find the Freedom Bridge Utility at the bottom of the Devices - Main page, and clicking on the Freedom Bridge Discovery Tool check box.

...

Using the Web Based Freedom Bridge Utility

1. Click on the System navigation tab.

2. On the left, click the Utilities link.

3. Click the Bridge Utility sub link.

4. Click the [Scan Devices] button.This process might take a minute or two.

5. Click on the MAC address of the device you wish to provision.

   

6. Assign the appropriate IP information to the device or choose DHCP. You may need to contact your system admin for this information. If the DHCP checkbox is checked, the IP, Netmask and Gateway fields are automatically populated once the bridge receives the DHCP information.

7. To update Bridge Configuration only, click on Save. Note that it might take up to two minutes to save.

8. To update and add the Bridge to Freedom, check Save & Add Device To Freedom checkbox and click Save.

   

9. Enter the name by which you’d like to refer to the device and click the Save button.

Lock Bridge Configuration

This is an option in freedom bridge configuration to lock the system configuration of the bridge. Once you choose to lock the configuration, no changes to the configuration can be made remotely. 

In order to remove the lock, it requires a manual reset of the bridge that will reset the IP address and require the IP’s be reset.

Windows Based Bridge Discovery Utility

The Freedom Bridge settings can be changed by using Viscount’s Bridge Utility. This program (BridgeUtil.exe) is self-contained, does not require a special install program and should run on Windows XP, 7, 8.1 and 10.

Download BridgeUtil.exe from Freedom Application

1. Click on the System navigation tab.

2. On the left, click on the Utilities link.

3. Click the Download sub link.

4. Click on the BridgeUtil link and save the executable on the PC.

5. Locate the BridgeUtil.exe from where it was downloaded. Right click on the executable and select “Run as administrator”

...

The settings may be changed and updated as needed. When done hit the Save button

Device Properties

Each Freedom Bridge model displays a different properties section. For example, a single port Freedom Bridge will only have one reader, input and output properties section; two ports will have two and so on.

...

The following tables describe the properties for Freedom bridges.

Reader Properties

Input Properties

LED Properties

Description: Identifies the LED when adding to Port Trigger Actions or viewing in Activity Logs.

Buzzer Properties

Description: Identifies the Buzzer output when adding to Port Trigger Actions or viewing in Activity Logs.

Relay Properties

Schedules

Schedule Management

A Schedule is a given period of time that is applied to different aspects of the software. If a Schedule is added to a Controlled Area, then that schedule activates the devices and outputs in that Controlled Area. If a schedule is linked to a Controlled Area, under User or Guest Access Groups, then the schedule enables or disables access to that controlled area only to the users that are contained in that User Access Group.

...

The current state (on or off) of all the schedules can be seen on the Schedule tab.

...

Adding a Schedule

1. Click on the Schedules navigation tab.

2. In the Actions bar, click on Add Schedule. The following screen is displayed:

3. Enter a Name and Description.

4. Select Weekdays OR Special Days.

   1. If you select Weekdays, check the box for each Week Day this schedule applies to and check the box for each Type of Special Day you would like to exclude from this schedule. To add a Special Day, see instructions in the previous section.

   2. If you select Special Days then you wish to apply this schedule ONLY to the Type of special day that you select in the dropdown box.

5. Enter an ON Time for this schedule.

6. Enter an OFF Time for this schedule.

7. Under Effective Dates, check the Always On box if this schedule is to remain in effect at all times or, if not, enter a Start Date and an Expire Date for this schedule.

8. Click Save.

Special Days (Holidays)

Special days are an optional addition to a schedule. They can be used for holidays or any other day where a schedule needs an explicit or relative period. Special days are added to schedules as a period so they may need to be configured before adding a schedule.

Adding a Special Day

1. Click on the Schedules navigation tab.

2. On the left, click the Special Days link.

3. In the Actions bar, click Add Special Day. The following screen is displayed.

   

4. Enter the Name of the Special Day.

5. Choose a number for this Type of special day, number between 1 and 12. Special day types allow grouping of different special days. For example, a Type 1 special day labeled First of Every month, could contain the first day of every month. In this case there will need to be 12 special days added, all of them belonging to the Type 1 group.

6. Select Explicit or Relative. An explicit day is a particular day of the year while a Relative day is a day that will occur every month i.e. the first Monday of every month.

7. Enter the Month and Day of the special day if Explicit was selected; select the Day of the Week if Relative was selected.

8. Click Save.

Assigning a Special day to a Schedule

Once a special day is added, it can be programmed to be a part of a schedule.

Controlled Areas

In general, Freedom has two different types of Controlled Areas - Door and Floor Areas.

...

Floor Controlled Area is an Access Control Object that represents a floor. It contains the Freedom Bridge output ports that are typically connecting to elevator control modules in the building. Floor areas can be linked to door areas in such a way that when Freedom server grants access to a door, its associated floor area outputs can be activated. The card holder’s floor access rights then determines which floor area should be activated.

...

How to set up

First, the administrator needs to create Door Areas to hold the elevator readers. Then for each controlled area, “link” the corresponding Floor Areas to it. In the above example, a Door Area called Elevator A is created that hosts “Cab A Reader”. This door needs to have linked Floor Areas “Cab A - FL 1”, “Cab A – FL 2” and “Cab A - FL3” that contain relays to elevator A’s control:

...

Elevator B would follow the same idea except that it is using Elevator B reader, Floor Area Cab B – FL 1 through to FL 3.

Freedom offers two ways to handle Floor Access

Use separate Floor Access Groups

This is the original method implemented in 9.2 up to 10.1. The user will need to be assigned to a User Access Group that allows access to the various elevators. Floor Access Groups are then assigned to the user to give access to his floor.

...

For the card holder that have access to the 1st Floor, this is how his User and Floor Access Groups look like:

...

No separate Floor Access Group

This is a new option implemented in later versions of 10.1 and 9.2c. It reduces database migration effort from older systems such as 9.1, 8.7 and below.

...

When assigning Access Group, the administrator will select a group that will give the card holder access to both elevators and his corresponding floor. Note that in this mode, the Floor Access Group select box is not present.

...

Controlled Area Configuration

Configure a Door Controlled Area

Controlled Areas are areas in a facility that are controlled by one or more devices such as Card Readers. Any area within a facility that requires controlled entry or exit must be set as a Controlled Area. An area can also be set to change from Secure to Unsecure based upon schedules or manual control. 

Adding a Door Controlled Area

1. Click on the Controlled Areas navigation tab.

2. In the Actions bar, click Add Controlled Area. The following screen is displayed:

   

3. Enter a Name that describes the controlled area.

4. Enter an optional Description.

5. Select Door Area as the Area Type.

6. Select a Reader for the controlled area.

7. By default, Freedom assigns the input 1 as Door Contact and input 2 as Request to Exit. To choose a custom setting, check Custom and select the desired input mapping.

8. Click Save.

...

Once the controlled area is saved, different aspects of it can be modified.

...

Config Tab

The Config tab allows the configuration of the reader that is assigned to the controlled area.

...

1. Select a Card Format for the Reader; set it to Auto to default to the system settings.

2. For the Door Contact, check the Suprv Ready box to indicate that the bridge input has supervised resistors set.

3. Set the Door Contact Switch to Normally Open or Normally Closed.

4. For Request to Exit, check the Suprv Ready box to indicate that the bridge input has supervised resistors set.

5. Set the Request to Exit Switch to Normally Open or Normally Closed.

6. Check the Activate Relay to set the lock to trigger when the REX is fired and select a Relay and enter the number of seconds for it to remain active.

7. For each of the Outputs, enter a Delay time (the number of minutes/seconds the relay will fire) and an Activation Time (the number of minutes/seconds the relay stays open).

8. Select an Output for this door.

9. Enter an optional Description.

10. For each output, enter a Delay time (the number of minutes/seconds until the relay will fire) and an Activation Time (the number of minutes/seconds the relay stays open). Click the Show Accessibility box to enter an Accessibility Delay time and an Accessibility Activation time: this is a separate set of delays and activation times for users with special needs (e.g. wheelchair, crutches) that are used if the Accessibility check box is selected in that user’s setup page. See Chapter Users for more information on setting up a User.

11. Check the Latch Allowed box to allow the corresponding output to remain open(latched) when it is set to Open state either by the Administrator or through Unlock Schedule.

12. To add another Output line, click the + button beside the first output line.

    

13. Click Save when all outputs are configured.

Unlock Schedule Tab

A Schedule is a given period of time that is applied to a Controlled Areas and Access Groups and is used to schedule device activation and alarms. If a schedule is added to a Controlled Area, then that schedule activates the devices and outputs in that Controlled Area. If a schedule is linked to a Controlled Area, under User or Guest Access Groups, then the schedule enables or disables access to that Controlled Area only to the users that are contained in that User Access Group.

...

Door Monitor Tab

There are two Door Monitor Alarms for a controlled Door area: a Door Held Open Alarm that indicates a door being held open for a given period of time and a Door Forced Open Alarm that indicates that a door is being forced open without the use of a reader or an entry/exit device.

...

In the Door Monitor tab on the View/Edit Controlled Area screen:

...

Door Held Open Alarm

1. Under Door Held Open Alarm, check the Enable box.

2. Enter the number of seconds in the Held Open Time box before the alarm will sound.

3. Select an output in the Output 1 dropdown box; in the Action box, select Activate or Deactivate; in the Duration box, select the number of seconds the alarm will sound.

4. Repeat Step 3 for Output 2 if necessary.

5. Select the Schedule from the dropdown box that you would like applied to the action, or select Always On if you need the action to be enabled 24/7; check the Effective Except for this Schedule box to have the alarm sound during all schedules except this one.

6. Check the General Alarm box if you need this action to generate an alarm in the Events tab.

7. Check the Ack. Required box to require an acknowledgement from the AMS Server.

8. Select a Severity level from the dropdown box: Warning, Error, Alert, Critical, or Emergency.

9. If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server. To create a new alarm instruction, click the Alarm Instructions link and click Add Alarm Instruction in the Actions bar.

10. Once done, click save at the bottom of the window

Door Forced Open Alarm

1. Under Door Forced Open Alarm, check the Enable box.

2. Select an output in the Output 1 dropdown box; in the Action box, select Activate or Deactivate; in the Duration box, select the number of seconds the alarm will sound.

3. Repeat Step 2 for Output 2 if necessary.

4. In the Racing box, enter the number of seconds when the door contact state change is reported before the push button bar signal reaches the system.  If Racing is set to 1, then the DFO will not fire if a REX is detected within one second of the door contact change state.

5. In the Shunt Window box, enter the number of seconds. This options shunts the alarm when the REX opens the door (no card scan releases the door).

6. Select the Schedule from the dropdown box that you would like applied to the action or select Always On if you need the action to be enabled 24/7; check the Effective Except for this Schedule box to have the alarm sound during all schedules except this one.

7. Check the Generate Alarm box if you need this action to generate an alarm in the Events tab.

8. Check the Ack. Required box to require an acknowledgement from the AMS Server.

9. Select a Severity level from the dropdown box: Warning, Error, Alert, Critical, or Emergency.

10. If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server. To create a new alarm instruction, click the Alarm Instructions link and click Add Alarm Instruction in the Actions bar.

11. Click Save.

Advanced Tab

The Advanced tab on the Controlled Areas screen contains additional configuration flags:

...

Multi Card Swipe Tab

The multiple swipe action is intended to place a multiple actions to change the state of a single Controlled Area, or an entire zone group on a pre-set number of card scans, in a defined window of seconds.

...

1. Select the Card Swipe Interval: the number of seconds that you count the multiple swipes for this controlled area.

2. Select a specific User Group if only the identified user group will have access to take action on this reader; select ANY to allow all user groups to have access.

3. Select a Controlled Area or a Zone Group to activate.

4. Select Open, Close or LOCKDOWN in the Action dropdown box.

5. Select a Schedule or select Always On.

6. Click Save.

...

Floors Tab

The Floors tab allows you to link one Controlled area to floors. Typically the controlled area is an elevator reader area and the linked Floor Controlled Areas are the floors that the reader would provide access to.

...

1. Select a Floor Controlled Area from the Linked Floor Area dropdown box to link to this controlled area.
   NOTE: More details on Floor Controlled Areas can be found in Chapter Elevator Configuration.

2. Enter a Delay time (a pause before the relay fires, default is 0 second) and an Activation Time (the duration that the relay activates, default is 5 seconds).

3. Click the Show Accessibility box to enter an Accessibility Delay time and an Accessibility Activation time. This is a separate set of delays and activation times for users with special needs (e.g. wheelchair, crutches) that are used if the Accessibility check box is selected in that user’s setup page. See Chapter Users for more information on setting up a User.

   

4. To link another floor to this controlled area, click the add button +

5. Click Save.

Assign a Device to a Controlled Area

The following steps allow the user to associate a device to a Door Controlled Area that has not been assigned a device previously.

...

5. Click Save. The screen expands with more options. The administrator will be able adjust Controlled Area parameters as described in the above sections.

...

Alarm Instructions

A customized message can be configured that will be passed to the AMS Server and displayed in the log when an Alarm is triggered.  Alarm instructions can be used by Controlled Area’s Door Monitors or Port Triggered Actions in the next chapter.

...

1. In the Controlled Areas navigation tab, click the Alarm Instructions link.

2. In the Actions bar, click Add Alarm Instruction. The following screen is displayed:

   

3. Enter a Description of the alarm instruction.

4. Enter any Details that pertain to this instruction.

5. Click Save.

Alarm Resolutions

Alarm resolutions are for the clear step of the alarm response process.

...

1. In the Controlled Areas tab, click the Alarm Resolutions link.

2. In the Actions bar, click Add Alarm Resolution. The following screen is displayed:

   

3. Enter a Description of the alarm instruction.

4. Enter any Details that pertain to the instruction.

5. Click Save.

Port Triggered Actions

Port triggered actions are output actions, such as alarms, triggered by a conditional input or output event from a device. Port triggered actions are useful for alarm monitoring and requests to exit.

...

E.g. If Input 1 from a Freedom Bridge is closed and the Front Door Reader’s Output is Not-Active then Front Door Reader’s Output should be Activated.

Adding a Port Triggered Action

1. Click on the Controlled Areas navigation tab.

2. On the left, click the Port Triggered Actions link.

3. In the Actions bar, click Add Port Trigger. The following screen is displayed:

   

4. Enter a Name for this action.

5. Select a Port Event from thedropdown listand select the state of the event: For inputs, choose Reset, Set, Error Break, or Error Short.

   For outputs, choose Activate or Non Active.

6. Choose up to two Condition States for an output port and the condition of that device’s output port.

7. Combine two conditions with AND or OR from the dropdown list. For example, if Front Reader’s Output Port is Not-Active AND Front Door Trip Input 1 is Active then the Output Action is triggered.

8. Select an Output Action and select Deactivate, Activate, Buzzer On, Buzzer Off, Latch Active, Unlatch Active or No Action.

9. Enter the Delay before activation for the output action.

10. Enter the Activation Time for the output action.

11. Select a Controlled Area and its associated action: Open, Close, Enable panel, Disable panel, LOCKDOWN or Toggle.

12. Select a Schedule that defines the time that the Port Triggered Action is going to be used or leave it as Always On.

13. Generate an Alarm enables or disables logging of this Port Triggered Action in the alarm logs, desktop alarm client and AMS servers.

14. Choose the Severity of the alarm level: Info, Warning, Error, Critical, Alert, or Emergency, when set to Alarm this will log the action to the Alarm Log. 

15. If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server.

16. Select an Alarm Area.

17. To lag an NVR camera clip to the port triggered event, select the camera from the NetCam drop-down list. Before Event and After Event specify the time window (in seconds) of the clip relative to the event.

18. Click Save.

Zone Groups

Zone Group Management and Anti-Passback

Zone Groups allow users to group various Controlled Areas to form a Perimeter Security Zone where Anti-password rules can be applied.

...

Adding Zone Groups

1. Click on the Controlled Areas navigation tab.

2. On the left, click the Zone Groups link.

3. In the Actions bar, click on Add Zone Group.

4. Enter a Name for the zone group.

5. Enter an optional Description of the group.

6. Check the Anti Passback Enabled box to enforce anti-passback for this zone group.

7. In the Anti Passback Forgiveness dropdown box select from the following options:

...

8. Check the APB Enforced on Exit Readers box to enable this feature; anti-passback is imposed on exit readers also. You must set EnforceExitAccessRight to Yes in siteEngine.ini – go to the System tab, Administration, System Parameters page to edit this file.
9. Select a group of users in the Exempt Access Groups if you want them to be exempt from anti pass back rules.
10. Click Save.

Assigning Controlled Areas to Zone Groups

Once Zone Groups are created, controlled areas can be assigned to the zone groups.  A Zone Group is a security perimeter that contains multiple controlled areas.  Each zone group can exercise anti-passback rules onto its controlled areas. For example, a building with two entrances can be seen as a zone group with two controlled areas (doors).  If the anti passback rule is enforced in this building, a person cannot enter through one door and re-enter to either door without first exiting the building.

...

1. Click on the Controlled Areas navigation tab.

2. On the left, click on the Zone Groups link.

3. Click on the Zone Group to edit.

   

4. In the Controlled Areas drop down box, select all the Areas that are to be included.

5. Click Save

 Resetting Anti-Passback Manually

Freedom Administrators can manually reset Anti-passback locks by editing the zone group record:

1. Click on the Controlled Areas navigation tab.

2. On the left, click on the Zone Groups link.

3. Click on the Zone Group to edit.

4. In the Edit Zone Group page, click the [Forgive All] button.

5. Click Save.

Manually Reset a User’s Anti-Passback Lock

Freedom Administrators can manually reset a user’s anti-passback lock via the Users page:

1. Click on the Muster navigationtab.

2. Check the box in the Reset column next to the user and click the [Reset] button above it.

   

Mustering

The Muster tab has two sub links: Muster/Anti Passback and Emer. Mustering. This functionality must be turned on in licensing.

Muster/Anti-Passback

This page shows a live view of the number of users who have entered into or exited from a Controlled Area. You can also go here to identify who is in what areas for anti-passback.

...

Emergency Mustering Report

The Emergency Mustering Report tab allows you to create custom area reports by Access Group and Controlled Area to support operations. This report is useful when security staffs want to find out who are in the designated safety area (e.g. a zone group) during an emergency.

...

1. Click on the Muster navigationtab.

2. On the left, click on the Emer. Mustering link. The following screen appears:

   

3. Select the Zone Group which represents the designated safety zone.

4. Select Access Groups to report on.

5. Select User Categories to report on.

6. Enter an Alarm Message Token to identify when a tagged event is enabled; it will grab the last event date and time as an anchor point to help highlight users who have entered the safety zone before the alarm took place. If there is no alarm required, leave this input blank.

7. Select the Zone Groups to be excluded in Report and select In, Out, or Both from the State dropdown box for each Controlled Area selected. This feature helps to filter areas from the report that is not relevance to the alarm event.

8. Click the Add button to add this report to your list of Mustering Reports. These reports will list at the top of the screen and as sub links on the left once they are created.

Access Groups

Access Group Management

An Access Group is an organizational unit in which users can be placed.  This lets the administrator apply access rights to groups instead of people, for ease of administration.  This also lets the administrator make changes to a group of people as opposed to having to change the rights individually.  An access group can have 1 or thousands of people (user accounts) assigned to it. There are also Floor Access Groups that allow access to specific floors and Guest Access Groups that work in conjunction with MESH panels. The instructions for adding each type of group are the same.

Adding a User, Floor or Guest Access Group          

1. Click on the Access navigation tab.

2. Click on the User Access Groups, Floor Access Groups or Guest Access Groups link.

3. In the Actions bar, click on Add Access Group. The following screen is displayed:

   

4. Enter a Name and a Description.

5. Select the Risk Levels during which this group will have access: Low, Guarded, Elevated, High or Severe (the current risk level is always displayed at the top of the Freedom screen)
   For more information on Risk Levels see the Alert Level Managementsection.

6. Select a Controlled Area for this group.

7. Select a Schedule for the Controlled Area. If that controlled area is not going to be accessed by that User Access Group, leave the schedule as Always Off.

8. If you need an additional line for extra Controlled Areas and/or Schedules, click the + button beside the current line. To delete a line, click the x button.

9. Click Save.

Global User Access Groups

In Freedom version 11, User Access Groups can be global to all sites. This makes Access administration more efficient for large enterprise systems. For example, all employees within an enterprise are assigned a general Access Group “Employees”. This group can be associated with any controlled area/schedule pairs in any sites.

...

Once a Global Group is added, it will be visible to all sites. Administrators can associate it with any controlled area-schedule pairs that are local to the selected site.
Notice the Icon that highlights the Global Access Group “Employees”.

...

Users

Configuring a User’s Access

A User’s right to access through a door or to a floor is set up by entering a person into an Access Group. This Access Group is set to have rights to gain access to certain areas (controlled areas) of a facility at certain times (schedules).  The following chart is a guide to setting up a person’s access rights.

...

Typically schedules are configured and then controlled areas are configured.  Once done these are attached to an Access Group.  The final step is to assign a User to an Access Group

Adding a User Account

In order to assign cards or key fobs to people, User Accounts must be set-up.  During this process a User is assigned to an Access Group (or multiple Access Groups) which in turn defines their Access Rights.  To set up a User Account do the following:

1. Click on the Users navigation tab.

2. In the Actions bar, click on Add User.  The following screen is displayed. 

   

3. Enter the user’s Last Name.

4. Enter the user’s First Name.

5. Select Yes or No to Display this user’s name in the Directory if there is an intercom on the panel.

6. Select this user’s Suite. This is also for Intercom functionality

7. Enter the MESH Card Number.

8. Enter the Wiegand Card Number that is assigned to the user or click on the [Read Card] button and present the card to the reader - the Wiegand number will automatically fill in the field. If the number is unknown, a card reader can be set up as an enrolment reader. To set up an enrolment reader, click on Select Enrolment Reader from the left menu and select the appropriate card reader.

9. Enter a PIN number for the card. This is for Intercom functionality.

10. Enter the user’s Email address.

11. Enter the user’s Telephone number.

12. Select the User Access Groups in the Available box that should be assigned to this user and click the right arrow button to move the group to the Selected box.

13. Select the Floor Access Groups for this user.

14. Enter the Date that the user’s access rights will Start.

15. Select Never, or enter the Date that the access rights of this user will Expire.

16. Click the Accessibility box if this is a user with special needs (i.e. wheelchair or crutches) that requires the longer Accessibility Delay and Activation times configured in Controlled Areas.

17. Select Yes to Enable Admin Functions if this user is an administrator – the View/Edit Admin User options will become available.

18. Click Save.

User Categories

You now have the ability to filter a global database of users by user category. Admin Users can be configured to see specific user categories.

...

Once you have created all of your User Categories you can assign them to your Admin Users in order to filter the users they have access to. Please refer to the Admin Users section to assign the categories.

Elevator Configuration

Elevator Management

In Freedom each reader can only be assigned to one Door Area only. In order for Freedom to activate floor relays upon a card swipe, it now has a new Floor Controlled Area type that can link to a Door Area where the elevator reader resides. Each Floor Area contains outputs that would activate its corresponding elevator controls. In order for users to obtain access to floors, they would need to have both User Access Groups (for card access) and Floor Access Groups (for elevator/floor access).

Installing Hardware

• Install a Wiegand reader in the cab, connect its Wiegand wires to a FB9 adaptor.

• On the FB9 adaptor board, change the address to 1 using the dip switch.

• Run an RS485 cable long enough to connect the FB9 adaptor to the FB5 board which is located in the elevator/engine room of the building. This cable will likely run along the elevator shaft. Relays on the FB5 would be used to interface with the Elevator Control System in the elevator/engine Room.

Device Setup

In the Freedom Software, make sure that the FB5 (Digital IO) device has been added in the System – Devices tab. See Freedom Bridge Configuration for more information.

Create a Controlled Area - Type Floor

1. Click on the Controlled Areas navigation tab.

2. In the Actions bar, click Add Controlled Area.

3. Enter a Name and Description for the Controlled Area.

4. Select Floor Area in the Area Type dropdown box.

   

5. Click Save.

Add All Outputs that Belong to that Floor

This is intended to trigger all of the outputs that a user has access to.  If a user has access to multiple floors, you would select all of the outputs that complete the circuit.

1. Once the Controlled Area is saved, the Outputs and Unlock Schedule tabs appear.

2. Select a device Output for this Floor controlled area. You may select and add multiple Floor Areas. Click the plus sign button to add the selected Output(s).

3. To create an unlock schedule, click on the Unlock Schedule tab. Please see the Unlock Schedules section of the Controlled Areas chapter earlier in this document for more information.

   

4. Click Save.

Link Floor Areas to the Elevator Reader’s Door Area

Create a Door Area and assign it with the elevator reader. Link all the Floor Areas that the reader can provide access to.

1. Create a new Controlled Area with the elevator reader.

2. In the new Controlled Area’s Floor tab, select all the associated Floor Areas; specify the desired activation time and click +.

...

Create a Floor Access Group

Create a floor access group to link the controlled area to a floor.  You can have multiple floor access groups added to a single controlled access group.

1. Click on the Access navigation tab.

2. On the left, click on the Floor Access Group sub link.

3. In the Actions bar, click Add Floor Access Group.

4. Enter a Name and a Description and click Save.

5. Check the box(es) beside the Risk Level allowed for this floor.

6. Selected the Controlled Area to link to this floor access group. If you need additional controlled area click the + button to add another line.

7. Click Save.

Assign Groups to the User

Add permissions to a floor access group in the User account.  This grants access to the floor access group relays defined under the floor group created.

1. Click on the Users navigation tab.

2. Click on a User.

3. Scroll down to the Floor Access Group boxes and click on the Available Floor Access Group to move it to Selected. Select all floor access groups for this user.

4. Click Save.

Example Scenario

The builder has 3 floors with one elevator cab. A reader is installed inside the elevator cab. As the tenant enters the elevator, he/she needs to present a card to access the floor(s) that he/she has rights to.

...

1. Click on the Controlled Areas navigation tab.

2. In the Actions bar, click Add Controlled Area.

3. First we want to create a Door Controlled Area for the Elevator Reader. In this example select the FB5’s Reader 1 and this will be the cab reader.

4. Since there are 3 floors, you will create 3 Floor Controlled Areas. Name the first one Floor 1 Elevator Control and enter an extra Description line if necessary.

5. Select Floor Area in the Area Type dropdown box.

6. Select the FB5’s Reader 1 as its (Entrance) Reader. This Reader 1 will be the cab reader. 

7. Click Save.

8. The Outputs and Unlock Schedule grid will appear. In the Outputs tab, select the FB5 Relay that activates Elevator Control Access to Floor 1 (e.g. relay 1).

9. Click on the Unlock Schedule tab to assign a schedule for this elevator if desired. For more information, please refer to the Unlock Schedule section of Chapter Controlled Areas.

10. Click Save.

11. Repeat Steps 2 to 9 to create a Floor 2 Elevator Controlled Area and add the same FB5 Reader in it as its entrance reader. In the Outputs tab, add the FB5 Relay that activates Elevator Control Access to Floor 2 (e.g. relay 2).

12. Repeat Steps 2 to 9 to create Floor 3 Elevator Controlled Area and add the same entrance reader and Floor 3 relay (e.g. relay 3).

13. Return to the Door Controlled Area created in Step 3, go to the Floors tab and add the three Floor Controlled Areas to it.

Create a Floor Access Group

Create a floor access group to link the controlled area to a floor.  You can have multiple floor access groups added to a single controlled access group.

1. Click on the Access navigation tab.

2. On the left, click on the Floor Access Group sub link.

3. In the Actions bar, click Add Floor Access Group.

4. Enter a Name and a Description and click Save.

5. Check the box(es) beside the Risk Level allowed for this floor.

6. Selected the Controlled Area to link to this floor access group. If you need additional controlled area click the + button to add another line.

7. Click Save.

Assign Groups to Users

You can assign a User Access Group to give general access to your users or a Floor Access Group to give them access to specific floors.

1. Click on the Users navigation tab.

2. Select a Floor 1 user from the list of users.

3. Scroll down to User Access Group or Floor Access Group. Click on the “Floor 1” Access Group in the Available box to move it to the Selected box.

4. Repeat Step 3 for all Floor 1 users.

5. Repeat Step 3 to add the “Floor 2” Access Group to all Floor 2 users and “Floor 3” Access Group to all Floor 3 users.

6. Click Save.

Operation

As a Floor 1 User presents the access card to the cab reader, the reader LED should light up (access granted) and allow elevator access to Floor 1 (e.g. Floor 1 button lights up).

Similarly Floor 2 User’s card would allow the user to access floor 2 inside the cab.

Events

Event Management

Freedom systems keep logs of certain activities and problems with devices under the Events tab.

The Events tab displays information such as the access attempts to the building and if they are granted or not.  Calls placed, answered and wrong numbers dialed from the panels are logged.  If a MESH Panel has the optional camera installed, a snapshot of the user is taken once access is granted by a suite. Scheduled opening or closing of a controlled area and any communication loss or device problems are also displayed. Alarm logs will also be displayed under the optional AMS Server. Preventative and pro-active measures should include the scheduled review of these event logs.

Viewing Events

The Events page refreshes automatically depending on login settings and is divided into a grid. The grid sections contain information about the event that took place. Multiple devices whose states are changed as a result of one event are grouped together to help with readability. Expanding an event will show all the resultant device changes.

...

To search for a specific event of a particular time window, please refer to Searching Events in the next section.

Event Groups & Categories

All events fall into one of the following groups and categories. In addition, every event in the system has an event id associated for searching.

Searching Events

You can search events to track access or errors over several days. When searching events, it is possible to filter results by particular devices or events and it is also possible to generate a PDF or a CSV document from your search results.

1. Click on the Events navigation tab.

2. On the left, click on the Search Events link. The following screen is displayed: 
   

   

3. Enter a From and To Date and Times for the data you wish to search.

4. Enter Search Criteria in the Filters input box.

5. Click the [Search] button to retrieve result set records.

6. Result set will be shown on the area below the search criteria. The user may choose to download a copy of the result set in either CSV or PDF format by clicking the corresponding buttons.

Set Audit Data Search Criteria

1. Click on the System navigation tab.

2. On the left, click on the Utilities link.

3. Click on the Audit Data sub link.  The following screen is displayed:
   

   

4. Enter a From and To Date and Times for the data you wish to search.

5. Enter a User ID.

6. In the Change box, enter a specified string from the audit logs to search through the data that has changed.

7. Select an Action.

8. In the Original Data box, enter a specified string from the audit logs to search through the original data. For example, you could search for a card number in the original field to find out who previously had this card.

9. Select a Function.

10. Click the [Search] button.

Export to a CSV File

You can export Event and User search data to a CSV file by clicking the CSV button.

...

Export to a PDF File

Data on the Device tab can be exported to a PDF file by using the PDF button.

Enhanced Access Denied Diagnostics

Freedom now has the ability to display why a user was denied in the system with all of the possible complex options.  This data will also display in the activity details.

Reports

Reporting Management

In most sections of the Administration Software it is possible to generate a report (or several types of reports) for that section. Reports are generally used for auditing purposes and to view the data for a section in one place making at-a-glance viewing and printing easier. Generated report files are in the PDF file format. Adobe’s Acrobat Reader might be required to view these files.

Because generating reports requires accessing data that may be privileged, it is important that the user you are logged in as and under which you would like to generate a report has adequate permissions to access the report generating functionality of Freedom.

Creating PDF Report Files

PDF files can be generated from most pages by clicking on the [PDF] button beside the Search box. This will generate a PDF file and the user will be asked to save the PDF file on a local folder or the file will saved to a default location, depending on browser settings.

PDF reports can be generated for the following pages: System, Suites and Businesses, Users, User and Guest Access Groups, Controlled Areas and Port Triggered Actions, Schedules and Special Days.

...

Creating CSV Report Files

A CSV file can also be generated on the Users, Suites and Businesses, and Events pages. To download, click on the [CSV] button next to the Search box.

...

 Reports Available By Page

Time and Attendance Reports

The Freedom System is capable of generating reports of who has entered a particular Controlled Area in a given time frame, and who is currently in a particular area. This controlled area needs to have an Entrance and an Exit reader programmed. A report can also be generated in PDF format or CSV to be imported into a spreadsheet or database application.

1. Click on the Events navigationtab.

2. On the left, click on the Reports link.

3. Click on the Attendance sub link.

4. Enter a From/To date and time.

5. Select the Zone Group(s) of interest.

6. Optionally select User Category of interest.

7. Optionally provide a Suite number, Card number, First or a Last name.

8. Select either CSV or PDF report type. The two additional types – CSV summary and PDF Summary reports would show daily card holder attendance summaries. All access transaction details are omitted.

9. Click the Search button.

   

   
   

Backup & Restore

Manual Backup and Restore Configuration (Data)

It is recommended that regular backups of the database are made. Backup files should be stored on digital media such as flash drives or CDs and preferably kept in a secure place.  Because the backup files can contain sensitive information they should be protected from unauthorized access.

Manually Backup Data

1. Click on the System navigation tab.

2. On the left, click on the Administration link.

3. Click on the Backup Data sub link.

4. Find the location to store the file on the local computer.

5. Click Save

Manually Restore Data

1. Click on the System navigation tab.

2. On the left, click on the Administration link.

3. Click on the Restore Data sub link.

4. Click the Choose File button. This will display the contents of the local computer.

5. Find and open the backup file.

6. Select the type of Restore:

...

8. Reboot the system using the reboot link in the Utilities section.

Local Automatic Backup and Recovery Management

Mesh systems do an automatic backup every day. These backup files can be used to bring the system back to a previous state before a file corruption may have occurred. These are done locally, and are part of the standard internal operation of all Mesh and Mesh systems.

...

Restore Database from Local Automatic Backup

1. Click on the System navigation tab.

2. On the left, click on the Administration link.

3. Click on the Backup Data sub link.

4. Click the plus (+) sign beside Restore from a system backup. This will display a list of previously saved back up files. These files are sorted by date.

5. Click the Restore button beside the correct backup file.

6. Reboot the system using the Reboot link from the Utilities section.

 Manual Backup of History (Event Logs)

All activates a system performs such as dialing a suite from the panel, allowing PIN access, and allowing (or denying) access control activities. Anyone whose user profile grants them access to the log can view and search the logs, and if the optional camera is installed, view photographs of people who use a system to access a building. Once a date is specified for backup a compressed ZIP file is created.

This file can be uncompressed using standard compression utilities built in to Windows. After uncompressing the logs a program like Open Office or Microsoft Excel is needed to view the uncompressed comma separated value (CSV) file. The log backup file cannot be restored back. It is only for auditing purposes.

Backup Local Business Admin Users

Because business admin users can’t access the System tab, the backup log instructions are different. Please refer to the Backup of Logs for Business Users section for more information.

Open Log Files  

1. Decompress the Log file that was saved in the previous sections.

2. Use either Microsoft Excel or a CSV compatible application to view the CSV file.

 Setting Up Remote Automatic Backups

1. Click on the System navigation tab.

2. On the left, click on the Utilities link.

3. Click on the Remote Backup sub link.
   

   

4. Select the Backup Method:

...

• Now – Sends when you select save. Recommended to be used for testing the initial backup testing.

• Hourly

• Daily

• Weekly

• Monthly

9. Click Save

Importing Data

To import data to the database, import a template from the Import Data screen under the System 🡪 Administration 🡪 Utilities tab. When importing data to the database it will be added to existing data. Existing data will not be replaced by this function. Suite, Suite Code, and Business Name have to be unique in the imported data and existing data. User field does not need to be unique, but it will create duplicates if identical names are imported.

...

Obtain a Data Template

1. Click on the System navigation tab.

2. On the left, click on the Utilities link.

3. Click on the Import Data sub link.

4. At the bottom of the page under To obtain a Data File Template, right click on the template and select “Save Target As...”, ”Save Link As...”, or equivalent option from the pop-up menu that appears.

5. Select a directory to save the Mesh data backup file in the ”Save as” dialog box.

6. Name the template with the .xls extension. For example, user-template.xls.

7. If the “Download complete” dialog box persists after the copy completes, click Close. Follow these steps carefully to append data to the database.

 Setting up a database file to import:

1. Open the template file using MS Excel, or compatible spreadsheet application. Fill in the data.

2. Do not delete or change the header cells in the template or the import will fail.

3. Save the file to the comma separated values (*.csv) format.

4. Always import the Business file first, followed by the Suites file, then the Users file.

5. The result page displays the imported lines that generated errors. To correct the errors, create a new data file with the corrected data of those lines only and import the new data file.

6. In the Users template, leave the User Id column blank.  This field is reserved for the Mesh system.

Importing Data

1. Select the type of data that is being imported from the Target Data table dropdown menu.

2. Click Browse.

3. Find the data file that is being imported; make sure it is in CSV format.

4. Click the Import button to add the data to the database, if no errors are displayed the importing is complete.

Commercial Database Replication

Database Replication Setup 

This is used for Freedom Systems that are intended to be used as redundant systems that communicate all information to make a hot standby for all bridges and users to communicate to in the event of failure.   These are also the steps to deploy remote Freedom cube appliances for the sections that are needed.

The instructions below are to setup database replication between 2 or more Freedom servers.  Before starting, verify that the full version numbers between the master and the slave nodes are identical.  

Configuring the Master Server

1. Configure the firewall to allow incoming connections on port 31415.

2. Login to the Freedom administration software using the system user.  Call Viscount Support if you need the system password.  

3. Click on the System navigation tab.

4. On the left, click on the Administration link.

5. Click on the System Parameters sub link.
   

   

6. Click on the siteEngine.ini file to edit it.

7. Edit the line that reads DBMode=single and change it to DBMode=master

   

8. Click Save.

9. Select and edit a different System Parameters file called start.ini

10. Edit the line that reads #sds.service=no and change it to sds.service=yes

    

11. Click Save and Reboot the server.

12. Once the system is rebooted, log back in with the system user and go the System tab.

13. In the scope pane on the left, click on Utilities.

14. Click DB Replication. |
    

    

15. Fill in the text boxes on the screen. 

    1. Host Name: This is the IP address of the master server.

    2. Sync Name: Name for the configuration. Enter something that will identify the master server. This field must be alpha numeric.

    3. Sync Protocol: Select http or https. In order to use https, additional configurations are required to install SSL certificate on the master and slave server.

    4. Sync Port Number: Select the TCP port number that slave servers will be connecting to.  The TCP port number selected must be configured in the firewall to allow incoming connection. The Freedom server is preconfigured to support port 31415, additional configurations on the server are required if other port number is used.

16. Click the Save button.  The master node configuration will be displayed in the Master Node section. The Delete button of the master node allows users to remove the master configuration from the server. It will be disabled if there are slave nodes attached to the master. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process. The Refresh Server Cache button allows users to refresh the Freedom server cache to the slave nodes.
    

    

Configuring Slave Server

1. Login to the Freedom administration software using the system user.  Call Viscount Support if you need the system password  

2. Click on the System navigation tab.

3. On the left, click on the Administration link.

4. Click on the System Parameters sub link.
   

   

5. Click on the siteEngine.ini file to edit it.

6. Edit the line that reads DBMode=single and change it to DBMode=slave

   

7. Click Save.

8. Select and edit a different System Parameters file called start.ini

9. Edit the line that reads #sds.service=no and change it to Change to sds.service=yes

   

10. Click Save and Reboot the server.

11. Once the system is rebooted, log back in with the system user and go the System tab.

12. In the scope pane on the left, click on Utilities.

13. Click DB Replication.
    

    

14. Fill in the text boxes on the screen.

    1. Master Node Registration URL: The URL that the slave server will be connecting to for data replication. The URL should be set to the Sync URL configured on the master server.

    2. Sync Name: Name for the configuration. Enter something that will identify the slave server. This field must be alpha numeric.

15. Click the Attach button. The slave node configuration will be displayed in the Node section. The Detach button allows users to remove the node from the data replication. Detaching a slave node is a two steps process, refer to the Detaching Slave Server section below for details. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process.
    

    

    
    

16. To verify the slave server is configured properly, login to the master server and go to the System tab. Click on Utilities on the left and select DB Replication.  The client node should be listed.
    

    

17. To verify that the configuration is good, add a controlled area on the master node and verify that it appears on the slave.

Detaching Slave Server

Detaching a slave server from the master server is a two steps process.

1. Logon to the slave server with the system user and go the System tab.

2. In the scope pane on the left, click on Utilities.

3. Click DB Replication.
   

   

4. Click the Detach button to detach the node from the master.

5. Logon to the master server with the system user and go the System tab.

6. In the scope pane on the left, click on Utilities.

7. Click DB Replication.

8. Find the client node and click the Delete button to detach the slave server.
   

   

 Microsoft Active Directory (AD) Integration

Active Directory Overview

Active Directory integration is a way to integrate the Physical Access Control System with the existing logical infrastructure.  In order to configure Active Directory you must login with the system account.

This section covers how to converge the logical provisioning that exists in Microsoft Active Directory with the logical access control of Freedom. It is intended to go over the basic configuration of Active Directory with Freedom to get your system up and running.

Single Server Deployment Example

Freedom Commercial or Freedom Enterprise links the Freedom application to each server; there are three methods of deployment.

...

Understanding Graceful Access

The Freedom access control system uses graceful access to link multiple different systems together.

Design Consideration

When deploying Freedom it is possible to deploy each server in a global environment to be an extension to be managed by a different administrator.  There is a pricing difference from the Freedom Commercial to Freedom Enterprise versions of the active directory licensing. 

For training on active directory implementation, please reach out to trainingsupport@identiv.com

Active Directory Configuration

To configure Active Directory in Freedom:

...

4. Click Save button to save the configuration

LDAP Connections

To add a new LDAP connection:

...

7. Go to the Events tab and check the LDAP synchronization status. After the LDAP synchronization is finished, go back to the Active Directory Configuration page and click the LDAP Connection that you just added. From the LDAP Connection page, you can specify the criteria for importing users and admin users from the LDAP Server.

...

Active Directory User Import

Filter Import by Organizational Unit and Group

From the search index provided in setup, the import screen populates with the Groups and Organizational Units (OUs).  When selected, it will filter and only pull the select users into the Freedom System to manage. 

...

4. Click Save button to save the import user configuration.

User Attribute Mapping

There are two types of fields to map in the User Attributes Mapping tab.  Fields that are automatically mapped and user selected fields.

1. On the Import Users page, click the User Attributes Mapping tab.
   

   

Automatically Mapped Fields

These fields are defined and statically mapped to AD attributes.

 Freedom Selected Mapped Fields

 Users Import Exclusion Filters

To further refine the import criteria on importing users, you can use create exclusion filters based on the value of the user’s AD attributes.

1. On the Import Users page, click the AD Users Import Filters tab. 
   

   

2. There are two ways to specify the user import filter. By selecting the Attribute Exclusion Filter option, you can define filters to exclude certain users from importing to Freedom. Alternatively, you can select the Advanced LDAP Filter option to specify the actual import filter query for importing users to Freedom.

3. Define Attribute Exclusion Filter
   

   

4. Define LDAP filter query
   

   

5. Click Save button to save the configuration.

Understanding Attribute Based Access Control

Leveraging the Access Group link to physical security allows the administration team to cut down on time associated with the users.

Active Directory Administrator Import

Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration.  It is recommended that for these types of accounts you name them differently than your standard user base to support the integration.

For this section to allow the login from this group, you must have the Web Login Enabled box checked on the configuration page.

...

Mapping Access Group Field to Physical Access Group

The Freedom system will pull into the attribute list a list of all possible attributes that are currently loaded within active directory.  On every card scan, Freedom will ask active directory if the user has the variable that is selected.

User Access Groups

The user access group can be linked to AD OUs, Groups or Access Linked AD attributes.

...

Attribute Based Access Control Use Cases

Besides associating a user access group to AD OU(s) and Group(s), you can select an AD attribute and use it as an Access Linked AD attribute.

...

• Geographic Association: Allowing anyone from the state to have general access to your front door and lobby area.

• Clearance Levels: Clearance in AD allows for internal controls on physical area the same way you would allow AD.

Personal Identity Verification

When equipped with FICAM capable readers, Freedom can perform real-time PKI verifications during PIV card access.

Cardholder Registration Tool – VeriCert

VeriCert is a desktop application that registers PIV credentials into Freedom PACS and Validation System. With VeriCert’s intuitive design, a PIV cardholder’s credential can be fully authenticated, validated, registered and provisioned within seconds, allowing the cardholder access to a specified set of doors.

...

Using VeriCert

...

Before enrolling cardholders, it is important to configure a few settings:

1. Application Settings.

2. Connection Settings.

Application Settings

The Application settings for VeriCert allow administrators to select a USB smartcard reader. Preferences, such as name parsing patterns, may also be found in VeriCert’s application settings.

1. On the menu bar, click on Settings, and select Application Settings…

2. From the Enrollment Reader dropdown list, select the USB smartcard reader detected by the software. To detect a newly installed reader, click the Refresh button to update the dropdown list.

   

3. If the smartcard reader has a built-on keypad:

   1. Check Use Reader’s Keypad to Enter PIN to use the smartcard reader’s keypad to enter PIN.

   2. Uncheck Use Reader’s Keypad to Enter PIN to use the Workstation’s keyboard to enter PIN.

4. From the Printed Name Pattern dropdown list, select the name pattern that will be used to parse the printed name on a PIV credential. The user is able to test the selected pattern by clicking the Test button to test if the pattern can produce the expected result.

5. Click Save to update Application settings.

Other Application Settings

• Proxy server – the URL of the proxy server through which the OCSP server can be accessed.

• FICAM Compliance – this setting allows VeriCert to omit PKI validation during registration. This setting should always be checked during normal operation.

• Match Cardholder Fingerprint – the setting tells VeriCert to find a finger print match during registration. If this setting is enabled but no matching fingerprint is obtained; VeriCert will fail registration.

• Additional Validation Details – this setting lets VeriCert to record additional certificate details during validation and is useful for troubleshoot.

• Site ID’s – this settings allows VeriCert to restrict the set of Access Groups that cardholders can be assigned to. By default this field is empty meaning cardholders can be assigned to Access Groups from all sites.

Connection Settings

The connection settings denote the Freedom API Server that VeriCert will connect to. VeriCert uses the Freedom API to enroll PIV cardholders and retrieve Access Groups to/from Freedom Access Control System.

1. On the menu bar, click on Settings, and select Connection Settings…

2. In the Protocol field, select the Freedom API protocol. Default is HTTP.

   

3. In the Server Address field, enter the IP Address of the Freedom API Server. Default is 192.168.123.101.

4. In the Port field, enter the port of the Freedom API Server. Default is 9000.

5. In the Username field, enter a Freedom Admin User’s Username. Default is freedom.

6. In the Password field, enter a Freedom Admin User’s Password. Default is viscount.

7. Click on the Test Connection button to ensure that VeriCert can contact the Freedom API using the given settings. A Connection Successful notification will be shown if settings are correct.

   

8. Click Save to update settings.

Enrolling Cardholders

1. Insert the PIV card into the USB smartcard reader. VeriCert will take a moment to download and verify all required credentials.

   

2. Enter PIN when prompted.

   

3. Once the PIV credential is fully processed, verify the information and click the Next button

   

4. Assign Access Group to the cardholder.

   

5. Click Save Change to send cardholder data to Freedom.

Freedom PIV

Freedom can perform certification validation on PIV credentials during access. There are number of settings that can adjust the validation process such as status proxy update frequency, CRL download frequency, root and intermediate certificate store management, certificate policies, extended key usage extensions and PKI fault options.

PIV Configuration

In System tab, under PIV; the first menu item is OCSP/CRL Configuration that covers the back settings for PKI validation.

...

Additional Validation Result Details – when enabled, Freedom will record additional validation details such as certificate serial numbers and URL information during PKI validation process.

Certificate Manager

Certificate Manager allow administrators to configure Freedom’s certificate store. This certificate store holds both root and intermediate certificates.

...

Note that when a redundant certificate is being added, Freedom will ignore the new entry. A redundant entry means that the Issuer name and serial number of the certificate already exists in the store.

Certificate Policies

Freedom can impose certificate policy constraints on the three major certificates – PIV, Card Auth and CHUID Signature. These constraints are assigned in the form or OID strings.

...

 To remove a Certificate Policy OID:

Click theX button next to the OID.

...

Extended Key Usage Extensions

Similar to Certificate Policies, Freedom allows administrators to specify required extended key usage extensions.

...

To remove an extended key usage extension constraint:

Click the X button next to the OID.

...

PKI Fault Options

During card access, Freedom performs a long list of validations that adhere to FICAM requirements. For institutions that may not issue PIV cards that fulfil all FICAM requirements; administrators can optionally disable certain fault validations. The following are the options that can be disabled:

...

1. Go to System -> PIV -> PKI Fault Options.

2. Check or Uncheck fault options.

3. Click Save to update.
   

   

CRL Summary

Freedom downloads CRL information for all cardholders in the database periodically. It provides a summary of the number of revoked certificates under each relevant issuer. See System -> PIV -> CRL Summary:

...

If CRL information cannot be obtained for more than 16 hours, this summary page will provide an alert that indicates ‘Download Overdue’.

...

PIV Card Single-Sign‐On Configuration

This section covers the steps to sign on to Freedom Admin using PIV cards.

1. Enroll a PIV cardholder into Freedom by VeriCert.

2. Go to Users, edit the user profile.

3. Enable Admin function to the user.
   

   

4. Enter the logon User ID, password and appropriate privileges.

5. Click Save.

6. Add the PIV card's Root Certificate in System -> PIV -> Certificate Manager.

7. Restart Freedom server (System -> Utilities -> Reboot).

8. In Windows, make sure “Certificate Propagation Service” is enabled and started.

   

9. Insert PIV card into reader.

10. In Chrome browser, go to https://<FreedomServerIP>:8443/

11. Select the PIV Authentication Certificate for the card.

    

12. Enter PIN.

    

13. Once PIN is validated, the browse will log in to Freedom Admin.

Mobile Access

Freedom now provides location based access with mobile devices such as iPhone or Android. Traditionally each controlled area has to be associated with a reader. With this new “Geo Location” based feature, a controlled area can simply be assigned with a GPS co-ordinate or a proximity device such as a Bluetooth Beacon. Freedom first determines the user’s proximity to a door/controlled-area by comparing the location reported by the mobile. Once determined, Freedom then performs the corresponding access control operation. This feature conveniently bypasses the need for readers and access cards; instead a mobile device is used as credential identification.

Configuring Geo Location

To configure Geographic information:

1. Select the Controlled Area

2. Click the Geo Location tab.

3. For GPS based access, select GPS radio button.

4. Enter Latitude, Longitude, radius and the unit (e.g. Feet or Meter) which best cover the entrance area.
   

   

5. Click Enabled to activate Geo Location access for this area.

6. For Beacon based access, repeat steps 1 – 2 and click Beacon radio button instead.

7. Select the Unique ID from the Beacon dropdown list. For details on allocating Beacons in Freedom, see next section Configuring Beacon Access.

   

8. Click Enabled to activate Beacon access for the area.

Configuring Beacon Access

To configure Beacons in Freedom:

...

5. Click Sync checkbox to enable periodic update to Beacon status information. Default behavior is every two hours.

...

Mobile Device Registration

To register a Mobile user in Freedom, these are the general steps:

1. Create the user and set the Mobile flag to true.

2. Assign a mobile password for the user.

3. Freedom server will automatically send the password to the mobile user via email.

4. Once the password is obtained, the user may log on to the Freedom Mobile App and start enjoying the service.

Configuring email server on Freedom

1. Go to System -> Mobile.

2. Click Email Config.

3. Enter the email server’s address and the sender address of the registration email.
   

   

Configuring registration Email Template

1. Go to System -> Mobile.

2. Click menu item Mobile Onboard Email Template.

3. Enter Mail Subject Text, e.g. Mobile App Registration.

4. Enter Mail Content that shall contain links to download Mobile App, user password and any information that is valuable to the registration process.

5. A reserved token USER_PASSWORD can be embedded in the mail content which will then be replaced by the user password assigned during the registration process.
   

   

Managing Enterphone MESH Panels

MESH panels provide visitors with a way to communicate with tenants from the front common entrance. Tenants then can grant or deny access to the building. MESH panels display a list of users that can be dialed. For hardware installation please view the MESH Hardware Installation Guide.

By default MESH panels are added to a single controlled area. This allows the panel to grant access if the tenant presses the relay activation digit when dialed.

Enterphone MESH Panel Settings

MESH panel settings such as talk time, relay access digit and activation time can be configured. To access these settings;

...

8. Enter the Talk Time: This is the maximum duration the call can occur (in seconds) before automatically hanging up.

9. Click Save.

Enterphone MESH (Controlled Area Tab)

The Enterphone MESH tab allows you to attach MESH panels to Controlled Areas. NOTE: MESH panels must have already been created in the System -> Enterphone MESH screen.

...

1. Select an Enterphone MESH panel from the dropdown box.

   

2. To add a second panel to this controlled area, click the add + button. to

3. Click Save.

Changing Screen Saver Image File

When MESH Panels are idle for more than the time set for the default screensaver time out, the default screensaver graphic is displayed. This graphic can be changed from the media files. Use the instructions in the Media Files section to access and change screensaver_1024x768.gif file.

This is the default screensaver picture. Edit this file using any graphic editing software that supports the GIF format. Keep in mind that the edited file’s name, resolution, and color settings must match this file. Once the editing is complete use the Update Media Files from the System tab to upload the edited screensaver_1024x768.gif file. Restart the Panel using the Reboot link at the bottom of the Utilities page.

Changing Screen Saver Timeout

By default, the screensaver activates after 60 seconds of inactivity. This number can be changed from the file sitePanel.ini.

1. Click on the System navigationtab.

2. On the left, click on the Administration link.

3. Click on the System Parameters sub link.

4. Click on the sitePanel.ini file.
   

   

5. Edit the line screensaverTimeOut=60; change 60 to any other value. Do not edit any other value.

6. Check the Reboot after save box. This will do a full restart of the panel after you save the file.

7. Click Save.

Calibrate MESH Screen

MESH parameter files are used to configure the software on both the server and the panel.

MESH Parameters Files

MESH parameter files are used to configure the software on both the server and the panel. These files are located in the System Parameters link under the System -> Administration tab.  These files can be edited using the in-browser text field provided by clicking on the file or backed up by clicking on Download and edited with a text editor locally then uploaded back to MESH. Once the files are uploaded back to MESH the server must be restarted using the Reboot link at the bottom of the Utilities page or by checking the Reboot after save option on the Edit page.

...

siteEngine.ini

sitePanel.ini

To Edit a Parameter file

1. Click on the Administration link from the System navigation tab.

2. Click on the System Parameters sub link.

3. Click on the file you would like to edit.

4. Make any changes necessary to the text presented in the text area.

5. If you would like a backup of the existing file, choose Write Backup.

6. Check the Reboot after save box if a reboot is required. Keep in mind that for the changes to take effect a full system reboot is required.

7. Click Save.

To Backup Parameter Files

1. Click on the Administration link from the System navigation tab.

2. Click on the System Parameters link.

3. Select the file you would like to back up.

4. To back up, click the Download link next to the file.

5. Select a location to back up the file.

6. Name the file with the extension *.ini.

7. Click Save.

Main and Peer Configuration (Sync MESH Units)

This form of replication only copies the Suite and User data to a remote panel to be loaded on the display.  This does not allow for a remote system to be working as a backup unit for bridge communication.

...

Main and peer configuration creates a link between two MESH units. This can be multiple MESH Panels to a single Freedom server or multiple Freedom servers to one Freedom server. The Main servers automatically start sharing data once a peer establishes communication. More information about main and peer configuration can be obtained from the Main

To Setup a Main and a Peer

Follow the instructions below on any unit that needs to be configured as a peer. No configuration is necessary on the main units.

...

Copy Common Data

Once the connection is established between a peer and a main, there may be some data inconsistencies. To clear all the data on the peer and copy everything from the main a Copy Common Data needs to be done.

...

MESH Panel File Configuration

On MESH Panels an additional configuration file exists that controls the configuration of Panel- specific options.

...

Business Administrator Management

MESH Panels can be programmed to divide buildings into multiple businesses. Each business can control its own controlled area without affecting other businesses or areas. In order to divide buildings into businesses, controlled areas that will control a business’ physical access need to be created. When adding a new business to the Administration Software, areas that are controlled by that business can be selected. Then admin users can be added to be part of that business.

Business admin users are restricted on what they can add or view. Also, business admin users do not have access to the System tab and are therefore unable to manage the system or view any system related information.  In addition, business admin users cannot add or delete suites, controlled areas or schedules.  They can add user access groups and link them only to the controlled areas that are associated with that business. Any of the activity logs that are related to other businesses are not viewable by that business admin user.  A single business can have more than one controlled area. Also, a single business admin user can belong to more than one business.

Create Business Users

1. Add a Business using the instructions in the Businesses section of Chapter Suites.

2. Add a new admin user using the instructions in the section: Site Administrator Management.

3. From the Add Admin User screen, select the business name from the Business list.

Backup of Logs for Business Users

Because business admin users can’t access the System tab, the backup log instructions are different.

1. Click on the Events navigation tab.

2. Select a range of dates in the From and To Dates. Note that the maximum number of days is 31.

3. Click Search
   

   

4. Download the search result in CSV Format.

Alarm Management System (AMS) Lite

Overview

It is important to note that if AMS is configured under the System tab, all monitoring features on a server are disabled.

In the System > AMS tab you have the ability to choose if you are able to view the Monitor tab.  This is also where you would go to disable video prior to the setup of video.  AMS Server will not be covered in this section; for information on setup of the AMS application please see.

Navigation Overview: Monitor Systems without Mapping Setup

AMS-Lite supports the ability to monitor the system without maps.  The purpose of this mode is that if the end user chooses not to use the mapping of devices, that there is a clear way to list and report on the status of all of the devices.

This is how the system looks if there are no maps loaded into the system. Should you require maps for your site, please refer to Chapter Controlled Areas - Maps.

Navigation Overview: Controlled Area Display

With this version of freedom there were many enhancements to the ability quick search, and apply actions to the controlled areas.  Including the ability to acknowledge and clear the alarms listed.

...

Number Of Pending Alarms

A Live Alarm List Count displays on the alarm icon on all screens and will indicate if there is an alarm on the sites that you have access to see.

...

Number of Pending Alarms by Site

List Alarms by site by clicking on the Site link. These links will take you to the site map at any time.

...

Acknowledge and Clear

In the center panel of the alarm monitor tab you will see the alarm data come into the system.  This is for the primary system.

...

When a system is acknowledged and cleared, the documentation and notes of the operator show on the alarm monitor report. The following is showed on the report:

...

Navigation: Monitor With Maps And Video

This section does not cover how to setup and configure video services. Instead this covers only the over view of how to navigate using the video services.

...

Navigation Overview: Controlled Area Icon Supported Actions

Once the maps are installed, the center alarm monitoring screen shifts downwards, and allows for the mapping to show in the center, providing the following features:

...

• If the camera is online it shows black. If the camera is disconnected it will show a grey with a line thorough it.

...

Live Video For Mapped Cameras

Scrolling over event video shows the video screen as shown below.

...

View All Cameras

The top of the live camera view has multiple options.

Select All Cameras (#) and this will bring up all cameras in the video panel to scroll through.

...

Navigation Overview: Login to NVR From Monitor Tab

Select the NVR Icon.  This icon links to the NVR of the selected video feed.  If you need to Export video from the NVR, or perform a more detailed review of the video, this is how you get there. Depending on the NVR, you may need a username and password.

...

Navigation Overview: Export View

Select the [Export View] Icon at the top right of the screen. This is know as the Export Video button which is covered later in this chapter. This does not export video, however, it exports the video to b monitor from a separate window.

...

This is to allow the operation of Freedom System, and Video monitoring on the same system, or two different monitors.

Navigation Overview: Select Video and Send to Export View

You can also select video to be exported, and move it to the next screen in a two screen scenario:

...

Once a configuration is setup, it may be saved to be recalled.  All video saves are available across all systems.

Navigation Overview: Save Video Export View

1. Export Video

2. Create a name and enter it into the system:

3. Select Save
   

   

Navigation Overview: Event Video

When an alarm comes in with an event clip associated the video will automatically be displayed in the alarm video.  This is that the Event video will show on the top, the alarm video will show on the bottom, and additional associated cameras will show below that.

...

Once an alarm occurs on the bridge it will show the event clip, live video, and up to 4 cameras if they are associated with the controlled area for a quick view.  You can click on the cameras to pull them up to view to track a person in the frames.

Navigation Overview: Event Clip Controls

In the bottom left corner there is a reply and pause for the event clips. In the bottom right hand corner you can click to save a snapshot of the image by pressing the camera in the bottom right hand corner of event clip screen as seen here:

...

Configure AMS Lite

It is important to note that if AMS is configured under the System tab, all monitoring features on a server are disabled.

Add a Map to AMS Lite

There are many web file formats supported.  Prior to trying to upload one of the files edit map files to support all web image formats:

...

1. In the Controlled Areas navigation tab, click on the Maps link. The following screen is displayed:
   

   

2. Current maps are listed on the left and the controlled areas are listed on the right. Click on a map to view it; click on the  edit button to change the file associated with this map.
   

   

3. To add a new map, click on the +Add Map button. The following screen is displayed:

   

4. Enter Name and a Description for the map.

5. Click the [Choose file] button beside Map Image to import the map file image.

6. Click the [SAVE] button.

Place Controlled Area Icon On Map

Maps have been placed in the Controlled area tabs.  You can simply drag and drop all controlled areas from the right to the map.  Only one controlled area is supported per system.  The controlled area may only exist in one location at a time.

...

1. Click on the Controlled Areas navigation tab.

2. On the left, click on the Maps link. The following screen appears:
   

   

3. Drag and drop controlled areas onto the point.

Place Video Icon On Map

To setup the video portion of the system with video you must login as the system administrator account and ensure that the video is enabled.  If the video is not enabled, after turning this setting on, then you may need to check your server activation and ensure you have NVR Video licensing enabled.

...

This will allow the mapping of camera as an individual device.  To attach a video feed to a controlled area, you must navigate to Controlled Area, select the controlled area, select the Cameras tab.  This will then show the video icon attached to controlled area:

Mapping Icons

Scrolling over an icon will show the name, and a trash can icon. Click on the trash can icon to remove the controlled area or camera from the map:

Remove Icon From Map

Scrolling over an icon will show the name, and a trash can icon. Click on the trash can icon to remove the controlled area or camera from the map:

...

Icons can be added to a map to indicate whether a controlled are is Closed, Open or in Lockdown. Freedom comes with three standard icons. Images of these icons can be changed in the Icons page.

...

Configure Custom Map Icons

Icons can be added to a map to indicate whether a controlled are is Closed, Open or in Lockdown. Freedom comes with three standard icons. Images of these icons can be changed in the Icons page.

...