Freedom Solution Guide V11.3
Introduction
- 1 Introduction
- 2 Initial Software Configuration
- 3 Freedom Encryption Bridges
- 3.1 Discovering Freedom Bridges on a Network
- 3.2 Finding a Freedom Bridge on the Network
- 3.3 Using the Web Based Freedom Bridge Utility
- 3.4 Windows Based Bridge Discovery Utility
- 3.5 Download BridgeUtil.exe from Freedom Application
- 3.5.1 Device Properties
- 3.5.2 Reader Properties
- 3.5.3 Input Properties
- 3.5.4 LED Properties
- 3.5.5 Buzzer Properties
- 3.5.6 Relay Properties
- 4 Schedules
- 5 Controlled Areas
- 5.1 How to set up
- 5.2 Freedom offers two ways to handle Floor Access
- 5.3 Controlled Area Configuration
- 5.3.1 Configure a Door Controlled Area
- 5.3.2 Adding a Door Controlled Area
- 5.3.3 Config Tab
- 5.3.4 Unlock Schedule Tab
- 5.3.5 Door Monitor Tab
- 5.3.5.1 Door Held Open Alarm
- 5.3.5.2 Door Forced Open Alarm
- 5.3.6 Advanced Tab
- 5.3.7 Multi Card Swipe Tab
- 5.3.8 Floors Tab
- 5.3.9 Assign a Device to a Controlled Area
- 5.4 Alarm Instructions
- 5.5 Alarm Resolutions
- 5.6 Port Triggered Actions
- 6 Zone Groups
- 7 Access Groups
- 8 Users
- 8.1 Configuring a User’s Access
- 8.1.1 Adding a User Account
- 8.1.2 User Categories
- 9 Elevator Configuration
- 9.1 Elevator Management
- 9.1.1 Installing Hardware
- 9.1.2 Device Setup
- 9.1.3 Link Floor Areas to the Elevator Reader’s Door Area
- 9.1.3.1 Create a Floor Access Group
- 9.1.3.2 Assign Groups to the User
- 9.1.4 Example Scenario
- 9.1.4.1 Create a Floor Access Group
- 9.1.4.2 Assign Groups to Users
- 9.1.4.3 Operation
- 10 Events
- 10.1 Event Management
- 10.1.1 Viewing Events
- 10.1.2 Event Groups & Categories
- 10.1.3 Searching Events
- 10.1.4 Set Audit Data Search Criteria
- 10.1.5 Export to a CSV File
- 10.1.6 Export to a PDF File
- 10.1.7 Enhanced Access Denied Diagnostics
- 11 Reports
- 11.1 Reporting Management
- 11.1.1 Creating PDF Report Files
- 11.1.2 Creating CSV Report Files
- 11.1.3 Reports Available By Page
- 11.1.4 Time and Attendance Reports
- 12 Backup & Restore
- 12.1 Manual Backup and Restore Configuration (Data)
- 12.1.1 Manually Backup Data
- 12.1.2 Manually Restore Data
- 12.1.3 Local Automatic Backup and Recovery Management
- 12.1.4 Restore Database from Local Automatic Backup
- 12.1.5 Manual Backup of History (Event Logs)
- 12.1.6 Backup Local Business Admin Users
- 12.1.7 Open Log Files
- 12.1.8 Setting Up Remote Automatic Backups
- 13 Importing Data
- 14 Commercial Database Replication
- 14.1 Database Replication Setup
- 14.1.1 Configuring the Master Server
- 14.1.2 Configuring Slave Server
- 14.1.3 Detaching Slave Server
- 15 Microsoft Active Directory (AD) Integration
- 15.1 Active Directory Overview
- 15.1.1 Single Server Deployment Example
- 15.1.2 Understanding Graceful Access
- 15.1.3 Design Consideration
- 15.1.4 Active Directory Configuration
- 15.2 LDAP Connections
- 15.3 Active Directory User Import
- 15.3.1 Filter Import by Organizational Unit and Group
- 15.3.2 User Attribute Mapping
- 15.3.3 Automatically Mapped Fields
- 15.3.4 Freedom Selected Mapped Fields
- 15.3.5 Users Import Exclusion Filters
- 15.3.6 Understanding Attribute Based Access Control
- 15.3.7 Active Directory Administrator Import
- 15.3.8 Mapping Access Group Field to Physical Access Group
- 15.3.9 User Access Groups
- 15.3.10 Attribute Based Access Control Use Cases
- 16 Personal Identity Verification
- 16.1 Cardholder Registration Tool – VeriCert
- 16.1.1 Using VeriCert
- 16.2 Application Settings
- 16.2.1 Other Application Settings
- 16.3 Connection Settings
- 16.4 Enrolling Cardholders
- 16.5 Freedom PIV
- 16.6 PIV Configuration
- 16.7 Certificate Manager
- 16.8 Certificate Policies
- 16.9 Extended Key Usage Extensions
- 16.10 PKI Fault Options
- 16.11 CRL Summary
- 17 Mobile Access
- 18 Managing Enterphone MESH Panels
- 18.1 Enterphone MESH Panel Settings
- 18.1.1 Enterphone MESH (Controlled Area Tab)
- 18.1.2 Changing Screen Saver Image File
- 18.1.3 Changing Screen Saver Timeout
- 18.1.4 Calibrate MESH Screen
- 18.1.5 MESH Parameters Files
- 18.1.5.1 To Edit a Parameter file
- 18.1.5.2 To Backup Parameter Files
- 18.2 Main and Peer Configuration (Sync MESH Units)
- 18.2.1 To Setup a Main and a Peer
- 18.2.2 Copy Common Data
- 18.2.3 MESH Panel File Configuration
- 18.2.4 Business Administrator Management
- 18.2.5 Create Business Users
- 18.2.6 Backup of Logs for Business Users
- 19 Alarm Management System (AMS) Lite
- 19.1 Overview
- 19.2 Navigation: Monitor With Maps And Video
- 19.2.1 Navigation Overview: Controlled Area Icon Supported Actions
- 19.2.2 Live Video For Mapped Cameras
- 19.2.3 View All Cameras
- 19.2.4 Navigation Overview: Login to NVR From Monitor Tab
- 19.2.5 Navigation Overview: Export View
- 19.2.6 Navigation Overview: Select Video and Send to Export View
- 19.2.7 Navigation Overview: Save Video Export View
- 19.2.8 Navigation Overview: Event Video
- 19.2.9 Navigation Overview: Event Clip Controls
- 19.3 Configure AMS Lite
- 19.3.1 Add a Map to AMS Lite
- 19.3.2 Place Controlled Area Icon On Map
- 19.3.3 Place Video Icon On Map
- 19.3.4 Mapping Icons
- 19.3.5 Remove Icon From Map
- 19.3.6 Configure Custom Map Icons
About This Guide
This guide is intended to be used as a standard guide for the Freedom Access Control System. General Linux knowledge and Freedom Certification Training Knowledge are expected.
Additional Documentation
To find documentation available for all products, go to https://www.identiv.com/viscount.
To find related vendor documentation on Cisco Switches, go to www.cisco.com.
To find related vendor documentation on Veridt Readers, go to www.veridt.com.
Initial Software Configuration
Administration Management
Starting the Freedom Administration System
Launch a web browser (Internet Explorer, Firefox, or other browser that allows pop-ups).
In the Address field, type http://<freedom ip address>/ and press Enter. For convenience, this page should be bookmarked.
In most cases the default IP address of a server or a panel is 192.168.123.101; however, it might be different depending on the configuration specified. Please check the sticker located on the unit if the default IP address is not working.
Login and Log Out
To login to Freedom:
Enter the Default Username and the Password.
Click on the LOGIN button.
With certain older browsers pressing the Enter key causes an error message. Make sure to use the mouse to click on the Login button.
To log off, click on the Log Out button.
As a security feature, after a certain period of inactivity Freedom will automatically log you off. At that point, the login page will appear, and the user will have to log back in.
Navigating the Freedom Software
Below is a screenshot of the Freedom Administration software. It shows the optional Alert Level bar. Below the Alert Level bar are the Navigation Tabs, which give access to the main areas of the Freedom software; the current tab is underlined (i.e. the System tab below). To the right of the Navigation Tabs is the Site dropdown box, where you can select the site to view or configure. The Log Out button is located beside the Site dropdown box. The Actions Bar near the bottom of the screen contains buttons to add, delete, edit and save. The Quick Links at the bottom of the page reveal company, service, contact and version information. The manual can also be downloaded from the Quick Links bar.
Each Navigation Tab contains Navigation Links on the left-hand side. If a navigation link contains a blue arrow at the end of the line, it can be opened to reveal its own sub links. The current link is highlighted, and its selected sub link is indicated by a black arrow.
You can close an open link by clicking its orange down arrow.
Adding a New Administrator and Deleting the Default Account
The first Administrator account created should be given full permissions to manage all aspects of a Freedom installation. Additional accounts can be given less control over the installation depending on the role that each user plays in managing or supporting the installation. Users with an Administrator Account for the installation cannot create, modify or delete other accounts that have more privileges than their own. The extent to which one can create, modify, or delete accounts is limited to users with fewer privileges than the account under which one is currently logged in.
It is recommended that the first task after logging in is to create an Administrator Account with full access to all pages so that the default “freedom” user can be deleted. This eliminates any security problems that might occur if the default user name is kept. The new account should be tested before the default user is deleted.
To create an Administrator Account with full access and delete the default user:
Log in to Freedom using the instructions in Login and Log Out above.
Click on the System navigation tab at the top of the screen.
On the left, click the Administration link.
Click the Admin Users sub link.
In the Actions bar, click on Add Admin User. The following screen is displayed:
Enter the User ID, Last Name, and First Name.
Enter a Password that is different than the one provided.
Verify the Password.
Beside Business, select All.
Beside Sites, select ALL.
Select Full Access for all of the parameters from Suites to Active Directory.
For Mustering, select the required level.
Select the Language that this full administrator would like to use.
Select the View Suite/User Page Size 10, 25, or 50 to set the default number of suites/users per page this admin user sees when viewing the listing.
Click Save to save the full access admin user.
Click the [Log Out] button to log off and test the new user ID.
Log in with the user ID and password that was created in the previous steps.
Verify that you can log in successfully and that your new user has full privileges.
Log out once more and log in using the default user account name.
Click on the System tab, Administration, Admin Users and select the default “freedom” user account.
Change one of its privileges and click Save.
Log out and log in again as your newly created user.
Go to Admin Users again and select the default “freedom” user account.
Click on Delete and OK.
Once the admin user is saved, the user ID field cannot be edited. This field specifies a unique admin user profile. You can change the other fields after an admin user profile has been saved.
Site Administrator Management
In addition to the full access administrator, there can be limited administrative users that have the capacity to add/modify/delete card holder access. The privileges of these admin users can be fine-tuned to restrict or grant access to certain functions of the software. These restrictions include the modification of Controlled Areas, Access Groups, Devices, and Users. Admin users can also be assigned to certain sites within Freedom, further restricting and partitioning data, thereby limiting their Admin access.
To add an Admin User:
Follow Steps 1 to 15 above to add new Admin Users. Each of the software’s tabs or links is listed with the following options:
No Access: the tab or action will not appear in the toolbar or action menu for this admin user
Read Only: only read permissions are given to selected tabs or actions
Full Access: the user can modify every aspect of the section
You will be able to assign Admin Users to the sites that they are allowed to administer (e.g. the user hoffjenn01 is limited to the control of the sites Distribution Centre, Huston Office and Sales Office - Vancouver). Once the admin user logs in to the system, the sites that they have access to will appear in a dropdown list in the top-right corner of the screen. By selecting a Site from the dropdown list, the Admin User will only see data corresponding to that Site. Also, any data added (e.g. a new controlled area) will be added to the Site that is currently selected.
System Management
Set Date, Time, Time Zone Settings
Date and time settings for Freedom servers can be set either manually or by using a network time protocol (NTP) server. An NTP server is the recommended method for keeping the date and time in sync with other systems.
Setup Network Time Protocol (NTP) Settings
An NTP server is the recommended method for keeping the date and time in sync with other systems. However, it does require either a local NTP server or an internet connection. The NTP server can be an internal, company-facing server or an external, public-facing one.
To set the system time and date using NTP Settings:
Click on the System navigation tab.
On the left, click the Utilities link.
Click the System Date/Time sub link. The following screen is displayed.
Select a Time Zone from the dropdown box.
Check the Enable NTP box.
Enter an IP address or a hostname for the NTP Server. pool.ntp.org is a commonly used public NTP server; if no local NTP server is available, this hostname can be used.
Click Save.
When the time or the date of a Freedom/Enterphone System is changed, schedules and events are not synchronized until the following day at midnight. For proper scheduling, please restart the Freedom server using the reboot link from the Utilities section.
Change Date and Time Manually
If you are not using an NTP server, you can set the date and time manually.
Click on the System navigation tab.
On the left, click the Utilities link.
Click the System Date/Time sub link.
Select a Time Zone from the dropdown box.
Select the date from Set Date.
Select the time from Set Time.
Click Save to save the date and time.
Once the date is set, click the Reboot link at the bottom of the Utilities list.
Click the Reboot button.
System Card Format Support
The Freedom Server has a built-in set of Card Format Definitions that determine how Wiegand data is being translated (e.g. Wiegand 75 bit, FIP-201 200 bit). Upon card swipe, Freedom performs a sequential look up of this list to find the best fitting definition.
To adjust this lookup behavior:
Click on the System navigation tab.
On the left, click the Manage Card Format link.
To speed up card format search, put the most relevant definition at the top of the list. For example, if the installation is using Indala 36 bit cards, put the Indala 36 bit definition above all other 36 bit formats to ensure correct Wiegand data translation. Use the up/down arrows beside each definition to adjust the order of format preferences.
In case no suitable definition is available, use the Default Card Format drop down list to select a default format. Please note that card format definitions in Freedom are highly customizable. Please feel free to contact Viscount Technical Support (vsicountsupport@identiv.com) should you require a custom format.
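The following added example (not part of the Freedom software or this guide's original text) shows why list order matters: two constructed 36-bit definitions decode the same raw read into different credentials, and `shadowed` lists definitions that can never be selected. It assumes the lookup takes the first definition whose bit length matches the read; the format layouts and all function names are hypothetical, and parity is not checked.

```python
"""Added illustration: card-format order in a sequential lookup.

Assumption: the lookup selects the first definition whose bit length matches
the read. Format names and field layouts are constructed for this example;
they are not real vendor formats, and parity bits are ignored.
"""
from typing import List, NamedTuple, Optional, Sequence, Tuple


class CardFormat(NamedTuple):
    name: str
    bit_length: int
    fc_start: int  # facility-code field: index of first bit (0 = first bit read)
    fc_len: int
    cn_start: int  # card-number field: index of first bit
    cn_len: int


class Credential(NamedTuple):
    format_name: str
    facility_code: int
    card_number: int


# Constructed layouts; first and last bit are reserved for parity.
FORMAT_A = CardFormat("36-bit A (constructed)", 36, 1, 8, 9, 26)
FORMAT_B = CardFormat("36-bit B (constructed)", 36, 1, 14, 15, 20)
FORMAT_C = CardFormat("26-bit C (constructed)", 26, 1, 8, 9, 16)


def encode(fmt: CardFormat, facility_code: int, card_number: int) -> str:
    """Build a raw bit string for a format, leaving parity bits as 0."""
    if facility_code >= 1 << fmt.fc_len or card_number >= 1 << fmt.cn_len:
        raise ValueError("value does not fit the field")
    bits = ["0"] * fmt.bit_length
    bits[fmt.fc_start:fmt.fc_start + fmt.fc_len] = format(facility_code, f"0{fmt.fc_len}b")
    bits[fmt.cn_start:fmt.cn_start + fmt.cn_len] = format(card_number, f"0{fmt.cn_len}b")
    return "".join(bits)


def field_value(bits: str, start: int, length: int) -> int:
    return int(bits[start:start + length], 2)


def decode(bits: str, formats: Sequence[CardFormat],
           default: Optional[CardFormat] = None) -> Optional[Credential]:
    """Walk the list top to bottom; use the default format if nothing matches."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("bits must be a non-empty string of 0 and 1")
    chosen = next((f for f in formats if f.bit_length == len(bits)), default)
    if chosen is None:
        return None
    # A default format may be shorter or longer than the read; refuse to
    # decode when its fields would run past the end of the data.
    if max(chosen.fc_start + chosen.fc_len, chosen.cn_start + chosen.cn_len) > len(bits):
        return None
    return Credential(chosen.name,
                      field_value(bits, chosen.fc_start, chosen.fc_len),
                      field_value(bits, chosen.cn_start, chosen.cn_len))


def shadowed(formats: Sequence[CardFormat]) -> List[Tuple[str, str]]:
    """Return (shadowed, winner) name pairs: definitions an earlier entry hides."""
    first_by_length = {}
    hidden = []
    for fmt in formats:
        winner = first_by_length.setdefault(fmt.bit_length, fmt)
        if winner is not fmt:
            hidden.append((fmt.name, winner.name))
    return hidden


# Constructed sample read: a card issued under FORMAT_A.
SAMPLE = encode(FORMAT_A, facility_code=37, card_number=40_000_000)

if __name__ == "__main__":
    for order in ([FORMAT_A, FORMAT_B, FORMAT_C], [FORMAT_B, FORMAT_A, FORMAT_C]):
        print([f.name for f in order])
        print("  decoded :", decode(SAMPLE, order))
        print("  shadowed:", shadowed(order))
```

With the wrong 36-bit definition on top, the read still decodes without error but yields a different facility code and card number, so the mismatch shows up only as unexpected access denials or unknown-card events.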
Customize Dealer and Installer Pages
The links for Dealer and Installer from the Freedom Administration software can be configured to match the company that sold and installed the MESH system.
Click on the System navigation tab.
On the left, click the Administration link.
Click the System Parameters sub link.
Edit the dealer.ini and installer.ini files using the in-browser editor or save and edit them locally and restore them.
For more information, please refer to the instructions in the MESH Parameter Files section.
Freedom Encryption Bridges
Viscount’s Freedom Encryption Bridges allow door hardware to be connected to Freedom servers. Bridges for card readers communicate with Freedom software. Data is received from card readers, encrypted and sent via IP to a Freedom server for processing. Relays on the Freedom Bridge are activated by commands from a Freedom server to lock or unlock doors.
Discovering Freedom Bridges on a Network
Freedom Bridges can be discovered using one of two methods: the Bridge Discovery Tool located in the Freedom Administration Software, or the standalone Windows tool called Bridge Configuration Utility (BridgeUtil). For most systems, the built-in web based discovery tool will be sufficient. If a Freedom bridge is not located on the same LAN as the Freedom server, or is behind a switch/router where UDP multicast traffic is being blocked, the bridge utility application should be used on a PC located on the network where UDP traffic is not being blocked.
Finding a Freedom Bridge on the Network
Once a Freedom Bridge is connected to the network, you can scan the network for the added device and add it to the Freedom Administration Software using the Freedom Bridge Utility.
You can also find the Freedom Bridge Utility at the bottom of the Devices - Main page by clicking on the Freedom Bridge Discovery Tool check box.
Using the Web Based Freedom Bridge Utility
Click on the System navigation tab.
On the left, click the Utilities link.
Click the Bridge Utility sub link.
Click the [Scan Devices] button. This process might take a minute or two.
Click on the MAC address of the device you wish to provision.
Assign the appropriate IP information to the device or choose DHCP. You may need to contact your system admin for this information. If the DHCP checkbox is checked, the IP, Netmask and Gateway fields are automatically populated once the bridge receives the DHCP information.
To update Bridge Configuration only, click on Save. Note that it might take up to two minutes to save.
To update and add the Bridge to Freedom, check Save & Add Device To Freedom checkbox and click Save.
Enter the name by which you’d like to refer to the device and click the Save button.
Lock Bridge Configuration
This is an option in the Freedom Bridge configuration to lock the system configuration of the bridge. Once you choose to lock the configuration, no changes to the configuration can be made remotely.
Removing the lock requires a manual reset of the bridge, which resets the IP address and requires the IP settings to be set again.
Windows Based Bridge Discovery Utility
The Freedom Bridge settings can be changed by using Viscount’s Bridge Utility. This program (BridgeUtil.exe) is self-contained, does not require a special install program and should run on Windows XP, 7, 8.1 and 10.
Download BridgeUtil.exe from Freedom Application
Click on the System navigation tab.
On the left, click on the Utilities link.
Click the Download sub link.
Click on the BridgeUtil link and save the executable on the PC.
Locate BridgeUtil.exe where it was downloaded. Right click on the executable and select “Run as administrator”.
Once the utility starts, click on the [Scan Devices] button and all the bridges on the local network will be displayed by MAC and IP addresses.
Double click on the MAC address of the bridge that needs to be configured.
The settings may be changed and updated as needed. When done, click the Save button.
Device Properties
Each Freedom Bridge model displays a different properties section. For example, a single port Freedom Bridge will only have one reader, input and output properties section; two ports will have two and so on.
The following tables describe the properties for Freedom bridges.
Reader Properties
Options | Description |
Description | Reader description identifies the reader. |
Default Card Format | This field specifies the card that is being used with this bridge device. Auto card format will try to match the best fitting card format. The auto card format behavior can be managed by going to System, Devices and then Manage Card Format. For more information see the section on Managing Card Formats. |
Input Properties
Options | Description |
Description | This field identifies what input signal is being monitored. |
Activate Relay Output | This option configures the Freedom Bridge to activate the specified relay when the input is shorted. Note: This feature is executed at the Freedom Bridge hardware level and does not require a connection to a Freedom server. Thus, it is generally used as a “Request to Exit” function (e.g. via a push button). |
Activate Relay Output: Relay: | This drop-down list specifies which relay is to be activated when an input event occurs. This drop-down menu is only active if the above Activate Relay Output checkbox is checked. |
Default Activation Time | This drop-down list specifies the number of seconds that the relay activates when an input event occurs. |
Supervised Input Ready: | This checkbox is for Freedom Bridge Devices that are equipped with supervised inputs. This field should be left unchecked unless the optional Supervised Input Board is connected. For specific instructions on how to connect the supervised input board, please see the appropriate instructions. |
LED Properties
Description: Identifies the LED when adding to Port Trigger Actions or viewing in Activity Logs.
Buzzer Properties
Description: Identifies the Buzzer output when adding to Port Trigger Actions or viewing in Activity Logs.
Relay Properties
Options | Description |
Description | Description of the relay output. Identifies the relay in the Controlled Areas and Port Triggered Actions. |
Default Relay Position | Default power up position of the relay. |
Schedules
Schedule Management
A Schedule is a given period of time that is applied to different aspects of the software. If a Schedule is added to a Controlled Area, then that schedule activates the devices and outputs in that Controlled Area. If a schedule is linked to a Controlled Area, under User or Guest Access Groups, then the schedule enables or disables access to that controlled area only to the users that are contained in that User Access Group.
A single schedule can contain more than one Period. For example, a schedule named Business Hours can contain a period Monday through Friday, 9 AM ON TIME and 6 PM OFF TIME. If needed, multiple periods can be added to a single schedule.
In addition, Special Days can be added to enable or disable access for certain days only. For example, if a special day is set to January first then that schedule can be turned off on every January first or it can be set to be active only on January first.
The current state (on or off) of all the schedules can be seen on the Schedule tab.
Adding a Schedule
Click on the Schedules navigation tab.
In the Actions bar, click on Add Schedule. The following screen is displayed:
Enter a Name and Description.
Select Weekdays OR Special Days.
If you select Weekdays, check the box for each Week Day this schedule applies to and check the box for each Type of Special Day you would like to exclude from this schedule. To add a Special Day, see instructions in the previous section.
If you select Special Days then you wish to apply this schedule ONLY to the Type of special day that you select in the dropdown box.
Enter an ON Time for this schedule.
Enter an OFF Time for this schedule.
Under Effective Dates, check the Always On box if this schedule is to remain in effect at all times or, if not, enter a Start Date and an Expire Date for this schedule.
Click Save.
Special Days (Holidays)
Special days are an optional addition to a schedule. They can be used for holidays or any other day where a schedule needs an explicit or relative period. Special days are added to schedules as a period so they may need to be configured before adding a schedule.
Adding a Special Day
Click on the Schedules navigation tab.
On the left, click the Special Days link.
In the Actions bar, click Add Special Day. The following screen is displayed.
Enter the Name of the Special Day.
Choose a number between 1 and 12 for the Type of this special day. Special day types allow grouping of different special days. For example, a Type 1 special day labeled First of Every month could contain the first day of every month. In this case, 12 special days will need to be added, all of them belonging to the Type 1 group.
Select Explicit or Relative. An Explicit day is a particular day of the year, while a Relative day is a day that will occur every month, i.e. the first Monday of every month.
Enter the Month and Day of the special day if Explicit was selected; select the Day of the Week if Relative was selected.
Click Save.
Assigning a Special day to a Schedule
Once a special day is added, it can be programmed to be a part of a schedule.
Controlled Areas
In general, Freedom has two different types of Controlled Areas - Door and Floor Areas.
Door Areas are areas that have readers; in this case the Door Area represents the in-cab reader. Floor Areas contain relay outputs that activate elevator access (e.g. a button in the cab).
The administrator needs to first "link" a Door Area to its associated Floor Area(s). That means all floors that are accessible by the elevator need to be linked to the Door; in this particular case the Door is simply the in-cab reader.
A Floor Controlled Area is an Access Control Object that represents a floor. It contains the Freedom Bridge output ports that are typically connected to elevator control modules in the building. Floor areas can be linked to door areas in such a way that when the Freedom server grants access to a door, its associated floor area outputs can be activated. The card holder’s floor access rights then determine which floor area should be activated.
How to set up
First, the administrator needs to create Door Areas to hold the elevator readers. Then for each controlled area, “link” the corresponding Floor Areas to it. In the above example, a Door Area called Elevator A is created that hosts “Cab A Reader”. This door needs to have linked Floor Areas “Cab A - FL 1”, “Cab A – FL 2” and “Cab A - FL3” that contain relays to elevator A’s control:
Elevator B would follow the same idea, except that it uses the Elevator B reader and Floor Areas Cab B – FL 1 through to FL 3.
Freedom offers two ways to handle Floor Access
Use separate Floor Access Groups
This is the original method implemented in 9.2 up to 10.1. The user will need to be assigned to a User Access Group that allows access to the various elevators. Floor Access Groups are then assigned to the user to give access to his floor.
This is what the User Access Group would look like for the above example:
This is what the Floor Access Group looks like for the 1st Floor:
For a card holder who has access to the 1st Floor, this is what his User and Floor Access Groups look like:
No separate Floor Access Group
This is a new option implemented in later versions of 10.1 and 9.2c. It reduces database migration effort from older systems such as 9.1, 8.7 and below.
To switch to this mode, in siteEngine.ini, set property “UseFloorAccessGroups” to “no”. Restart the server after update (please note that once this mode is chosen, returning to the old method may require some database clean up).
Once this mode is set, the “Floor Access Group” menu item will disappear from the Access tab:
In the above example, instead of having one Resident User Access Group and 3 Floor Access Groups, we need 3 Resident user groups, each of which covers elevator door access and one floor.
Each Residents group would have access to the Elevator A and Elevator B controlled areas:
Floor Access is folded into the User Access Group, in the second tab labeled “Floor Access and Schedules”. The “Resident FL 1” User Access Group includes access to the first floor for both elevators:
When assigning an Access Group, the administrator will select a group that gives the card holder access to both elevators and his corresponding floor. Note that in this mode, the Floor Access Group select box is not present.
Controlled Area Configuration
Configure a Door Controlled Area
Controlled Areas are areas in a facility that are controlled by one or more devices such as Card Readers. Any area within a facility that requires controlled entry or exit must be set as a Controlled Area. An area can also be set to change from Secure to Unsecure based upon schedules or manual control.
Adding a Door Controlled Area
Click on the Controlled Areas navigation tab.
In the Actions bar, click Add Controlled Area. The following screen is displayed:
Enter a Name that describes the controlled area.
Enter an optional Description.
Select Door Area as the Area Type.
Select a Reader for the controlled area.
By default, Freedom assigns the input 1 as Door Contact and input 2 as Request to Exit. To choose a custom setting, check Custom and select the desired input mapping.
Click Save.
Once the controlled area is saved, different aspects of it can be modified.
Config Tab
The Config tab allows the configuration of the reader that is assigned to the controlled area.
For a Door area:
Select a Card Format for the Reader; set it to Auto to default to the system settings.
For the Door Contact, check the Suprv Ready box to indicate that the bridge input has supervised resistors set.
Set the Door Contact Switch to Normally Open or Normally Closed.
For Request to Exit, check the Suprv Ready box to indicate that the bridge input has supervised resistors set.
Set the Request to Exit Switch to Normally Open or Normally Closed.
Check the Activate Relay to set the lock to trigger when the REX is fired and select a Relay and enter the number of seconds for it to remain active.
For each of the Outputs, enter a Delay time (the number of minutes/seconds the relay will fire) and an Activation Time (the number of minutes/seconds the relay stays open).
Select an Output for this door.
Enter an optional Description.
For each output, enter a Delay time (the number of minutes/seconds until the relay will fire) and an Activation Time (the number of minutes/seconds the relay stays open). Click the Show Accessibility box to enter an Accessibility Delay time and an Accessibility Activation time: this is a separate set of delays and activation times for users with special needs (e.g. wheelchair, crutches) that are used if the Accessibility check box is selected in that user’s setup page. See Chapter Users for more information on setting up a User.
Check the Latch Allowed box to allow the corresponding output to remain open (latched) when it is set to Open state either by the Administrator or through Unlock Schedule.
To add another Output line, click the + button beside the first output line.
Click Save when all outputs are configured.
Unlock Schedule Tab
A Schedule is a given period of time that is applied to Controlled Areas and Access Groups and is used to schedule device activation and alarms. If a schedule is added to a Controlled Area, then that schedule activates the devices and outputs in that Controlled Area. If a schedule is linked to a Controlled Area, under User or Guest Access Groups, then the schedule enables or disables access to that Controlled Area only to the users that are contained in that User Access Group.
For more information about schedules, please refer to Schedules.
In the Unlock Schedule tab on the View/Edit Controlled Area screen:
Select a Schedule for this controlled area.
Select an ON action.
Select an OFF action.
Select the box below each Alert Level that corresponds to the users in this controlled area: Low, Guarded, Elevated, High or Severe.
To add another Schedule line, click the button beside the first schedule line.
Click Save.
Door Monitor Tab
There are two Door Monitor Alarms for a controlled Door area: a Door Held Open Alarm that indicates a door being held open for a given period of time and a Door Forced Open Alarm that indicates that a door is being forced open without the use of a reader or an entry/exit device.
Freedom tracks the status of a monitoring device and tracks the state of an entry and an exit device. Once an event is triggered, two output actions can be activated for generating a buzzer or an alarm.
In the Door Monitor tab on the View/Edit Controlled Area screen:
Door Held Open Alarm
Under Door Held Open Alarm, check the Enable box.
Enter the number of seconds in the Held Open Time box before the alarm will sound.
Select an output in the Output 1 dropdown box; in the Action box, select Activate or Deactivate; in the Duration box, select the number of seconds the alarm will sound.
Repeat Step 3 for Output 2 if necessary.
Select the Schedule from the dropdown box that you would like applied to the action, or select Always On if you need the action to be enabled 24/7; check the Effective Except for this Schedule box to have the alarm sound during all schedules except this one.
Check the General Alarm box if you need this action to generate an alarm in the Events tab.
Check the Ack. Required box to require an acknowledgement from the AMS Server.
Select a Severity level from the dropdown box: Warning, Error, Alert, Critical, or Emergency.
If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server. To create a new alarm instruction, click the Alarm Instructions link and click Add Alarm Instruction in the Actions bar.
Once done, click Save at the bottom of the window.
Door Forced Open Alarm
Under Door Forced Open Alarm, check the Enable box.
Select an output in the Output 1 dropdown box; in the Action box, select Activate or Deactivate; in the Duration box, select the number of seconds the alarm will sound.
Repeat Step 2 for Output 2 if necessary.
In the Racing box, enter the number of seconds when the door contact state change is reported before the push button bar signal reaches the system. If Racing is set to 1, then the DFO will not fire if a REX is detected within one second of the door contact change state.
In the Shunt Window box, enter the number of seconds. This option shunts the alarm when the REX opens the door (no card scan releases the door).
Select the Schedule from the dropdown box that you would like applied to the action or select Always On if you need the action to be enabled 24/7; check the Effective Except for this Schedule box to have the alarm sound during all schedules except this one.
Check the Generate Alarm box if you need this action to generate an alarm in the Events tab.
Check the Ack. Required box to require an acknowledgement from the AMS Server.
Select a Severity level from the dropdown box: Warning, Error, Alert, Critical, or Emergency.
If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server. To create a new alarm instruction, click the Alarm Instructions link and click Add Alarm Instruction in the Actions bar.
Click Save.
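The Racing and Shunt Window settings above can be modelled as time windows around each door contact change. The following is an added example, not Freedom's code: the event names, the `forced_open_alarms` function, and the reading of Shunt Window as the number of seconds after a REX during which a door opening raises no alarm are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DoorEvent:
    t: float   # seconds from the start of the trace
    kind: str  # "card_granted", "rex" or "door_open" (names are assumptions)


def forced_open_alarms(events, racing=1.0, shunt_window=5.0, unlock_time=5.0):
    """Return the timestamps of door_open events that count as Door Forced Open.

    A door opening is treated as legitimate when one of these holds:
      * a card was granted at most `unlock_time` seconds earlier (assumed to
        match the output's Activation Time),
      * a REX was seen at most `shunt_window` seconds earlier (Shunt Window),
      * a REX arrives at most `racing` seconds later (Racing: the door contact
        change was reported before the push-bar signal reached the system).
    """
    rex_times = [e.t for e in events if e.kind == "rex"]
    grant_times = [e.t for e in events if e.kind == "card_granted"]
    alarms = []
    for e in events:
        if e.kind != "door_open":
            continue
        by_card = any(0 <= e.t - g <= unlock_time for g in grant_times)
        shunted = any(0 <= e.t - r <= shunt_window for r in rex_times)
        raced = any(0 < r - e.t <= racing for r in rex_times)
        if not (by_card or shunted or raced):
            alarms.append(e.t)
    return alarms


# Constructed trace for one door.
TRACE = [
    DoorEvent(10.0, "card_granted"),
    DoorEvent(12.0, "door_open"),   # opened after a valid card read
    DoorEvent(30.0, "rex"),
    DoorEvent(31.0, "door_open"),   # opened after REX, inside the shunt window
    DoorEvent(50.0, "door_open"),   # door contact reported first ...
    DoorEvent(50.4, "rex"),         # ... REX signal arrives 0.4 s later
    DoorEvent(80.0, "door_open"),   # no card and no REX: forced open
]

if __name__ == "__main__":
    print("Racing=1:", forced_open_alarms(TRACE, racing=1.0))
    print("Racing=0:", forced_open_alarms(TRACE, racing=0.0))
```

With Racing set to 0 the late REX at 50.4 s produces a nuisance alarm. Widening either window removes such alarms but also lengthens the period in which a genuine forced opening goes unreported, so keep both as small as the hardware timing allows.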
Advanced Tab
The Advanced tab on the Controlled Areas screen contains additional configuration flags:
Options | Description |
Toggle | Sets the Controlled area to Secure or Unsecure based upon an event other than a schedule. For example, an Authorized Card can change the state. Check the box for this function. Also provides ability to Disable the Door Monitor Event. Alarms are now enabled by default. This will not generate the alarm unless the Generate Alarm box is checked. |
Multi-Factor | Sets the number of Authorized Card Reads necessary to allow entry to the Area. Allows ability to implement 2-Factor or 3-Factor identification. |
Auth Mode | Relates to Multi-Factor. Sets the number of Users required for entry to the Area. Two-factor authentication mode for the number of factors used to activate an access grant: Single User, Multi-User, Guard Group. |
Guard Access Group | Defines the access group required for two-factor authentication. |
Auth Timeout | Relates to Multi-Factor. Set the number of seconds allowed between card reads. Note: a device that has Multi-Factor set can only reside in one Controlled Area. |
Exit Reader | Defines the exit reader. Required for counting for zone groups for Anti-passback and/or Muster reporting. |
Multi Card Swipe Tab
The multiple swipe action is intended to place multiple actions that change the state of a single Controlled Area, or of an entire zone group, on a pre-set number of card scans within a defined window of seconds.
It is a recommended best practice to assign the least secure action to the lower number and the more secure action to the higher number.
Assigning a Multi Swipe Action by Group
In the Multiple Swipe tab on the View/Edit Controlled Area screen:
Select the Card Swipe Interval: the number of seconds that you count the multiple swipes for this controlled area.
Select a specific User Group if only the identified user group will have access to take action on this reader; select ANY to allow all user groups to have access.
Select a Controlled Area or a Zone Group to activate.
Select Open, Close or LOCKDOWN in the Action dropdown box.
Select a Schedule or select Always On.
Click Save.
Floors Tab
The Floors tab allows you to link one Controlled area to floors. Typically the controlled area is an elevator reader area and the linked Floor Controlled Areas are the floors that the reader would provide access to.
In the Floors tab on the View/Edit Controlled Area screen:
Select a Floor Controlled Area from the Linked Floor Area dropdown box to link to this controlled area.
NOTE: More details on Floor Controlled Areas can be found in Chapter Elevator Configuration.
Enter a Delay time (a pause before the relay fires, default is 0 seconds) and an Activation Time (the duration that the relay activates, default is 5 seconds).
Click the Show Accessibility box to enter an Accessibility Delay time and an Accessibility Activation time. This is a separate set of delays and activation times for users with special needs (e.g. wheelchair, crutches) that are used if the Accessibility check box is selected in that user’s setup page. See Chapter Users for more information on setting up a User.
To link another floor to this controlled area, click the add (+) button.
Click Save.
Assign a Device to a Controlled Area
The following steps allow the user to associate a device to a Door Controlled Area that has not been assigned a device previously.
Click on the Controlled Areas navigation tab and select the Controlled Area that was just created.
In the Actions bar, click Assign Device.
In the Assign/Replace Door Reader screen, select a Reader for this controlled area.
Select Default or Custom
Default: will assign Input 1 to Door Contact, and Input 2 to REX.
Custom: Allows you to determine which input is the door contact, and which is the request-to-exit.
5. Click Save. The screen expands with more options. The administrator will be able to adjust Controlled Area parameters as described in the above sections.
Alarm Instructions
A customized message can be configured that will be passed to the AMS Server and displayed in the log when an Alarm is triggered. Alarm instructions can be used by Controlled Area’s Door Monitors or Port Triggered Actions in the next chapter.
To create an alarm instruction:
In the Controlled Areas navigation tab, click the Alarm Instructions link.
In the Actions bar, click Add Alarm Instruction. The following screen is displayed:
Enter a Description of the alarm instruction.
Enter any Details that pertain to this instruction.
Click Save.
Alarm Resolutions
Alarm resolutions are for the clear step of the alarm response process.
To create an alarm resolution:
In the Controlled Areas tab, click the Alarm Resolutions link.
In the Actions bar, click Add Alarm Resolution. The following screen is displayed:
Enter a Description of the alarm instruction.
Enter any Details that pertain to the instruction.
Click Save.
Port Triggered Actions
Port triggered actions are output actions, such as alarms, triggered by a conditional input or output event from a device. Port triggered actions are useful for alarm monitoring and requests to exit.
If a port is triggered and either of two conditions is true, the Output Action is triggered. This output action can have a delay and an activation duration.
E.g. If Input 1 from a Freedom Bridge is closed and the Front Door Reader’s Output is Not-Active then Front Door Reader’s Output should be Activated.
Adding a Port Triggered Action
Click on the Controlled Areas navigation tab.
On the left, click the Port Triggered Actions link.
In the Actions bar, click Add Port Trigger. The following screen is displayed:
Enter a Name for this action.
Select a Port Event from the dropdown list and select the state of the event: For inputs, choose Reset, Set, Error Break, or Error Short.
For outputs, choose Activate or Non Active.
Choose up to two Condition States for an output port and the condition of that device’s output port.
Combine two conditions with AND or OR from the dropdown list. For example, if Front Reader’s Output Port is Not-Active AND Front Door Trip Input 1 is Active then the Output Action is triggered.
Select an Output Action and select Deactivate, Activate, Buzzer On, Buzzer Off, Latch Active, Unlatch Active or No Action.
Enter the Delay before activation for the output action.
Enter the Activation Time for the output action.
Select a Controlled Area and its associated action: Open, Close, Enable panel, Disable panel, LOCKDOWN or Toggle.
Select a Schedule that defines the time that the Port Triggered Action is going to be used or leave it as Always On.
Generate an Alarm enables or disables logging of this Port Triggered Action in the alarm logs, desktop alarm client and AMS servers.
Choose the Severity of the alarm level: Info, Warning, Error, Critical, Alert, or Emergency. When set to Alarm, this will log the action to the Alarm Log.
If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server.
Select an Alarm Area.
To tag an NVR camera clip to the port triggered event, select the camera from the NetCam drop-down list. Before Event and After Event specify the time window (in seconds) of the clip relative to the event.
Click Save.
Zone Groups
Zone Group Management and Anti-Passback
Zone Groups allow users to group various Controlled Areas to form a Perimeter Security Zone where Anti-passback rules can be applied.
Adding Zone Groups
Click on the Controlled Areas navigation tab.
On the left, click the Zone Groups link.
In the Actions bar, click on Add Zone Group.
Enter a Name for the zone group.
Enter an optional Description of the group.
Check the Anti Passback Enabled box to enforce anti-passback for this zone group.
In the Anti Passback Forgiveness dropdown box select from the following options:
Options | Description |
Never | User cannot re-enter the perimeter until they pass through an exit reader or enter an area that is outside of the zone group. Otherwise Freedom administrators have to manually reset the user’s anti-passback lock. |
Midnight | Anti-passback lock will be forgiven at midnight. |
Every 12 hours | This forgives anti-passback locks twice a day: at noon and midnight. |
Every 6 hours | This forgives anti-passback locks every 6 hours (e.g. midnight, 6am, noon, 6pm). |
Every 2 hours | This forgives anti-passback locks every 2 hours (e.g. midnight, 2am, 4am, etc.) |
Every hour | This forgives anti-passback at the top of every hour. |
Every 30 minutes | This forgives anti-passback at the top and 30 minutes of the hour. |
8. Check the APB Enforced on Exit Readers box to enable this feature; anti-passback is imposed on exit readers also. You must set EnforceExitAccessRight to Yes in siteEngine.ini – go to the System tab, Administration, System Parameters page to edit this file.
9. Select a group of users in the Exempt Access Groups if you want them to be exempt from anti-passback rules.
10. Click Save.
Assigning Controlled Areas to Zone Groups
Once Zone Groups are created, controlled areas can be assigned to the zone groups. A Zone Group is a security perimeter that contains multiple controlled areas. Each zone group can exercise anti-passback rules on its controlled areas. For example, a building with two entrances can be seen as a zone group with two controlled areas (doors). If the anti-passback rule is enforced in this building, a person cannot enter through one door and re-enter through either door without first exiting the building.
To assign a Controlled Area to a Zone Group:
Click on the Controlled Areas navigation tab.
On the left, click on the Zone Groups link.
Click on the Zone Group to edit.
In the Controlled Areas drop down box, select all the Areas that are to be included.
Click Save.
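The two-door building described above, modelled with the Anti Passback Forgiveness options from the table, as an added example that is not Freedom's code. The `ZoneGroup` class, its method names and the choice to count forgiveness times from midnight are assumptions; APB enforcement on exit readers is not modelled.

```python
from datetime import datetime, timedelta

# Forgiveness options from the table above, as minutes between resets.
FORGIVENESS_MINUTES = {
    "Never": None, "Midnight": 1440, "Every 12 hours": 720,
    "Every 6 hours": 360, "Every 2 hours": 120, "Every hour": 60,
    "Every 30 minutes": 30,
}
APB_DENIED = 10204  # "Denied - Anti Passback" in the guide's event ID table


class ZoneGroup:
    def __init__(self, areas, forgiveness="Never", exempt_groups=()):
        self.areas = set(areas)
        self.interval = FORGIVENESS_MINUTES[forgiveness]
        self.exempt_groups = set(exempt_groups)
        self._locked_at = {}  # user -> time of the entry that set the lock

    def _last_forgiveness(self, now):
        """Most recent scheduled forgiveness time, counted from midnight."""
        if self.interval is None:
            return None
        midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
        elapsed = int((now - midnight).total_seconds() // 60)
        periods = elapsed // self.interval
        return midnight + timedelta(minutes=periods * self.interval)

    def _is_locked(self, user, now):
        locked_at = self._locked_at.get(user)
        if locked_at is None:
            return False
        boundary = self._last_forgiveness(now)
        # "Never" has no boundary; otherwise only locks set since the last
        # forgiveness time are still in force.
        return boundary is None or locked_at >= boundary

    def swipe(self, user, area, direction, now, access_groups=()):
        """Return (granted, event_id); event_id is set only on an APB denial."""
        if area not in self.areas:
            raise ValueError(f"{area} is not in this zone group")
        if self.exempt_groups & set(access_groups):
            return True, None           # Exempt Access Groups skip APB
        if direction == "out":
            self._locked_at.pop(user, None)
            return True, None
        if self._is_locked(user, now):
            return False, APB_DENIED    # second entry without an exit
        self._locked_at[user] = now
        return True, None

    def reset_user(self, user):
        """Manual reset of one user's lock."""
        self._locked_at.pop(user, None)

    def forgive_all(self):
        """Equivalent of the [Forgive All] button."""
        self._locked_at.clear()


if __name__ == "__main__":
    day = datetime(2024, 1, 8)  # constructed date
    building = ZoneGroup(["Front Door", "Side Door"], "Every 6 hours")
    print(building.swipe("alice", "Front Door", "in", day.replace(hour=8)))
    print(building.swipe("alice", "Side Door", "in", day.replace(hour=8, minute=5)))
    print(building.swipe("alice", "Side Door", "in", day.replace(hour=12, minute=1)))
```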
Resetting Anti-Passback Manually
Freedom Administrators can manually reset Anti-passback locks by editing the zone group record:
Click on the Controlled Areas navigation tab.
On the left, click on the Zone Groups link.
Click on the Zone Group to edit.
In the Edit Zone Group page, click the [Forgive All] button.
Click Save.
Manually Reset a User’s Anti-Passback Lock
Freedom Administrators can manually reset a user’s anti-passback lock via the Users page:
Click on the Muster navigation tab.
Check the box in the Reset column next to the user and click the [Reset] button above it.
Mustering
The Muster tab has two sub links: Muster/Anti Passback and Emer. Mustering. This functionality must be turned on in licensing.
Muster/Anti-Passback
This page shows a live view of the number of users who have entered into or exited from a Controlled Area. You can also go here to identify who is in what areas for anti-passback.
Emergency Mustering Report
The Emergency Mustering Report tab allows you to create custom area reports by Access Group and Controlled Area to support operations. This report is useful when security staff want to find out who is in the designated safety area (e.g. a zone group) during an emergency.
To create a custom Mustering Report:
Click on the Muster navigation tab.
On the left, click on the Emer. Mustering link. The following screen appears:
Select the Zone Group which represents the designated safety zone.
Select Access Groups to report on.
Select User Categories to report on.
Enter an Alarm Message Token to identify when a tagged event is enabled; it will grab the last event date and time as an anchor point to help highlight users who have entered the safety zone before the alarm took place. If there is no alarm required, leave this input blank.
Select the Zone Groups to be excluded in Report and select In, Out, or Both from the State dropdown box for each Controlled Area selected. This feature helps to filter out areas from the report that are not relevant to the alarm event.
Click the Add button to add this report to your list of Mustering Reports. These reports will list at the top of the screen and as sub links on the left once they are created.
Access Groups
Access Group Management
An Access Group is an organizational unit in which users can be placed. This lets the administrator apply access rights to groups instead of people, for ease of administration. This also lets the administrator make changes to a group of people as opposed to having to change the rights individually. An access group can have 1 or thousands of people (user accounts) assigned to it. There are also Floor Access Groups that allow access to specific floors and Guest Access Groups that work in conjunction with MESH panels. The instructions for adding each type of group are the same.
Adding a User, Floor or Guest Access Group
Click on the Access navigation tab.
Click on the User Access Groups, Floor Access Groups or Guest Access Groups link.
In the Actions bar, click on Add Access Group. The following screen is displayed:
Enter a Name and a Description.
Select the Risk Levels during which this group will have access: Low, Guarded, Elevated, High or Severe (the current risk level is always displayed at the top of the Freedom screen).
For more information on Risk Levels see the Alert Level Management section.
Select a Controlled Area for this group.
Select a Schedule for the Controlled Area. If that controlled area is not going to be accessed by that User Access Group, leave the schedule as Always Off.
If you need an additional line for extra Controlled Areas and/or Schedules, click the + button beside the current line. To delete a line, click the x button.
Click Save.
Global User Access Groups
In Freedom version 11, User Access Groups can be global to all sites. This makes Access administration more efficient for large enterprise systems. For example, all employees within an enterprise are assigned a general Access Group “Employees”. This group can be associated with any controlled area/schedule pairs in any site.
To create a Global User Access Group:
Click on the Access navigation tab.
Click on the User Access Groups.
Enter a Name and a Description.
Click Global Group check box.
Click Save to create the Access Group.
Once a Global Group is added, it will be visible to all sites. Administrators can associate it with any controlled area-schedule pairs that are local to the selected site.
Notice the Icon that highlights the Global Access Group “Employees”.
Users
Configuring a User’s Access
A User’s right to access through a door or to a floor is set up by entering a person into an Access Group. This Access Group is set to have rights to gain access to certain areas (controlled areas) of a facility at certain times (schedules). The following chart is a guide to setting up a person’s access rights.
Typically, schedules are configured first and then controlled areas are configured. Once done, these are attached to an Access Group. The final step is to assign a User to an Access Group.
Adding a User Account
In order to assign cards or key fobs to people, User Accounts must be set-up. During this process a User is assigned to an Access Group (or multiple Access Groups) which in turn defines their Access Rights. To set up a User Account do the following:
Click on the Users navigation tab.
In the Actions bar, click on Add User. The following screen is displayed.
Enter the user’s Last Name.
Enter the user’s First Name.
Select Yes or No to Display this user’s name in the Directory if there is an intercom on the panel.
Select this user’s Suite. This is also for Intercom functionality
Enter the MESH Card Number.
Enter the Wiegand Card Number that is assigned to the user or click on the [Read Card] button and present the card to the reader - the Wiegand number will automatically fill in the field. If the number is unknown, a card reader can be set up as an enrolment reader. To set up an enrolment reader, click on Select Enrolment Reader from the left menu and select the appropriate card reader.
Enter a PIN number for the card. This is for Intercom functionality.
Enter the user’s Email address.
Enter the user’s Telephone number.
Select the User Access Groups in the Available box that should be assigned to this user and click the right arrow button to move the group to the Selected box.
Select the Floor Access Groups for this user.
Enter the Date that the user’s access rights will Start.
Select Never, or enter the Date that the access rights of this user will Expire.
Click the Accessibility box if this is a user with special needs (i.e. wheelchair or crutches) that requires the longer Accessibility Delay and Activation times configured in Controlled Areas.
Select Yes to Enable Admin Functions if this user is an administrator – the View/Edit Admin User options will become available.
Click Save.
User Categories
You now have the ability to filter a global database of users by user category. Admin Users can be configured to see specific user categories.
Click on the Users navigation tab.
On the left, click on the User Categories link.
To add a new user category enter a Category ID number and a Category Name and click the add button.
To remove a User Category click the delete button.
Once you have created all of your User Categories you can assign them to your Admin Users in order to filter the users they have access to. Please refer to the Admin Users section to assign the categories.
Elevator Configuration
Elevator Management
In Freedom, each reader can be assigned to only one Door Area. For Freedom to activate floor relays upon a card swipe, it now has a new Floor Controlled Area type that can be linked to the Door Area where the elevator reader resides. Each Floor Area contains outputs that activate its corresponding elevator controls. To obtain access to floors, users need both User Access Groups (for card access) and Floor Access Groups (for elevator/floor access).
Installing Hardware
Install a Wiegand reader in the cab and connect its Wiegand wires to an FB9 adaptor.
On the FB9 adaptor board, change the address to 1 using the dip switch.
Run an RS485 cable long enough to connect the FB9 adaptor to the FB5 board which is located in the elevator/engine room of the building. This cable will likely run along the elevator shaft. Relays on the FB5 would be used to interface with the Elevator Control System in the elevator/engine Room.
Device Setup
In the Freedom Software, make sure that the FB5 (Digital IO) device has been added in the System – Devices tab. See Freedom Bridge Configuration for more information.
Create a Controlled Area - Type Floor
Click on the Controlled Areas navigation tab.
In the Actions bar, click Add Controlled Area.
Enter a Name and Description for the Controlled Area.
Select Floor Area in the Area Type dropdown box.
Click Save.
Add All Outputs that Belong to that Floor
This is intended to trigger all of the outputs that a user has access to. If a user has access to multiple floors, you would select all of the outputs that complete the circuit.
Once the Controlled Area is saved, the Outputs and Unlock Schedule tabs appear.
Select a device Output for this Floor controlled area. You may select and add multiple Floor Areas. Click the plus sign button to add the selected Output(s).
To create an unlock schedule, click on the Unlock Schedule tab. Please see the Unlock Schedules section of the Controlled Areas chapter earlier in this document for more information.
Click Save.
Link Floor Areas to the Elevator Reader’s Door Area
Create a Door Area and assign it with the elevator reader. Link all the Floor Areas that the reader can provide access to.
Create a new Controlled Area with the elevator reader.
In the new Controlled Area’s Floor tab, select all the associated Floor Areas; specify the desired activation time and click +.
Create a Floor Access Group
Create a floor access group to link the controlled area to a floor. You can have multiple floor access groups added to a single controlled access group.
Click on the Access navigation tab.
On the left, click on the Floor Access Group sub link.
In the Actions bar, click Add Floor Access Group.
Enter a Name and a Description and click Save.
Check the box(es) beside the Risk Level allowed for this floor.
Select the Controlled Area to link to this floor access group. If you need an additional controlled area, click the + button to add another line.
Click Save.
Assign Groups to the User
Add permissions to a floor access group in the User account. This grants access to the floor access group relays defined under the floor group created.
Click on the Users navigation tab.
Click on a User.
Scroll down to the Floor Access Group boxes and click on the Available Floor Access Group to move it to Selected. Select all floor access groups for this user.
Click Save.
Example Scenario
The building has 3 floors with one elevator cab. A reader is installed inside the elevator cab. As the tenant enters the elevator, he/she needs to present a card to access the floor(s) that he/she has rights to.
Controlled Area Configuration
Click on the Controlled Areas navigation tab.
In the Actions bar, click Add Controlled Area.
First we want to create a Door Controlled Area for the Elevator Reader. In this example select the FB5’s Reader 1 and this will be the cab reader.
Since there are 3 floors, you will create 3 Floor Controlled Areas. Name the first one Floor 1 Elevator Control and enter an extra Description line if necessary.
Select Floor Area in the Area Type dropdown box.
Select the FB5’s Reader 1 as its (Entrance) Reader. This Reader 1 will be the cab reader.
Click Save.
The Outputs and Unlock Schedule grid will appear. In the Outputs tab, select the FB5 Relay that activates Elevator Control Access to Floor 1 (e.g. relay 1).
Click on the Unlock Schedule tab to assign a schedule for this elevator if desired. For more information, please refer to the Unlock Schedule section of Chapter Controlled Areas.
Click Save.
Repeat Steps 2 to 9 to create a Floor 2 Elevator Controlled Area and add the same FB5 Reader in it as its entrance reader. In the Outputs tab, add the FB5 Relay that activates Elevator Control Access to Floor 2 (e.g. relay 2).
Repeat Steps 2 to 9 to create Floor 3 Elevator Controlled Area and add the same entrance reader and Floor 3 relay (e.g. relay 3).
Return to the Door Controlled Area created in Step 3, go to the Floors tab and add the three Floor Controlled Areas to it.
Create a Floor Access Group
Create a floor access group to link the controlled area to a floor. You can have multiple floor access groups added to a single controlled access group.
Click on the Access navigation tab.
On the left, click on the Floor Access Group sub link.
In the Actions bar, click Add Floor Access Group.
Enter a Name and a Description and click Save.
Check the box(es) beside the Risk Level allowed for this floor.
Select the Controlled Area to link to this floor access group. If you need an additional controlled area, click the + button to add another line.
Click Save.
Assign Groups to Users
You can assign a User Access Group to give general access to your users or a Floor Access Group to give them access to specific floors.
Click on the Users navigation tab.
Select a Floor 1 user from the list of users.
Scroll down to User Access Group or Floor Access Group. Click on the “Floor 1” Access Group in the Available box to move it to the Selected box.
Repeat Step 3 for all Floor 1 users.
Repeat Step 3 to add the “Floor 2” Access Group to all Floor 2 users and “Floor 3” Access Group to all Floor 3 users.
Click Save.
Operation
As a Floor 1 User presents the access card to the cab reader, the reader LED should light up (access granted) and allow elevator access to Floor 1 (e.g. Floor 1 button lights up).
Similarly Floor 2 User’s card would allow the user to access floor 2 inside the cab.
Events
Event Management
Freedom systems keep logs of certain activities and problems with devices under the Events tab.
The Events tab displays information such as the access attempts to the building and if they are granted or not. Calls placed, answered and wrong numbers dialed from the panels are logged. If a MESH Panel has the optional camera installed, a snapshot of the user is taken once access is granted by a suite. Scheduled opening or closing of a controlled area and any communication loss or device problems are also displayed. Alarm logs will also be displayed under the optional AMS Server. Preventative and pro-active measures should include the scheduled review of these event logs.
Viewing Events
The Events page refreshes automatically depending on login settings and is divided into a grid. The grid sections contain information about the event that took place. Multiple devices whose states are changed as a result of one event are grouped together to help with readability. Expanding an event will show all the resultant device changes.
Click on the Events navigation tab. The following screen is displayed:
Check the boxes above the grid to display the following options:
Live Update: check this box to update the table when there is live data or pause it for discussion and/or troubleshooting.
Local Time: the local monitoring time of the system.
Category: the final category of what is occurring.
Event Code: the events that are supposed to occur.
Current Site Only: the current site; leave unchecked to show data for all sites.
Access Events Only: only show access related events. To see all I/O and logic leave this box unchecked.
From the Display dropdown box, select Today, Last 3 days, This week or This month.
Select the number of entries to Show on one page.
You can filter the view by entering Search criteria and/or selecting the Type of event you’d like to view from the dropdown box. Type in the search text and hit Enter.
As the user enters search content, Freedom provides type-ahead hints. If the user prefers using a wildcard search, type ‘*’ to suspend type-ahead and continue to enter search text.
Freedom version 11 allows search criteria to contain multiple search categories. An implicit OR gate is applied to search criteria of the same category and an implicit AND gate is applied to search criteria of different categories. In the following example, the criteria read: “Last Name is ‘Lee’ or Last Name is ‘Hudson’ AND controlled area is ‘Front Internal Door’”.
To search for a specific event of a particular time window, please refer to Searching Events in the next section.
Event Groups & Categories
All events fall into one of the following groups and categories. In addition, every event in the system has an event id associated for searching.
Event Groups | Category | Description |
Access Control Activity | User | Cardholder activity on the system. |
| Port | Identifier to what device the activity occurred. |
| Door | The controlled area that the activity occurred. |
System | System | The system that the activity occurred. |
| Device | The bridge or device the activity occurred. |
| Port | The port the system data occurred. |
| Database | The database the system data occurred. |
| Credential | The credential data or error information. |
| LDAP | Active Directory sync data and errors. |
| Network | Data errors and other critical network data. |
Admin | Login/Logoff | Administrator authentication log. |
| Operator Action | Action done by the operator using AMS-Lite. |
External System | Video | Video activity events and errors. |
Searching Events
You can search events to track access or errors over several days. When searching events, it is possible to filter results by particular devices or events and it is also possible to generate a PDF or a CSV document from your search results.
Click on the Events navigation tab.
On the left, click on the Search Events link. The following screen is displayed:
Enter a From and To Date and Times for the data you wish to search.
Enter Search Criteria in the Filters input box.
Click the [Search] button to retrieve result set records.
The result set is shown in the area below the search criteria. The user may choose to download a copy of the result set in either CSV or PDF format by clicking the corresponding buttons.
Set Audit Data Search Criteria
Click on the System navigation tab.
On the left, click on the Utilities link.
Click on the Audit Data sub link. The following screen is displayed:
Enter a From and To Date and Times for the data you wish to search.
Enter a User ID.
In the Change box, enter a specified string from the audit logs to search through the data that has changed.
Select an Action.
In the Original Data box, enter a specified string from the audit logs to search through the original data. For example, you could search for a card number in the original field to find out who previously had this card.
Select a Function.
Click the [Search] button.
Export to a CSV File
You can export Event and User search data to a CSV file by clicking the CSV button.
Export to a PDF File
Data on the Device tab can be exported to a PDF file by using the PDF button.
Enhanced Access Denied Diagnostics
Freedom now has the ability to display why a user was denied in the system with all of the possible complex options. This data will also display in the activity details.
Event ID | Description |
10202 | Denied - CA Locked Down |
10203 | Denied - Invalid License |
10204 | Denied - Anti Passback |
10205 | Denied - Card Disabled |
10206 | Denied - User Deactivated |
10207 | Denied - User Expired |
10208 | Denied - Access Expired |
10209 | Denied - Risk Level |
10210 | Denied - Start Date Error |
10211 | Denied - Certificate Revoked |
10212 | Denied - Certificate Chain Invalid |
10213 | Denied - Certificate Signature Invalid |
10214 | Denied - Certificate Timestamp Invalid |
10215 | Denied - SSL Validation Error |
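The event IDs above can be used to triage an exported Events CSV. The following Python script is an added example and is not part of Freedom or of this guide. The column names (timestamp, event_id, user, controlled_area), the sample rows and the grouping of IDs 10211-10215 as PKI related are assumptions; adjust them to the header of your actual export.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs and descriptions as listed in the table above.
DENIED_EVENTS = {
    10202: "Denied - CA Locked Down",
    10203: "Denied - Invalid License",
    10204: "Denied - Anti Passback",
    10205: "Denied - Card Disabled",
    10206: "Denied - User Deactivated",
    10207: "Denied - User Expired",
    10208: "Denied - Access Expired",
    10209: "Denied - Risk Level",
    10210: "Denied - Start Date Error",
    10211: "Denied - Certificate Revoked",
    10212: "Denied - Certificate Chain Invalid",
    10213: "Denied - Certificate Signature Invalid",
    10214: "Denied - Certificate Timestamp Invalid",
    10215: "Denied - SSL Validation Error",
}

# Editorial grouping (an assumption, not a Freedom concept): certificate
# related denials usually point at PKI infrastructure rather than the user.
PKI_EVENTS = frozenset(range(10211, 10216))

# Constructed sample export; the header names are assumed.
SAMPLE_CSV = """\
timestamp,event_id,user,controlled_area
2024-03-01 08:00:05,10205,jdoe,Lobby
2024-03-01 08:00:40,10205,jdoe,Lobby
2024-03-01 08:02:10,10205,jdoe,Lobby
2024-03-01 08:30:00,10211,asmith,Server Room
2024-03-01 09:15:00,10215,asmith,Server Room
2024-03-01 09:20:00,10001,bwong,Lobby
2024-03-01 11:00:00,10204,bwong,Parking
"""


def load_denials(text):
    """Parse CSV text and keep only rows whose event ID is a known denial."""
    denials = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            event_id = int(row["event_id"])
            when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows instead of aborting the triage
        if event_id in DENIED_EVENTS:
            denials.append({"time": when, "event_id": event_id,
                            "user": row.get("user") or "",
                            "area": row.get("controlled_area") or ""})
    return denials


def summarize(denials):
    """Return (reason, count) pairs, most frequent reason first."""
    counts = Counter(d["event_id"] for d in denials)
    return [(DENIED_EVENTS[eid], n) for eid, n in counts.most_common()]


def repeated_denials(denials, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, area): n} where n denials fell inside one sliding window
    and n reached the threshold."""
    times_by_key = defaultdict(list)
    for d in denials:
        times_by_key[(d["user"], d["area"])].append(d["time"])
    hits = {}
    for key, times in times_by_key.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def pki_denials(denials):
    """Denials caused by certificate or SSL validation (IDs 10211-10215)."""
    return [d for d in denials if d["event_id"] in PKI_EVENTS]


if __name__ == "__main__":
    rows = load_denials(SAMPLE_CSV)
    for reason, count in summarize(rows):
        print(f"{count:3d}  {reason}")
    for (user, area), n in repeated_denials(rows).items():
        print(f"repeated denials: {user} at {area}: {n} within 5 minutes")
    for d in pki_denials(rows):
        print(f"PKI: {d['time']} {d['user']} {DENIED_EVENTS[d['event_id']]}")
```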
Reports
Reporting Management
In most sections of the Administration Software it is possible to generate a report (or several types of reports) for that section. Reports are generally used for auditing purposes and to view the data for a section in one place making at-a-glance viewing and printing easier. Generated report files are in the PDF file format. Adobe’s Acrobat Reader might be required to view these files.
Because generating reports requires accessing data that may be privileged, the user account you are logged in as when generating a report must have adequate permissions to access the report generating functionality of Freedom.
Creating PDF Report Files
PDF files can be generated from most pages by clicking on the [PDF] button beside the Search box. This will generate a PDF file, and the user will be asked to save the PDF file to a local folder or the file will be saved to a default location, depending on browser settings.
PDF reports can be generated for the following pages: System, Suites and Businesses, Users, User and Guest Access Groups, Controlled Areas and Port Triggered Actions, Schedules and Special Days.
Creating CSV Report Files
A CSV file can also be generated on the Users, Suites and Businesses, and Events pages. To download, click on the [CSV] button next to the Search box.
Reports Available By Page
Page | Report Name | Description |
Users | Users Report | Creates a list of all of the users in the database for review. |
Access | User Access | Creates a list of all of the user access groups in the list. |
| Guest Access | Creates a list of all of the guest access groups in the list. |
Controlled Area | Controlled Areas | Creates a list of all of the controlled areas. |
| Port Triggers | Creates a list of all port triggered actions currently in the system. |
Schedules | Schedule | Creates a list of all schedules and their respective periods. |
| Special Days | Creates a list of all of the special days currently in the system. |
Events | Attendance | Working in accordance with anti-pass back for in-out readers to determine if someone was in the building. |
| Alarm Monitor | Reports all alarms that occurred on the system between the requested date and time. |
| Alarm Activity | Reports all alarms that occurred on the system between the activity and the real system. |
Suites | Suites | Provides a list of all the suites in the system. |
| Businesses | Provides a list of all of the Business units in the system. |
Time and Attendance Reports
The Freedom System is capable of generating reports of who has entered a particular Controlled Area in a given time frame, and who is currently in a particular area. This controlled area needs to have an Entrance and an Exit reader programmed. A report can also be generated in PDF format or CSV to be imported into a spreadsheet or database application.
Click on the Events navigation tab.
On the left, click on the Reports link.
Click on the Attendance sub link.
Enter a From/To date and time.
Select the Zone Group(s) of interest.
Optionally select User Category of interest.
Optionally provide a Suite number, Card number, First or a Last name.
Select either CSV or PDF report type. The two additional types, CSV Summary and PDF Summary, show daily card holder attendance summaries; all access transaction details are omitted.
Click the Search button.
Backup & Restore
Manual Backup and Restore Configuration (Data)
It is recommended that regular backups of the database are made. Backup files should be stored on digital media such as flash drives or CDs and preferably kept in a secure place. Because the backup files can contain sensitive information they should be protected from unauthorized access.
Manually Backup Data
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the Backup Data sub link.
Find the location to store the file on the local computer.
Click Save
Manually Restore Data
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the Restore Data sub link.
Click the Choose File button. This will display the contents of the local computer.
Find and open the backup file.
Select the type of Restore:
Select Data Only if using a backup file from another unit.
OR
Select All Settings only if using a backup file from the same unit.
7. Click the RESTORE button.
8. Reboot the system using the reboot link in the Utilities section.
Local Automatic Backup and Recovery Management
Mesh systems do an automatic backup every day. These backup files can be used to bring the system back to a previous state before a file corruption may have occurred. These are done locally, and are part of the standard internal operation of all Mesh and Mesh systems.
Restore Database from Local Automatic Backup
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the Backup Data sub link.
Click the plus (+) sign beside Restore from a system backup. This will display a list of previously saved back up files. These files are sorted by date.
Click the Restore button beside the correct backup file.
Reboot the system using the Reboot link from the Utilities section.
Manual Backup of History (Event Logs)
All activities a system performs, such as dialing a suite from the panel, allowing PIN access, and allowing (or denying) access control activities, are recorded in the logs. Anyone whose user profile grants them access to the log can view and search the logs, and if the optional camera is installed, view photographs of people who use a system to access a building. Once a date is specified for backup a compressed ZIP file is created.
This file can be uncompressed using standard compression utilities built in to Windows. After uncompressing the logs, a program like Open Office or Microsoft Excel is needed to view the uncompressed comma separated value (CSV) file. The log backup file cannot be restored. It is only for auditing purposes.
Backup Local Business Admin Users
Because business admin users can’t access the System tab, the backup log instructions are different. Please refer to the Backup of Logs for Business Users section for more information.
Open Log Files
Decompress the Log file that was saved in the previous sections.
Use either Microsoft Excel or a CSV compatible application to view the CSV file.
Setting Up Remote Automatic Backups
Click on the System navigation tab.
On the left, click on the Utilities link.
Click on the Remote Backup sub link.
Select the Backup Method:
CIFS/SMB (Linux System Backup)
FTP
SFTP
5. In the Server field, enter the IP address with the corresponding protocol.
6. Enter the Remote file system Path.
7. Enter the User name and Password that have permissions to write to the server and path.
8. Select the Frequency of backups to be sent to the file:
Now – Sends when you select Save. Recommended for testing the initial backup.
Hourly
Daily
Weekly
Monthly
9. Click Save
Importing Data
To import data to the database, import a template from the Import Data screen under the System -> Administration -> Utilities tab. Imported data is added to the existing data; existing data is not replaced by this function. Suite, Suite Code, and Business Name have to be unique across the imported data and the existing data. The User field does not need to be unique, but duplicates will be created if identical names are imported.
Obtain a Data Template
Click on the System navigation tab.
On the left, click on the Utilities link.
Click on the Import Data sub link.
At the bottom of the page under To obtain a Data File Template, right click on the template and select “Save Target As...”, “Save Link As...”, or equivalent option from the pop-up menu that appears.
Select a directory to save the Mesh data backup file in the “Save as” dialog box.
Name the template with the .xls extension. For example, user-template.xls.
If the “Download complete” dialog box persists after the copy completes, click Close. Follow these steps carefully to append data to the database.
Setting up a database file to import:
Open the template file using MS Excel, or compatible spreadsheet application. Fill in the data.
Do not delete or change the header cells in the template or the import will fail.
Save the file to the comma separated values (*.csv) format.
Always import the Business file first, followed by the Suites file, then the Users file.
The result page displays the imported lines that generated errors. To correct the errors, create a new data file with the corrected data of those lines only and import the new data file.
In the Users template, leave the User Id column blank. This field is reserved for the Mesh system.
Importing Data
Select the type of data that is being imported from the Target Data table dropdown menu.
Click Browse.
Find the data file that is being imported; make sure it is in CSV format.
Click the Import button to add the data to the database. If no errors are displayed, the import is complete.
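The import rules above (unchanged header cells, unique Suite and Suite Code values, a blank User Id column) can be checked before uploading. The following Python pre-flight check is an added example and is not a Freedom tool. The header cells and rows in the samples are constructed; copy the real header from the downloaded template and the existing values from your own database export.

```python
import csv
import io


def validate_import(template_header, data_csv, unique_cols=(), existing=None,
                    must_be_blank=()):
    """Return a list of problems; an empty list means every check passed.

    template_header: header cells copied from the downloaded template
    unique_cols:     columns that must be unique in the file and the database
    existing:        {column: set of values already in the database}
    must_be_blank:   columns reserved for the system (User Id in the Users file)
    """
    existing = existing or {}
    reader = csv.reader(io.StringIO(data_csv))
    header = next(reader, None)
    # Rule from the guide: header cells must not be deleted or changed.
    if header != list(template_header):
        return [f"header {header!r} differs from the template"]
    missing = [c for c in (*unique_cols, *must_be_blank) if c not in header]
    if missing:
        return [f"columns not in template: {missing}"]
    problems = []
    seen = {col: set() for col in unique_cols}
    for line_no, cells in enumerate(reader, start=2):
        if not any(cell.strip() for cell in cells):
            continue  # ignore blank lines left behind by the spreadsheet
        if len(cells) != len(header):
            problems.append(
                f"line {line_no}: {len(cells)} cells, expected {len(header)}")
            continue
        row = dict(zip(header, (c.strip() for c in cells)))
        for col in must_be_blank:
            if row[col]:
                problems.append(f"line {line_no}: {col} must be left blank")
        for col in unique_cols:
            value = row[col]
            if value in seen[col]:
                problems.append(
                    f"line {line_no}: duplicate {col} {value!r} in file")
            elif value in existing.get(col, ()):
                problems.append(
                    f"line {line_no}: {col} {value!r} already exists")
            seen[col].add(value)
    return problems


# Constructed sample data; the header cells are assumed, not the real template.
SUITES_HEADER = ["Suite", "Suite Code", "Name"]
SUITES_CSV = """\
Suite,Suite Code,Name
101,1001,North Wing
102,1002,South Wing
102,1003,Annex
100,1004,Lobby Office
"""
USERS_HEADER = ["User Id", "First Name", "Last Name", "Suite"]
USERS_CSV = """\
User Id,First Name,Last Name,Suite
,Jane,Doe,101
7,John,Roe,102
"""
EXISTING = {"Suite": {"100"}, "Suite Code": {"1000"}}


def check_samples():
    """Validate the Suites file, then the Users file, against the rules."""
    return {
        "suites": validate_import(SUITES_HEADER, SUITES_CSV,
                                  unique_cols=("Suite", "Suite Code"),
                                  existing=EXISTING),
        "users": validate_import(USERS_HEADER, USERS_CSV,
                                 must_be_blank=("User Id",)),
    }


if __name__ == "__main__":
    for name, problems in check_samples().items():
        print(name, "OK" if not problems else problems)
```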
Commercial Database Replication
Database Replication Setup
Database replication is used for Freedom systems that are deployed as redundant systems: all information is communicated between them to create a hot standby that all bridges and users can communicate with in the event of failure. These are also the steps to deploy remote Freedom cube appliances for the sections that are needed.
The instructions below set up database replication between 2 or more Freedom servers. Before starting, verify that the full version numbers of the master and the slave nodes are identical.
Configuring the Master Server
Configure the firewall to allow incoming connections on port 31415.
Login to the Freedom administration software using the system user. Call Viscount Support if you need the system password.
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the System Parameters sub link.
Click on the siteEngine.ini file to edit it.
Edit the line that reads DBMode=single and change it to DBMode=master
Click Save.
Select and edit a different System Parameters file called start.ini
Edit the line that reads #sds.service=no and change it to sds.service=yes
Click Save and Reboot the server.
Once the system is rebooted, log back in with the system user and go to the System tab.
In the scope pane on the left, click on Utilities.
Click DB Replication.
Fill in the text boxes on the screen.
Host Name: This is the IP address of the master server.
Sync Name: Name for the configuration. Enter something that will identify the master server. This field must be alpha numeric.
Sync Protocol: Select http or https. In order to use https, additional configuration is required to install an SSL certificate on the master and slave servers.
Sync Port Number: Select the TCP port number that slave servers will be connecting to. The TCP port number selected must be configured in the firewall to allow incoming connections. The Freedom server is preconfigured to support port 31415; additional configuration on the server is required if another port number is used.
Click the Save button. The master node configuration will be displayed in the Master Node section. The Delete button of the master node allows users to remove the master configuration from the server. It will be disabled if there are slave nodes attached to the master. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process. The Refresh Server Cache button allows users to refresh the Freedom server cache to the slave nodes.
Configuring Slave Server
Login to the Freedom administration software using the system user. Call Viscount Support if you need the system password.
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the System Parameters sub link.
Click on the siteEngine.ini file to edit it.
Edit the line that reads DBMode=single and change it to DBMode=slave
Click Save.
Select and edit a different System Parameters file called start.ini
Edit the line that reads #sds.service=no and change it to sds.service=yes
Click Save and Reboot the server.
Once the system is rebooted, log back in with the system user and go to the System tab.
In the scope pane on the left, click on Utilities.
Click DB Replication.
Fill in the text boxes on the screen.
Master Node Registration URL: The URL that the slave server will be connecting to for data replication. The URL should be set to the Sync URL configured on the master server.
Sync Name: Name for the configuration. Enter something that will identify the slave server. This field must be alpha numeric.
Click the Attach button. The slave node configuration will be displayed in the Node section. The Detach button allows users to remove the node from the data replication. Detaching a slave node is a two-step process; refer to the Detaching Slave Server section below for details. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process.
To verify the slave server is configured properly, login to the master server and go to the System tab. Click on Utilities on the left and select DB Replication. The client node should be listed.
To verify that the configuration is good, add a controlled area on the master node and verify that it appears on the slave.
Detaching Slave Server
Detaching a slave server from the master server is a two-step process.
Logon to the slave server with the system user and go to the System tab.
In the scope pane on the left, click on Utilities.
Click DB Replication.
Click the Detach button to detach the node from the master.
Logon to the master server with the system user and go to the System tab.
In the scope pane on the left, click on Utilities.
Click DB Replication.
Find the client node and click the Delete button to detach the slave server.
Microsoft Active Directory (AD) Integration
Active Directory Overview
Active Directory integration is a way to integrate the Physical Access Control System with the existing logical infrastructure. In order to configure Active Directory you must login with the system account.
This section covers how to converge the logical provisioning that exists in Microsoft Active Directory with the logical access control of Freedom. It is intended to go over the basic configuration of Active Directory with Freedom to get your system up and running.
Single Server Deployment Example
Freedom Commercial or Freedom Enterprise links the Freedom application to each server; there are three methods of deployment.
Understanding Graceful Access
The Freedom access control system uses graceful access to link multiple different systems together.
Design Consideration
When deploying Freedom, each server in a global environment can be deployed as an extension that is managed by a different administrator. There is a pricing difference between the Freedom Commercial and Freedom Enterprise versions of the Active Directory licensing.
For training on active directory implementation, please reach out to trainingsupport@identiv.com
Active Directory Configuration
To configure Active Directory in Freedom:
Login to Freedom with the system account.
Click on the System navigation tab.
On the left, click on the Active Directory link.
Options | Description |
Connection Timeout | The connection timeout in seconds to the active directory. |
Audit Data Enabled | When this is enabled all changes made through the active directory integrations will be logged in the Audit logs. Enabling this option will dramatically increase the number of logs. The minimum hard disk space recommended is 500 GB when this feature is enabled. |
Web Login Enabled | Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration. It is recommended that for these types of accounts you name them differently than your standard user base to support the integration. |
User Sync Start Time | The start time of the synchronization on users, organizational units, and groups from LDAP connections. Multiple synchronizations can be scheduled to run at different times of the day. |
User Sync Read Timeout | The timeout in seconds before the query issued by user sync is aborted. |
Force Update Enabled | This will force user updates from the active directory structure. |
Live Update Enabled | This feature enables an OU, Group, and Access Group attribute check against active directory on every card scan. If disabled it will rely on the data from the scheduled synchronization. |
Live Update Read Timeout | The timeout in seconds before the query issued by live update is aborted. |
Live Update On Imported LDAP Connection | This setting is only applicable when multiple LDAP connections are configured. When enabled, if the PIN/carddata is already imported to Freedom, Live Update will be first performed on the LDAP connection where the PIN/carddata is imported from in order to speed up the Live Update process. |
4. Click the Save button to save the configuration.
LDAP Connections
To add a new LDAP connection:
On the Active Directory Configuration page, click the Add LDAP Connection button.
On the LDAP Connection page, enter the connection information of the LDAP Server.
Options | Description |
Name | The name of the LDAP connection. |
Server URL | The URL of the LDAP server. |
Search Base | Using the query structure, this is the search base for all queries. |
Domain | The DNS name of the domain that you would like to connect to. |
Username (User ID) | This is a user that has permissions to query the active directory domain defined. |
Password | Password of the active directory user. |
3. Click the Test Connection button to confirm Freedom can connect to the LDAP server.
4. Click the Save button to add the LDAP connection.
5. After the LDAP connection is saved, click the Cancel button to return to the Active Directory Configuration page.
6. On the Active Directory Configuration page, click the One Time Sync button to import the OUs and LDAP groups from the LDAP server.
7. Go to the Events tab and check the LDAP synchronization status. After the LDAP synchronization is finished, go back to the Active Directory Configuration page and click the LDAP Connection that you just added. From the LDAP Connection page, you can specify the criteria for importing users and admin users from the LDAP Server.
Active Directory User Import
Filter Import by Organizational Unit and Group
From the search index provided in setup, the import screen populates with the Groups and Organizational Units (OUs). Selecting Groups or OUs filters the import so that only the selected users are pulled into the Freedom system to manage.
To Import Users:
On the LDAP Connection page, click the Import Users button.
Click the AD Users Import/Sync tab.
On the Import Users page: To import all users, check the Import All Users box. To import users from Groups and OUs, click the entry in the Available box to move it to the Selected box. To search users in nested Active Directory groups, select the Nested Group Search checkbox.
Options | Description |
Import All Users From Groups | Imports all users who are part of the selected AD groups. |
Import All Users From OUs | Imports all users found in the OU, and all sub OUs. |
4. Click the Save button to save the import user configuration.
User Attribute Mapping
There are two types of fields to map in the User Attributes Mapping tab: fields that are automatically mapped and user selected fields.
On the Import Users page, click the User Attributes Mapping tab.
Automatically Mapped Fields
These fields are defined and statically mapped to AD attributes.
Freedom User Attribute | Active Directory Name |
Username (User ID) | objectSID |
First Name | givenName |
Last Name | sn |
Display Name | displayName |
Telephone | telephoneNumber |
Freedom Selected Mapped Fields
Freedom User Attribute | Mapping Behaviour and Features |
Start Date | The date must be a properly formatted date. If specified, it will be the start date of the user access. |
Expiry Date | The date must be a properly formatted date, and will disable the user credentials after the defined expiry date. |
Card Data | Map to multiple AD attributes. When a card is deleted from Active Directory, it will be deleted in Freedom. Likewise, when a new card number is added to a user in Active Directory, it will be added to Freedom. |
Pin | Select mapping to a single AD attribute. This attribute will be mapped to the User PIN in Freedom. The value in this AD attribute must be unique. |
Access Linked AD Attributes | Map to multiple AD attributes. All possible assigned values across all users are shown in a list and can be assigned to an access group, so values assigned to users can be mapped to access groups. If the user has this attribute, they will be granted access. |
User Category | Select mapping to multiple AD attributes. The first value found in the mapped AD attributes will be used as the user’s category. |
Custom Fields | Select mapping to a single AD attribute. If an attribute is a multiple value string, attribute is chosen in active directory. Supporting a Custom Mapping Name. |
Users Import Exclusion Filters
To further refine the criteria for importing users, you can create exclusion filters based on the value of the user’s AD attributes.
On the Import Users page, click the AD Users Import Filters tab.
There are two ways to specify the user import filter. By selecting the Attribute Exclusion Filter option, you can define filters to exclude certain users from importing to Freedom. Alternatively, you can select the Advanced LDAP Filter option to specify the actual import filter query for importing users to Freedom.
Define Attribute Exclusion Filter
Define LDAP filter query
Click the Save button to save the configuration.
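When writing an Advanced LDAP Filter by hand, attribute values that contain characters such as ( ) * or \ must be escaped, or the filter will exclude a different set of users than intended. The following Python helper is an added example, not Freedom code: it builds an exclusion filter in standard LDAP filter syntax (RFC 4515) and previews its effect on constructed directory entries. It assumes that the Advanced LDAP Filter field accepts standard filter syntax, and it uses the Active Directory attributes department, userAccountControl and sAMAccountName purely for illustration.

```python
import re

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Matches AD accounts with the ACCOUNTDISABLE bit (0x2) set in
# userAccountControl, using the LDAP_MATCHING_RULE_BIT_AND matching rule.
DISABLED_ACCOUNT = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


def escape_value(value):
    """Escape a literal value so it cannot act as a wildcard or filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_import_filter(exclusions, exclude_disabled=True):
    """Build a user filter that leaves out anyone matching an exclusion.

    exclusions: iterable of (attribute, literal value) pairs.
    """
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    if exclude_disabled:
        clauses.append(f"(!{DISABLED_ACCOUNT})")
    for attr, value in exclusions:
        if not _ATTR_NAME.match(attr):
            raise ValueError(f"invalid attribute name: {attr!r}")
        clauses.append(f"(!({attr}={escape_value(value)}))")
    return "(&" + "".join(clauses) + ")"


def would_import(entry, exclusions, exclude_disabled=True):
    """Apply the same rules locally to one entry (attribute -> list of values).

    String comparison is case-insensitive, as it is for most AD string
    attributes.
    """
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if exclude_disabled and uac & 0x2:
        return False
    for attr, value in exclusions:
        if any(v.casefold() == value.casefold() for v in entry.get(attr, [])):
            return False
    return True


def imported_names(entries, exclusions, exclude_disabled=True):
    """Preview which accounts the filter would let through."""
    return [e["sAMAccountName"][0] for e in entries
            if would_import(e, exclusions, exclude_disabled)]


# Constructed directory entries (512 = normal account, 514 = disabled).
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["jdoe"], "department": ["Sales (EMEA)"],
     "userAccountControl": ["512"]},
    {"sAMAccountName": ["asmith"], "department": ["Engineering"],
     "userAccountControl": ["514"]},
    {"sAMAccountName": ["bwong"], "department": ["Engineering"],
     "userAccountControl": ["512"]},
    {"sAMAccountName": ["svc-gate"], "department": ["Operations"],
     "userAccountControl": ["512"]},
]

if __name__ == "__main__":
    rules = [("department", "Sales (EMEA)")]
    print(build_import_filter(rules))
    print(imported_names(SAMPLE_ENTRIES, rules))
```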
Understanding Attribute Based Access Control
Leveraging the Access Group link to physical security allows the administration team to cut down on time associated with the users.
Active Directory Administrator Import
Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration. It is recommended that for these types of accounts you name them differently than your standard user base to support the integration.
For this section to allow the login from this group, you must have the Web Login Enabled box checked on the configuration page.
Mapping Access Group Field to Physical Access Group
The Freedom system will pull into the attribute list a list of all possible attributes that are currently loaded within active directory. On every card scan, Freedom will ask active directory if the user has the variable that is selected.
User Access Groups
The user access group can be linked to AD OUs, Groups or Access Linked AD attributes.
Attribute Based Access Control Use Cases
Besides associating a user access group to AD OU(s) and Group(s), you can select an AD attribute and use it as an Access Linked AD attribute.
This allows for several use cases around applying logical attributes to the physical space:
Umbrella Company Management: By Company name for contractors, employees, you can grant access to areas between time frames.
Business Specific Attributes: Every business has attributes that can drive access to physical areas:
1. Title
2. Department
3. Training Level
Geographic Association: Allowing anyone from the state to have general access to your front door and lobby area.
Clearance Levels: Clearance in AD allows for internal controls on physical area the same way you would allow AD.
Personal Identity Verification
When equipped with FICAM capable readers, Freedom can perform real-time PKI verifications during PIV card access.
Cardholder Registration Tool – VeriCert
VeriCert is a desktop application that registers PIV credentials into Freedom PACS and Validation System. With VeriCert’s intuitive design, a PIV cardholder’s credential can be fully authenticated, validated, registered and provisioned within seconds, allowing the cardholder access to a specified set of doors.
Using VeriCert
Before enrolling cardholders, it is important to configure a few settings:
Application Settings.
Connection Settings.
Application Settings
The Application settings for VeriCert allow administrators to select a USB smartcard reader. Preferences, such as name parsing patterns, may also be found in VeriCert’s application settings.
On the menu bar, click on Settings, and select Application Settings…
From the Enrollment Reader dropdown list, select the USB smartcard reader detected by the software. To detect a newly installed reader, click the Refresh button to update the dropdown list.
If the smartcard reader has a built-in keypad:
Check Use Reader’s Keypad to Enter PIN to use the smartcard reader’s keypad to enter PIN.
Uncheck Use Reader’s Keypad to Enter PIN to use the Workstation’s keyboard to enter PIN.
From the Printed Name Pattern dropdown list, select the name pattern that will be used to parse the printed name on a PIV credential. Click the Test button to check that the selected pattern produces the expected result.
Click Save to update Application settings.
Other Application Settings
Proxy server – the URL of the proxy server through which the OCSP server can be accessed.
FICAM Compliance – this setting allows VeriCert to omit PKI validation during registration. This setting should always be checked during normal operation.
Match Cardholder Fingerprint – this setting tells VeriCert to find a fingerprint match during registration. If this setting is enabled but no matching fingerprint is obtained, VeriCert will fail registration.
Additional Validation Details – this setting lets VeriCert record additional certificate details during validation and is useful for troubleshooting.
Site ID’s – this setting allows VeriCert to restrict the set of Access Groups that cardholders can be assigned to. By default this field is empty, meaning cardholders can be assigned to Access Groups from all sites.
Connection Settings
The connection settings denote the Freedom API Server that VeriCert will connect to. VeriCert uses the Freedom API to enroll PIV cardholders and retrieve Access Groups to/from Freedom Access Control System.
On the menu bar, click on Settings, and select Connection Settings…
In the Protocol field, select the Freedom API protocol. Default is HTTP.
In the Server Address field, enter the IP Address of the Freedom API Server. Default is 192.168.123.101.
In the Port field, enter the port of the Freedom API Server. Default is 9000.
In the Username field, enter a Freedom Admin User’s Username. Default is freedom.
In the Password field, enter a Freedom Admin User’s Password. Default is viscount.
Click on the Test Connection button to ensure that VeriCert can contact the Freedom API using the given settings. A Connection Successful notification will be shown if settings are correct.
Click Save to update settings.
Enrolling Cardholders
Insert the PIV card into the USB smartcard reader. VeriCert will take a moment to download and verify all required credentials.
Enter PIN when prompted.
Once the PIV credential is fully processed, verify the information and click the Next button.
Assign Access Group to the cardholder.
Click Save Change to send cardholder data to Freedom.
Freedom PIV
Freedom can perform certificate validation on PIV credentials during access. There are a number of settings that can adjust the validation process, such as status proxy update frequency, CRL download frequency, root and intermediate certificate store management, certificate policies, extended key usage extensions and PKI fault options.
PIV Configuration
In the System tab, under PIV, the first menu item is OCSP/CRL Configuration, which covers the back-end settings for PKI validation.
Enabled – this enables/disables real-time PKI/OCSP validation during card swipes. Note that when this feature is disabled, Freedom will at a minimum revert to downloaded CRL information to determine the validity of a credential.
Path Discovery Timeout – this specifies the timeout limit (in seconds) for Freedom to discover certificate chains.
Status Proxy Update Frequency – this specifies the frequency in hours that Freedom should update the status of cardholders’ certificates. The cached status will be used when real-time OCSP validation is failing due to network errors.
Deny Access upon OCSP timeout/network error – when enabled, this prevents Freedom from granting access when a network error occurs during an OCSP query.
Falls back to cache upon network error – when enabled, Freedom will look up cached status for a cardholder’s validity when there is an OCSP related network error. Note that even when this feature is disabled, Freedom will always revert to CRL information when no real-time OCSP information is available.
Additional Validation Result Details – when enabled, Freedom will record additional validation details such as certificate serial numbers and URL information during PKI validation process.
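The interaction of the three OCSP options above is easier to judge as a decision table. The following Python model is an added example, not Freedom's implementation: it encodes one reading of the option descriptions, and the order in which the Deny option and the cache fallback are checked is an assumption. It lists which combinations still grant access during an OCSP outage when the cached status and the last downloaded CRL are both stale.

```python
from itertools import product
from typing import NamedTuple

GOOD, REVOKED, NETWORK_ERROR = "good", "revoked", "network_error"


class OcspCrlSettings(NamedTuple):
    enabled: bool = True               # "Enabled"
    deny_on_ocsp_error: bool = False   # "Deny Access upon OCSP timeout/network error"
    fall_back_to_cache: bool = False   # "Falls back to cache upon network error"


def decide(settings, ocsp_result, cached_status, crl_lists_revoked):
    """Return (granted, source) for one card swipe.

    ocsp_result:       GOOD, REVOKED or NETWORK_ERROR (unused when disabled)
    cached_status:     GOOD, REVOKED, or None if the status proxy has no entry
    crl_lists_revoked: True if the last downloaded CRL lists the certificate
    """
    if settings.enabled:
        if ocsp_result in (GOOD, REVOKED):
            return ocsp_result == GOOD, "ocsp"
        # The OCSP query ended in a timeout or network error.
        if settings.deny_on_ocsp_error:
            # ASSUMPTION: the Deny option is evaluated before the cache.
            return False, "deny-on-error"
        if settings.fall_back_to_cache and cached_status is not None:
            return cached_status == GOOD, "cache"
    # Per the guide, downloaded CRL information is always the last resort.
    return not crl_lists_revoked, "crl"


def fail_open_configs():
    """Settings that grant access when OCSP is unreachable and a certificate
    was revoked after the last status proxy update and CRL download."""
    risky = []
    for enabled, deny, cache in product([True, False], repeat=3):
        settings = OcspCrlSettings(enabled, deny, cache)
        granted, source = decide(settings, NETWORK_ERROR,
                                 cached_status=GOOD, crl_lists_revoked=False)
        if granted:
            risky.append((settings, source))
    return risky


if __name__ == "__main__":
    for settings, source in fail_open_configs():
        print(f"granted via {source:5s} with {settings}")
```

In this model only the combination of Enabled and Deny Access upon OCSP timeout/network error refuses the swipe; every other combination relies on data that may be as old as the Status Proxy Update Frequency or the last CRL download.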
Certificate Manager
Certificate Manager allows administrators to configure Freedom’s certificate store. This certificate store holds both root and intermediate certificates.
To add a certificate to the store:
Go to System -> PIV -> Certificate Manager.
To add a certificate, click the Browse/Choose File button and select the certificate from the file system.
Click the + button to add the certificate.
To remove a certificate:
Click the X button beside the listed certificate.
Note that when a redundant certificate is being added, Freedom will ignore the new entry. A redundant entry means that the Issuer name and serial number of the certificate already exists in the store.
Certificate Policies
Freedom can impose certificate policy constraints on the three major certificates – PIV, Card Auth and CHUID Signature. These constraints are assigned in the form of OID strings.
To add a certificate policy constraint to a certificate:
Go to System -> PIV -> Certificate Policies.
Click the tab that represents the certificate type of interest.
Enter the OID string (e.g. 2.16.840.1.101.3.2.1.48.11), enter the description text (optional) and click the + button.
To remove a Certificate Policy OID:
Click the X button next to the OID.
Extended Key Usage Extensions
Similar to Certificate Policies, Freedom allows administrators to specify required extended key usage extensions.
To add an extended key usage extension constraint to a certificate type:
Go to System -> PIV -> Ext. Key Usage.
Click the tab that represents the certificate type of interest.
Enter the OID string (e.g. 2.16.840.1.101.3.2.1.48.13), enter the description (optional) and click the + button.
To remove an extended key usage extension constraint:
Click the X button next to the OID.
PKI Fault Options
During card access, Freedom performs a long list of validations that adhere to FICAM requirements. For institutions that may not issue PIV cards that fulfil all FICAM requirements, administrators can optionally disable certain fault validations. The following are the options that can be disabled:
Invalid CA Signature
Invalid CA notBefore Date
Invalid CA notAfter Date
Invalid Name Chaining
Missing Basic Constraints
Invalid CA False Critical
Invalid CA False not Critical
Invalid Path Length Constraint
keyUsage keyCertSign False
keyUsage Not Critical
keyUsage Critical CRLSign False
Invalid inhibitPolicyMapping
Invalid DN nameConstraints
Invalid SAN nameConstraints
Invalid Missing CRL
Invalid Revoked CA
ICAM Invalid CRL Signature
Invalid CRL Issuer Name
Invalid Old CRL nextUpdate
Invalid CRL notBefore
Invalid CRL Distribution Point
Valid requiredExplicitPolicy
Invalid requiredExplicitPolicy
Valid GeneralizedTime
Invalid GeneralizedTime
Invalid SKID
Invalid AKID
Invalid CRL format
Invalid CRL Signer
Golden PIV-I path
OCSP - Unable to get Issuer Cert Locally
To enable or disable PKI Fault Options:
Go to System -> PIV -> PKI Fault Options.
Check or Uncheck fault options.
Click Save to update.
CRL Summary
Freedom downloads CRL information for all cardholders in the database periodically. It provides a summary of the number of revoked certificates under each relevant issuer. See System -> PIV -> CRL Summary:
If CRL information cannot be obtained for more than 16 hours, this summary page will provide an alert that indicates ‘Download Overdue’.
PIV Card Single-Sign‐On Configuration
This section covers the steps to sign on to Freedom Admin using PIV cards.
Enroll a PIV cardholder into Freedom by VeriCert.
Go to Users, edit the user profile.
Enable Admin function to the user.
Enter the logon User ID, password and appropriate privileges.
Click Save.
Add the PIV card's Root Certificate in System -> PIV -> Certificate Manager.
Restart Freedom server (System -> Utilities -> Reboot).
In Windows, make sure “Certificate Propagation Service” is enabled and started.
Insert PIV card into reader.
In Chrome browser, go to https://<FreedomServerIP>:8443/
Select the PIV Authentication Certificate for the card.
Enter PIN.
Once the PIN is validated, the browser will log in to Freedom Admin.
Mobile Access
Freedom now provides location based access with mobile devices such as iPhone or Android. Traditionally each controlled area has to be associated with a reader. With this new “Geo Location” based feature, a controlled area can simply be assigned with a GPS co-ordinate or a proximity device such as a Bluetooth Beacon. Freedom first determines the user’s proximity to a door/controlled-area by comparing the location reported by the mobile. Once determined, Freedom then performs the corresponding access control operation. This feature conveniently bypasses the need for readers and access cards; instead a mobile device is used as credential identification.
Configuring Geo Location
To configure Geographic information:
Select the Controlled Area
Click the Geo Location tab.
For GPS based access, select GPS radio button.
Enter Latitude, Longitude, radius and the unit (e.g. Feet or Meter) which best cover the entrance area.
Click Enabled to activate Geo Location access for this area.
For Beacon based access, repeat steps 1 – 2 and click Beacon radio button instead.
Select the Unique ID from the Beacon dropdown list. For details on allocating Beacons in Freedom, see next section Configuring Beacon Access.
Click Enabled to activate Beacon access for the area.
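A review of GPS settings before they are entered, as an added example (not Freedom's algorithm, which this guide does not specify): it converts each radius to metres, tests which areas a reported position falls inside, and flags areas whose circles overlap so that one position matches more than one door. The haversine distance, the dictionary layout and the three sample areas are assumptions constructed for illustration.

```python
import math
from itertools import combinations

EARTH_RADIUS_M = 6371000.0
UNIT_TO_M = {"Meter": 1.0, "Feet": 0.3048}  # the two units named in the Geo Location tab

# Constructed sample areas (not real sites).
AREAS = [
    {"name": "Front Entrance", "lat": 49.2500, "lon": -123.1000, "radius": 100, "unit": "Feet"},
    {"name": "Loading Dock", "lat": 49.2503, "lon": -123.1000, "radius": 20, "unit": "Meter"},
    {"name": "Parking Gate", "lat": 49.2520, "lon": -123.1000, "radius": 50, "unit": "Feet"},
]


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two coordinates, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def radius_m(area):
    """Configured radius converted to metres."""
    return area["radius"] * UNIT_TO_M[area["unit"]]


def areas_containing(areas, lat, lon):
    """Names of every area whose circle contains the reported position."""
    return [
        a["name"]
        for a in areas
        if distance_m(a["lat"], a["lon"], lat, lon) <= radius_m(a)
    ]


def overlapping_pairs(areas):
    """Pairs of areas whose circles intersect (centre distance < sum of radii)."""
    pairs = []
    for a, b in combinations(areas, 2):
        gap = distance_m(a["lat"], a["lon"], b["lat"], b["lon"])
        if gap < radius_m(a) + radius_m(b):
            pairs.append((a["name"], b["name"]))
    return pairs


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(AREAS))
    print("at 49.2502,-123.1000:", areas_containing(AREAS, 49.2502, -123.1000))
```

An overlap means a single reported location satisfies two controlled areas; shrinking one radius or moving a centre until `overlapping_pairs` returns an empty list removes the ambiguity.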
Configuring Beacon Access
To configure Beacons in Freedom:
Go to System.
Click Mobile to expand its sub-menus.
Click Beacon Config.
Enter the following information:
Options | Description |
Server | URL for the Beacon Server Portal |
API Key | Key to access portal’s API. |
API Version | Version of the portal’s API. |
UUID | UUID for the Beacon count. |
Click the Sync checkbox to enable periodic updates of Beacon status information. By default, updates occur every two hours.
Mobile Device Registration
To register a Mobile user in Freedom, these are the general steps:
Create the user and set the Mobile flag to true.
Assign a mobile password for the user.
Freedom server will automatically send the password to the mobile user via email.
Once the password is obtained, the user may log on to the Freedom Mobile App and start enjoying the service.
Configuring email server on Freedom
Go to System -> Mobile.
Click Email Config.
Enter the email server’s address and the sender address of the registration email.
Configuring registration Email Template
Go to System -> Mobile.
Click menu item Mobile Onboard Email Template.
Enter Mail Subject Text, e.g. Mobile App Registration.
Enter Mail Content that shall contain links to download Mobile App, user password and any information that is valuable to the registration process.
A reserved token USER_PASSWORD can be embedded in the mail content which will then be replaced by the user password assigned during the registration process.
Managing Enterphone MESH Panels
MESH panels provide visitors with a way to communicate with tenants from the front common entrance. Tenants then can grant or deny access to the building. MESH panels display a list of users that can be dialed. For hardware installation please view the MESH Hardware Installation Guide.
By default MESH panels are added to a single controlled area. This allows the panel to grant access if the tenant presses the relay activation digit when dialed.
Enterphone MESH Panel Settings
MESH panel settings such as talk time, relay access digit and activation time can be configured. To access these settings:
Click on the System navigation tab.
On the left, click on the Enterphone MESH link.
In the Actions bar, click Add Panel. The following screen is displayed:
Enter the Panel ID. This ID number can be found in the sitepanel.ini file for this panel. See Mesh Parameter Files for more information.
Enter a Name: this identifies the panel when adding it to Controlled Areas. This field should be changed if there is more than one panel.
Enter the Relay 1 or 2 Access digit: the digit on the telephone that the tenant must press to activate the appropriate relay.
Enter the Relay 1 or 2 Activation Time (Seconds): this specifies how many seconds the relay stays activated once a tenant grants access.
Enter the Talk Time: this is the maximum duration of the call (in seconds) before it is automatically hung up.
Click Save.
Enterphone MESH (Controlled Area Tab)
The Enterphone MESH tab allows you to attach MESH panels to Controlled Areas. NOTE: MESH panels must have already been created in the System -> Enterphone MESH screen.
Please refer to the Mesh Panel Settings section for more details regarding MESH panels.
In the Enterphone MESH tab on the View/Edit Controlled Area screen:
Select an Enterphone MESH panel from the dropdown box.
To add a second panel to this controlled area, click the add + button.
Click Save.
Changing Screen Saver Image File
When MESH Panels are idle for more than the time set for the default screensaver time out, the default screensaver graphic is displayed. This graphic can be changed from the media files. Use the instructions in the Media Files section to access and change screensaver_1024x768.gif file.
This is the default screensaver picture. Edit this file using any graphic editing software that supports the GIF format. Keep in mind that the edited file’s name, resolution, and color settings must match this file. Once the editing is complete use the Update Media Files from the System tab to upload the edited screensaver_1024x768.gif file. Restart the Panel using the Reboot link at the bottom of the Utilities page.
Changing Screen Saver Timeout
By default, the screensaver activates after 60 seconds of inactivity. This number can be changed from the file sitePanel.ini.
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the System Parameters sub link.
Click on the sitePanel.ini file.
Edit the line screensaverTimeOut=60; change 60 to any other value. Do not edit any other value.
Check the Reboot after save box. This will do a full restart of the panel after you save the file.
Click Save.
Calibrate MESH Screen
MESH Parameters Files
MESH parameter files are used to configure the software on both the server and the panel. These files are located in the System Parameters link under the System -> Administration tab. These files can be edited using the in-browser text field provided by clicking on the file or backed up by clicking on Download and edited with a text editor locally then uploaded back to MESH. Once the files are uploaded back to MESH the server must be restarted using the Reboot link at the bottom of the Utilities page or by checking the Reboot after save option on the Edit page.
The following parameter files are user-modifiable:
dealer.ini
installer.ini
siteEngine.ini
sitePanel.ini
To Edit a Parameter file
Click on the Administration link from the System navigation tab.
Click on the System Parameters sub link.
Click on the file you would like to edit.
Make any changes necessary to the text presented in the text area.
If you would like a backup of the existing file, choose Write Backup.
Check the Reboot after save box if a reboot is required. Keep in mind that for the changes to take effect a full system reboot is required.
Click Save.
To Backup Parameter Files
Click on the Administration link from the System navigation tab.
Click on the System Parameters link.
Select the file you would like to back up.
To back up, click the Download link next to the file.
Select a location to back up the file.
Name the file with the extension *.ini.
Click Save.
Main and Peer Configuration (Sync MESH Units)
This form of replication only copies the Suite and User data to a remote panel to be loaded on the display. This does not allow for a remote system to be working as a backup unit for bridge communication.
Main peer integration with a panel is intended for one site only, where the unit is on the same network. Deploying multiple MESH panels across multiple sites is not supported in Freedom 9.1. Please see Mesh and Freedom Application Note (AN9019) for more details.
Main and peer configuration creates a link between two MESH units. This can be multiple MESH Panels to a single Freedom server or multiple Freedom servers to one Freedom server. The Main servers automatically start sharing data once a peer establishes communication. More information about main and peer configuration can be obtained from the Main
To Setup a Main and a Peer
Follow the instructions below on any unit that needs to be configured as a peer. No configuration is necessary on the main units.
Open the siteEngine.ini using the instructions from System Parameters.
Locate the line MainPeers=
Add the IP address of the main server. For example, MainPeers=192.168.123.101
Locate the line SystemName=
Add an appropriate name for the peer. For example, SystemName=FrontPanel
Save the siteEngine.ini
Restart the MESH peer system
Once the configuration is done, connect to the Main server and log in. At this point there should be a button labeled with the names of Peer devices along the top of the Administration System’s interface. If there are any changes that need to be made to non-common data, these buttons can be used to connect to the Peer devices. If the button is absent from the Main Server or Panel, check over the configuration that was made up to this point then log out and log back in.
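A check to run on a downloaded parameter file before uploading the edited copy, as an added example (not part of Freedom or MESH): it compares the backup with the edit and reports any key that changed outside the ones the procedure names, or whose new value is malformed. It covers both the screensaverTimeOut edit in sitePanel.ini and the MainPeers/SystemName edit in siteEngine.ini; the plain key=value layout, the value rules and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress


def parse_ini(text):
    """Return {key: value} for key=value lines; blank, comment and section lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Assumed value rules, taken from the descriptions in this guide.
VALIDATORS = {
    "screensaverTimeOut": lambda v: v.isascii() and v.isdigit(),  # seconds, 0 disables
    "MainPeers": _is_ip,                                          # IP of the main server
    "SystemName": lambda v: bool(v),                              # any non-empty name
}


def review_edit(original, edited, allowed):
    """List (key, problem) findings for an edited parameter file."""
    before, after = parse_ini(original), parse_ini(edited)
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old == new:
            continue
        if key not in allowed:
            findings.append((key, f"unexpected change {old!r} -> {new!r}"))
        elif new is None:
            findings.append((key, "line was removed"))
        elif not VALIDATORS.get(key, lambda v: True)(new):
            findings.append((key, f"invalid value {new!r}"))
    return findings


# Constructed sample contents (not real panel files).
PANEL_BACKUP = "serverName=localhost\npanelId=1\nscreensaverTimeOut=60\ndirectoryRows=8\n"
PANEL_GOOD = PANEL_BACKUP.replace("screensaverTimeOut=60", "screensaverTimeOut=120")
PANEL_BAD = PANEL_BACKUP.replace("panelId=1", "panelId=2").replace("=60", "=-5")
ENGINE_BACKUP = "MainPeers=\nSystemName=\n"
ENGINE_GOOD = "MainPeers=192.168.123.101\nSystemName=FrontPanel\n"
ENGINE_BAD = "MainPeers=192.168.123.1O1\nSystemName=FrontPanel\n"  # letter O typo

if __name__ == "__main__":
    print(review_edit(PANEL_BACKUP, PANEL_BAD, {"screensaverTimeOut"}))
    print(review_edit(ENGINE_BACKUP, ENGINE_BAD, {"MainPeers", "SystemName"}))
```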
Copy Common Data
Once the connection is established between a peer and a main, there may be some data inconsistencies. To clear all the data on the peer and copy everything from the main, a Copy Common Data needs to be done.
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the Copy Common Data sub link.
From the list of Available Servers, select the main server.
Click Copy.
MESH Panel File Configuration
On MESH Panels an additional configuration file exists that controls the configuration of Panel-specific options.
Use the steps described in Editing a Parameter file to edit the siteEngine.ini. The Panel will need to be restarted for any changes to this file to take effect.
Parameters in the sitePanel.ini file are:
Options | Description |
serverName | localhost or the IP address of the panel |
panelId | The panel ID. This field should not be changed. |
screensaverTimeOut | The number of seconds before the screensaver becomes active (0 deactivates the screensaver). |
codeprefix | Filters suites codes based on this digit so that only suites with codes beginning with this number (or range of numbers) are displayed on this panel. |
switchDigit | Calling suites with codes beginning with this digit or range of digits (e.g. “1-5” or “1,3,6”) will trigger the Call Redirector Board to use a second line. |
ringAltCount | The number of rings the dialer will wait before calling a suite’s alternate number. |
hbCode | If set, a button will be displayed at the top of the directory and when it is pressed, the suite whose code is entered will be dialed. |
activateOnDialPanelId | The Panel ID of a panel that is in a Controlled Area whose devices should activate whenever a panel is in use. This requires that a second panel be added to the local panel and that second ID used in the aforementioned Controlled Area. |
directoryRows | The number of rows of suites displayed in the directory listing. |
directoryColumns | The number of columns of suites displayed in the directory listing. |
SSButtonHeight | Vertical placement of language buttons expressed in pixels from the top. |
listBusTextCenter | Yes or No option to centre business names. |
directoryFont | Resize the directory font. 0 is the default, +1 will increase the size, -1 will decrease. |
businessFont | Resize the business listing font. 0 is the default, +1 will increase the size, -1 will decrease. |
displaySuiteCode | Yes or No option to display each suite’s code in the directory. |
rightAlignSuiteCode | Yes or No option to place suite codes on the left or right side of the display. |
Display Call Button | Yes or No option that allows for removal of the call button beside a tenant’s name. |
Search Only | Yes or No option that allows a user to use the panel only for searching for a tenant, no calling. |
listTextColor | An RGB triplet that sets the colour of the suites listed in the directory. |
listBusTextColor | An RGB triplet that sets the colour of the businesses listed in the directory. |
listBGColor | An RGB triplet that sets the background colour of listings in the directory. |
alternateBGColor | An RGB triplet that sets the alternating colour of listings in the directory. |
cancelButtonColor | An RGB triplet of the color applied to the cancel button. |
cancelButtonTextColor | An RGB triplet of the color applied to the text of the cancel button. |
logoColor | An RGB triplet that sets the colour of the logo area. |
buttonSelect | An RGB triplet of the colour applied to a button when it’s selected. |
sbTrackColor | An RGB triplet of the colour applied to the back of the scroll bar. |
keyColor | An RGB triplet that sets the colour of the touch keypad. |
sbThumbColor | An RGB triplet that sets the color of the directory scroll button. |
sbTrackColor | An RGB triplet that sets the colour of the directory scroll bar. |
Business Administrator Management
MESH Panels can be programmed to divide buildings into multiple businesses. Each business can control its own controlled area without affecting other businesses or areas. In order to divide buildings into businesses, controlled areas that will control a business’ physical access need to be created. When adding a new business to the Administration Software, areas that are controlled by that business can be selected. Then admin users can be added to be part of that business.
Business admin users are restricted on what they can add or view. Also, business admin users do not have access to the System tab and are therefore unable to manage the system or view any system related information. In addition, business admin users cannot add or delete suites, controlled areas or schedules. They can add user access groups and link them only to the controlled areas that are associated with that business. Any of the activity logs that are related to other businesses are not viewable by that business admin user. A single business can have more than one controlled area. Also, a single business admin user can belong to more than one business.
Create Business Users
Add a Business using the instructions in the Businesses section of Chapter Suites.
Add a new admin user using the instructions in the section: Site Administrator Management.
From the Add Admin User screen, select the business name from the Business list.
Backup of Logs for Business Users
Because business admin users can’t access the System tab, the backup log instructions are different.
Click on the Events navigation tab.
Select a range of dates in the From and To Dates. Note that the maximum number of days is 31.
Click Search
Download the search result in CSV Format.
Alarm Management System (AMS) Lite
Overview
It is important to note that if AMS is configured under the System tab, all monitoring features on a server are disabled.
In the System > AMS tab you have the ability to choose if you are able to view the Monitor tab. This is also where you would go to disable video prior to the setup of video. AMS Server will not be covered in this section; for information on setup of the AMS application please see.
Navigation Overview: Monitor Systems without Mapping Setup
AMS-Lite supports the ability to monitor the system without maps. The purpose of this mode is to give end users who choose not to map devices a clear way to list and report on the status of all of the devices.
This is how the system looks if there are no maps loaded into the system. Should you require maps for your site, please refer to Chapter Controlled Areas - Maps.
Navigation Overview: Controlled Area Display
With this version of Freedom there were many enhancements to the ability to quickly search and apply actions to the controlled areas, including the ability to acknowledge and clear the alarms listed.
Number Of Pending Alarms
A Live Alarm List Count displays on the alarm icon on all screens and will indicate if there is an alarm on the sites that you have access to see.
Number of Pending Alarms by Site
List Alarms by site by clicking on the Site link. These links will take you to the site map at any time.
Acknowledge and Clear
In the center panel of the alarm monitor tab you will see the alarm data come into the system. This is for the primary system.
Alarms can be acknowledged and cleared, with the ability to enable custom instructions for the acknowledge and clear steps.
Once acknowledged the system will show the next step as clearing the alarm.
Clearing alarms allows for the setup of custom messages.
Once the alarm is cleared, the details of the alarm may be researched on the Events tab.
When an alarm is acknowledged and cleared, the documentation and notes of the operator show on the alarm monitor report. The following is shown on the report:
Navigation: Monitor With Maps And Video
This section does not cover how to set up and configure video services. Instead, it covers only an overview of how to navigate using the video services.
Navigation Overview: Controlled Area Icon Supported Actions
Once the maps are installed, the center alarm monitoring screen shifts downwards, and allows for the mapping to show in the center, providing the following features:
While in Alarm the controlled area icon will flash red
While Acknowledged the controlled area will have a solid red ring around the system:
Clicking on the alarm in the bottom alarm tray will snap to the alarm, and pull alarm video associated with the alarm on the right hand video alarm panel:
Right-clicking the controlled area will give you the option to change the state of the controlled area, and to acknowledge and clear the alarms.
Selecting a controlled area will also show the activity history of that controlled area in the bottom left corner under the Controlled Area Activities.
Mapped live video streams may be scrolled over to display the live video feed.
While the bridge is connected, the reader shows as dark black. If the reader is offline, it shows as grey.
If the camera is online, it shows as black. If the camera is disconnected, it shows as grey with a line through it.
Live Video For Mapped Cameras
Scrolling over event video shows the video screen as shown below.
View All Cameras
The top of the live camera view has multiple options.
Select All Cameras (#) and this will bring up all cameras in the video panel to scroll through.
Navigation Overview: Login to NVR From Monitor Tab
Select the NVR Icon. This icon links to the NVR of the selected video feed. If you need to Export video from the NVR, or perform a more detailed review of the video, this is how you get there. Depending on the NVR, you may need a username and password.
Navigation Overview: Export View
Select the [Export View] icon at the top right of the screen. This is known as the Export Video button, which is covered later in this chapter. This does not export video; rather, it sends the video out to be monitored from a separate window.
This is to allow the operation of Freedom System, and Video monitoring on the same system, or two different monitors.
Navigation Overview: Select Video and Send to Export View
You can also select video to be exported, and move it to the next screen in a two screen scenario:
Select the video that you would like to export. This video feed will then be outlined in red (see photo above as an example).
Select an area in the Freedom Exported Video 4x4 where you would like the video to be displayed.
The video now appears in that area.
Once a configuration is set up, it may be saved to be recalled. All video saves are available across all systems.
Navigation Overview: Save Video Export View
Export Video
Create a name and enter it into the system:
Select Save
Navigation Overview: Event Video
When an alarm comes in with an associated event clip, the video is automatically displayed in the alarm video panel. The event video shows on the top, the alarm video shows on the bottom, and additional associated cameras show below that.
The top video is event playback – in the above example it is showing the start of the video clip before the light is turned on.
Once an alarm occurs on the bridge it will show the event clip, live video, and up to 4 cameras if they are associated with the controlled area for a quick view. You can click on the cameras to pull them up to view to track a person in the frames.
Navigation Overview: Event Clip Controls
In the bottom left corner there are replay and pause controls for the event clips. To save a snapshot of the image, click the camera icon in the bottom right-hand corner of the event clip screen, as seen here:
Configure AMS Lite
It is important to note that if AMS is configured under the System tab, all monitoring features on a server are disabled.
Add a Map to AMS Lite
Many web image file formats are supported. Before uploading a map file, edit it so that it is in one of the supported web image formats:
JPG
JPEG 2000
JPEG / JFIF
GIF
PNG
TIFF
To add a map of a floor plan or other system (any web file format supported):
In the Controlled Areas navigation tab, click on the Maps link. The following screen is displayed:
Current maps are listed on the left and the controlled areas are listed on the right. Click on a map to view it; click on the edit button to change the file associated with this map.
To add a new map, click on the +Add Map button. The following screen is displayed:
Enter Name and a Description for the map.
Click the [Choose file] button beside Map Image to import the map file image.
Click the [SAVE] button.
Place Controlled Area Icon On Map
Maps have been placed in the Controlled area tabs. You can simply drag and drop all controlled areas from the right to the map. Only one controlled area is supported per system. The controlled area may only exist in one location at a time.
To configure controlled area maps:
Click on the Controlled Areas navigation tab.
On the left, click on the Maps link. The following screen appears:
Drag and drop controlled areas onto the point.
Place Video Icon On Map
To set up the video portion of the system, you must log in with the system administrator account and ensure that video is enabled. If video is still not enabled after turning this setting on, you may need to check your server activation and ensure you have NVR Video licensing enabled.
This will allow the mapping of camera as an individual device. To attach a video feed to a controlled area, you must navigate to Controlled Area, select the controlled area, select the Cameras tab. This will then show the video icon attached to controlled area:
Mapping Icons
Remove Icon From Map
Scrolling over an icon will show the name, and a trash can icon. Click on the trash can icon to remove the controlled area or camera from the map:
Configure Custom Map Icons
Icons can be added to a map to indicate whether a controlled area is Closed, Open or in Lockdown. Freedom comes with three standard icons. Images of these icons can be changed in the Icons page.
To change a controlled area map icon:
In the Controlled Areas navigation tab, click on the Icons link. The following screen is displayed:
Click the [Choose file] button beside the icon to change and navigate to the new icon image and click Open.
The selected file name is displayed. Click the [Update] button to replace the icon image with this new image.