wireless access control past, present, and future
TRANSCRIPT
Wireless Access Control Past, Present, and Future
Curtis Baker Access Control Project Manager
Cornell University Police
Introduction Cornell Access Control Program Team: • Peggy Matta
• Program Director
• Curtis Baker • Project Manager/Programmer/DBA
• Eric Bourdon • Systems Administrator
• Mark Conrad • CUPD Records and Communication Center Manager
• Facilities Services Lock Shop Support: • Facilities Services Network and Systems Administration • Cornell Information Technology • CUPD Crime Prevention • Facilities Services Shops Primary Vendor: • Stanley Convergent Security Solutions
Access Control Program
Access Control Program: • Card Access • Video Surveillance • Key Management • Alarm Systems Fun Statistics: • 58 Segments • 134 ISC Panels • ~1700 Wired Readers • ~13 Wireless Readers • 45 Servers (30 NVR) • 210 Cameras • 234 Users • 177,000 Cardholders (275,000 Badges) • 60,000,000 Events/year
Human Resources & Safety Services
Cornell University Police Department
Access Control Program
Wireless Interest
Initial Interest: • Campus Life
• 2007/8 • Alternative to expensive rekeying process • Teetered off due to economic down turn
• Access Control Program / Life Sciences • 2009/10 • Cheaper alternative to expand access control systems
• Engineering • 2010 • Online & modern alternative/replacement to aging offline BASIS V
• Administration • 2012 • Added security and accountability on high risk/value units of
upper administration
Initial Problems
Product Issues • Untested • Unreliable • Not secure Software Issues • Integration Issues
– What do you mean…you want it to work with your existing card access system?
• User Interface – So, how do I set up and configure this lock?
The Vendors
Early 2011 • Began identifying vendors with solutions that
‘may’ work with OnGuard – Stanley Wi-Q – Onity ILS – Schlage AD – Sargent S2
• Gathered references • Requested Demo Units
Stanley Wi-Q
OnGuard Stanley
IIS Based Interface
Typical Door Hardware
IP
Stanley Wi-Q
Pros: • Conversion kit to upgrade BASIS V offline locks • Large capacity
– 144 time zones – 65k badges – 10k Events
• Redundant data storage • Decisions made at the lock • Can be integrated with most door hardware via
Wireless Access Controller • Good configuration and spectrum analysis tools
Stanley Wi-Q
Drawbacks: • Multiple proprietary systems between lock and
OnGuard system • 2.4 Ghz, same frequency range as many
wireless communication devices (headsets, etc.)
• Unfavorable customer reviews for initial release
Stanley Wi-Q
Other Thoughts: • Was excluded from pilot due to reviews • New update is now available that may address
some of the concerns • Will be discussing the possibility of a Fall 2012
pilot of these devices
Onity ILS
Intelligent Lock
Chassis Cylindrical Mortise
ANSI Standard Meets or exceeds A156.13, Grade 1 strength and operational requirements
Meets or exceeds A156.25, Grade 1 operational and security
Door Thickness 1-3/4” standard, 1-3/8” to 2-3/4” optional (available in 1/8” increments
Back set 2-3/4” standard, 2-3/8”, 3-3/4” and 5” optional 2-3/4” only
Latch Bolt 1/2” throw security latch standard3/4” throw optional
3/4” throw security latch standard1” throw dead bolt on Mortise optional
Levers Pressure cast zinc, plated to match finish Steel, plated to match finish
StrikeANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center standard, optional strikes, lip lengths and ANSI strike box available
ANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center with dust box standard, optional lip lengths available
Key Override Key override not standard. Available upon request
ILS MECHANICAL SPECIFICATIONS
ILS READER SPECIFICATIONS
Reader Technologies Magnetic Stripe Smart Card ProximityFrequency or Track Triple track reader 13.56 MHz 125 KHz
Standards ABA, ISO 76 ISO 15593, ISO 14443
Maximum Read Range Not applicable Up to .75”
Compatibility (secure sector) High coercivity magnetic stripe cards
Lenel iCLASS (programmable format), HID iCLASS
Not Applicable
Compatibility (serial number only) Not applicableISO 15693, ISO 14443A, HID iCLASS, Lenel iCLASS
HID Prox, HID Corporate 1000, AWID/Lenel Prox, others
Certifications FCC, Canadian FCC, UL294 pending
ILS System Configurations (offline and wireless illustrated) Secure and Reliable. Communication for all wireless Lenel ILS locks is accomplished via the Lenel Wireless Gateway. AES 128 bit encryption over 900 MHz band offers secure transmission of system parameters and cardholder data. Portable Communications. Whichever lock you choose utilizes a Mobile Configuration device with Lenel ILS application for initial lock set up. The Mobile Configurator is used to port data from the OnGuard system to the lock. Once configured, Lenel ILS wireless locks receive and send all subsequent updates through the associated Lenel ILS Wireless Gateway.
One lock, flexible modes. Lenel ILS support a number of operation modes, based on the use and preference of the user
Card Only. Lock is set to be opened with card only Unlocked. The lock is unlocked First Card Unlock. First valid card presented unlocks the lock for a set duration Blocked. A lock remains locked until presented with a badge with overriding priverledges Secured. Lock remains locked until it transitions to new mode or presented with emergency lock card Unsecured. Lock remains unlocked until it transitions to new mode or presented with emergency unlock card Facility Code Only. Lock is opened by a card with a valid facility code, authorization level, and card
Onity ILS
Pros: • Built specifically for OnGuard • No additional software
– Wireless Access Point connects directly to Lenel Communication Servers via IP
• Does not count towards traditional reader licenses
• Good battery life – 3AA every 2 years
Onity ILS
Drawbacks: • No support for badge offset • Firmware non-expandable
– “Feature lock at release” • No exit device trim • Requires a proprietary access point • Limited onboard capacity
– 5000 Badges – 1000 Events
Onity ILS
Other Thoughts: • This lock was pulled from the live pilot due to
missing card format features • Only configured on our testing server • Since there is no expandability with current
hardware, a fix will not be available until 2014
Schlage AD
Intelligent Lock
Chassis Cylindrical Mortise
ANSI Standard Meets or exceeds A156.13, Grade 1 strength and operational requirements
Meets or exceeds A156.25, Grade 1 operational and security
Door Thickness 1-3/4” standard, 1-3/8” to 2-3/4” optional (available in 1/8” increments
Back set 2-3/4” standard, 2-3/8”, 3-3/4” and 5” optional 2-3/4” only
Latch Bolt 1/2” throw security latch standard3/4” throw optional
3/4” throw security latch standard1” throw dead bolt on Mortise optional
Levers Pressure cast zinc, plated to match finish Steel, plated to match finish
StrikeANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center standard, optional strikes, lip lengths and ANSI strike box available
ANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center with dust box standard, optional lip lengths available
Key Override Key override not standard. Available upon request
ILS MECHANICAL SPECIFICATIONS
ILS READER SPECIFICATIONS
Reader Technologies Magnetic Stripe Smart Card ProximityFrequency or Track Triple track reader 13.56 MHz 125 KHz
Standards ABA, ISO 76 ISO 15593, ISO 14443
Maximum Read Range Not applicable Up to .75”
Compatibility (secure sector) High coercivity magnetic stripe cards
Lenel iCLASS (programmable format), HID iCLASS
Not Applicable
Compatibility (serial number only) Not applicableISO 15693, ISO 14443A, HID iCLASS, Lenel iCLASS
HID Prox, HID Corporate 1000, AWID/Lenel Prox, others
Certifications FCC, Canadian FCC, UL294 pending
ILS System Configurations (offline and wireless illustrated) Secure and Reliable. Communication for all wireless Lenel ILS locks is accomplished via the Lenel Wireless Gateway. AES 128 bit encryption over 900 MHz band offers secure transmission of system parameters and cardholder data. Portable Communications. Whichever lock you choose utilizes a Mobile Configuration device with Lenel ILS application for initial lock set up. The Mobile Configurator is used to port data from the OnGuard system to the lock. Once configured, Lenel ILS wireless locks receive and send all subsequent updates through the associated Lenel ILS Wireless Gateway.
One lock, flexible modes. Lenel ILS support a number of operation modes, based on the use and preference of the user
Card Only. Lock is set to be opened with card only Unlocked. The lock is unlocked First Card Unlock. First valid card presented unlocks the lock for a set duration Blocked. A lock remains locked until presented with a badge with overriding priverledges Secured. Lock remains locked until it transitions to new mode or presented with emergency lock card Unsecured. Lock remains unlocked until it transitions to new mode or presented with emergency unlock card Facility Code Only. Lock is opened by a card with a valid facility code, authorization level, and card
LNL-500W
Intelligent Lock
Chassis Cylindrical Mortise
ANSI Standard Meets or exceeds A156.13, Grade 1 strength and operational requirements
Meets or exceeds A156.25, Grade 1 operational and security
Door Thickness 1-3/4” standard, 1-3/8” to 2-3/4” optional (available in 1/8” increments
Back set 2-3/4” standard, 2-3/8”, 3-3/4” and 5” optional 2-3/4” only
Latch Bolt 1/2” throw security latch standard3/4” throw optional
3/4” throw security latch standard1” throw dead bolt on Mortise optional
Levers Pressure cast zinc, plated to match finish Steel, plated to match finish
StrikeANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center standard, optional strikes, lip lengths and ANSI strike box available
ANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center with dust box standard, optional lip lengths available
Key Override Key override not standard. Available upon request
ILS MECHANICAL SPECIFICATIONS
ILS READER SPECIFICATIONS
Reader Technologies Magnetic Stripe Smart Card ProximityFrequency or Track Triple track reader 13.56 MHz 125 KHz
Standards ABA, ISO 76 ISO 15593, ISO 14443
Maximum Read Range Not applicable Up to .75”
Compatibility (secure sector) High coercivity magnetic stripe cards
Lenel iCLASS (programmable format), HID iCLASS
Not Applicable
Compatibility (serial number only) Not applicableISO 15693, ISO 14443A, HID iCLASS, Lenel iCLASS
HID Prox, HID Corporate 1000, AWID/Lenel Prox, others
Certifications FCC, Canadian FCC, UL294 pending
ILS System Configurations (offline and wireless illustrated) Secure and Reliable. Communication for all wireless Lenel ILS locks is accomplished via the Lenel Wireless Gateway. AES 128 bit encryption over 900 MHz band offers secure transmission of system parameters and cardholder data. Portable Communications. Whichever lock you choose utilizes a Mobile Configuration device with Lenel ILS application for initial lock set up. The Mobile Configurator is used to port data from the OnGuard system to the lock. Once configured, Lenel ILS wireless locks receive and send all subsequent updates through the associated Lenel ILS Wireless Gateway.
One lock, flexible modes. Lenel ILS support a number of operation modes, based on the use and preference of the user
Card Only. Lock is set to be opened with card only Unlocked. The lock is unlocked First Card Unlock. First valid card presented unlocks the lock for a set duration Blocked. A lock remains locked until presented with a badge with overriding priverledges Secured. Lock remains locked until it transitions to new mode or presented with emergency lock card Unsecured. Lock remains unlocked until it transitions to new mode or presented with emergency unlock card Facility Code Only. Lock is opened by a card with a valid facility code, authorization level, and card
ISC
Intelligent Lock
Chassis Cylindrical Mortise
ANSI Standard Meets or exceeds A156.13, Grade 1 strength and operational requirements
Meets or exceeds A156.25, Grade 1 operational and security
Door Thickness 1-3/4” standard, 1-3/8” to 2-3/4” optional (available in 1/8” increments
Back set 2-3/4” standard, 2-3/8”, 3-3/4” and 5” optional 2-3/4” only
Latch Bolt 1/2” throw security latch standard3/4” throw optional
3/4” throw security latch standard1” throw dead bolt on Mortise optional
Levers Pressure cast zinc, plated to match finish Steel, plated to match finish
StrikeANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center standard, optional strikes, lip lengths and ANSI strike box available
ANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center with dust box standard, optional lip lengths available
Key Override Key override not standard. Available upon request
ILS MECHANICAL SPECIFICATIONS
ILS READER SPECIFICATIONS
Reader Technologies Magnetic Stripe Smart Card ProximityFrequency or Track Triple track reader 13.56 MHz 125 KHz
Standards ABA, ISO 76 ISO 15593, ISO 14443
Maximum Read Range Not applicable Up to .75”
Compatibility (secure sector) High coercivity magnetic stripe cards
Lenel iCLASS (programmable format), HID iCLASS
Not Applicable
Compatibility (serial number only) Not applicableISO 15693, ISO 14443A, HID iCLASS, Lenel iCLASS
HID Prox, HID Corporate 1000, AWID/Lenel Prox, others
Certifications FCC, Canadian FCC, UL294 pending
ILS System Configurations (offline and wireless illustrated) Secure and Reliable. Communication for all wireless Lenel ILS locks is accomplished via the Lenel Wireless Gateway. AES 128 bit encryption over 900 MHz band offers secure transmission of system parameters and cardholder data. Portable Communications. Whichever lock you choose utilizes a Mobile Configuration device with Lenel ILS application for initial lock set up. The Mobile Configurator is used to port data from the OnGuard system to the lock. Once configured, Lenel ILS wireless locks receive and send all subsequent updates through the associated Lenel ILS Wireless Gateway.
One lock, flexible modes. Lenel ILS support a number of operation modes, based on the use and preference of the user
Card Only. Lock is set to be opened with card only Unlocked. The lock is unlocked First Card Unlock. First valid card presented unlocks the lock for a set duration Blocked. A lock remains locked until presented with a badge with overriding priverledges Secured. Lock remains locked until it transitions to new mode or presented with emergency lock card Unsecured. Lock remains unlocked until it transitions to new mode or presented with emergency unlock card Facility Code Only. Lock is opened by a card with a valid facility code, authorization level, and card
Schlage AD
Pros: • Direct hardware interface with OnGuard ISC’s • No additional software • Good battery life
– 4AA every 2 years
• Can be connected to spare reader points on installed LNL1320’s via PIM TD2
• Compatible with most trims (mortise, exit, etc.) • Long Range Receiver (200-1000ft) • Lock down capable with ‘Wake up on radio’
Schlage AD
Drawbacks: • Requires existing system + 500W board • Contributes to ISC reader limit • Limited status reporting • Requires a proprietary 900Mhz wireless access
point • Highest Installation Cost
Schlage AD
Other Thoughts: • Overall this lock appears to be the most reliable
based on our live testing to date • The infrastructure is the most expensive to
prepare because it must utilize either a RS485 connection from the ISC or be wired directly to the contacts on a RIM.
• Due to the limit of 16 readers per PIM, this solution may not be the best option for high density deployment
Sargent S2
Intelligent Lock
Chassis Cylindrical Mortise
ANSI Standard Meets or exceeds A156.13, Grade 1 strength and operational requirements
Meets or exceeds A156.25, Grade 1 operational and security
Door Thickness 1-3/4” standard, 1-3/8” to 2-3/4” optional (available in 1/8” increments
Back set 2-3/4” standard, 2-3/8”, 3-3/4” and 5” optional 2-3/4” only
Latch Bolt 1/2” throw security latch standard3/4” throw optional
3/4” throw security latch standard1” throw dead bolt on Mortise optional
Levers Pressure cast zinc, plated to match finish Steel, plated to match finish
StrikeANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center standard, optional strikes, lip lengths and ANSI strike box available
ANSI curved lip strike 1-1/4” x 4-7/8” x 1-3/16” lip to center with dust box standard, optional lip lengths available
Key Override Key override not standard. Available upon request
ILS MECHANICAL SPECIFICATIONS
ILS READER SPECIFICATIONS
Reader Technologies Magnetic Stripe Smart Card ProximityFrequency or Track Triple track reader 13.56 MHz 125 KHz
Standards ABA, ISO 76 ISO 15593, ISO 14443
Maximum Read Range Not applicable Up to .75”
Compatibility (secure sector) High coercivity magnetic stripe cards
Lenel iCLASS (programmable format), HID iCLASS
Not Applicable
Compatibility (serial number only) Not applicableISO 15693, ISO 14443A, HID iCLASS, Lenel iCLASS
HID Prox, HID Corporate 1000, AWID/Lenel Prox, others
Certifications FCC, Canadian FCC, UL294 pending
ILS System Configurations (offline and wireless illustrated) Secure and Reliable. Communication for all wireless Lenel ILS locks is accomplished via the Lenel Wireless Gateway. AES 128 bit encryption over 900 MHz band offers secure transmission of system parameters and cardholder data. Portable Communications. Whichever lock you choose utilizes a Mobile Configuration device with Lenel ILS application for initial lock set up. The Mobile Configurator is used to port data from the OnGuard system to the lock. Once configured, Lenel ILS wireless locks receive and send all subsequent updates through the associated Lenel ILS Wireless Gateway.
One lock, flexible modes. Lenel ILS support a number of operation modes, based on the use and preference of the user
Card Only. Lock is set to be opened with card only Unlocked. The lock is unlocked First Card Unlock. First valid card presented unlocks the lock for a set duration Blocked. A lock remains locked until presented with a badge with overriding priverledges Secured. Lock remains locked until it transitions to new mode or presented with emergency lock card Unsecured. Lock remains unlocked until it transitions to new mode or presented with emergency unlock card Facility Code Only. Lock is opened by a card with a valid facility code, authorization level, and card
Sargent Apache-based
DSR
Security! Advanced data security with standard encryption techniques! AES 128-bit encryption! Supports most current WiFi network security standards. For specific
security information, please contact your local ASSA ABLOY DoorSecurity Solutions sales representative or call 800-810-Wire.
Software! Lock Management Tool available for small installations! To ensure quick and easy integration, our products are tested and certified
to work with access control software and systems from many providers.Visit www.intelligentopenings.com for a complete list of partners.
! Software Development Kits (SDK) and support available to integrate intoother third party access control systems. Call 800-810-WIRE for assistance.
Available with SARGENT Designer Levers! Studio Collection! Coastal Series
Extend the Reach of Access ControlThe Profile Series v.S2 gives you more access control for your budget. An ANSI/BHMA Grade 1lock, the v.S2 connects to the building’s existing WiFi network, and can make decisions at the doorif the network fails. Because there are no wires to run, installation and labor is significantlyreduced, and commission is expedited. With door status monitoring and alarm notification, thev.S2 is available in exit device, mortise and cylindrical lock configurations.
Technical Specifications
InternalBuildingNetwork
EAC Server
WirelessNetworkDevice
90627:C 3/11
Features BenefitsUtilizes 802.11b/g wireless network infrastructure Cost-effective installations, no proprietary equipment required;
ideal for hard-to-wire locations
Integrated ANSI/BHMA Grade 1 hardware, available in:10 Line Bored Lock; 8200 Series Mortise Lock; 80 Series Exit Device
Flexibility to support a variety of openings; industry leading Grade 1hardware offers the highest degree of physical security available inaccess control locks
Intelligence built into lock for local decision making Lock operates regardless of network status; supports up to 2,400 usersper lock and provides a 10,000 event transaction history/audit trail
Supports HID® 125 kHz prox or 13.56 MHz iCLASS® credentials (26 - 39 bit);supports CSN reads for other common 13.56 MHz cards, including MiFare,DesFire, and Felica
Integrates easily with existing credential systems
Full iCLASS® credential authentication Offers enhanced security through encryption and mutual authentication
Built-in door status monitoring and configurable alarm notifications Provides real-time alarms for immediate response
Weatherseal gasket and conduit included. Shroud available. Can be used on a variety of exterior doors
Open architecture design Facilitates integration with any access control system
Uses six AA batteries Easy, cost effective deployment and maintenance
Keypad option available Two-factor authentication offers enhanced security
Typical System Configuration
SARGENT Manufacturing CompanyFor information call 800-727-5477 or visit us online atwww.sargentlock.comCopyright © 2010 Sargent Manufacturing Company, an ASSA ABLOY Group company.All rights reserved. Reproduction in whole or in part without the express writtenpermission of Sargent Manufacturing Company is prohibited.The Genuine HID Technology logo is a trademark owned and licensed by HID Global.HID and iCLASS are registered trademarks of HID Global Corporation.
ASSA ABLOY is the global leader in door opening solutions, dedicated tosatisfying end-user needs for security, safety and convenience.
MicroShield®
As part of their promise to provide innovative solutions to their customers, certain ASSA ABLOYGroup brands offer the MicroShield® technology, a silver-based antimicrobial coating designed toinhibit the growth of bacteria.MicroShield® is a registered trademark of Yale Security Inc., an ASSA ABLOY Group company.
ASSA ABLOY Group brands are the only providers of a complete range of accesscontrol solutions with full iCLASS® authentication.
Sargent S2
Pros: • Can be configured on campus WiFi
– Support most authentication methods (WPA2,WEP, etc.)
• Great Status Reporting • Compatible with most trims (mortise, exit, etc.) • Synchronize on command with keypad • Decisions made at lock • Real time alarms
Sargent S2
Drawbacks: • Poor battery life
– 6AA every year
• Long sync delay – Only twice a day
• Beta interface with Lenel OnGuard (Spring 2011)
• Additional interface server required
Sargent S2
Other Thoughts: • Very promising once interface issues are
addressed – 2500 cardholders per virtual panel
• Issues with segments that have more then 2500 cardholders
• Should be fixed in an update coming in next few weeks – Unpolished toolset for configuration
• Battery life may be problematic with widespread deployment
• Though there have been issues with the interface, Assa Abloy has been very responsive and eager to fix bugs as they are found
The Pilot
• Proposal for vendors – 5-6 Locations per vendor – Hardware – Installation
• Infrastructure provided by Cornell (IP, RS485, Power)
• Locations selection: – External – High Traffic – Low Traffic – High Change over
Pilot Testing
Users were asked to perform various tasks, tests, and analysis throughout the pilot: • Time zone & holiday • Web Access Manager • Limit Testing • Durability Tests - “The drunk football player test” • Aesthetic • Proximity Range
Our Analysis - Schlage
Schlage • Time zone & holiday
– Full functionality support • Web Access Manager
– Fully compatible • Limit Testing
– FIFO (first in first out) • Durability Tests - “The drunk football player test”
– Grade 1 hardware, feels very solid • Aesthetic
– Modern looking with a good selection of handles and finishes • Proximity Range
– Short but acceptable, can read through most wallets
Our Analysis - Sargent
Sargent • Time zone & holiday
– Full functionality support but limited capacity – Limits on time zones per cardholder
• Web Access Manager – Fully compatible
• Limit Testing – Random on sync
• Durability Tests - “The drunk football player test” – Grade 1 hardware, feels very solid
• Aesthetic – Modern looking with a good selection of handles and finishes
• Proximity Range – Very short, no thick wallets
Overall Analysis
• Both Schlage and Sargent appear to have very promising solutions – Selection will vary depending on installation
circumstances • Cornell has decided that wireless will not be
used for the following installations – Perimeter – High Risk/Value Spaces
• Though Schlage is theoretically capable, we will not utilize wireless locks at any locations that must be capable of a lock down
Lessons Learned
• Consider existing infrastructure when choosing a solution – ISC present with space – Distance from ISC to location – Network or wireless available nearby
• Consider your project specifics – Small additions – Large scale or dense deployment
• Consider the lock limitations – Software – Capacity
• Check references • Test and verify system compatibility prior to any ‘live’
install
Future Wireless Plans
• Expansion of online access control • Succession planning of offline BASIS V locks • Exploration and planning of future Campus Life
– Expanded integration with StarRez to accommodate extensive card access use
• Continued testing of new solutions as they become available and viable – Likely to be running a second pilot fall 2012
Questions
Questions?
Please feel free to contact us with any additional questions
Curtis Baker [email protected]
607-255-7874
Peggy Matta [email protected]
607-255-4393
Thank you!