Crystal Access System

(1)

Crystal Access System

Software Reference Manual

Updated to reflect changes in ISONAS Software V 15

(2)

Software Installation

The most recent versions of ISONAS software can be downloaded from http://www.isonas.com

(7)

Follow the Support link to SoftwareDownloads

You may run the self installing executables either by double clicking on them or by running them from the RUN command line.

The software will self license itself for 30 days. .

The installation process is self explanatory. The default installation directory is C:\APPS\ISONAS but you may install at any location you wish. NOTE: If you are installing in a Windows Vista, Window 7, Server 2007 or Server 2008

system, we strongly recommend that you DO NOT install in the Program Files or ProgramFiles(86) directory. These operating systems treat that folder in a highly specialized manner and upgrading the ISONAS software is very difficult if it is installed in the Program Files directory.

You will be given a choice of which components to install. We recommend that you install the Database Maintenance and Utilities and Interfaces for possible

(8)

future use.

The final screen of a successful installation confirms the success and tells you the default password for the Administrative module.

Software Registration

When you install the software, it automatically licenses itself for 30 days from the time of first execution. Each time you bring up either the Administrative program or the Monitor program or the Badge printing program you will see a message similar to the one shown below:

(9)

You may simply ignore this message and close the window to proceed with configuration and use of the software, but sometime before the expiration date you must register your software. Once you have registered, you will not see this screen again unless you request it as explained below under the Passwords and Options screen or by using the Help/Support menu.

The Site tab provides an area to record the administrative and support contact information for this site. All of the fields should be filled in before you register the software. Once you have completed filling in the Site Information screen you may register the software, either by direct submission (this is the recommended

approach) or by email.

The Register button will attempt to connect to the ISONAS server to complete the registration process. If this connection fails (typically because system security settings prevent the program from making the outbound connection) you can register by email. To do this, send an email with an attached file to:

[email protected]

The file which you should attach is in the …/ISONAS/LiveDB folder after you have pushed the Register button. That file is:

…/ISONAS/LiveDB/REGISTER_SITE.XML

It is recommended that you wait until you have successfully configured your system and communicated with all of the reader controllers before you Register. The reason for this is that information about your specific reader controllers will be provided to ISONAS as part of the registration process.

(10)

To register optional products you must use the Register tab:

To license the basic Crystal Access system, you do not need to fill in any sales order numbers. If you have purchased any of the optional features listed, you must enter the ISONAS order number for that purchase in the field provided. If the same order number was used to purchase multiple items, you only need to enter it once.

To register or reregister, simply push the Register button. The program will connect to the ISONAS site and provide the Site information and information about your configuration to ISONAS. ISONAS will send a response that will be displayed and will update your site ID and license information. You should review the response screen for any error messages. If you have incorrectly specified one of the ISONAS sales order numbers you may not be correctly licensed for all the options that you have purchased. After you accept the response screen the system will display the Current Licenses tab.

You should review this to confirm that you have received the correct licenses. You should reregister when you add reader controllers to an existing system so that your records are up to date.

(11)

If you do not have an intenet connection you can register by phone or by the email process previously described.

(12)

As the screen instructions indicate, you will provide the Software Identification Number and receive an Authorization String which you will need to enter into the fields on the screen.

The screen also has a tab for requesting technical support from ISONAS.

Pressing submit here will directly enter your request into the ISONAS call tracking system. You will receive an email confirming that the call has been logged and should then be contacted by ISONAS, either by email or by phone. The last tab on this screen simply identifies the site to which registration and support requests are sent.

(13)

Upgrade of Software

If you are reinstalling an upgrade, we strongly recommend that you make a complete backup copy of your current system (copy the entire ISONAS folder – this will save both the software and the database) before you start the installation process.

The installation process will automatically run one of the utility programs, DBRM (DataBase Repair and Maintenance) which will automatically convert all versions later than 11 to the current version. If you are converting from an older version, you may contact ISONAS for assistance.

If you have an older database and wish to proceed without contacting ISONAS, the recommended approach is as follows:

1) Run the older version to export the Names of people and group

assignments to ASCII files. This can be done either by using the reporting menu in the administrative module and choosing the ASCII file output or by using the Export tool in the DBRM utility program which is available with more recent version of the ISONAS software.

2) You will then need to use a tool such as Excel or Access to reformat the data as required for the most recent version of the software (add columns as necessary). You can then use the DBRM facility in the new version to import the data. You can easily discover the new format by creating a single record and exporting it to create an example file.

(14)

4) Redefine the controller network. 5) Redefine shifts and permissions.

Software Overview

Crystal Access Administrator

This is the administrative application (ISONAS.exe). It provides all of the facilities used to define the system and how it should operate, including the definition of people, assignment of badges, definition of doors and shifts and definition of permissions. It is only necessary for this program to be run when defining or revising this information. If the access control system is installed on a computer which is connected to a network, there can be many different computers in the network that are used from time to time to update the database that defines the system and how it operates.

Crystal Access Monitor and IP Monitor

The Monitor application (crystal.exe) and the IP Monitor (ipcrystal.exe) are nearly identical in functional capabilities. They display the current state and ongoing activity of the door controllers and IO Modules. If operations are enabled,they will allow the operator to manually unlatch a door, LOCK or UNLOCK a door, clear ALARMS or remove people from the “IN” list which is used to prevent “Passback” of badges so that multiple entries to the facility can be done with the same badge credential. It is not necessary for the Monitor or Administrator programs to be running for the access control system to be operating. In a network installation, there may be many copies of the monitor or administrative programs running at the same time.

The crystal.exe program uses direct file I/O to access the database tables. The ipcrystal.exe uses an IP Server program to access the database tables. The IP Server technique can offer both performance and security advantages when running the application over the network. The IP Server requires several

additional installation and configuration steps which are documented in Appendix B.

Badge Printing

This is the badge printing application (badging.exe) which can print photos and other information on the badges used by the access control system. This is an optional program sold separately from the access control system but running from a common database.

Controller Supervisor

The Controller Supervisor (CSUP.exe) program is the application that actively communicates with the reader controllers. This program must be running for the

(15)

access control system to operate in HOST mode. There may be multiple copies of the program running if the installation has defined the reader controllers to be connected to different supervisors. These multiple copies may run on the same physical computer or on different computers in the network.

Recovery Supervisor

The Recovery Supervisor (RSUP.exe) program is responsible for reestablishing communications with any reader controllers that get “dropped” by a CSUP. Reader controllers will be dropped by a CSUP if they are not responding to commands or will not accept a TCP/IP connection. This architecture allows the CSUP to continue servicing working reader controllers without spending time and cycles attempting to connect/communicate with units that are not responding. The RSUP will continue to attempt to reestablish communications with the dropped units. Once the units are again responding, the RSUP will notify the CSUP that the unit is available and the CSUP will pick it up again.

Database Repair and Maintenance

The DBRM (Database Repair and Maintenance) application (DBRM.exe) is provided to allow import and export of the database of People. It also has utilities within it that will recover data from the database files in the unlikely event that there is a database corruption. It also contains conversion programs to assist in upgrading the database for some required changes.

CCheck

The Controller Check application (CCheck.exe) will read data back from reader controllers and compare the programming data in the controller to that in the host database. Discrepancies will be noted. (If a controller is offline when a compile is done or goes offline while the data is still being sent to the controllers it is

possible for the database in the controller to be out of sync with the host database.

CMLoad

The Controller Microcode Load (CMLoad.exe) will load PIC and Freescale microprocessor microcode and embedded web pages into the ISONAS reader controllers. (CTEST will also perform these functions, but CMLoad will start multiple simultaneous threads to do the loading for multiple units simultaneously.

CTEST

The CTEST application (CTEST.exe) will allow individual commands to be sent to specific controllers, These programs are normally used only during the initial installation and testing of a system and as a diagnostic tool to help isolate and correct problems during subsequent operation. The CTEST program also will load microcode into reader controllers. CTEST and CSUP are mutually exclusive,

(16)

so only one of them may be running for a specified group of reader controllers defined as connected to a specific controller supervisor.

Interfaces – INRServ (ISONAS Notification Request Server)

The INRServ program provides easy access to ISONAS supported interfaces including SNMP, ISOAscii, and TCP/IP. The interface to the Microsoft Active Directory is the (separate) ADBridge.exe program. The documentation for these interfaces is included in the download if the Intefaces component is selected.

IOSupervisor

The ISONAS IOSupervisor (IOSup.exe) is the program that communicates to the IOModules if any have been configured within the system. It is similar to

CSUP.exe described above, but instead of communicating with the ISONAS reader controllers, it communicates with IOModules. There can be multiple copies of this program running and they can all run on the same physical computer or on different computers.

ISONAS Copy

The ISONAS Copy application (ISOCOPY.exe) is provided to facilitate backing up the ISONAS database files. Some backup programs will not copy open files, and many of the key ISONAS database files are kept open when the ISONAS software is in execution. The ISOCOPY program will create a copy of the key tables used by the ISONAS access control system. After these files are created, they are closed and therefore will be backed up by standard backup programs. The ISOCOPY program can be run from a command line and can be scheduled using the standard windows scheduling program.

ISONASRPT

The ISONASRPT program is invoked by the IPCrystal program and executes on the server where the ISONAS software and database is installed. It creates an output file containing an attendance report. The IPCrystal program then opens and displays the report. The purpose is to avoid lengthy transmission of the database files over the network to create the report on the computer where IPCrystal is executing.

Virtual Reader

The ISONAS virtual reader (VirtualReader.exe) will provide an emulation of an ISONAS RC-02 reader controller. You can run it in conjunction with the rest of the ISONAS software to exercise and demonstrate the functions of the hardware and software.

PlugNPlay

The ISONAS PlugNPlay program is an installation aid for IP reader controllers. It will find ISONAS devices if they are communicating with the network (even if their IP address is out of the addressable range) and allow you to easily change the IP

(17)

address and set other parameters for the reader controller. If you are running the ISONAS reader controllers in a DHCP enabled mode, the PlugNPlay program should be set up to run as a windows service. It will automatically update the ISONAS database whenever reader controllers get new IP addresses from the DHCP process.

RSUP

The recovery supervisor RSUP.exe is a program that has the responsibility of “recovering” reader controllers that have been “dropped” by the CSUP program responsible for them. Here is the logic:

 When a CSUP can not communicate with a reader controller, it will retry the

communication up to the Network Retry count times and then “drop” the reader controller from its active list. The CSUP will not attempt further communications to the reader controller until it is notified that the unit is once again available.

 When a reader controller is dropped, the RSUP program will be started (if it is not already running). The RSUP program will attempt to reestablish communications with the

dropped reader controllers. If the RSUP is successful, it will notify the CSUP that the unit is once again available.

Virtual Input Output Box

The VirtualInputOutputBox.exe program is an emulator for a modbus compatible IOModule. It can be used to demonstrate, train, configure and test the ISONAS systems ability to connect to and integrate with third party IO devices.

Administrative Program (ISONAS.EXE)

Note: The descriptions below show the full capabilities of the Crystal Access software. If you are logged on to the system with less than full privileges you will find some controls missing or disabled.

Logging On

Each time you run the Administrative program you will be required to enter a password. The default password is ‘apassword’ (without the quotes). You will see how you may change that password from within the Administrative program below. (During the free 30 day license period the system displays the current password on the screen below.)

(18)

While the software is unlicensed it is also enabled for the EasyWeb/Advanced Security Option. With ASO, you may log on as the Administrator or may use an assigned Username and Password. If you choose to use an assigned username the screen you will see is shown below.

Virtual Reader

There is a software program that emulates an ISONAS Model RC-02 reader controller. This program can be used for demonstration and training purposes. To run the program select Virtual Reader from the Network menu

(19)

Select Yes to install and run the Virtual Reader.

If you choose to run a virtual reader the system will configure one in the database using your computer name as the Supervisor name, your current IP address as the connection, and Virtual Reader as the reader controller name. The system will also start execution of a program which will display the following screen and will emulate the behavior of a real reader as it receives commands from the ISONAS software and as you manipulate the various buttons and controls provided by the virtual reader.

(20)

You can elect to skip this step in the future by checking the “Don’t Show this offer again” box, and you can bring up the screen from the Network/Virtual Reader menu at any time. There is a comprehensive document describing the use of the virtual reader in the DOC sub directory created by the installation process.

Viewing the Network

If the Administrative program has not automatically displayed the network you may display it by selecting the ViewNetwork option under the Network Menu.

Here is an example of what will be shown.

This network contains three controller supervisors:  Atlanta CSUP (nine IP reader controllers)  Boulder CSUP (two IP reader controllers)

(21)

 Tampa CSUP (nine IP reader controllers ) There is also a recovery supervisor

 ~Recovery Supervisor

The function of the recovery supervisor is to attempt to recover any controllers that are dropped because they fail to respond to commands. When the recovery supervisor has successfully reestablished communications with a dropped reader controller, it will notify the responsible CSUP of the recovery so the CSUP can resume communications with it.

You can also see checkmarks beside the CSUP and RSUP programs indicating that the programs are running. A red X icon would show that the program is not running.

Defining the network

You may use the Insert, Change and Delete buttons shown on the network display above to define the network. First you must use the mouse cursor to select a level in the tree structure of the display. If you select the top Network line, you can insert or change Supervisors.

The Supervisor name must be unique and may be set to any value you choose. The Supervisor ID is two alphanumeric characters and may be set to anything you wish. It must also be unique.

(22)

The Port is the TCP/IP port that you want to assign to the communications

program for this Supervisor. You may choose this arbitrarily as long as you avoid conflicts with ports used by other processes. In a network installation, it may also be necessary to modify the configuration of firewall or other network protection software to allow communications of this port.

If the checkbox is checked, the system will install and run the communications program for this Supervisor as a Windows Service. ISONAS recommends that you do NOT select this option until your system has been installed and running satisfactorily. Running as a service can complicate some of the debugging and shakedown steps typically required at installation.

Checking the Enable Server checkbox will configure the controller supervisor to accept incoming connections from reader controllers configured for client mode of operation. The reader controllers must be configured to locate the server where the controller supervisor (CSUP) is running and to connect to the defined server port.

The reader controllers can be configured to require a periodic reset of an

expiration date to keep them in operation. If this is the case then setting the PIC Expiration to a non zero value will cause the controller supervisor to send the necessary reset command.

It is also possible to configure the controller supervisor to use encryption for communications with all client readers, and to specify the 32 byte encryption key. When a communications program is running, the IP Address and Host Name will be filled in with the appropriate values of the computer where the

communications program is running.

The normal case is to leave the Configure IPAddress on the Automatic selection, allowing the system to select the IPAddress when it starts up. In rare cases with multiple NIC cards it may be necessary to use Manual IPAddress configuration and set a specific IP Address to be used.

(23)

Defining Doors

Selecting anything other than the “Controller Network” label at the top of the display will allow you to define a door (reader controller).

(24)

Client mode specifies that the reader controller opens the connection to the controller supervisor program. In Server mode, the controller supervisor program opens the connection to the reader controller. Client mode is only available for RC-03, IPBR-2 and IPBR-3 model reader controllers.

The MAC Address uniquely identifies the reader controller. In Client mode, the server port that the unit will connect to must be preconfigured in the reader, and must match the port that is configured for the controller supervisor.

For reader controllers in server mode, here is the screen that configures the connection:

For IPBridge (IPBR-2 and IPBR-3) units there are some additional configuration requirements because these units use a single IP address to connect two or three readers to the computer.

 The Controller Id can not be set. It will always be 1 for the first reader, 2 for the second reader, and 3 for the third reader (if it is an IPBR-3 unit).  The IP address for the two or 3 readers must be the same

 For units configured to operate in Server mode (where the computer initiates the connection to the unit) the port assigned to the base unit may be any valid port in the range 1 <= port <= 65533. The ports for the

second and third units must be port +1 and port +2.

 For units configured to operate in Client mode (where the reader controller initiates the connection to the computer) the port must be the same for all two or three readers. (In this case the Controller Id differentiates the units.) Note: If you use the PlugNPlay program to configure the units these rules are applied automatically.

(25)

For older reader controllers the connection could be a COMM port.

The MAC address is read from the reader by the CSUP when it is started. The IP reader controllers all come from the factory with preset ports. (PORT 10001 for all units except IPBridge), and there is no reason to change that setting except in special cases using Port Forwarding to connect to the units. IPBridge units allow you specify a base port only. The second and third readers in the IPBridge will use the specified port +1 and +2 respectively.

The Controller ID is also preset at the factory. For all IP units except the IPBridge, it will be set to one and there is no reason to change it. For the

IPBridge, the units must be set to 1,2 and 3. For serial units it will be preset to a value between 1-254. In the case of serial units, the Controller ID must be unique on a given serial network so it may be necessary to change a factory preset value if it creates conflict with another unit on the network. NOTE: There is a reset button on the back of the reader controller (model RC-01 and RC-02). If the button is pressed and held in, the unit will clear all settings and revert to factory default. The factory default IP address for ALL RC-02 reader controllers is 192.168.1.27. For RC-03 and IPBridge units the default is 192.168.1.119. The fields on the Door definition screen have the following significance:

 Door Name – a name, up to 20 characters. Must be unique.  Description – optional description, up to 50 characters.

 Area – the area the door is associated with. May be COMMON or one of the areas you have defined. (See Area explanation under View Area later in this document).

 Controller ID- For IP reader-controllers, this field will almost always be set to a value of one. For older serial readers, this is the one byte subaddress of the controller. It will be a value between 1 – 254 and will be printed on the controller label. If you are installing multiple serial controllers on the same connection (the same comm port or the same thin server) they must all have a unique Controller ID. If the factory assigned controller id values happen to not be unique, you can use the CTEST utility program

described later in this document to change the controller Id of one of the units.

 Port – This is the TCP/IP port that the reader controller will communicate over (if it is an IP or Wireless IP device). The factory default is 10001 and you can accept this default unless you have to change it to conform to corporate network rules and conventions or to use Port Forwarding. For a more complete discussion of Port Forwarding, reference the ISONAS Installation and Wiring document which can be downloaded from the ISONAS website.

(26)

 IOGroup – this specifies that the Door is associated with a group of IOModules. You can define IO Profiles and Permissions using those IO Profiles so that digital output points on the selected IO Modules are activated or deactivated when people present badges to the reader controller.

 There are seven settings for the Model:

o RC-01 – RC-02 RC03 use these models for ISONAS PowerNet reader controllers, including those that have a built in keypad. The correct model number is shown on the label on the back of the reader, and can also be seen in PlugNPlay.

o PRC-001B – use this model for all controllers that have PRC-001B on the label, including IP, Wireless IP and Serial units.

o PRC-001 – use this model for all controllers that have PRC-001 on the label except for the early models as defined below for dPRC-001

o Use KTP-Keypad for external serial connected keypads. These must be attached to a dedicated serial connection (either a Comm port or a thin server emulating a comm. port).

o Use Serial_1 for HID MaxiProx readers. These must be attached to a dedicated serial connection (either a Comm port or a thin server emulating a comm. port).

o Use dPRC-001 for early model ISONAS controllers. (Serial numbers beginning 02xxxx or 01xxxx). These early models required some delays in the communications protocol. If you incorrectly define one as a PRC-001 you may see a high error rate on the controller.

 Network Timeout – the reader controller will automatically drop into

standalone mode if it does not see communication from the host computer for this number of seconds.

The Host Fields have the following significance

 Monitor Authority Level – this is the authority level (0-3) that the user must have within the monitor program in order to directly operate the door. If the user has a lower authority level they may not perform operations on the door including ADMIT, UNLOCK, LOCKDOWN, and RESET.

 Dual Authentication – this specifies that the door will only open if two valid badges are presented within the latch interval. You can specify a number of different conditions:

(27)

o Any – this specifies that any two different valid badges (or a valid badge and a valit pin code) will open the door.

o Same – the two badges/pin codes must be assigned to the same person

o Different – the two badges/pin codes must be assigned to two different people.

 Latch Interval – this is the default latch interval for the reader controller. This is how long the controller will remain unlocked when a valid badge is presented.

 Relatch

o Full Interval – the reader controller will relatch at the end of the latch interval

o On Open – the reader controller will relatch when it detects that the door has been opened

o On Close – the reader controller will relatch when it detects that the door has been opened and closed

 Clear Alarm on Authorized Open – if this item is checked then specially authorized badges will cause the system to clear alarm conditions at the reader controller when the badge is presented. This would allow a guard who went to the reader controller to investigate an alarm to clear it “on site” without having to return to the monitor location.

 Admit – there are four checkboxes that control system behavior when an admit event occurs:

o Beep – causes the buzzer to sound o TTL1 – activates TTL1

o TTL2 – activates TTL2

o w/o Unlatch – does NOT activate the relay to unlatch the door  Reject – there are three checkboxes that control the system behavior

when a reject event occurs:

o Beep – causes the buzzer to sound o TTL1 – activates TTL1

o TTL2 – activates TTL2

 REX Input - the radio buttons and checkbox under REX input control system behavior when the REX signal is activated:

o Disable – the signal is ignored

o Use REX DB – the system looks up the permissions defined for REX in the database and admits if REX is currently authorized to open the door.

o w/o Unlatch – if this checkbox is checked, then an admit will not activate the relay to unlock the door.

o ALARM – create a REX ALARM event

o LOCKDOWN – puts the door into LOCKDOWN – no badges will be accepted, even if authorized, except for MASTER badges.

 AUX Input - the radio buttons and checkbox under AUX input control system behavior when the AUX signal is activated:

(28)

o Use AUX DB – the system looks up the permissions defined for AUX in the database and admits if AUX is currently authorized to open the door.

o w/o Unlatch – if this checkbox is checked, then an admit will not activate the relay to unlock the door.

o ALARM – create a AUX ALARM event

o LOCKDOWN – puts the door into LOCKDOWN – no badges will be accepted, even if authorized, except for MASTER badges.

 Alarms - there are three alarms associated with the reader controller o Unauthorized Open – the door sense input is indicating that the

door is physically open but the system has not authorized it to be unlatched. The Delay field can be set to delay signaling the alarm for up to 255 seconds.

o Extended Open – the door has been open for too long. The Interval value specifies how long the door may be open without creating the alarm condition.

o Tamper – the tamper detector on the reader controller is indicating a temper condition.. the unit has been disturbed or remove from the wall. For PowerNet and ClearNets w/optical tamper sensors, the tamper count should be set to zero. For older units, the tamper count can be set to require a number of sequential tamper indications before the alarm is created to compensate for overly sensitive tamper conditions such as a location with a lot of physical vibration.

If you select the Local Operation Tab, you have access to the following fields:

These have the following significance:

 Latch Interval – this is the standalone latch interval

 TTL2 on Unauthorized Open – activate TTL2 if an unauthorized open alarm is activated

 TTL1 on Tamper – activate TTL1 if a Tamper alarm is activated  BEEP – the controller will beep on the selected events

(29)

 BEEP on Accept – if a valid badge is presented in local or standalone mode and the controller unlocks, it will beep as set here

 REX Input may be set to either Admit or to activate TTL2.  AUX Input may be set to any of the following:

o Disable – AUX input signal will be ignored

o Authorized Access – the reader controller will unlock for the latch interval (identical behavior to REX in standalone mode)

o TTL1 – Activate TTL1 when AUX input is detected o TTL2 – Activate TTL2 when AUX input is detected

If you select the Local Special Badges tab you will have access to the following screen. The green arrows allow you to select special badges that work in Local or Standalone Mode.

(30)

The additional buttons show whether or not a GUID is assigned and allow the GUID to be set or viewed.

 ADD – when this badge is presented in Local or standalone mode, it will toggle the reader between ADD and normal state. In ADD state, the lower LED is green and any badges presented will be added to the internal database of authorized badges. As each badge is added, the reader controller will sound the buzzer and flash the LED.

 VOID – when this badge is presented in Local or standalone mode, it will toggle the reader between VOID and normal state. In VOID state, the lower LED is red and any badges presented will be removed from the internal database of authorized badges. As each badge is removed the reader controlle will sound the buzzer and flash the LED.

 VOID ALL – when this badge is presented and the reader is already in the VOID state, the reader controller will void all badges and remove them from the internal database. The reader controller will sound the buzzer and flash the LEDs in a distinctive pattern.

 LOCKDOWN – when this badge is presented in standalone mode, it will toggle the reader between lockdown and normal state. In lockdown state, it will not accept any badges.

 UNLOCK – when this badge is presented in standalone mode it will toggle the reader between unlocked and normal state.

 NORMAL - when this badge is presented in standalone mode it will force the reader into a normal (latched) state.

Note: When programming these special badges for RC-03 readers, the full GUID value associated with the credential must be available for the assignment to work properly. (The Crystal software will temporarily assign short GUIDs to credentials

(31)

that have BadgeId values as an aid to conversion. These short GUIDS will be replaced by full GUIDs when the credentials are read by RC-03 readers. The short GUIDs will not work as special Badges.

If you have an ISONAS PowerNet reader (model RC-01, RC-02 or RC-03) the Keypad/Serial Port tab will be available to you. If you select that tab you will have the following screen fields available if you have an RC-02 or earlier unit:

 Serial Port Mode

o Disabled – the port is disabled

o Local – the port is handled by the microcode in the reader controller. (not currently implemented)

o Keypad - silent– the reader controller has an ISONAS integrated keypad.

o Keypad – beeping – the reader controller has an ISONAS integrated keypad. The unit will beep on every key press.

o Bitmask – the port is connected to an HID reader and the specified HID Bitmask will be used to determine the card id reported to the system.

o Data Mangle – the port is connected to an HID reader and the HID Data Mangle algorithm will be used to determine the card id

reported to the system.

o Passthrough – the port will pass data to the PC for processing. Passthrough data must be further defined using the drop box to specify that the data is:

(32)

 Ascii

 AsciiHEX (i.e., the character string 4C33 would be interpreted as 19507 decimal

 Binary

In Passthrough mode if the Advanced HID global flag is set on (in the Program Doors/NetworkMode screen) it is displayed here and the HID bitmask is applied to values received through the serial port.

 Length

o Variable – no fixed message length for messages from the attached device

o Fixed – all messages from the device will be exactly the specified number of bytes long.

 Timeout

o The port will not timeout

o The port will discard partial message fragments after the timeout interval (in 1/16 seconds) if a complete message is not received within the timeout interval.

 Start Characters – you may specify zero, one or two start characters (by specifying the decimal value of the byte representing the ascii character (i.e., “1” = 49, “*” = 42,”#” = 35 ). Values of 0 and 255 are not allowed. The port will watch the incoming data and if the start character(s) have been specified it will use them to identify the start of a message.

 End Characters – you may specify zero, one or two end characters (by specifying the decimal value of the byte representing the ascii character (i.e., “1” = 49, “*” = 42,”#” = 35 ). Values of 0 and 255 are not allowed. The port will watch the incoming data and if the end character(s) have been specified it will use them to identify the end of a message.

For reader controllers with keypads, another common configuration is to use a single stop character and no start character. The value 35,which is the “#” character or the value 42 (the “*” character) may be used.

(33)

In this case the serial port can be configured for Wiegand data input. When it receives the input it will either use it as a credential number directly (RAW) or will first process it with its current HID handling technique before using it as a

credential.

The Mocrocode tab can be used to display information about the microcode levels in the reader controller.

PRC-001B. RC-01, RC-02and RC-03 controllers have PIC processors. The Freescale microcode is only valid for RC-01, RC-02 and RC-03 units.

(34)

The AdvancedIO settings are available for RC-03 reader controllers and they modify the operation of the reader controller in Local or Standalone mode. The ISONAS RC-03 has three external inputs which are normally used as DS (Door Sense), REX (Request Exit) and AUX (Auxilliary). Any or all of these inputs may be set to Advanced IO input mode by checking the box under “Use Advanced”

The software interpretation of the electrical state of the REX and AUX input switches is also modified when the Advanced IO mode is used. The table below summarizes the behavior in both normal and AdvancedIO cases.

Normal Mode Advanced IO Mode

Electrical State

Door Sense

REX AUX Input 1 Input2 Input 3

Open Circuit

open off off open open open

Short Circuit

(35)

For the inputs that are set to “Use Advanced” you may then set the system to signal Unauthorized Open alarms and/or Extended Open alarms, and may set the Extended Open alarm time out value.

You may also Invert the signal so that the “meanings” of the switch on/off states are inverted.

The LABELS values you specify will be used to report activity of the three inputs in the monitor and in history reports.

The AdvancedIO Output settings are shown below:

The Advanced Output settings for the RC-03 allow for individual credentials (badges/GUIDs) to be defined with specific outputs (Relay, TTL1, TTL2 and TTL1 and 2 together). When a valid credential is presented to the RC-03 operating in Advanced Output mode, the specific outputs defined with the credential will either be set immediately or are used to define which outputs are permissible. The individual presenting the credential can then press a key on the keypad to request selected outputs, and if the requested outputs are permitted they will be set.

The Output mode settings are:

 Mixed – allows the KP Required settings for the individual outputs to determine whether the output occurs automatically or the reader controller waits for a keypad entry

 Auto – all outputs are automatic

 KP – all outputs require a key pad entry

The individual badges can have special properties assigned to them as

described later in this document. These special properties can include values for the Local operation of the four outputs. (Relay, TTL1, TTL2 and TTL1 & 2

combined).

If the credential has the special property set for an output and that output does not have the KP Entry Required check on, then when the badge is read the output will activate (turn on) immediately and will remain on for the duration of the specified latch interval.

(36)

If the credential has the special property set but the KP Entry Required is checked for that output the behavior is different. When the badge is read the reader controller will wait for a keypad entry. If a keypad entry is made within the keypad timeout interval, the special property settings show which outputs are authorized. If the entry requests an authorized output, the output will operate for the latch interval. The keypad entries request the following outputs:

Key Entry Outputs Requested 1 TTL1 & Lock Relay 2 TTL2 & Lock Relay 3 TTL1 & TTL2 & Lock

Relay 4 Lock Relay

5 TTL1

6 TTL2

7 TTL1 & TTL2

The Output Labels are used to report activity in the monitor program and in reports for the history file.

NOTE: If the Advanced Output feature is set for the door then any badges that are read by the reader must have the special bits set to define the behavior of the reader. If no bits are set then the reader will not activate any of the outputs. Any credentials that are added using the special ADD card will not have any of the special bits set and therefore will not operate any of the advanced output features.

The Encryption Key fields allow you to specify that encryption is to be used and to specify the 32 byte hex key for the encryption. The format of this key is a character string (64 chars maximum), which uses the characters 0-9, A-F. If you choose to encrypt communications you must also set the encryption key in the reader controller or thin server. This can be done with the ISONAS PlugNPlay program.

The Persistent Configuration flag will cause the system to skip some controller configuration initialization steps when the communication program starts up or is reset. If you have used other programs to modify the settings, this will preserve those settings rather than resetting them to ISONAS default values. Most

customers should leave the persistent configuration flag unchecked and allow the system to initialize the reader controllers each time the controller supervisor is restarted.

The ACS Server and ACS Server IP are associated with DHCP enabled RC-02 reader controllers. When a DHCP enabled unit receives an IP address from the DHCP server, it will attempt to use DNS to get the IP address of the named ACS Server. In a properly configured system, this name will be defined in the DNS

(37)

server as an Alias for a computer in the network where the ISONAS PlugNPlay program is running as a windows service. Once the reader has the IP address of that computer, it will send a directed UDP message to port 0x77BC. The ISONAS PlugNPlay program, if it is running on that computer, will receive the message and use the data in the message to update the ISONAS database with the current IP address of the reader controller.

If DNS is not available or able to provide the IP address of the ACS Server Alias name, the reader will use the preset ACS Server IP address to attempt to reach the PlugNPlay program.

There are several Modes of Operation that can be set for a reader controller:

 LOCAL – the computer will communicate with the door at startup time and any time the programming for the door is changed. For older models, the system will also request any stored events from the controller on the heartbeat interval (default 15 seconds). Decisions about whether to accept a badgeid will be made locally by the controller using the database stored in the controller. For RC-02 models, the reader controller will

asynchronously inform the host of all events as they occur in real time. NOTE: If a reader controller is programmed to operate in LOCAL mode and is subsequently sent a command to UNLOCK, LOCKDOWN or RESETNORMAL (from the Monitor program or from one of the supported interfaces), the reader controller will be forced into HOST mode. The override of programmed behavior may be set to be either temporary or permanent. Similarly, it the reader is presented with a badge that has been programmed to Toggle between those states the reader controller will be forced to HOST mode of operation.

o Temporary override – the unit will respond to the next periodic or scheduled event. (i.e., the beginning or end of an automatic unlock or badge unlock shift) and will resume its programmed behavior at that time.

o Permanent override – the unit will ignore periodic or scheduled events. It will remain in its setting indefinitely until explicitly CLEARed.

(38)

 DISABLE – this door will be ignored completely by the computer. The door will operate completely in standalone mode and there will be no

communication with the computer.

 STANDALONE – the computer will communicate with the door at startup time and anytime the programming (permissions or other control setting) are changed. Otherwise the door will be operating in standalone mode. Decisions about whether to accept a badgeid will be made locally by the controller using the database stored in the controller.

NOTE: THE FOLLOWING FEATURES ARE NOT AVAILABLE WHEN OPERATING IN STANDALONE OR LOCAL MODE

o RC-01 and earlier reader controllers ignore Holiday shifts

o Special Badges with the TTL1 or TTL2 operation tag will not cause the TTL lines to activate

o Anti Passback is not enforced

o Extended latch intervals for individuals are not used o Dual Authentication is not available

o In Standalone Mode, count limits are not updated until the records are processed by the host. If badges are used in excess of the limit before the records are processed, the count limit may be exceeded. o The Count Limit Interval is not used.

o The Relatch on Open and Relatch on Close features are not operational

o External Keypads (controller model KTP-Keypad) may be associated with controllers that are operating in LOCAL mode. ISONAS integrated keypads on RC-01 and later readers do work properly, and devices connected to the controller built in serial interface operate properly.

o IO Profiles are ignored. (Output points will not be directly activated by badges being accepted. However, script actions as a result of badge accepts or rejects WILL be executed, including setting of output points if configured.

o Extended Open Alarm is not available for older model readers. For RC-02, it is operational.

o With reader controller models earlier than RC-02, Unauthorized Open and Tamper alarms are not reported to the host computer. In addition, for RC-01 and earlier models,

 If an older model (PRC-001 or PRC-001B) reader controller is

programmed to have an “UNLOCKED (Automatic” or an “UNLOCKED (Badge)” shift and the unit falls into STANDALONE mode, the door will relock.

(39)

The direction of the door may optionally be set to the 4 values which have the following meanings:

 Unspecified – the direction of the door is not defined as inbound or outbound. A person passing through this door will not cause any change to their “on site” status setting

 IN – the door is an inbound door. People who pass through it will be marked as “on site” and if Anti-passback is enabled, the person will be refused entrance to other IN doors.

 OUT – the door is an outbound door. People who pass through it will be marked as “off site”. If Anti-passback is enabled the person will be cleared for entry to IN doors.

 INOUT – the door is used for both entrance and exit. The status of a person who uses this door will be “toggled” between “on site” and “off site”. If Anti-passback is enabled and the person is IN at a specific door, the person will be refused entrance to IN doors or to any other INOUT door except the one that they entered by. At that door, the person will be “toggled” out if they present their badge.

The Permanent Manual Override checkbox shows whether or not the reader controller is in a “permanent” manual override state (typically in either an

UNLOCKED or a LOCKDOWN condition). This occurs when a command is sent (from either the Monitor program or through the TCP/IP or IADI Interfaces) to UNLOCK or LOCKDOWN a reader controller, with a “permanent” tag on the command. This will typically only be done in an emergency situation where it is desired to override and suspend the normal programmed behavior of the system. If the Manual Override flag is set, the system will operate the reader controller in HOST mode and will ignore further changes to the reader that would be caused by the beginning or ending of shifts used for Automatic or Badge Unlock

permissions, or for Scheduled Events.

“Permanent” Manual Override is intended to allow users to correctly manage the behavior of the system during emergencies such as fires or security emergencies when the desired operation of the system may require that some reader

(40)

controllers be unlocked and others be locked down and those conditions must remain in effect until explicitly cleared by an authorized user.

Some additional comments on Serial_1 and KTP-Keypad model controllers: If you choose model KTP-Keypad or Serial_1 the controller is a serial device which is used in conjunction with another standard ISONAS controller . In this case. a slightly different screen will appear. The associated controller field is used to select the standard controller that is used with this serial device..

It is required that serial device be on a COM port connection and

Supervisor by themselves. That is, it must be the only controller defined on that connection and the connection must be the only one on the logical Supervisor. Badge Ids entered in via the keypad or scanned at the serial reader will appear to have been presented to the associated controller, and will either be admitted or rejected based on the defined permissions for the associated controller. No permissions may be defined for a model KTP-Keypad or a Serial_1 controller.

You may also get into these same screens by starting with the DOORS menu option from the main screen.

The Doors menu will display a list of the currently defined DOORS and DOOR GROUPS as shown below.

(41)

By using the Insert, Change and Delete buttons under the Door Groups display you can create or modify the list of names of Door Groups in the system. By using the arrow buttons between the two list (with appropriate values selected in the lists) you can add or remove individual doors from door groups.

When you Insert a Door Group, you will see this screen:

You may give the group any Name you wish (must be unique) using up to 20 case sensitive alpha, numeric or special characters. If you check “Tracking Zone” the system will treat the door group as a Roster tracking zone and will keep track of people who are “IN” or “OUT” of the zone as they enter or exit through doors that are marked as IN or OUT (or Toggle IN/OUT).

(42)

If the Door Group is marked as a tracking zone, you may optionally enable the Antipassback feature for that zone. A person will not be permitted to reenter an zone marked as Antipassback without first exiting it.

If a zone is marked as Antipassback, the enforcement of the reentry prohibition can be set to expire after a specified time. E.g., setting it to 48:00:00 would cause the antipassback enforcement to expire after 48 hours.

A door may be defined to be a member of as many different door groups as you wish. The Door Groups are used in the Permissions screen to define which doors a group of people has permission to open.

The Sort button will sort the doors in each group alphabetically.

Network Status

The Network screen shows the current status of communications programs for each defined Supervisor, and allows you to start and stop those communications programs. A red X indicates that the communication program is not running While a blue checkmark shows that it is running

(43)

If you select one of the running Supervisors, you will see additional information as displayed below:

The Communication Supervisor Status box shows the most recent status for the selected Supervisor, including the number of active controllers, the most recent communications interval, the error count, and the next periodic and scheduled events if any. Every time you press the button with the question mark the communications program status is updated. This is an easy way to confirm whether or not the communications program is successfully communicating with the programmed number of controllers defined in the database.

The Trace setting controls diagnostic output from the CSUP Controller

Supervisor Program. It can quickly generate a very large log file. It is typically used under the direction of ISONAS Technical Support staff when diagnosing problems.

Suppressing Alarms for Doors

You can program the system to suppress alarms for selected doors or door groups during selected shifts. Here is the screen that is used for this function.

(44)

Choose a door or door group from the left most list and a shift name from the shift list and press Insert to add the record to the suppress alarms table.

Programming Reader Controller Behavior for Multiple Units

The Doors menu also provides access to Program Multiple Doors.

(45)

The Global Settings tab allows you to set the following parameters, which will apply to all of the reader controllers in the entire system:

 Communication Retry Count – this is the number of times a message will be resent to a reader controller if it is not acknowledged. After the count is exceeded, the system will signal a Controller Error alarm. The system will then initiate recovery logic to try to reestablish communications with the unit. If the recovery is successful, the system will automatically clear the alarm.

 Throttle – for newer ISONAS reader controllers (RC-01 and later) this will normally be zero. For older models, it could be used to “slow down” the transmission of compilation records to the reader controllers. If the reader controllers were very busy receiving database updates they would be slow to respond to presentation of credentials by users.

 Comm Wait – the system will wait at least this long between sending commands to a specific reader. Again, older models would sometimes fail to process commands if they were sent too soon after the previous

command. Does not apply to newer models.

 Response Wait – this is how long the system will wait for a response from a reader controller.

(46)

 Heart Beat – the system sends heartbeat messages at this frequency. If you are running a unit in HOST mode it is important that this heart beat be shorter than the network timeout value for the unit. In Host mode, the heartbeat will “flash” the LED(s) on the front of the reader controller. In Local mode operation the heartbeat is sent but does not cause the LEDs to flash.

 Count limited interval – if you are using credentials that are good for a fixed number of uses, this value will prevent the count from being

decremented if a credential is presented before the interval has expired. This prevents a badge from being “double counted” if the user were to hold it up to the reader controller for a long time. You could also set the value high and allow a user to enter multiple times during a day and only use up one of the authorized uses. Available only for reader controllers operating in HOST mode.

 Log Open/Closed – if this is set then the history log will include the times at which doors are physically opened and closed.

 Suppress Redundant REX/AUX – If a reader controller is in an

UNLOCKED or UNLOCKED LOCAL state it will continue to report events caused by REX or AUX inputs. If the Suppress Redundant REX/AUX checkbox is checked these events will not be reported in the History and Current History tables.

 Default Door – If a default door is defined the system will use it as a model when a new Client mode RC-03 reader first connects to the Controller Supervisor. The system will automatically copy the default door

configuration to the new reader. It will also:

o Put the new door into any Door Groups to which the default unit belongs

o Create equivalent individual door premissions o Create equivalent special badges

Note: It does NOT create Scripts even if there are some scripts that deal with the default door.

 IPBridgeKPSiteCode – If there are keypad readers connected to an IPBridge this value must be set to a site code value that is different from the site code being used by any HID readers attached to this system. This allows the microcode in the IPBridge unit to properly differentiate the data coming in from the keypad from data coming from a proximity badge reader. The default value is 1 and would only need to be changed if that conflicts with the HID site code.

 There are three fields associated with the recovery of readers that have been “dropped” by the system because they can not be reached or are not responding

o Recovery Interval – this is the amount of time the system will wait between recovery cycles. At each recovery cycle, the system will attempt to recover each dropped reader controller. The recovery interval keeps the system from being continuously attempting to recover units which may be unavailable for an extended time.

(47)

o Connection timeout – the system attempts to open a TCP/IP connection to each reader controller. This is the timeout value for that connection attempt.

o Number of Parallel Processes – this is the maximum number of recovery processes that will be simultaneously used. For small systems this is not an important parameter. It is intended to prevent a large system from being overwhelmed by a massive recovery. E.g., consider a system with 1000 reader controllers. If a network problem were to interrupt service and all 1000 were dropped, the system would be made too busy if 1000 recovery processes were initiated.

The Set Mode tab will display the screen shown below:

This will allow you to set the operational mode for the selected doors as shown in the lower half of the screen. These operational modes were defined earlier in this manual under the door definition description.

The lower portion of the screen shows which doors will be affected by the

settings. The green checkmark beside the door name indicates that the door is to be included in the settings when the Apply button is pushed. You may double click on the checkmark to change it to a red x, indicating that the door is not included. You may also use the Include or Exclude All buttons to establish the include list, and on the DoorGroups tab you will find additional controls to manipulate the inclusion or exclusion of doors by door group.

(48)

The Set Like button will set the values of all Host, Local and Serial Port

configurations from the currently selected door in the list. This allows you to then use those values to set the selected doors to be the same as the “example” door.

Here is the Host Mode screen.

The meanings of the settings on this screen were explained earlier in this document under the door definition section.

(49)

The Keypad/Serial Port tab will display this screen.

(50)

The HID Mask tab will display the following screen:

The selected bitmask setting is sent to the reader controllers each time the Controller Supervisor program (CSUP) is started. Pressing the test button (after selecting a reader controller) allows you to present cards to the selected reader controller and see the resultant card number with the different bitmask settings, including a custom bitmask which you may define.

(51)

The Advanced tab allows you to set parameters for the Advanced I/O features available on RC-03 reader controllers. The meanings of these settings are explained in the earlier secition of this document describing the programming of individual doors.

Starting and Stopping Communication Programs

The administrative program can stop the execution of CSUP programs anywhere in the network and can start the execution of CSUP programs on the computer or server where the administrative program itself is running.

If an administrative program is running on a different computer from where the CSUP programs are running, it may be desirable to disable the administrative program’s ability to start and stop CSUP programs. This can be done by adding a command line parameter

/NOCSUP

(52)

If this has been done and the user attempts to start or stop CSUP programs they will see the following message:

If the command line parameter has not been added, then the facilities described below will start and stop the CSUP programs.

If you select the “Controller Network” at the top of the screen, you will have access to a Start All and a Stop All button.

(53)

These buttons will start or stop all of the Controller Supervisors. If you highlight a Supervisor for which there is not a currently running communication program you will be given the opportunity to start the communication program for that Supervisor on the local computer.

Note: For older serial-base reader-controllers, it is only correct to start

communications programs for Supervisors that have defined Comm Port type connections on the computer where the door controllers are physically attached to the Comm Ports. If you start the communication program on a different computer it will be unable to communicate with the doors because they are attached to a Comm Port on a different computer.

Controller Supervisors with only TCP/IP connections may be run on any computer within the network.

The communications program can be started as a Windows Service program or as a console application by configuring the Supervisor definition as explained earlier.

(54)

If a CSUP has been defined to run as a windows service it will show in the windows services manager as illustrated below:

A communications program running as a Windows Service has the advantage of running as a background application within Windows and will remain running even though a user is not logged into the Windows workstation/server.

When first installing an ISONAS access control system it is recommended that you run the communication programs as a Windows Console Application, NOT as a Windows Service. This will simplify some of the diagnostic steps that may be required during initial installation and setup.

(55)

This application can be maximized/minimized from view as any other Windows application and will remain active and functional even when a user is logged into Windows but has “locked” the computer. However, if the user logs out of

Windows with the communications program running as a console application, the communications program will be stopped by Windows and the associated reader controllers revert to standalone mode operations.

If you highlight a Supervisor for which the Communications Supervisor program is already running, you will be given the opportunity to stop it as illustrated below.

In the example above, the communications program was not configured to run as a windows service. If it had been, the screen would indicate it with a YES beside the Windows Service line. Note that if you stop a program that has been installed as a windows service you do not remove it as a service, and it will restart when the computer is rebooted unless you have changed the automatic start setting within the windows services manager.

(56)

As a convenience, the ISONAS administration program will also remove

communications programs that have been installed as services, BUT ONLY ON THE COMPUTER WHERE THE SERVICE IS INSTALLED. The removal of services can NOT be done over the network to another physical computer. To remove an installed service, simply uncheck the “run as service” checkbox in the Supervisor definition screen to display the following screen. If you select “Yes” the program will attempt to remove the service and will provide feedback on the success or failure of the removal operation.

Application Menu –Passwords and Options

Here is where you can change the passwords and options. If you are logged on as a User, here is the screen you will see:

Crystal Access System