Cisco Physical Access Manager User Guide Release 1.2.0 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-20930-02 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco Physical Access Manager User Guide © 2008 -2010 Cisco Systems, Inc. All rights reserved. C O N T E N T S Preface xiii Obtaining Documentation and Submitting a Service Request xiii Safety Warnings xiii Safety Guidelines xvi General Precautions xvi Protecting Against Electrostatic Discharge xvii Rack Installation Safety Guidelines xvii CHAPTER 1 Overview 1-1 Contents 1-1 Overview 1-2 Installation and Configuration Summary 1-3 Install the Hardware and Software Components 1-3 Configure Doors and Users in Cisco PAM 1-4 User Guide Contents 1-9 Cisco PAM Software Overview 1-11 Cisco PAM Desktop Client Software 1-11 Cisco PAM Server Administration Utility 1-12 Cisco Physical Access Gateway Administration Utility 1-13 The Enterprise Data Integration (EDI) Desktop Studio 1-14 Cisco Video Surveillance Viewer 1-15 Badge Designer 1-15 CHAPTER 2 Configuring and Monitoring the Cisco PAM Server 2-1 Contents 2-1 About the Cisco PAM Server Administration Utility 2-2 Logging on to the Cisco PAM Server Administration Utility 2-2 Using Redundant Appliances for High Availability 2-2 Understanding IP Addresses on the Cisco PAM Server 2-3 Cisco PAM Appliance IP Address 2-3 Gateway Module IP Addresses 2-3 Entering the Initial Server Configuration 2-4 Before You Begin 2-4 Cisco Physical Access Manager User Guide OL-20930-02 i Contents Connecting a PC to the Appliance 2-4 Initial Setup Instructions 2-5 Performing Additional Configuration, Administration, and Monitoring Tasks 2-12 Understanding the Cisco PAM Server Username and Password 2-16 Changing the Cisco PAM Server Administration Utility Password 2-17 Resetting a Forgotten Password 2-18 Enabling the Forgot Password Feature 2-19 Recovering a Lost Server Password 2-20 Obtaining and Installing Optional Feature Licenses 2-21 Understanding Module Licenses 2-21 Licenses in a Redundant Configuration 2-22 Purchasing Additional Feature Licenses 2-22 Part Numbers for the Optional Feature Licenses 2-22 Installing Additional Licenses 2-23 Option 1: Enter the Product Authorization Key to Download the License File 2-23 Option 2: Obtain the License File from the Cisco Web Site 2-24 Displaying a Summary of Installed Licenses 2-25 Displaying the Cisco PAM Appliance Serial Number 2-25 Performing a Graceful Failover with Redundant Appliances 2-26 Troubleshooting and Monitoring 2-26 Next Steps 2-27 CHAPTER 3 Getting Started With the Cisco PAM Desktop Software 3-1 Contents 3-1 Before You Begin 3-2 Installing or Updating the Cisco PAM Desktop Software 3-2 Logging in to Cisco PAM 3-3 Understanding the Start Page and Window Management 3-4 Keeping a Module On Top 3-6 Choosing Multiple Always on Top Windows 3-7 Deselecting Always on Top 3-7 User Interface Elements 3-8 Toolbar Features 3-10 Creating Reports 3-10 Using Filters 3-12 Filter Example 3-12 Revising the Column Display 3-14 Using Group Edit 3-14 Cisco Physical Access Manager User Guide ii OL-20930-02 Contents Group Edit Example 3-15 Search 3-15 CHAPTER 4 Configuring User Access for the Cisco PAM Desktop Client 4-1 Contents 4-1 Defining User Profiles for Desktop Application Access 4-2 Creating User Login Accounts and Assigning Profiles 4-8 Configuring LDAP User Authentication 4-11 Configure the LDAP Server 4-11 LDAP Example: User Principal Name 4-12 LDAP Example: sAMAccountName 4-13 Create the LDAP User Account in Cisco PAM 4-13 Viewing Audit Records for Changes to Usernames 4-15 Managing Desktop Client Passwords 4-16 Changing Your Password 4-16 Changing Another User’s Password 4-16 Managing the cpamadmin Login and Password 4-17 CHAPTER 5 Understanding Door Configuration 5-1 Contents 5-1 Provisioned (Pre-Populated) vs. Discovered Gateway Configurations 5-2 Provisioned (Pre-Populated) Configuration 5-2 Discovered Configuration 5-2 Viewing Device and Door Configuration 5-3 Viewing Doors and Devices in the Hardware View 5-3 Viewing Doors and Devices by Location 5-5 Creating the Location Map 5-6 Filtering the Devices Displayed in the Locations View 5-7 Changing the Location of a Device or Door 5-8 Viewing Device and Door Status 5-9 Viewing a Status Summary for All Devices 5-9 Viewing the Status for a Single Door, Device or Driver 5-10 Understanding Device Status Colors 5-12 Monitoring Device Errors 5-13 Viewing the Recent Events for a Device, Driver, or Location 5-14 Generating a System Sanity Report 5-16 Understanding Door Configurations and Templates 5-20 Overview 5-20 Cisco Physical Access Manager User Guide OL-20930-02 iii Contents Sequence for Configuring Templates and Doors 5-21 Door Configurations and Templates 5-22 Template Types 5-22 Impact of Template Changes on Configured Doors and Devices 5-23 Gateway Templates 5-23 Understanding Door Templates 5-23 Understanding Device Templates 5-24 Understanding Credential Templates 5-24 Understanding Reader LED Profiles 5-24 Understanding Door Modes, Door Schedules, and the First Unlock Feature 5-25 Overview 5-25 Understanding Door Modes 5-26 Viewing the Door Mode Status 5-27 Understanding the Default Door Mode 5-28 Understanding the Scheduled Door Mode 5-28 Understanding First Unlock Impact on the Scheduled Mode 5-29 Manually Override the Door Mode Using Commands 5-29 Impact of Gateway Reset on the Default and Scheduled Modes 5-31 Example: Configuring the Default and Scheduled Door Modes 5-32 Locating Serial Numbers 5-36 Locating Gateway and Expansion Module Serial Numbers 5-36 Displaying the Cisco PAM Appliance Serial Number 5-36 Related Documentation 5-37 CHAPTER 6 Configuring Doors 6-1 Contents 6-1 Configuring Doors 6-2 Adding Gateways and Doors Using Templates 6-2 Adding Doors Using Door Templates 6-7 Modifying Door Configurations 6-14 Modifying Door and Device Templates 6-14 Modifying Devices in the Hardware Device View 6-14 Modifying Devices in Hardware Location View 6-15 Modifying Devices in the Locations & Doors Module 6-16 Applying Configuration Changes 6-17 Applying Configuration Changes to Gateways 6-17 Applying Configuration Changes in the Hardware Module 6-17 Applying Configuration Changes in the Locations & Doors Module 6-18 Configuration Management in Provisioned vs. Discovered Configurations 6-18 Cisco Physical Access Manager User Guide iv OL-20930-02 Contents Disabling or Deleting a Device or Door 6-19 Disabling a Device or Door 6-19 Deleting Devices and Doors 6-20 Enabling the Delete Options 6-21 Deleting a Device 6-22 Deleting a Gateway Controller 6-22 Enabling a Device or Door 6-23 Disable and Enable a Device and Door: Example 6-23 Cloning a Gateway Configuration 6-27 Configuring Device Groups 6-28 Replacing a Gateway or Expansion Module 6-31 Changing Gateway Passwords 6-31 Device and Driver Commands in the Hardware Device View 6-34 Access GW Driver Commands 6-34 Gateway Controller Commands 6-35 Reader Module Commands 6-37 Input and Output Module Commands 6-37 Logical Driver Commands 6-38 Door Modes and Commands 6-39 Door Modes 6-39 Door Commands 6-39 CHAPTER 7 Configuring Door and Device Templates 7-1 Contents 7-1 Creating Custom Gateway Configurations and Templates 7-2 Configuring Door Templates 7-7 Configuring Device Templates 7-14 Creating a Device Template 7-15 Configuring Credential Templates 7-17 Overview 7-17 Credential Templates Settings Summary 7-18 Wiegand Keypad 7-18 Wiegand 7-18 Keypad 7-18 Creating a Credential Template 7-19 Configuring Reader LED Profiles 7-21 Configuring Reader LED and Buzzer Profiles 7-22 Duplicating Templates 7-23 Cisco Physical Access Manager User Guide OL-20930-02 v Contents Duplicating Door, Device, and Credential Templates 7-23 Duplicating Gateway Templates 7-24 Door Configuration Properties 7-25 Device Configuration Properties 7-27 CHAPTER 8 Configuring Personnel and Badges 8-1 Contents 8-1 Configuring Personnel 8-2 Downloading Credential Changes to the Gateway Modules 8-10 Viewing Audit Records and Events for Personnel Records 8-11 Viewing Audit Records 8-11 Viewing Recent Events 8-13 Editing Organization and Department Lists 8-13 Importing Personnel Records Using a Comma Separated Value (CSV) File 8-15 Configuring Badges 8-20 Configuring Badge Templates 8-20 Badge Properties 8-22 Badges Module: General 8-22 Badges Module: Cisco Access Policy 8-24 Badges Module: Advanced Gateway 8-25 Badges Module: HSPD-12 Badge Extension 8-26 Badges Module: Audit Records 8-27 Badges Module: Recent Events 8-27 Using the Badge Designer 8-28 Printing Badges 8-35 Printing Individual Badges 8-35 Printing Multiple Badges 8-36 Printing High Resolution Images 8-40 Changing the Default Badge Printer 8-40 System Configuration Settings for Badge Printing 8-41 Setting Up Image and Signature Options for Personnel Records 8-44 Enabling Image Capture Devices 8-44 Enabling Signature Capture Devices 8-45 CHAPTER 9 Configuring Cisco Access Policies 9-1 Contents 9-1 Configuring Access Policies 9-2 Managing Door Access With Access Control Policies 9-4 Cisco Physical Access Manager User Guide vi OL-20930-02 Contents Using the Schedule Manager 9-7 Modifying Types and Time Ranges 9-10 Modifying Work Weeks 9-10 Modifying Holidays 9-11 Modifying Time Ranges 9-11 Modifying Special Cases 9-12 Modifying Time Entry Collections 9-12 Configuring Anti-Passback Areas 9-14 Monitoring Anti-Passback Events 9-16 Anti-Passback Events Displayed in the Events Module 9-16 Configuring Two-Door Policies 9-17 Two-Door State Monitoring 9-19 CHAPTER 10 Events & Alarms 10-1 Contents 10-1 Viewing Events, Alarms and Audit Trail Records 10-3 Viewing Events 10-3 Viewing Alarms 10-8 Main Alarm Window 10-8 Alarm States 10-9 Alarm Detail Window 10-9 Alarm Properties 10-10 Viewing Audit Trail Records 10-13 Viewing Recent Events for a Device, Driver, or Location 10-16 Viewing Events Using Personnel Photos 10-17 Viewing Event Photos 10-17 Adding a Color Border to Event Photos (Credential Watch) 10-18 Using Filters to Limit the Photos and Doors Events Displayed by Event Photos 10-21 Recording External Events 10-25 Define External Event Types Using the Event Definition Format 10-25 Create a Text File to Define the Event Names in Cisco PAM 10-26 Import the Files into Cisco PAM 10-26 Viewing Workstation Activity 10-27 Configuring Events and Alarms 10-28 Contents 10-28 Modifying Default Event Policies 10-28 Configuring Custom Event Policies 10-28 Event Policy Properties 10-31 Cisco Physical Access Manager User Guide OL-20930-02 vii Contents Automatically Open the Alarm Window 10-33 Configuring Time Schedules 10-34 Configuring Alert Sounds 10-36 Setting Event and Alarm Priorities 10-37 Defining User Privileges for Editing Events 10-38 Using Graphic Maps 10-39 Graphic Maps Viewer 10-39 Icon Colors and Status 10-40 Device Commands 10-40 Layers and Views 10-40 Toolbar and Navigation Controls 10-41 Graphic Map Editor 10-42 Archiving Historical Events 10-47 Using Driver Commands to Copy and Prune Historical Events 10-48 Creating an Automated Rule to Archive Historical Events 10-51 Creating Reports from the Historical Events Archive 10-55 CHAPTER 11 Configuring Automated Tasks 11-1 Contents 11-1 Creating Quick Launch Buttons 11-2 Creating a Button 11-2 Creating a Button That Runs An Automated Rule 11-7 Creating Panels (Windows) of Related Buttons 11-7 Restricting User Access to Button Panels 11-8 Configuring Device Automated Rules 11-9 Configuring Global I/O Automated Rules 11-12 Enabling the Automation Driver 11-12 Configuring Automated Tasks Using Global I/O 11-14 Understanding Automated Rule Actions 11-17 Example: Automated Weekly Report 11-21 Defining Reports (Report Manager) 11-25 Using the Report Manager 11-26 Filter-based Report Template 11-27 Object SQL-based Report Template 11-28 SQL-Based Report Template 11-29 CHAPTER 12 System Integration 12-1 Contents 12-1 Cisco Physical Access Manager User Guide viii OL-20930-02