Cisco Physical Access Manager Appliance User Guide, Release 1.1.0
Configuring Cisco Access Policies

This chapter describes how to create the Cisco Access Policies assigned to badge holders that define which doors they can access, and the dates and times of that access. Once created, access policies are assigned to personnel badges.

In addition, you can create access policy schedules for doors that define when the doors are available.

Contents

Configuring Access Policies

Managing Door Access With Access Control Policies

Configuring Door Groups

Using the Schedule Manager

Modifying Types and Time Ranges

Configuring Anti-Passback Areas

Monitoring Anti-Passback Events

Configuring Two-Door Policies

Two-Door State Monitoring

Configuring Access Policies

This section describes how to create an access policy and assign it to a user badge.

 

Step 1 

Select Access Policy from the Doors menu, under the Access Policies sub-menu.

Step 2 

Click Add, or select an existing entry and click Edit.

Tip To remove a policy, highlight the entry and click Delete. Access policies cannot be deleted if they are assigned to one or more badges. Remove the policy assignment from all badges, and then delete the policy.

Step 3 

Enter the general information for the policy:

a. Name: Enter a descriptive name for the policy.

b. Description: Enter a description of the purpose or usage of the policy.

c. Enabled: Select the checkbox to enable or disable the policy. The policy is enabled by default. If disabled, the policy can be assigned to users, but will not impact the users' access privileges.

Step 4 

Add or remove sets of door and schedule settings for the access policy.

a. Select a door or door group from the list box on the left. You can change the doors listed using the following controls:

Search Door List: Search for a specific door using one or more keywords.

Door / Door Group: Select an option to display single doors or door groups in the list view.

See Chapter 8, "Configuring Doors" to add doors.

Door Groups allow you to create groups of doors, such as all lobby doors. See Configuring Door Groups.

b. Select a Schedule. To create a new schedule, click the New Schedule button. See Using the Schedule Manager for information.

c. Repeat these steps to add or remove doors or schedules for the access policy.

d. Verify that the correct doors and schedules appear in the list box on the right: Door / Door Group and Schedule Pairs.

Step 5 

Click Save and Close to save the access policy.

Step 6 

Assign the access policy to one or more user badges:

a. Open the Personnel module from the Users menu.

b. Click Add, or select an existing personnel entry and click Edit.

c. Select the Badges sub-menu.

d. Click Add, or select an existing badge entry and click Edit.

e. Select Cisco Access Policy (in the Badge window).

f. Select the door access policies for the user badge.

g. Click Save and Close to close the Badge window.

h. Click Save and Close to close the personnel record.

Tip See Chapter 10, "Configuring Personnel and Badges" for more information.

Managing Door Access With Access Control Policies

Access Policies can be deactivated and activated manually for one or more doors. For example, if you create three access policies for lobby doors: one for employees, a second for contractors, and a third for visitors, you can selectively deactivate the access policy for contractors on the main lobby door, or on all doors.

Access policies remain deactivated until one of the following events occurs:

Table 11-1

Command or action
Description

Activate Access Policies

Right-click a door and select the Activate Access Policies command to manually activate a policy that was deactivated. Select the policies to be activated from the pop-up window and click OK.

Reset Gateway

Right-click a Gateway icon and select the Reset Gateway command to perform a soft reset of the Gateway module. Access policies are activated during a soft reset.

Reload Gateway Configuration

Right-click a Gateway icon and select the Reload Gateway Configuration command to replace the existing Gateway configuration with a new copy. Access policies are activated during this process.

Power cycle the Gateway module

Access policies are activated whenever a Gateway is powered up. For example, after a power failure or anytime power is disconnected and restored.


Reactivating Access Control Policies

Complete the following instructions to deactivate and reactivate door access policies:

 

Step 1 

View the status of access policies on a door:

a. Select Hardware or Locations & Doors from the Doors menu.

b. Click the door to highlight it.

c. In the Extended Status field, click the Access Policies tab to view the policies and status for the door.

Step 2 

To manually deactivate a policy, right-click the door icon and select Deactivate Access Levels.

Tip To deactivate access policies for multiple doors, select the command from a location (Locations & Doors module) or from the Logical Driver (Hardware module).

Step 3 

Select the access policies to deactivate and click OK.

Tip Use Shift-click or Ctrl-click to select multiple items from the list.

Step 4 

Verify that the status of the access policy is No:

a. Click the door to highlight it. This also refreshes the Extended Status data.

b. In the Extended Status field, click the Access Policies tab.

c. Confirm that the access policy is No.

Step 5 

To reactivate the access level, right-click the door icon and select Activate Access Levels. Select one or more levels from the list and click OK.

Note Access policies remain deactivated until manually reactivated using this command. See Table 11-1 for other methods to reactivate access control policies.

Configuring Door Groups

Door groups allow you to apply access policies to sets of doors.

For example, a door group for all lobby doors can be included in an access policy and then assigned to one or more users. Those users will then have access to all the lobby doors in the group.

To configure door groups, do the following:


Step 1 Select Door Groups from the Doors menu, as shown in Figure 11-1. The existing door groups are listed in the Device Groups section.

Figure 11-1 Door Groups Main Window

Step 2 Add, edit or delete the door groups.

To add a new door group, click Add....

To modify an existing record, select the record and click Edit..., or double-click the entry.

To remove a door group, select the title of the door group and choose Delete. Access to the doors in the door group is removed from all access policies.

Step 3 Enter a Name for the door group in the detail window, as shown in Figure 11-2.

Figure 11-2 Door Groups Detail Window

Step 4 Select the doors to include in the door group. For example, in Figure 11-3 the lobby doors are selected to create a lobby door group.


Tip Doors can belong to multiple door groups.


Figure 11-3 Door Groups: Choose Devices Window

Step 5 Click OK to exit the Devices window (Figure 11-3), and then click Save and Close to exit the Device Group window (Figure 11-2). The new door group appears in the main window (Figure 11-1).


Using the Schedule Manager

The Schedule Manager defines schedules for users and doors, including the following:

Access Policy schedules determine when a badge can be used to access doors. For example, you can create a basic access policy schedule for the weekdays, an additional schedule for the weekend, and a third that denies access for specified holidays when the building is closed. See Configuring Access Policies for more information.

Door schedules are used in door configurations to define the state of the door based on the time and day. For example, a door schedule can define a lobby door as being open and unlocked from 8 am to 5 pm, but locked all other hours. See Configuring Doors, page 8-2 for more information.

To add or edit schedules, do the following:

 

Step 1 

Select Schedules from the Doors menu, in the Schedule Manager sub-menu.

Step 2 

Click Add, or select an existing entry and click Edit.

To remove a schedule, highlight the entry and click Delete.

Note Schedules cannot be deleted if they are assigned to one or more access policies. To delete a schedule that is assigned to an access policy, you must first remove the schedule assignment from all access policies.

Step 3 

Enter the name and description for the schedule.

Step 4 

Select a Schedule Type:

Door Policy: door schedules appear in the door Properties window under the menu: Door enable schedule. See Configuring Doors, page 8-2 for more information.

Access Policy: access policy schedules define the schedule for user badge access. See Configuring Access Policies for more information.

Step 5 

Select the Type, and then select an existing Value.

To create or modify the available values, see Modifying Types and Time Ranges.

Select Holiday to define a single date, or range of consecutive dates.

Select Work Weeks to define the days of the week for a schedule.

Select Special Cases to define a schedule for a date or range of dates that repeat on a regular schedule. For example, the first Monday in each month.

The Time Entry Collection allows you to reuse Holiday, Work Weeks, or Special Case schedules.

Note A Time Entry Collection can be used in more than one schedule, but only if the schedules have the same action (such as Allow or Deny). If a Time Entry Collection is assigned to schedules with different actions, then the schedule operation will be inconsistent.

Step 6 

Select an Action:

Access Policy schedules: select Deny or Permit to define whether the user should have access during the defined schedule.

Door schedules: select Use Schedule Mode.

Note The option Default Mode enables the default door mode defined in the door properties window.

Step 7 

Select a Time Range for the schedule.

To create or modify the available values, see Modifying Time Ranges.

Step 8 

Click Add to add the entry to the list of defined schedules.

Step 9 

a. Repeat Step 5 to Step 9 to add additional schedules, if necessary.

b. Click Save and Close.

 

Step 10 

To apply schedules to an access policy, see Configuring Access Policies.

To apply a schedule to a door configuration, see Configuring Door Templates, page 9-7 and Configuring Doors, page 8-2. Door schedules are selected in the Properties window, in the Use Schedule Mode menu.
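The following added example (not part of the Cisco guide and not Cisco code) models how the three access policy schedules from the example above combine: weekday hours, weekend hours, and a holiday that denies access. The class and function names are hypothetical, and the precedence rule (a matching Deny overrides a matching Permit, and no match means no access) is an assumption, because this chapter does not state how overlapping entries are resolved.

```python
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass(frozen=True)
class ScheduleEntry:
    """One schedule row: Type and Value, Action, and Time Range."""
    kind: str      # "work_week" or "holiday"
    value: tuple   # weekdays (0 = Monday) or (start_date, end_date)
    action: str    # "Permit" or "Deny"
    start: time    # Time Range start, 24-hour format
    end: time      # Time Range end, inclusive

    def matches(self, when: datetime) -> bool:
        if not self.start <= when.time() <= self.end:
            return False
        if self.kind == "work_week":
            return when.weekday() in self.value
        first, last = self.value   # holiday: one date or a consecutive range
        return first <= when.date() <= last


def decide(entries, when):
    """Assumed rule: a matching Deny wins, then a matching Permit, else no access."""
    actions = {e.action for e in entries if e.matches(when)}
    if "Deny" in actions:
        return "Deny"
    return "Permit" if "Permit" in actions else "Deny"


ALL_DAY = (time(0, 0), time(23, 59, 59))

# Constructed policy: weekday hours, shorter weekend hours, closed on one holiday.
POLICY = [
    ScheduleEntry("work_week", (0, 1, 2, 3, 4), "Permit", time(8, 0), time(17, 0)),
    ScheduleEntry("work_week", (5, 6), "Permit", time(9, 0), time(13, 0)),
    ScheduleEntry("holiday", (date(2024, 12, 25), date(2024, 12, 25)), "Deny", *ALL_DAY),
]

if __name__ == "__main__":
    for stamp in ("2024-12-24 10:00", "2024-12-25 10:00",
                  "2024-12-28 10:00", "2024-12-28 15:00"):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, decide(POLICY, when))
```

Replaying a handful of timestamps like this before assigning a schedule to badges shows whether a holiday Deny entry actually covers the weekday Permit window it is meant to override.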

 

Modifying Types and Time Ranges

The values for Type can be modified in the schedule window, or by selecting the item from the Doors menu, under the Schedule Manager sub-menu (Figure 11-4).

Figure 11-4 Schedule Manager Menu

The items in the Schedule Manager only define the available work weeks, holidays, time ranges, special cases and Time Entry Collections. You must still assign these values to a schedule. Once the schedule is defined, assign the schedule to an access policy, or to a door configuration. See Using the Schedule Manager for more information.

Modifying Work Weeks

Modifying Holidays

Modifying Time Ranges

Modifying Special Cases

Modifying Time Entry Collections

Modifying Work Weeks

Work Weeks define the days of the week for a schedule.


Step 1 Select Work Weeks from the Doors menu, under the Schedule Manager sub-menu.

Step 2 Click Add, or select an existing entry and click Edit.

Step 3 Enter the name of the value and a short text description.

Step 4 Select the days to include in the work week. For example, select Monday through Friday to define a Work week for the weekdays, or select Saturday and Sunday to define a value for the weekend.

Step 5 Click Save and Close when you are done.


Modifying Holidays

Holiday defines a single date, or range of consecutive dates.


Step 1 Select Holiday from the Doors menu, under the Schedule Manager sub-menu.

Step 2 Click Add, or select an existing entry and click Edit.

Step 3 Enter the name and a short text description.

Step 4 To enter a Start Date and an End Date for the holiday, click each date field to open a calendar, and then double-click a date.

Step 5 For a holiday that is one day, select the same day for both the beginning and end dates.

Step 6 Click the Today button to reset the calendar to the current date.

Step 7 Click Save and Close when you are done.


Modifying Time Ranges

Time Ranges specify the time span for a schedule type.


Step 1 Select Time Range from the Doors menu, under the Schedule Manager sub-menu.

Step 2 Click Add, or select an existing entry and click Edit.

Step 3 In the detail window, enter the name and a short text description.

Step 4 Enter a start and end time in 24 hour format. For example, enter 13:00 for 1 p.m.

Step 5 Click Add to add a time range to the list Start Time - End Time. You can add multiple time ranges to a single entry.

Step 6 To remove a range, highlight the entry and select Remove.

Step 7 Click Save and Close when you are done.


Modifying Special Cases

Select Special Cases to define a schedule for a date or range of dates that repeat on a regular schedule. For example, you can create a special case for the first Monday in each month. Select an existing Special Case from the Value drop-down menu, or do the following.


Step 1 Select Special Cases from the Doors menu, under the Schedule Manager sub-menu.

Step 2 Click Add, or select an existing entry and click Edit.

Step 3 Enter the name of the value and a short text description.

Step 4 Select the Recurrence. For example, Every Year.

Step 5 Select a Day of Year or Month for the recurring schedule. If you select month, select the specific month for the schedule, or select Every Month.

Step 6 Select the options for Week or Day of month.

Step 7 Click Save and Close when you are done.


Modifying Time Entry Collections

Time Entry Collections allow you to create groups of other schedule types, including Holidays, Work Weeks, or Special Case schedules.

For example, you can define individual holidays and then group all the holidays on the calendar as a timeEntryCollection - US Holidays Calendar. This can then be used in a schedule entry with "Permit" or "Deny".


Note A Time Entry Collection can be used in more than one schedule, but only if the schedules have the same action (such as Allow or Deny). If a Time Entry Collection is assigned to schedules with different actions, then the schedule operation will be inconsistent.



Step 1 Select Time Entry Collection from the Doors menu, under the Schedule Manager sub-menu.

Step 2 Click Add, or select an existing entry and click Edit.

Step 3 Enter the name of the value and a short text description.

Step 4 Select the Type. For example, Holiday, Work Week, or Special Case.

Step 5 Select a Value for the selected Type. For example, if you selected the Type Holiday, select Christmas. To create a new value, click New to open the Add window.

Step 6 Select a Time Range. For example, Default Time Range Group. To create a new time range, click New to open the Add window.

Step 7 If you select month, select the specific month for the schedule, or select Every Month.

Step 8 Click Add to add the entry.

Step 9 Repeat these steps to add additional entries to the collection.

Step 10 Click Save and Close when you are done.


Configuring Anti-Passback Areas

Anti-passback provides a higher level of security by recording and controlling badge holder exit points as well as entry points. Anti-passback areas provide the following controls:

Records a badge holder's entry and exit through a door or set of doors.

Requires that the badge holder exit through a specified door or set of doors.

Prevents a badge holder from entering a door and then passing their badge to another person to enter the same door.

The consequences of violating the anti-passback conditions vary depending on the anti-passback mode for the access point.

To create or modify an anti-passback area, do the following:


Step 1 Select Anti-Passback Areas from the Doors menu, under the Access Policies sub-menu. The main window lists the currently defined areas, as shown in Figure 11-5.

To modify an existing area, select the area name and choose Edit... to open the detail window.

To add a new area, click Add... to open the detail window.

To remove an area, highlight the area name and click Delete.

Figure 11-5 Anti-Passback Area Main Window

Step 2 Complete the following fields in the detail window (see Figure 11-5).

a. Name: Enter a descriptive name for the area.

b. Anti-Passback Area Number: Read only.

c. Comments: Enter a description of the area.

d. Site: Read-only.

e. Anti-Passback mode: Select one of the following modes:

Hard (deny access): Will deny access if the badge has an incorrect entry area.

Soft (grant access): Will grant access even if the badge has an incorrect entry area, but reports the passback violation to the Cisco PAM appliance. The monitoring screen refreshes to display the new swipe-in time.

Timed: The same badge cannot be used twice in a row at this access point within the time specified in the Anti-passback delay field. If the badge is used within the specified time, then the mode is Hard and access is denied. If the badge is used after the time specified, then access is granted in Soft mode.

f. Anti-passback delay: Enter the delay time, in seconds, used for the Timed anti-passback mode.

Figure 11-6 Anti-Passback Areas Detail Window

Step 3 Click Save and Close to save the settings and close the detail window.
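The following added example (not part of the Cisco guide and not Cisco code) is a simplified model of the Hard, Soft and Timed modes described in Step 2, replayed over one constructed swipe sequence. It assumes that an "incorrect entry area" means the badge is already recorded inside the area, and that the Timed delay is measured from the last granted swipe-in; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class AntiPassbackArea:
    mode: str        # "hard", "soft" or "timed"
    delay: int = 0   # Anti-passback delay in seconds (Timed mode only)
    inside: dict = field(default_factory=dict)   # badge ID -> swipe-in time

    def swipe_in(self, badge, now):
        """Return (granted, violation) for an entry swipe at time `now` in seconds."""
        last = self.inside.get(badge)
        violation = last is not None   # badge never swiped out: passback suspected
        if not violation:
            granted = True
        elif self.mode == "hard":
            granted = False            # Hard: deny access
        elif self.mode == "soft":
            granted = True             # Soft: grant access, report the violation
        else:
            # Timed: behaves as Hard inside the delay window, as Soft after it.
            granted = (now - last) >= self.delay
        if granted:
            self.inside[badge] = now   # a granted swipe refreshes the swipe-in time
        return granted, violation

    def swipe_out(self, badge):
        """An exit swipe clears the badge from the area."""
        self.inside.pop(badge, None)


def replay(mode, swipes, delay=0):
    """Run (time, badge, direction) tuples through one area; return entry results."""
    area = AntiPassbackArea(mode, delay)
    results = []
    for now, badge, direction in swipes:
        if direction == "out":
            area.swipe_out(badge)
        else:
            results.append(area.swipe_in(badge, now))
    return results


# Constructed sequence: badge 1001 enters, is presented again after 20 s and
# 200 s without an exit swipe, then exits and enters normally.
SWIPES = [(0, "1001", "in"), (20, "1001", "in"), (200, "1001", "in"),
          (260, "1001", "out"), (300, "1001", "in")]

if __name__ == "__main__":
    for mode in ("hard", "soft", "timed"):
        print(mode, replay(mode, SWIPES, delay=60))
```

The Soft results show why that mode is a monitoring control rather than an enforcement control: every repeat swipe is granted, so the violation reports are the only signal that a badge was passed back.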


Monitoring Anti-Passback Events

Use Anti-Passback Monitoring to view the badges that are in an anti-passback area. For example, if a user enters an anti-passback area using their badge, an entry is added to the Anti-Passback Monitoring window as shown in Figure 11-7. This entry remains in the list until the user exits the anti-passback area.

To view the badges currently in any anti-passback area, select the Anti-Passback Monitoring module from the Doors menu, under the Access Policies sub-menu. Figure 11-7 shows the main window.

To reset the state of a badge, select an entry and click the Reset button.

Figure 11-7 Anti-Passback Monitoring Window

Table 11-2 Anti-Passback Monitoring Properties 

Field
Description

Area Name

The anti-passback area accessed by the badge. See Configuring Anti-Passback Areas for more information.

Badge ID

The ID number of the badge.

Door Name

The name of the door accessed.

Policy Name

The name of the Anti-Passback area. See Configuring Anti-Passback Areas for more information.

Swipe In Time

The day and time when the entry door was accessed.

Facility Code

The facility code.


Anti-Passback Events Displayed in the Events Module

An event is also generated whenever a badge holder swipes a badge in an anti-passback area. These events are displayed in the Events module, as described in Viewing Events, page 12-3.

For example, if a badge is swiped at a door configured with the anti-passback mode Hard (deny access), an event is generated such as "Badge is not Authorized due to Hard Anti-Passback policy". A badge swiped at a door with the mode Soft (grant access) generates an event "Badge is Authorized".

Configuring Two-Door Policies

A two-door policy requires that when a user accesses a door, they must also access a second door within a set number of seconds.

To configure two-door policies, do the following:


Step 1 Select Two-Door Policy from the Doors menu, under the Access Policies sub-menu. The main window is shown (see Figure 11-8).

To modify an existing policy, select the entry and choose Edit... to open the detail window. You can also double-click the entry.

To add a new policy, click Add... to open the detail window.

To remove a policy, highlight the entry and click Delete.

Figure 11-8 Two-Door Policy Main Window

Step 2 Complete the fields in the detail window, as shown in Figure 11-9:

Figure 11-9 Two-Door Policy Detail Window

Name: Enter a short description of the policy. For example: Building 1 lab doors.

Door 1: Click Select Door 1 to open the pop-up window (Figure 11-10). Select a door from the list and click OK. The door should include an exit reader in addition to an entry reader. Use the search field at the top of the window to narrow the list of doors, if necessary.

Door 2: Click Select Door 2 to open the pop-up window. Select a door from the list and click OK. Use the search field at the top of the window to narrow the list of doors, if necessary. Door 2 does not require an exit reader.

Time Interval (sec): Enter the maximum time, in seconds, that a user is allowed between accessing the first door and accessing the second door.

Enabled: Check the enabled box to enable the policy.

Figure 11-10 Select Door 1 Window

Step 3 Click Save and Close to save the changes and close the detail window.
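The following added example (not part of the Cisco guide and not Cisco code) audits an exported event list against a two-door policy: it reports every Door 1 access that the same badge did not follow with a Door 2 access within the Time Interval. The comma-separated export format (Swipe In Time, Badge ID, Door Name), the door names and the function names are assumptions; the sample rows are constructed.

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: Swipe In Time, Badge ID, Door Name
SAMPLE = """\
2024-03-04T09:00:00,1001,Lab Outer Door
2024-03-04T09:00:12,1001,Lab Inner Door
2024-03-04T09:05:00,1002,Lab Outer Door
2024-03-04T09:05:45,1002,Lab Inner Door
2024-03-04T09:10:00,1003,Lab Outer Door
2024-03-04T09:12:00,1001,Lab Inner Door
"""


def parse_events(text):
    """Parse 'time,badge,door' lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, badge, door = (part.strip() for part in line.split(",", 2))
        events.append({"time": datetime.fromisoformat(stamp),
                       "badge": badge, "door": door})
    return events


def two_door_violations(events, door1, door2, interval_sec):
    """Return (badge, door1_time) for each Door 1 access with no Door 2 access
    by the same badge in the following interval_sec seconds."""
    window = timedelta(seconds=interval_sec)
    door2_times = defaultdict(list)
    for ev in events:
        if ev["door"] == door2:
            door2_times[ev["badge"]].append(ev["time"])
    for times in door2_times.values():
        times.sort()

    violations = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["door"] != door1:
            continue
        times = door2_times.get(ev["badge"], [])
        i = bisect_left(times, ev["time"])   # first Door 2 access at or after Door 1
        if i == len(times) or times[i] - ev["time"] > window:
            violations.append((ev["badge"], ev["time"]))
    return violations


if __name__ == "__main__":
    found = two_door_violations(parse_events(SAMPLE),
                                "Lab Outer Door", "Lab Inner Door", 30)
    for badge, when in found:
        print(f"badge {badge}: no second-door access within 30 s of {when}")
```

A Door 1 access near the end of an export is reported even if its interval had not yet elapsed when the export was taken, so re-check the last rows against a later export.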


Two-Door State Monitoring

Use the Two-Door State Monitoring module to display events for doors configured with the Two-Door Policy module.


Step 1 Select Two-Door State Monitoring from the Doors menu, under the Access Policies sub-menu. The main window is shown (see Figure 11-11).

Step 2 To display details for the event, highlight an entry and click Edit....

Figure 11-11 Two-Door State Monitoring Main Window

A two-door state event has the properties described below, available in the table view or detail window:

Table 11-3 Two-Door State Monitoring Properties 

Field
Description

Badge ID

The ID number of the badge.

Door Name

The name of the door accessed.

Policy Name

The name of the two-door policy. See Configuring Two-Door Policies for more information.

Swipe In Time

The day and time when the entry door was accessed.

Facility Code

The facility code.


Step 3 Click Close to close the detail window.