Configuring Cisco Access Policies
This chapter describes how to create the Cisco Access Policies assigned to badge holders that define which doors they can access, and the dates and times of that access. Once created, access policies are assigned to personnel badges.
In addition, you can create access policy schedules for doors that define when the doors are available.
Contents
• Configuring Access Policies
• Managing Door Access With Access Control Policies
• Using the Schedule Manager
  – Modifying Types and Time Ranges
• Creating Anti-Passback Areas
  – Configuring Anti-Passback Areas
  – Using Local (Gateway) Credentials if Network Communication is Lost
  – Evicting a Badge from APB if the User Does Not Enter the APB Area
  – Monitoring Anti-Passback Events
  – Anti-Passback Events Displayed in the Events Module
• Configuring Two-Door Policies
• Two-Door State Monitoring
Configuring Access Policies
This section describes how to create an access policy and assign it to a user badge.
Step 1
Select Access Policy from the Doors menu, under the Access Policies sub-menu.
Step 2
Click Add, or select an existing entry and click Edit.
Tip
To remove a policy, highlight the entry and click Delete. Access policies cannot be deleted if they are assigned to one or more badges. Remove the policy assignment from all badges, and then delete the policy.
Step 3
Enter the general information for the policy:
a. Name: Enter a descriptive name for the policy.
b. Description: Enter a description of the purpose or usage of the policy.
c. Enabled: Select the checkbox to enable or disable the policy. The policy is enabled by default. If disabled, the policy can be assigned to users, but will not impact the users' access privileges.
Step 4
Add or remove sets of door and schedule settings for the access policy.
a. Select a door or door group from the list box on the left. You can change the doors listed using the following controls:
• Search Door List: Search for a specific door using one or more keywords.
• Door / Door Group: Select an option to display single doors or door groups in the list view.
  – See Chapter 6, "Configuring Doors" to add doors.
  – Door Groups allow you to create groups of doors, such as all lobby doors. See Configuring Device Groups, page 6-28.
b. Select a Schedule. To create a new schedule, click the New Schedule button. See Using the Schedule Manager for information.
c. Repeat these steps to add or remove doors or schedules for the access policy.
d. Verify that the correct doors and schedules appear in the list box on the right: Door / Door Group and Schedule Pairs.
Step 5
Click Save and Close to save the access policy.
Step 6
Assign the access policy to one or more user badges:
a. Open the Personnel module from the Users menu.
b. Click Add, or select an existing personnel entry and click Edit.
c. Select the Badges sub-menu.
d. Click Add, or select an existing badge entry and click Edit.
e. Select Cisco Access Policy (in the Badge window).
f. Select the door access policies for the user badge.
g. Click Save and Close to close the Badge window.
h. Click Save and Close to close the personnel record.
Managing Door Access With Access Control Policies
Access Policies can be deactivated and activated manually for one or more doors. For example, if you create three access policies for lobby doors: one for employees, a second for contractors, and a third for visitors, you can selectively deactivate the access policy for contractors on the main lobby door, or on all doors.
Access policies remain deactivated until one of the following events occurs:
Table 9-1 Reactivating Access Control Policies
Method | Description
Activate Access Policies | Right-click a door and select the Activate Access Policies command to manually activate a policy that was deactivated. Select the policies to be activated from the pop-up window and click OK.
Reset Gateway | Right-click a Gateway icon and select the Reset Gateway command to perform a soft reset of the Gateway module. Access policies are activated during a soft reset.
Reload Gateway Configuration | Right-click a Gateway icon and select the Reload Gateway Configuration command to replace the existing Gateway configuration with a new copy. Access policies are activated during this process.
Power cycle the Gateway module | Access policies are activated whenever a Gateway is powered up, for example after a power failure or any time power is disconnected and restored.
Procedure
Complete the following instructions to deactivate and reactivate door access policies:
Step 1
View the status of access policies on a door:
a. Select Hardware or Locations & Doors from the Doors menu.
b. Click the door to highlight it.
c. In the Extended Status field, click the Access Policies tab to view the policies and status for the door.
Step 2
To manually deactivate a policy, right-click the door icon and select Deactivate Access Levels.
Tip
To deactivate access policies for multiple doors, select the command from a location (Locations & Doors module) or from the Logical Driver (Hardware module).
Step 3
Select the access policies to deactivate and click OK.
Tip
Use Shift-click or Ctrl-click to select multiple items from the list.
Step 4
Verify that the status of the access policy is No:
a. Click the door to highlight it. This also refreshes the Extended Status data.
b. In the Extended Status field, click the Access Policies tab.
c. Confirm that the status of the access policy is No.
Step 5
To reactivate the access level, right-click the door icon and select Activate Access Levels. Select one or more levels from the list and click OK.
Note
Access policies remain deactivated until manually reactivated using this command. See Table 9-1 for other methods to reactivate access control policies.
Using the Schedule Manager
The Schedule Manager defines schedules for users and doors, including the following:
• Access Policy schedules determine when a badge can be used to access doors. For example, you can create a basic access policy schedule for the weekdays, an additional schedule for the weekend, and a third that denies access for specified holidays when the building is closed. See Configuring Access Policies for more information.
• Door schedules are used in door configurations to define the state of the door based on the time and day. For example, each door configuration has a default mode that defines whether the door is locked, unlocked, secured, or left open. The door remains in this mode at all times unless you configure an optional schedule to define exceptions to the default mode. For example, if the default mode for a door is Lock, and you define a door schedule that automatically unlocks the door between 8 am and 5 pm, then the door will be locked at all hours except 8 am to 5 pm. See the "Understanding Door Modes, Door Schedules, and the First Unlock Feature" section on page 5-25 and the "Configuring Doors" section on page 6-2 for more information.
To add or edit schedules, do the following:
Step 1
Select Schedules from the Doors menu, in the Schedule Manager sub-menu.
Step 2
Click Add, or select an existing entry and click Edit. To remove a schedule, highlight the entry and click Delete.
Note
Schedules cannot be deleted if they are assigned to one or more access policies. To delete a schedule that is assigned to an access policy, you must first remove the schedule assignment from all access policies.
Step 3
Enter the name and description for the schedule.
Step 4
Select a Schedule Type:
– Door Policy: door schedules appear in the door Properties window under the Door enable schedule menu. See Step 6, page 7-10 in Configuring Door Templates for more information.
– Access Policy: access policy schedules define the schedule for user badge access. See Configuring Access Policies for more information.
Step 5
Select the Type, and then select an existing Value. To create or modify the available values, see Modifying Types and Time Ranges.
• Select Holiday to define a single date, or a range of consecutive dates.
• Select Work Weeks to define the days of the week for a schedule.
• Select Special Cases to define a schedule for a date or range of dates that repeats on a regular basis, for example the first Monday in each month.
• The Time Entry Collection allows you to reuse Holiday, Work Weeks, or Special Case schedules.
Note
A Time Entry Collection can be used in more than one schedule, but only if the schedules have the same action (such as Allow or Deny). If a Time Entry Collection is assigned to schedules with different actions, then the schedule operation will be inconsistent.
Step 6
Select an Action:
• Access Policy schedules: select Deny or Permit to define whether the user has access during the defined schedule.
• Door schedules: select Use Schedule Mode.
Note
The option Default Mode enables the default door mode defined in the door Properties window. See Step 6, page 7-10 in Configuring Door Templates for more information.
Step 7
Select a Time Range for the schedule. To create or modify the available values, see Modifying Time Ranges.
Step 8
Click Add to add the entry to the list of defined schedules.
Step 9
a. Repeat Step 5 to Step 9 to add additional schedules, if necessary.
b. Click Save and Close.
Step 10
To apply schedules to an access policy, see Configuring Access Policies. To apply a schedule to a door configuration, see Configuring Door Templates, page 7-7 and Configuring Doors, page 6-2. Door schedules are selected in the Properties window, in the Use Schedule Mode menu.
Modifying Types and Time Ranges
The values for Type can be modified in the schedule window, or by selecting the item from the Doors menu, under the Schedule Manager sub-menu (Figure 9-1).
Figure 9-1 Schedule Manager Menu
The items in the Schedule Manager only define the available work weeks, holidays, time ranges, special cases and Time Entry Collections. You must still assign these values to a schedule. Once the schedule is defined, assign the schedule to an access policy, or to a door configuration. See Using the Schedule Manager for more information.
• Modifying Work Weeks
• Modifying Holidays
• Modifying Time Ranges
• Modifying Special Cases
• Modifying Time Entry Collections
Modifying Work Weeks
Work Weeks define the days of the week for a schedule.
Step 1
Select Work Weeks from the Doors menu, under the Schedule Manager sub-menu.
Step 2
Click Add, or select an existing entry and click Edit.
Step 3
Enter the name of the value and a short text description.
Step 4
Select the days to include in the work week. For example, select Monday through Friday to define a Work week for the weekdays, or select Saturday and Sunday to define a value for the weekend.
Step 5
Click Save and Close when you are done.
Modifying Holidays
Holiday defines a single date, or range of consecutive dates.
Step 1
Select Holiday from the Doors menu, under the Schedule Manager sub-menu.
Step 2
Click Add, or select an existing entry and click Edit.
Step 3
Enter the name and a short text description.
Step 4
To enter a Start Date and an End Date for the holiday, click each date field to open a calendar, and then double click on a date.
Step 5
For a holiday that is one day, select the same day for both the beginning and end dates.
Step 6
Click the Today button to reset the calendar to the current date.
Step 7
Click Save and Close when you are done.
Modifying Time Ranges
Time Ranges specify the time span for a schedule type.
Step 1
Select Time Range from the Doors menu, under the Schedule Manager sub-menu.
Step 2
Click Add, or select an existing entry and click Edit.
Step 3
In the detail window, enter the name and a short text description.
Step 4
Enter a start and end time in 24 hour format. For example, enter 13:00 for 1 p.m.
Step 5
Click Add to add a time range to the list Start Time - End Time. You can add multiple time ranges to a single entry.
Step 6
To remove a range, highlight the entry and select Remove.
Step 7
Click Save and Close when you are done.
Modifying Special Cases
Select Special Cases to define a schedule for a date or range of dates that repeat on a regular schedule. For example, you can create a special case for the first Monday in each month. Select an existing Special Case from the Value drop-down menu, or do the following.
Step 1
Select Special Cases from the Doors menu, under the Schedule Manager sub-menu.
Step 2
Click Add, or select an existing entry and click Edit.
Step 3
Enter the name of the value and a short text description.
Step 4
Select the Recurrence. For example, Every Year.
Step 5
Select a Day of Year or Month for the recurring schedule. If you select month, select the specific month for the schedule, or select Every Month.
Step 6
Select the options for Week or Day of month.
Step 7
Click Save and Close when you are done.
Modifying Time Entry Collections
Time Entry Collections allow you to create groups of other schedule types, including Holidays, Work Weeks, or Special Case schedules.
For example, you can define individual holidays and then group all the holidays on the calendar as a Time Entry Collection named US Holidays Calendar. This collection can then be used in a schedule entry with the action "Permit" or "Deny".
Note
A Time Entry Collection can be used in more than one schedule, but only if the schedules have the same action (such as Allow or Deny). If a Time Entry Collection is assigned to schedules with different actions, then the schedule operation will be inconsistent.
Step 1
Select Time Entry Collection from the Doors menu, under the Schedule Manager sub-menu.
Step 2
Click Add, or select an existing entry and click Edit.
Step 3
Enter the name of the value and a short text description.
Step 4
Select the Type. For example, Holiday, Work Week, or Special Case.
Step 5
Select a Value for the selected Type. For example, if you selected the Type Holiday, select Christmas. To create a new value, click New to open the Add window.
Step 6
Select a Time Range. For example, Default Time Range Group. To create a new time range, click New to open the Add window.
Step 7
If you select month, select the specific month for the schedule, or select Every Month.
Step 8
Click Add to add the entry.
Step 9
Repeat these steps to add additional entries to the collection.
Step 10
Click Save and Close when you are done.
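The schedule model from Using the Schedule Manager and the value types defined in the Modifying Types sections above, as an added example that is not part of this chapter or of Cisco PAM. It evaluates whether a badge is permitted at a door at a given moment from a policy's Door / Schedule pairs, and includes a configuration check for the Time Entry Collection note; the Deny-over-Permit precedence, refusal when nothing matches, and half-open time ranges are assumptions the chapter does not state.

```python
"""Added example, not Cisco PAM code: a model of the Schedule Manager objects
described above (Work Weeks, Holidays, Special Cases, Time Entry Collections,
Time Ranges), of schedule entries with a Permit/Deny Action, of an Access Policy
as Door / Schedule pairs, and a lint for the Time Entry Collection note.
Assumptions not stated in the chapter: a matching Deny overrides a matching
Permit, a badge with no matching Permit is refused, and time ranges are
half-open (08:00-18:00 includes 08:00 but not 18:00)."""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional, Tuple

@dataclass(frozen=True)
class WorkWeek:                    # days of the week, 0 = Monday ... 6 = Sunday
    days: frozenset
    def matches(self, d: date) -> bool:
        return d.weekday() in self.days

@dataclass(frozen=True)
class Holiday:                     # a single date, or a range of consecutive dates
    start: date
    end: date                      # equal to start for a one-day holiday
    def matches(self, d: date) -> bool:
        return self.start <= d <= self.end

@dataclass(frozen=True)
class SpecialCase:                 # a recurring date, e.g. the first Monday of each month
    weekday: int                   # 0 = Monday
    week_of_month: int             # 1 = first occurrence of that weekday in the month
    month: Optional[int] = None    # None means Every Month
    def matches(self, d: date) -> bool:
        if self.month is not None and d.month != self.month:
            return False
        return d.weekday() == self.weekday and (d.day - 1) // 7 + 1 == self.week_of_month

@dataclass(frozen=True)
class TimeEntryCollection:         # named group of Holiday, WorkWeek or SpecialCase values
    name: str
    members: Tuple
    def matches(self, d: date) -> bool:
        return any(m.matches(d) for m in self.members)

@dataclass(frozen=True)
class TimeRange:                   # one or more Start Time - End Time spans, 24-hour format
    spans: Tuple[Tuple[time, time], ...]
    def matches(self, t: time) -> bool:
        return any(start <= t < end for start, end in self.spans)

@dataclass(frozen=True)
class ScheduleEntry:               # one row added to a schedule: Value, Action, Time Range
    value: object
    action: str                    # "Permit" or "Deny"
    time_range: TimeRange

def evaluate_schedule(entries, when: datetime) -> Optional[str]:
    """Return "Deny", "Permit" or None (nothing matched) for one schedule at `when`."""
    actions = {e.action for e in entries
               if e.value.matches(when.date()) and e.time_range.matches(when.time())}
    if "Deny" in actions:
        return "Deny"
    return "Permit" if "Permit" in actions else None

def badge_allowed(policy, door: str, when: datetime) -> bool:
    """policy: list of (door, schedule_entries) pairs, the Door / Schedule Pairs of Step 4."""
    results = [evaluate_schedule(entries, when) for d, entries in policy if d == door]
    return "Deny" not in results and "Permit" in results

def collection_action_conflicts(schedules) -> set:
    """Names of Time Entry Collections used in schedules with different actions (inconsistent)."""
    seen = {}
    for entries in schedules:
        for e in entries:
            if isinstance(e.value, TimeEntryCollection):
                seen.setdefault(e.value.name, set()).add(e.action)
    return {name for name, acts in seen.items() if len(acts) > 1}

# Constructed sample configuration: weekday office hours, denied on US holidays
OFFICE_HOURS = TimeRange(((time(8, 0), time(18, 0)),))
WEEKDAYS = WorkWeek(frozenset(range(5)))
US_HOLIDAYS = TimeEntryCollection("US Holidays Calendar", (
    Holiday(date(2024, 1, 1), date(2024, 1, 1)), Holiday(date(2024, 12, 25), date(2024, 12, 25))))
EMPLOYEE_SCHEDULE = [ScheduleEntry(WEEKDAYS, "Permit", OFFICE_HOURS)]
HOLIDAY_SCHEDULE = [ScheduleEntry(US_HOLIDAYS, "Deny", TimeRange(((time(0, 0), time.max),)))]
LOBBY_POLICY = [("Lobby", EMPLOYEE_SCHEDULE), ("Lobby", HOLIDAY_SCHEDULE)]
```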
Creating Anti-Passback Areas
An anti-passback area is a secure area where you want to prevent someone from badging in and then passing their badge back to another person who can use it again to gain access.
To create an anti-passback area, configure a door with two readers: one as an entry reader (to gain entry into the anti-passback area) and one as an exit reader (to leave the anti-passback area). Once a badge is inside the anti-passback area, it must be used to exit the anti-passback area before it can be used to enter the area again.
Anti-passback provides a higher level of security by recording and controlling badge holder exit points as well as entry points. Anti-passback areas provide the following controls:
• Records a badge holder's entry and exit through a door or set of doors.
• Requires that the badge holder exit through a specified door or set of doors.
• Prevents a badge holder from entering a door and then passing their badge to another person to enter the same door.
The consequences of violating the anti-passback conditions vary depending on the anti-passback mode for the access point.
Related Documentation
See the following sections for more information:
• Configuring Anti-Passback Areas
• Using Local (Gateway) Credentials if Network Communication is Lost
• Evicting a Badge from APB if the User Does Not Enter the APB Area
• Monitoring Anti-Passback Events
• Anti-Passback Events Displayed in the Events Module
Configuring Anti-Passback Areas
Procedure
To create or modify an anti-passback area, do the following:
Step 1
Select Anti-Passback Areas from the Doors menu, under the Access Policies sub-menu. The main window lists the currently defined areas, as shown in Figure 9-2.
• To modify an existing area, select the area name and choose Edit... to open the detail window.
• To add a new area, click Add... to open the detail window.
• To remove an area, highlight the area name and click Delete.
Figure 9-2 Anti-Passback Area Main Window
Step 2
Complete the following fields in the detail window (see Figure 9-3).
a. Name: Enter a descriptive name for the area.
b. Anti-Passback Area Number: Read-only.
c. Comments: Enter a description of the area.
d. Site: Read-only.
e. Anti-Passback mode: Select one of the following modes:
  – Hard (deny access): Denies access if the badge has an incorrect entry area.
  – Soft (grant access): Grants access even if the badge has an incorrect entry area, but reports the passback violation to the Cisco PAM appliance. The monitoring screen refreshes to display the new swipe-in time.
  – Timed: The same badge cannot be used twice in a row at this access point within the time specified in the Anti-passback delay field. If the badge is used within the specified time, the mode is Hard and access is denied. If the badge is used after the specified time, access is granted in Soft mode.
f. Anti-passback delay: Enter the delay time, in seconds, used for the Timed anti-passback mode.
Figure 9-3 Anti-Passback Areas Detail Window
Step 3
Click Save and Close to save the settings and close the detail window.
Step 4
Add an entry door and exit door to the Anti-Passback area (see Figure 9-2):
a. Choose a door from the left column.
b. Choose Entry or Exit for an Anti-Passback area in the right column.
c. Click the arrows to add or remove the door for an entry or exit point.
Using Local (Gateway) Credentials if Network Communication is Lost
If network communication is lost between the Access Control Gateways and the Cisco PAM appliance, the entry and exit doors will fail to grant access to users since the user credentials cannot be verified. To prevent this scenario, you can configure the doors to authenticate user credentials locally (using credential data stored on the door's Gateway module).
Usage Notes
• Allowing local Gateway authentication as described in this section means that the badge can be used multiple times (potentially by different users) at the entry Gateway. Use the local authentication option only if necessary. APB areas are only fully effective when stable network communication exists between the Gateway modules and the Cisco PAM appliance.
• We recommend using the Soft (grant access) anti-passback mode when local Gateway credentials are used. See the "Configuring Anti-Passback Areas" section.
• A Gateway authenticated APB Grant Access event is generated when an APB Gateway authenticates a badge locally.
  – Once network communication is reestablished between the Gateway and the Cisco PAM appliance, any Gateway authenticated APB Grant Access events are synchronized with the appliance.
  – The appliance uses the events to determine the APB status of badges. For example, if a Gateway used local credentials to grant access to a badge at the entry door while the network was down, the badge is added to the APB area by the Cisco PAM appliance when network communication is reestablished. When the user swipes their badge at the exit door, the Cisco PAM appliance evicts the badge from the APB area.
• If the entry and exit doors are configured to use two different Gateway modules, it is possible for a user to become trapped in an APB area. This can occur if the user is granted access to the APB area using local credentials stored on the entry Gateway, and network communication is restored between Cisco PAM and the (second) exit door Gateway while the user is still in the APB area (before they access the exit door Gateway). This occurs because there is no record on the Cisco PAM appliance that the user entered the APB area (the record only exists on the entry Gateway). To prevent this scenario, we recommend the following:
  – Configure all APB area doors on a single Gateway. To support more than two doors on a single Gateway, a Reader module is required.
  – Install working phones that can reach the CPAM administrator within the APB area. A badge can be modified to allow one free APB pass for the trapped user.
Procedure
To configure local authentication of user credentials (using data stored on the local Gateway module and not the Cisco PAM appliance), do the following:
Step 1
Use either the Hardware or Locations & Door module to edit the door or door template configuration.
• For example, choose Hardware from the Doors menu, expand the hardware tree, right-click on the door name, and select Edit. You can also double-click the device name to open the edit window.
• To change the setting for a single door, see the "Modifying Door Configurations" section on page 6-14.
• To change the setting for a door template, see the "Configuring Door Templates" section on page 7-7 and the "Door Configuration Properties" section on page 7-25.
Step 2
Select the Properties tab (Figure 9-4).
Figure 9-4 Authenticating Credentials Locally (at the Gateway)
Step 3
Uncheck the box for If server unreachable (APB). This allows you to edit the setting.
Step 4
Choose Authenticate locally from the menu.
Step 5
Click Save and Close.
Step 6
Download the configuration change.
See the "Applying Configuration Changes to Gateways" section on page 6-17.
Evicting a Badge from APB if the User Does Not Enter the APB Area
If a user presents their badge and is granted access to an Anti-Passback Area, but decides not to enter the door, then a Door Not Used event is generated by the door's Gateway module. To prevent the badge from being added to the Anti-Passback monitoring list, enable the System Configuration setting for Evict most recent badge from APB area when door not used.
Usage Notes
• This setting is only effective when the user presents their badge and then walks away without physically opening the door. If the user physically opens the door but then walks away without actually entering the APB area, the Door Not Used event is NOT generated and the badge is added to the APB area for monitoring. If this occurs, you must manually evict the badge from the APB area using the Anti-Passback Monitoring module.
• If a user presents their badge at the exit door of an APB area, the badge is evicted from the APB area. However, if the user does not open the door, and a Door Not Used event occurs, the badge is re-added to the APB monitoring area. In this scenario, the exit door name is used as the new entry door (as opposed to the original entry door name).
• If a badge is evicted from the APB area after a Door Not Used event, as described above, and then later added back to the APB area when the user accesses the door again, the entry door is not displayed in the Anti-Passback Monitoring module. The exit door is displayed instead.
• We recommend using the Soft (grant access) anti-passback mode when local Gateway credentials are used. See the "Configuring Anti-Passback Areas" section.
Procedure
To evict badges from an APB area when a Door Not Used event is generated by the door's Gateway, do the following:
Step 1
Select System Configuration from the Admin menu.
Step 2
Click the Cisco Settings tab (Figure 9-5).
Step 3
Select the check box for Evict most recent badge from APB area when door not used.
Figure 9-5 Cisco Settings
Step 4
Restart the Cisco PAM appliance to activate the change. See the Using the Web Admin Menus, Commands and Options, page 2-16 for more information, or ask your system administrator for assistance.
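The Hard, Soft and Timed decision rules from Configuring Anti-Passback Areas together with the Door Not Used eviction and re-add behaviour described in this section, as an added simulation that is not part of this chapter or of Cisco PAM. The area, door and badge names are constructed; how an exit swipe by a badge with no entry record is treated is an assumption.

```python
"""Added example, not Cisco PAM code: a simulation of the anti-passback (APB)
decision rules described in this chapter. Hard denies a badge whose entry area
is incorrect (it is already inside the area); Soft grants, reports the violation
and refreshes the swipe-in time; Timed behaves as Hard within the Anti-passback
delay and as Soft after it. door_not_used() models the System Configuration
setting "Evict most recent badge from APB area when door not used".
Assumption: an exit swipe by a badge not on the monitoring list is granted."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HARD_DENY = "Badge is not Authorized due to Hard Anti-Passback policy"
AUTHORIZED = "Badge is Authorized"

@dataclass
class Occupant:                    # one row of the Anti-Passback Monitoring window
    entry_door: str
    swipe_in: float                # constructed timestamp, in seconds

@dataclass
class AntiPassbackArea:
    name: str
    mode: str                                  # "Hard", "Soft" or "Timed"
    delay: float = 0.0                         # Anti-passback delay (seconds), Timed mode only
    evict_when_door_not_used: bool = False     # the System Configuration setting
    inside: Dict[str, Occupant] = field(default_factory=dict)      # badge -> monitoring entry
    last_grant: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # door -> (kind, badge)
    events: List[Tuple[float, str, str]] = field(default_factory=list)

    def _log(self, now: float, badge: str, text: str) -> None:
        self.events.append((now, badge, text))

    def entry_swipe(self, badge: str, door: str, now: float) -> bool:
        current = self.inside.get(badge)
        if current is not None:
            # Incorrect entry area: the badge never exited after its previous entry.
            within_delay = self.mode == "Timed" and now - current.swipe_in < self.delay
            if self.mode == "Hard" or within_delay:
                self._log(now, badge, HARD_DENY)
                return False
            self._log(now, badge, "Soft anti-passback violation reported to the appliance")
        self.inside[badge] = Occupant(door, now)      # new entry, or refreshed swipe-in time
        self.last_grant[door] = ("entry", badge)
        self._log(now, badge, AUTHORIZED)
        return True

    def exit_swipe(self, badge: str, door: str, now: float) -> bool:
        self.inside.pop(badge, None)                  # evicted from the APB area
        self.last_grant[door] = ("exit", badge)
        self._log(now, badge, AUTHORIZED)
        return True

    def door_not_used(self, door: str, now: float) -> None:
        """The door's Gateway reported Door Not Used after its most recent grant."""
        if not self.evict_when_door_not_used or door not in self.last_grant:
            return
        kind, badge = self.last_grant.pop(door)
        if kind == "entry":
            self.inside.pop(badge, None)              # badge never entered: stop monitoring it
            self._log(now, badge, "Evicted from APB area after Door Not Used")
        else:
            # Exit was granted but the door was not used: the badge is re-added with the
            # exit door recorded as its entry door, as the usage notes describe.
            self.inside[badge] = Occupant(door, now)
            self._log(now, badge, "Re-added to APB area after Door Not Used at exit door")

    def reset(self, badge: str) -> None:
        """The Reset button in Anti-Passback Monitoring: manual eviction when the user
        opened the door but did not enter, so no Door Not Used event was generated."""
        self.inside.pop(badge, None)
```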
Monitoring Anti-Passback Events
Use Anti-Passback Monitoring to view the badges that are in an anti-passback area. For example, if a user enters an anti-passback area using their badge, an entry is added to the Anti-Passback Monitoring window as shown in Figure 9-6. This entry remains in the list until the user exits the anti-passback area.
• To view the badges currently in any anti-passback area, select the Anti-Passback Monitoring module from the Doors menu, under the Access Policies sub-menu. Figure 9-6 shows the main window.
• To reset the state of a badge, select an entry and click the Reset button.
Figure 9-6 Anti-Passback Monitoring Window
Table 9-1 Anti-Passback Monitoring Properties
Property | Description
Area Name | The anti-passback area accessed by the badge. See Creating Anti-Passback Areas for more information.
Badge ID | The ID number of the badge.
Door Name | The name of the door accessed.
Policy Name | The name of the Anti-Passback area. See Creating Anti-Passback Areas for more information.
Swipe In Time | The day and time when the entry door was accessed.
Facility Code | The facility code.
Anti-Passback Events Displayed in the Events Module
An event is also generated whenever a badge holder swipes a badge in an anti-passback area. These events are displayed in the Events module, as described in Viewing Events, page 10-3.
For example, if a badge is swiped at a door configured with the anti-passback mode Hard (deny access), an event is generated such as "Badge is not Authorized due to Hard Anti-Passback policy". A badge swiped at a door with the mode Soft (grant access) generates an event "Badge is Authorized".
Configuring Two-Door Policies
A two-door policy requires that when a user accesses a door, they must also access a second door in a set number of seconds.
To configure two-door policies, do the following:
Step 1
Select Two-Door Policy from the Doors menu, under the Access Policies sub-menu. The main window is shown (see Figure 9-7).
• To modify an existing policy, select the entry and choose Edit... to open the detail window. You can also double-click the entry.
• To add a new policy, click Add... to open the detail window.
• To remove a policy, highlight the entry and click Delete.
Figure 9-7 Two-Door Policy Main Window
Step 2
Complete the fields in the detail window, as shown in Figure 9-8:
Figure 9-8 Two-Door Policy Detail Window
– Name: Enter a short description of the policy. For example: Building 1 lab doors.
– Door 1: Click Select Door 1 to open the pop-up window (Figure 9-9). Select a door from the list and click OK. The door should include an exit reader in addition to an entry reader. Use the search field at the top of the window to narrow the list of doors, if necessary.
– Door 2: Click Select Door 2 to open the pop-up window. Select a door from the list and click OK. Use the search field at the top of the window to narrow the list of doors, if necessary. Door 2 does not require an exit reader.
– Time Interval (sec): Enter the maximum time, in seconds, that a user is allowed between accessing the first door and accessing the second door.
– Enabled: Check the Enabled box to enable the policy.
Figure 9-9 Select Door 1 Window
Step 3
Click Save and Close to save the changes and close the detail window.
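The two-door rule just configured (Door 1, Door 2, Time Interval (sec), Enabled) applied to a batch of badge access events, as an added example that is not part of this chapter or of Cisco PAM. Door names, badge IDs and timestamps are constructed; how a repeated Door 1 access or a Door 2 access with no preceding Door 1 access is treated is an assumption.

```python
"""Added example, not Cisco PAM code: checks a stream of badge access events
against a Two-Door Policy as configured above (after a badge accesses Door 1,
it must access Door 2 within Time Interval (sec)).
Assumptions: events are evaluated in timestamp order, a Door 2 access with no
preceding Door 1 access is ignored, and a second Door 1 access before Door 2
closes the earlier window as a violation and starts a new one."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class TwoDoorPolicy:
    name: str
    door1: str             # should include an exit reader as well as an entry reader
    door2: str             # an exit reader is not required
    interval_sec: int      # Time Interval (sec)
    enabled: bool = True

@dataclass(frozen=True)
class AccessEvent:
    ts: int                # constructed timestamp, in seconds
    badge_id: str
    door: str

def check_two_door(policy: TwoDoorPolicy, events: List[AccessEvent], now: int) -> List[Tuple[str, int, str]]:
    """Return (badge_id, door1_ts, state) rows; state is "completed", "violation" or "pending"."""
    if not policy.enabled:
        return []
    rows: List[Tuple[str, int, str]] = []
    open_windows: Dict[str, int] = {}          # badge_id -> Door 1 timestamp awaiting Door 2
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.door == policy.door1:
            if ev.badge_id in open_windows:    # Door 1 again without reaching Door 2
                rows.append((ev.badge_id, open_windows[ev.badge_id], "violation"))
            open_windows[ev.badge_id] = ev.ts
        elif ev.door == policy.door2 and ev.badge_id in open_windows:
            t1 = open_windows.pop(ev.badge_id)
            state = "completed" if ev.ts - t1 <= policy.interval_sec else "violation"
            rows.append((ev.badge_id, t1, state))
    for badge_id, t1 in open_windows.items():  # Door 1 access with no Door 2 access yet
        rows.append((badge_id, t1, "violation" if now - t1 > policy.interval_sec else "pending"))
    return sorted(rows, key=lambda r: r[1])

# Constructed sample data
LAB_POLICY = TwoDoorPolicy("Building 1 lab doors", "Lab Vestibule", "Lab Inner", interval_sec=30)
SAMPLE_EVENTS = [
    AccessEvent(0, "B100", "Lab Vestibule"),
    AccessEvent(12, "B100", "Lab Inner"),       # 12 s: completed
    AccessEvent(20, "B200", "Lab Vestibule"),
    AccessEvent(75, "B200", "Lab Inner"),       # 55 s: violation
    AccessEvent(40, "B300", "Lab Vestibule"),   # never reaches Lab Inner
    AccessEvent(50, "B400", "Lab Inner"),       # Door 2 without Door 1: ignored
]
```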
Two-Door State Monitoring
Use the Two-Door State Monitoring module to display events for doors configured with the Two-Door Policy module.
Step 1
Select Two-Door State Monitoring from the Doors menu, under the Access Policies sub-menu. The main window is shown (see Figure 9-10).
Step 2
To display details for the event, highlight an entry and click Edit....
Figure 9-10 Two-Door State Monitoring Main Window
A two-door state event has the properties described below, available in the table view or detail window:
Table 9-2 Two-Door State Monitoring Properties
Property | Description
Badge ID | The ID number of the badge.
Door Name | The name of the door accessed.
Policy Name | The name of the two-door policy. See Configuring Two-Door Policies for more information.
Swipe In Time | The day and time when the entry door was accessed.
Facility Code | The facility code.
Step 3
Click Close to close the detail window.