Implementation of Cisco Physical Access Control Solution

Implementation of Cisco Physical Access Control
Session ID-BRKSEC-2081
Access Control Architectures of yesteryear
[Diagram labels: Up to 64; Serial RS485 Cables; Controllers/Access Panels; Network; Badging Server; Up to 64; Mgmt Server]
Presentation_ID
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
2
Cisco Access Control Deployment Architecture
[Diagram labels: Cisco Physical Access Manager; SSL (TLS) RFC 2246; Cisco Access Gateway; Layer 2 Switch; POE; LDAP / Microsoft Active Directory; HTTPS; Cisco IP Network; Network Admission Control; Video Integration; HTTPS; Client PC; Oracle/SAP; CPAM client; Cisco VSM/VSOM]
Product Overview
• Hardware:
  - Cisco Access Gateway controlling a door
  - Additional modules for readers, inputs and outputs can be connected to the Access Gateway via a CAN bus (more on this later).
• Software:
  - Cisco Physical Access Manager (CPAM): a management application with rich interfaces to IT applications and identity stores.
  - Web interface to the Gateway for local management and monitoring
  - Enterprise Data Studio for IT integration with existing employee databases
Access Control Hardware Modules
1. Access Gateway: CIAC-GW-K9 can manage 1 or 2 doors depending on associated reader and devices. Up to 15 additional modules can be connected. (K9 signifies encryption hardware or software is present.)
2. Reader Module: CIAC-GW-RDR controls up to two readers, connects to one Access Gateway via CAN bus.
3. Input Module: CIAC-GW-IP10 controls 10 inputs, connects to one Access Gateway via CAN bus.
4. Output Module: CIAC-GW-OP8 controls 8 outputs, connects to one Access Gateway via CAN bus.
Hardware Module Overview
Cisco Physical Access Gateway (Encryption SW or HW present)
• Mandatory component. Connects up to 2 doors, and up to 15 additional modules (connected via a 3 wire CAN bus).
• Power: POE or 12V to 24V DC
• 2 Ethernet ports
• 10 pin Wiegand reader port: can be configured as two 5 pin Wiegand ports
• 1 RS-485 port
• 3 Outputs (Form C Relays)
• 3 Supervised inputs
• Tamper & PF inputs (can be configured as additional inputs)

Reader Module
• Requires Access Gateway
• Connects up to 2 doors to the Cisco Access Gateway via CAN bus.
• Power: 12V to 24V DC
• 10 pin Wiegand port: can be configured as two 5 pin Wiegand ports
• 1 RS-485 port
• 3 Outputs (Form C Relays)
• 3 Supervised inputs
• Tamper & PF inputs (can be configured to be used as additional inputs)
• CAN Termination switch

Input Module
• Requires Access Gateway
• Connects up to 10 inputs to the Cisco Access Gateway via a CAN bus.
• Example inputs are: pushbutton switches, glass break sensors, or any contact closure input circuit.
• Power: 12V to 24V DC
• 10 Supervised inputs
• Tamper & PF inputs (can be configured to be used as additional inputs)
• CAN Termination switch

Output Module
• Requires Access Gateway
• Connects up to 8 outputs to the Cisco Access Gateway via CAN bus.
• Example outputs are: lights, LEDs, or any contact closure output circuit.
• Power: 12V to 24V DC
• 8 Form C (5A, 30V) outputs
• Tamper & PF inputs (can be configured to be used as additional inputs)
• CAN Termination switch
Gateway module connections
[Diagram labels: CAN2; RS485; Reader input (one 10 wire or two 5 wire readers); Inputs; Power Fail sensor input; Tamper sensor input; Outputs; Unused at this point; Eth0 port used for network connection, POE support; Eth1 port used for management; 3 wire CAN bus; External Voltage input]
Additional modules
[Diagram labels: Input Module; Reader Module; Output Module]
Require external power to operate.
Connected to Gateway module via 3 wire CAN bus. No other network connectivity.
Each of these modules can function as a CAN termination module.
Verify termination switch setting on each module.
Cisco Physical Access Manager (CPAM)
• Appliance form factor 1 RU server:
  - WebStart-based client-server architecture
  - Rich role-based access control (RBAC) policies using profiles
  - Access control policies (two-door, anti-passback, etc.)
  - Ease of configuration and administration
  - Server pair deployment between Cisco Physical Security Manager instances
  - Badge enrollment and design
  - Reporting (template-based reports and custom reports)
  - Fully integrated with Cisco VSM server 3.1.1/5.1.1 through 4.2/6.2
  - Global I/O and Device I/O policy management
Video Integration
• Video integration with Cisco VSM Suite: video associated with a device (door) can be pulled up instantly.
• Video settings are done on a per CPAM user profile basis.
• Associate a camera and its PTZ setting with an event/device.
Solution Details
The CPAM server
• CPAM server is the first device to set up and install.
• ISO image is based on RedHat Enterprise Server 4.x.
• CPAM application is included on the ISO, and upgraded via the normal Linux RPM process (under the covers).
• Web-based access to manage and configure the server once it is installed.
• Client (Microsoft only at this point) is downloaded from the server, and used to manage, monitor, and configure the rest of the hardware.
The CPAM server (continued)
• Install and IP addressing
• HA considerations
• Upgrade
• Configuration backup and restore
• Licensing
CPAM server Install
• CPAM server comes pre-loaded from the factory.
• It can also be installed from scratch using the ISO image and a CD/DVD.
• Default IP for ETH0 after a fresh install is 192.168.1.2.
• Initial username and password are cpamadmin.
• Upon first login to the CPAM web server, you are prompted to continue the initial configuration of the server.
  - Select the server type: Active or Standby.
  - Enter the Site Name (only for the Active server). Don’t use spaces in the site name.
  - Under the User panel you will be prompted to change the password for user cpamadmin. The client will use this password for login until changed. User cpamadmin can have different passwords for web admin and client login thereafter.
Install continued
Under the Network panel, you are prompted for the Host name, Eth0 IP, and Shared IP Address if you are configuring for a Standby server operation. You also have the option to enter a non-default TCP port if you wish. The default is 8020. SSL is enabled by default.
• After configuring the information on this interface, the server application is restarted.
• User will then continue with DNS, Email, Date and Time, and License settings.
• After licensing information is entered, the application restarts and completes the install.
NTP (Network Timing Protocol)
• Standard method to ensure all devices' clocks are in sync, resulting in correlated timestamps on log entries.
High Availability for CPAM
• Active Server ETH0 IP address
• Standby Server ETH0 IP address
• Shared IP address
• All must share the same subnet.
• Active and Standby keep the configuration in sync between them.
• Stopping the Active Server via the web interface triggers the standby to go active.
• If the active server powers down, or is shut down, lack of keepalive frames as seen by the standby server triggers it to become active.
• Standby server assumes module licenses from the active server. Standby server operation is a licensed feature.
• Switchover is non-disruptive to operation and is not automatically reverted if the original active server comes back up.
High Availability for the CPAM server
• Type determined at initial install time.
Active server should be brought online prior to the Standby server being brought online.
Active, Standby, and Shared IP address must be on the same IP subnet.
The server pair exposes a single IP address. The active server owns the address in the normal state. Should the active server fail, the standby server assumes ownership of the shared IP address.
Clients and Gateways must reconnect after failover occurs.
Cisco PAM High Availability
Utilizes the Linux-HA project for this; see http://linux-ha.org for more details.
At install time, servers are designated either Active or Standby.
All licenses except the HA license are keyed by serial number and installed on the Active Server.
The HA license is keyed by serial number and installed on the Standby Server.
Once the HA pair is established, the licenses are copied to the other server, resulting in both servers containing all licenses.
Stopping the CPAM server application
Stop option is available on the Monitor Screen, or under the
Commands tab.
Software upgrades for CPAM server: CPAM is always upgraded first, then the Gateway modules
Upgrade option is located under the Setup menu.
Option to browse for a file on the client machine to use for the upgrade.
CPAM database backup
Performed from the CPAM web interface.
Backup is located under the Setup menu.
Once completed on the CPAM server, you can download and save the file on the client machine or a network attached drive.
Backup file is encrypted, and requires a password when created.
Automated backup and remote file placement are available.
CPAM database restore
CPAM server application must be stopped before the restore option can be used.
Option to STOP server is under the Commands menu or Monitor - Status panel.
Restore is located under the Setup menu.
Option to Browse for a backup file located on the client machine or network attached drive.
Since the file is encrypted, you need to enter the password that was used to generate the file.
Licensing
Installed via web connection to the CPAM active server.
Customer can view installed license files from the same menu using the Features or Files tab.
Licensing issues should be directed to licensing@cisco.com.
Licenses are keyed to the server software serial number.
Cisco PAM Licensing Model
Simple licensing model. No limits on number of badges enrolled, or on number of administrative users/monitors of the system.
Capacity license upgrades for: 64, 128, 512 and 1024 modules (Access GW, Reader, Input or Output), allowing for flexible deployment choices.
Module licenses are cumulative.
Additional feature licenses available for the following:
• Badge Designer
• Enterprise Data Integration
• High Availability
License SKUs
SKU                Description
CIAC-PAME-BD=      Badge Designer License
CIAS-PAME-HA=      High Availability License
CIAC-PAME-EDI=     Enterprise Data Integration License
CIAC-PAME-WSAPI-   Web Services API License
CIAC-PAME-M64=     Additional 64 modules License
CIAC-PAME-M128=    Additional 128 modules License
CIAC-PAME-M512=    Additional 512 modules License
CIAC-PAME-M1024=   Additional 1024 modules License
Hardware SKUs
SKU                 Description
CIAC-PAME-1125-K9   Version 1 CPAM appliance (32 modules licensed)
CPS-MSP-1RU-K9      Version 2 CPAM appliance (32 modules licensed)
CIAS-GW-K9          Gateway Module
CIAC-GW-RDR         Reader Module
CIAC-GW-IP10        Input Module (10 inputs)
CIAC-GW-OP8         Output Module (8 outputs)
Note: CPAM release 1.1 and 1.0 provided support for 4 modules with the base license installed.
If a 1.0 or 1.1 server is upgraded to 1.2, the base license will still support 4 modules.
With a fresh install of the 1.2 release, the base license will support 32 modules.
Gateway and associated modules
• Web Configuration Tool
• Power Over Ethernet
• Initial Configuration
• Configuring the CPAM address and port number
• Additional module information display
• Image management and embedded software
• The CAN bus
The Gateway Module
• The second device to configure and install is the gateway module.
• Powered via POE, or 12 to 24 VDC
• It requires an IP address (static or DHCP), the CPAM server IP address, and the TCP port number to use when communicating with the CPAM server.
• Software image is pushed to the gateway module from the CPAM server or directly from the gateway web interface.
• External device attachment to the gateway can be done before or after the configuration is completed.
• Additional modules are attached via the 3 wire CAN bus and are powered via 12 to 24 VDC only. No POE for the add-on modules.
• Configuration is loaded to the gateway and the downstream modules via the CAN bus from the gateway module. No user action is needed to push configuration to the downstream modules.
Gateway module Web Configuration tool
• Eth0: IP address assignment (connection to IP network)
  - Static (manually assign Gateway module IP, default router, CPAM server IP address, and TCP port number)
  - DHCP (which is the module default)
    - DHCP Option 150 should be the CPAM server IP address
    - DHCP Option 151 should be the TCP port used
  - Gateway will not fall back to any default IP address if DHCP is configured.
  - Default gateway router, DNS server for the Gateway module and its IP address are standard DHCP items provided by the DHCP server. You can use a mix of DHCP for these, and static configuration for the CPAM IP and port.
• Eth1: pre-configured and not alterable
  - Used only as a Mgmt interface
  - IP address set to 192.168.1.42/24
NTP
• If NTP is not configured on the gateway, it will use the time from the CPAM server. Under system configuration you can set the default time zone for discovered gateways.
• Gateway time zone should be configured before creating doors on the gateway.
If the time on the Gateway is + or – 20 seconds from the CPAM server or NTP server upon connection, the gateway will reload.
POE for the Gateway
• GW POE budget can be used to power readers and locks attached to the Gateway module.
• If Aux power and POE are present, Aux power takes precedence. A switch from Aux to POE will cause a gateway reload.
• POE backup should be provided at the POE switch in the datacenter.
• Total external power supplied is limited to 650 mA at 12 V DC (7.8 Watts). This can be used to power readers and a strike, as long as total peak current between all devices is less than 650 mA.
• Wire gauge depends on distance from Gateway: choose 20 AWG for up to 100 Feet.
Sample of Single Door POE Connection
[Diagram labels: Reader & Lock Power: Total Draw 650 mA at 12 V; Wiegand Reader; REX; Door Sensor; Strike/Lock Output (NO)]
Wiegand readers can be configured with a single 10 wire interface (including Power and GND) or as two 5 wire readers. The Power and GND connections are shared between the two readers in this instance.
CAN2 and RS-485 connections are for future use.
Example POE Devices
Device       Description                      Peak Current Consumption (mA)
HID 6005     HID Prox Point Reader            75
HES RF5010   HES Integrated Reader & Strike   240
Wiegand slot wiring on Gateway or Reader modules
Slot  Chassis Label  One 10 Wire      First 5 Wire     Second 5 Wire
10    PWR            PWR (red)        PWR (red)        PWR (red)
9     GND            GND (black)      GND (black)      GND (black)
8     D0             D0 (green)       D0 (green)       ----------
7     D1/CLCK        D1/CLCK (white)  D1/CLCK (white)  ----------
6     DRTN           DRTN (shield)    DRTN (shield)    DRTN (shield)
5     GRN            GRN (orange)     GRN (orange)     ----------
4     RED            RED (brown)      ----------       GRN (orange)
3     BPR            BPR (blue)       ----------       ----------
2     HCRD           HCRD (yellow)    ----------       D1/CLCK (white)
1     CP             CP (purple)      ----------       D0 (green)
Wire colors shown in parentheses
---------- means wire slot is unused
Initial configuration of the Gateway module using Eth1
User and password are preset to gwadmin
ETH1 IP is 192.168.1.42
Setting the IP and CPAM on the GW module
[Screenshot callouts:]
• DHCP is on by default
• IP address
• Mask
• Default gateway
• SSL enabled by default. If enabled here, must be enabled on CPAM server Network tab also.
• CPAM server IP address and port number
• Gateway module Reboot, Reset to Factory Defaults, and Reset Application actions are also available.
Additional module inventory
Using the Show Inventory panel you can view status of the modules that are attached via the CAN bus.
You can scroll down and view specific information for each attached module.
Gateway Image management
You can use the web interface to manage images on the Gateway.
Only the non-active image is overwritten.
The download occurs, then you have the option to make the newly downloaded image the active image.
Once the new image is marked ‘active’, the next reboot will cause this image to be loaded and running.
Recommended to check all options when loading a new version of Gateway firmware.
CAN bus
• Controller Area Network bus
• 3 wire, parallel bus connecting Gateway module to additional modules (plus, minus, and shield)
• Must be terminated on both ends
• Gateway has CAN bus automatically terminated
• Last module (reader, input or output module) on bus must be set to terminate the CAN bus. This is manually configured with a switch setting on the module.
CAN bus layout
[Diagram labels: To IP network; Gateway is always first module on CAN bus; Other modules can be any combination of reader, input or output modules; CAN termination set on for this module and off for all other modules]
MAX of 15 modules plus the gateway
Current speed 125bps
Current distance limit 1320 feet (400 Meters)
Verify CAN termination switch settings!
CPAM client (configuring the hardware)
• Where do I get it from?
• Credential Templates (Card Formats)
• Device Templates
• Door Templates
• Gateway Templates
• Logical Door
• Locations
• Gateway image management via the client
Where do I get this ‘client’?
HTTPS into the CPAM server.
Under Downloads menu, click on Cisco CPAM Client…
Or click on Launch Client.
New versions can be installed over existing versions.
Required Java module is also available.
Log in via the client
Found under Programs, in the directory noted below.
Client login username and password will be provided by the CPAM server administrator.
This ‘client’ is used for all monitoring and configuration.
Hardware configuration information is stored on the CPAM server, not on the client machine.
Window jumping, from here to anywhere
Different application windows are used to monitor the hardware, perform hardware configuration, input users, and perform other tasks related to the Access Control solution.
This menu bar is available on each window that is opened. You can get to any window from any window.
Only one instance of a window (single window instance) will be opened by default. Window behavior is configurable under system settings. Default is single window instance for each panel.
Templates
• Used for credentials, devices, doors, and gateways
• Samples of each type included with default configuration. Samples cannot be modified.
• Customer can create their own templates
• Edits to customer generated templates do affect previously configured items, and will be used for any newly created items.
• Changes can be made on logical door and device items if the template was not exactly as desired.
Templates
[Flow diagram, in order:]
• Device template created or edited and saved
• Credential template created or edited and saved
• Door template created or edited using device and credential templates
• Logical door created using door template
• Logical door properties modified if desired
• Desired final configuration
Flexible Door Template
• Door templates can consist of any number of devices.
• Several Door Templates are pre-existing.
• Custom Door Templates can be created as needed.
Template theory in use example
• You have 50 doors that will be configured.
• 1 of the doors will have a different REX operation than the other 49.
• Do I create 2 door templates?
• Or should I create 1 door template, use it for all 50 doors, and then on the 1 door with the different REX make the change on the logical door?
• Templates provide a set of default properties that can be changed as needed on the logical entity.
• If you have 25 doors with configuration A and 25 more with configuration B, you would create 2 different door templates.
Credential template
Card data must be obtained from the card provider.
No way to determine this information if it is not provided.
• Credential template must match the bit layout of the access cards being used.
• Total number of bits on card, and number of bits in each field, must be configured.
• A begin and end bit position is needed for each field.
• If not configured correctly, the badge information cannot be decoded and compared against the badge database correctly.
Associating Credential templates with reader
• Done on the reader device template.
• More than 1 credential template can be associated with the reader.
• ADA mode is for the Americans with Disabilities Act. This is used to configure a longer door open time to permit disabled individuals extra time to pass through the door.
• Specific badges can be flagged as ADA enabled, or the entire reader can be made ADA enabled.
What if the badge layout is unknown?
A Reader Decode Failed message is posted. This indicates that the badge can be read, but the system does not know how to decode the bit layout on the card, so we can’t identify the facility code or the badge number.
It could be that the Credential Template is incorrect for the badge presented, or that the badge layout does not match any of the current Credential Templates in use.
If the badge is known!
[Screenshot callout: Badge number also displayed on the right side of the Door Grant Access entry.]
Here we see that the badge was read and successfully decoded, and the door access was granted.
The badge number used was 5344. We can view statistics and audit records for that badge number in the badge database.
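The decode step described on the credential template slides, as an added example (not Cisco code and not part of the original deck). It assumes the common 26-bit Wiegand layout and a constructed facility code of 17; the class and function names are hypothetical, and only badge number 5344 comes from the slide above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    name: str
    begin: int  # first bit position of the field (1-based, inclusive)
    end: int    # last bit position of the field (1-based, inclusive)


@dataclass(frozen=True)
class Parity:
    bit: int    # position of the parity bit itself
    begin: int  # first data bit it covers
    end: int    # last data bit it covers
    even: bool  # True: parity bit plus covered bits hold an even number of 1s


@dataclass(frozen=True)
class CredentialTemplate:
    name: str
    total_bits: int
    fields: tuple
    parities: tuple = ()


class ReaderDecodeFailed(Exception):
    """The badge was read, but no configured template fits its bit layout."""


# Assumed card format: the common 26-bit Wiegand layout.
WIEGAND_26 = CredentialTemplate(
    "26-bit", 26,
    fields=(Field("facility_code", 2, 9), Field("badge_number", 10, 25)),
    parities=(Parity(1, 2, 13, even=True), Parity(26, 14, 25, even=False)),
)

# Deliberately wrong template: right length, fields shifted by one bit, no parity.
MISCONFIGURED_26 = CredentialTemplate(
    "26-bit (wrong field positions)", 26,
    fields=(Field("facility_code", 1, 8), Field("badge_number", 9, 24)),
)


def span(bits, begin, end):
    """Return the bits between two 1-based, inclusive positions."""
    return bits[begin - 1:end]


def decode_with(template, bits):
    """Decode one read with one template; None if length or parity disagrees."""
    if len(bits) != template.total_bits or set(bits) - {"0", "1"}:
        return None
    for p in template.parities:
        ones = span(bits, p.begin, p.end).count("1") + int(bits[p.bit - 1])
        if (ones % 2 == 0) != p.even:
            return None
    return {f.name: int(span(bits, f.begin, f.end), 2) for f in template.fields}


def decode(templates, bits):
    """Try every template associated with the reader, in order."""
    for template in templates:
        decoded = decode_with(template, bits)
        if decoded is not None:
            return template.name, decoded
    raise ReaderDecodeFailed(f"{len(bits)}-bit read matches no credential template")


def encode_26(facility_code, badge_number):
    """Build a constructed 26-bit sample read, used only as test input."""
    data = f"{facility_code:08b}{badge_number:016b}"
    lead = str(data[:12].count("1") % 2)         # makes bits 1-13 even
    trail = str((data[12:].count("1") + 1) % 2)  # makes bits 14-26 odd
    return lead + data + trail


if __name__ == "__main__":
    read = encode_26(17, 5344)  # constructed sample read
    print(decode([WIEGAND_26], read))
    # Same card, wrong field positions: a number comes out, but the wrong one.
    print(decode_with(MISCONFIGURED_26, read))
    try:
        decode([WIEGAND_26], "1" * 35)  # card length no template describes
    except ReaderDecodeFailed as exc:
        print("Reader Decode Failed:", exc)
```

A template without parity checks accepts any read of the right length, so a wrong field position produces a wrong badge number rather than a decode failure.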
Audit trails
While viewing the badge record, we can look at Recent Events to see what the badge has done lately. If we highlight the Door Grant Access at the top, we can see which specific door the badge was used at on 7/23/2008 at 19:20:55.000.
Device templates (Inputs)
• Accessed from CPAM client main menu.
• Edit of existing device template is denied. Creation of a new template is the way to configure unique operation.
• Sensor input state: what is the normal state of this device when it is not in the active state (is it open)?
• Device state: what does it mean if this device is in the normal state (the door is closed)?
• See next slide for details on supervised inputs.
What is a supervised input?
• An unsupervised input has 2 states: active or inactive.
• A supervised input has 4 states: active, inactive, short, and open.
• Why do I care? What if a wire is cut or shorted between the module input and a normally open device? The server could not determine this, and the device would remain in the inactive state even when the switch is closed!
• How do I make the device/input supervised?
• Use two 1K resistors in the circuit. In the inactive state the circuit measures 2000 ohms, in the active state it measures 1000 ohms, a short would measure 0 ohms, and an open would measure infinite ohms. Now I can tell if a wire is cut or shorted.
Example used: Door Sensor
Ohms      State     Door State  Error Posted?  Input Trusted?
2000      Inactive  Closed      No             Yes
1000      Active    Open        No             Yes
Zero      Short     ?????       Yes            No
Infinite  Open      ?????       Yes            No
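Why the two resistors matter, as an added example that is not part of the original deck or Cisco's implementation. The resistor placement (one 1K in series, one 1K across the contact, both at the device end of the cable), the decision thresholds and all names are assumptions; the nominal values and result columns follow the door sensor table on this slide.

```python
import math
from typing import NamedTuple

R_SERIES = 1000.0    # 1K resistor in series with the contact (assumed placement)
R_PARALLEL = 1000.0  # 1K resistor across the contact (assumed placement)

# Assumed decision thresholds, placed between the nominal values.
SHORT_BELOW = 500.0
ACTIVE_BELOW = 1500.0
INACTIVE_BELOW = 3000.0


class InputReport(NamedTuple):
    state: str          # Inactive / Active / Short / Open
    door_state: str     # what the door sensor example concludes
    error_posted: bool
    trusted: bool


def measured_ohms(contact_closed, fault=None, supervised=True):
    """Loop resistance seen at the module input for a normally open contact.

    fault is None, "short" (conductors touching on the cable run) or
    "cut" (a broken conductor on the cable run).
    """
    if fault == "short":
        return 0.0
    if fault == "cut":
        return math.inf
    if supervised:
        # A closed contact bypasses the parallel resistor, leaving the series one.
        return R_SERIES if contact_closed else R_SERIES + R_PARALLEL
    return 0.0 if contact_closed else math.inf


def classify_supervised(ohms):
    """Four-state result, matching the table's rows."""
    if ohms < SHORT_BELOW:
        return InputReport("Short", "?????", True, False)
    if ohms < ACTIVE_BELOW:
        return InputReport("Active", "Open", False, True)
    if ohms < INACTIVE_BELOW:
        return InputReport("Inactive", "Closed", False, True)
    return InputReport("Open", "?????", True, False)


def classify_unsupervised(ohms):
    """Two-state result: the input only knows continuity or no continuity,
    so it reports every reading as trusted, including a wiring fault."""
    if ohms < ACTIVE_BELOW:
        return InputReport("Active", "Open", False, True)
    return InputReport("Inactive", "Closed", False, True)


def compare(contact_closed, fault=None):
    """Same physical situation as seen by a supervised and an unsupervised input."""
    sup = classify_supervised(measured_ohms(contact_closed, fault, supervised=True))
    unsup = classify_unsupervised(measured_ohms(contact_closed, fault, supervised=False))
    return sup, unsup


if __name__ == "__main__":
    # Constructed scenarios: (contact closed?, wiring fault)
    for closed, fault in [(False, None), (True, None), (True, "cut"), (False, "short")]:
        sup, unsup = compare(closed, fault)
        print(f"closed={closed!s:5} fault={fault!s:5} "
              f"supervised={sup.state:8} error={sup.error_posted!s:5} "
              f"unsupervised={unsup.state}")
```

With a cut wire and the contact closed, the unsupervised input reports Inactive with no error, which is the case the slide warns about.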
Generic Output
Created from the Device Template main menu.
Not associated with a specific door.
Normally associated with a Global I/O or Device I/O action to be taken as a result of a trigger being detected.
If the output is sent a ‘timed activate’ command, how long is the output to be in the activated state?
Example of use: if you want to turn on a light when an alarm condition exists, wire the light circuit to the C and NO output connectors. Configure Global IO to use command ‘Activate Relay’ when the trigger is detected.
The relay will move from NO to Closed and complete the circuit, turning on the light, when the trigger is detected and the CPAM server initiates the ‘action’.
Door Template
Used to create logical door layout. Each device points to a specific Device Template and inherits its operational characteristics from that Template.
Predefined Door Templates cannot be edited.
Users can use these as input on how to generate Door Templates specific to their environment.
Gateway Template
Useful for multiple Gateways that will be configured with the same additional modules, and the same device attachment.
Once you have a Gateway configured the way you want, you can save the configuration as a Gateway Template. When you add additional Gateway modules, you can use the template to populate the configuration for that Gateway and associated modules.
Gateway Cloning
Useful when you are pre-provisioning the CPAM server for future Gateways that will be added. If the Gateway is standalone, the 3 additional modules seen in this example would not be shown. This generates a new Gateway configuration, along with associated modules, that is identical to the Gateway being cloned.
You must have the Gateway and additional module serial numbers handy to use this feature.
For single Gateway cloning, all you need is the serial number and a unique name.
The big difference between a gateway template and cloning is that cloning includes all the associated configuration, including doors, access policies, etc. related to doors on that gateway. A gateway template consists of only the interface to device/device template information.
Gateway module replacement
All devices controlled by the Gateway should be disabled prior to starting the Gateway Replacement process.
First, disable the Gateway.
Second, set the display filter to All Devices.
Third, perform Replace Gateway.
At this point you should see the Gateway in the Hardware Tree as Disabled, and if you right click on the Gateway, the Replace Gateway option should be enabled.
Replace non Gateway module
On the client, Hardware tree display, right click on the module being replaced.
Left Click on the Replace Module option.
Key in the new serial, and click OK
You can now move the power, CAN bus, and device connections to the new
module.
Disable/Delete function
By default, devices can only be disabled, not deleted. If the customer wishes to be able to delete items from the configuration, then they must enable the function.
Making changes to the System Configuration requires a STOP and START be issued on the CPAM application from the Web administration interface.
Creating the Door
Logical door is created under the Locations & Doors tab.
You name the door (must be unique to location).
You specify the Door Template to use.
You specify which Gateway will be used to monitor/control the devices associated with the door. Devices could be attached to modules via the CAN bus to the Gateway specified.
The door theory!
• A basic door has 4 devices involved:
  - The reader: reads the badges presented and transfers the decoded bit stream to the gateway, where the gateway module or CPAM server decides whether to grant access or not.
  - Door sensor: what position is the door in? Is it open or closed?
  - REX (request to exit): if the door opens, was it forced open or is someone leaving from the secure side? The REX lets us know the door was not ‘forced open’.
  - The lock: once a valid badge is presented, the door has to be unlocked. Depending on how the lock is wired to the Output, the module will open the circuit (C & NC) or close the circuit (C & NO).
• Some doors may have additional devices, like a second reader to be used by ADA personnel. This reader might provide extra time for the people moving through the door.
Presentation_ID
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
64
Door Device Associations
Under Associate Devices, you select the device type, and then associate that
device with a specific module (list is based on the Gateway selected under the
General tab) and specific interface on that module.
Deviations from the Templates
The device template used in
the door template will dictate
what the default behavior is.
If this specific door requires
deviation from the device
template, you can uncheck the
default box and make the edit
here.
This does not alter the
template.
When completed with any
edits, click on Save and Close.
Each device must be added in
the same fashion.
Logical door device associations
•Here is where we map the physical door connections to the hardware modules
•The reader is on M00, the gateway module in reader 1 position.
•The REX is on an Input module M02, in the input 1 position
•The door sensor is on the gateway M00, in the input 1 position
•The lock is on an output module M01, in the output 1 position
Door properties (defaults are based on
door template used to create the door)
Relock time – once opened by a valid badge, how long the lock is held open.
Held open timer – how long the door can stay open after a valid user passes through before an alarm is posted advising that the door did not close.
What happens if the badge is not in the database?
Access on timeout? I can reach CPAM, but it doesn’t answer!
Defaults are based on what is configured in the door template. Changes on this panel do not alter the template, only the operation of this specific door.
What to do if the server is unreachable?
How long to wait for the server response.
If the badge is ADA enabled, multiply the relock and held open timers by this number.
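How the door sensor, REX, relock time, held open timer and ADA multiplier combine into alarms, as an added sketch that is not Cisco's gateway logic. The event kinds (`grant`, `rex`, `open`, `closed`), the `Door Held Open` label, the timer values and the point at which `Door Forced Open Cleared` is posted are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class DoorConfig:
    relock_s: int = 5        # constructed value: lock held open after a grant
    held_open_s: int = 20    # constructed value: allowed open time before alarm
    ada_multiplier: int = 3  # constructed value: applied to ADA-enabled badges


def classify_door_events(events, cfg, end_time=None):
    """Return sorted (time_s, message) alarms for one door.

    events: (time_s, kind, ada) tuples in time order; kind is 'grant',
    'rex', 'open' or 'closed' (hypothetical names). `ada` matters only
    for 'grant'. end_time lets a door that never closes still alarm.
    """
    alarms = []
    authorized_until = -1          # door may open without alarm until then
    held_limit = cfg.held_open_s
    opened_at, forced = None, False

    def held_check(t):
        if opened_at is not None and not forced and t - opened_at > held_limit:
            alarms.append((opened_at + held_limit, "Door Held Open"))

    for t, kind, ada in events:
        if kind == "grant":        # valid badge: unlock window, maybe ADA-scaled
            factor = cfg.ada_multiplier if ada else 1
            authorized_until = t + cfg.relock_s * factor
            held_limit = cfg.held_open_s * factor
        elif kind == "rex":        # someone leaving from the secure side
            authorized_until = t + cfg.relock_s
            held_limit = cfg.held_open_s
        elif kind == "open":
            opened_at = t
            forced = t > authorized_until   # no grant or REX explains it
            authorized_until = -1           # one opening per authorization
            if forced:
                alarms.append((t, "Door Forced Open"))
        elif kind == "closed" and opened_at is not None:
            if forced:
                alarms.append((t, "Door Forced Open Cleared"))
            held_check(t)
            opened_at, forced = None, False
    if end_time is not None:
        held_check(end_time)
    return sorted(alarms)


# Constructed sample: normal entry, forced door, REX exit, propped door, ADA entry.
SAMPLE_EVENTS = [
    (0, "grant", False), (2, "open", False), (10, "closed", False),
    (100, "open", False), (104, "closed", False),
    (200, "rex", False), (201, "open", False), (205, "closed", False),
    (300, "grant", False), (302, "open", False), (330, "closed", False),
    (400, "grant", True), (410, "open", False), (450, "closed", False),
]

if __name__ == "__main__":
    for when, message in classify_door_events(SAMPLE_EVENTS, DoorConfig()):
        print(when, message)
```

The last sample entry shows why the ADA multiplier matters: without it, a door opened 10 seconds after the grant would be reported as forced.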
Door Usage Profile
Default is based on door template used to create the door.
Changes here do not affect the door template, just this specific door/reader
The profile dictates how the LEDs on the reader device will operate.
Facility Code and Duress Specification
Credential templates are mapped to the door: what type of badges will be used to access this door? The readers have to be configured to decode the bits on the badge. Decisions can be made using the facility code. For example, for an outdoor restroom at the company recreation facility… do we really care who enters? We can configure the door to open if any badge with a specific facility code is presented, i.e. any company badge can open the door.
Duress Specification is used to enable a person to signal for help when using a key pad for entry, without alerting anyone near them.
Assume the duress code is 8.
If a user is being coerced into opening a door, and their PIN is 1234x, if they enter 12348 as the PIN, the door will open and a message will be posted to the site security that a duress code was used. It provides a silent alert that the door was not opened under normal circumstances even though a valid badge and PIN were used.
Configuration download to the gateway
 Once the devices and doors are configured via the client, the configuration needs to be pushed to the gateway.
 Check properties, specify time zone then commit your changes.
Apply configuration changes - only sends the "Full" configuration the first time configuration is sent to the gateway - otherwise it sends delta changes. Consequently the gateway will reload only the first time configuration is applied.
Logical device locations
 Easy way to determine what devices for a door are attached to what module
 Edits to devices and doors can be made directly from this tree
 Changes made here do not affect device or door templates
Hierarchical tree of base => campus => building => floor => area => sub-area => door => devices
Firmware upgrades for Gateway module
 2 step process…image file is uploaded from client
machine to CPAM server using ‘Image Manager’
Next the Gateway File Manager is
used to push the image file to the
Gateway module.
Gateway keeps 2 versions of code
in flash, the currently running
version, and the previous version.
Next slide shows the Gateway File
Manager panel.
Firmware upgrade on Gateway continued
Once image is on the CPAM server, the Gateway File Manager is used to Initiate
the file download, and activation.
You can also use Gateway File Manager to change the active image on the
Gateway from one image to the other.
There is an option to specify time of the gateway reload.
1.0.0(0.1.168)
| | | build
| | branch
| schema
Gateway Bulk Image upgrade
Same options as seen on the Gateway
Web interface for upgrades.
Performs a rolling upgrade of
Gateways by upgrading 5 at a time,
then moving on to the next batch.
Setting the start time of the upgrade is
allowed.
CPAM client (configuration for access)
 Schedules
 Access Policies
 Badge creation/import
 Configuration and Credential download
 Event Monitoring
 Global I/O
 Integration with VSM (Video Surveillance Manager)
Schedules
 Schedules are created to fit the specific customer’s
schedule.
 Schedules are mapped to Access Policies, Door
Policies, or Event Policies.
Customer can define specific
schedules to meet their needs.
They can define how their work
weeks are laid out. Unique
Time Ranges, Special cases,
and Time entry collection are
all managed by the Schedule
Manager.
Gateway timezone
Before schedules can be
accurately put in place, the
Gateway time zone should be
set or verified.
The Gateway clock operates
on UTC and uses the time
zone to determine the local
time.
Time zone must be set to the
time zone the Gateway is
physically located in.
For example: if the Gateway is in New York, and the CPAM server is in Chicago, set the Gateway time zone for US/Eastern.
The time zone can only be set via the Hardware menu, Gateway Edit, Properties.
Schedule example
 We want to create a schedule and associate it to a
policy to permit ‘contractors’ badges to have access
Monday to Friday, 9AM to 5PM.
 We also want these ‘contractors’ badges to be denied
access on July 4th, and December 25th if those dates
happen to fall on a weekday.
 Deny entries are checked first, any match = deny
access.
 Permit entries are checked next, any match = grant
access
 If no match is found in either Deny or Permit entries,
access is denied by default.
Schedule creation
We added a schedule entry to use the
default work week of Mon – Fri, and coupled
it with a Time Range of 09:00 to 17:00
Deny action for desired Holidays
After adding the Permit for
Mon – Fri Weekdays, we
created two Deny entries.
One for the 4th of July, and
one for the 25th of
December.
We selected Time Range of
Always Time Range Group
which means 00:00 to 23:59
(all 24 hours of the day we
are working with)
The Start and End date for
the holiday for both July 4
and December 25 are the
same date.
Holidays can not span
between months. Create an
entry for each month if
needed to span a month
boundary.
The schedule is now complete. Access will be granted on weekdays from 9 to 5, and access is denied on July 4th and December 25th for this schedule. The next step is to associate this schedule with an Access Policy.
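The ‘contractors’ schedule and its evaluation order (Deny entries first, then Permit entries, then deny by default), evaluated in the Gateway's local time, as an added example that is not CPAM code. The `Entry` structure, the inclusive end minute and the fixed standard-time offsets standing in for US/Eastern and US/Central are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class Entry:                       # hypothetical structure for one schedule entry
    action: str                    # "permit" or "deny"
    start: time
    end: time                      # assumption: inclusive to the minute
    weekdays: frozenset = frozenset()  # 0=Mon .. 6=Sun, for work-week entries
    month_day: tuple = None        # (month, day) for a holiday entry

    def matches(self, local):
        if self.month_day is not None:
            day_ok = (local.month, local.day) == self.month_day
        else:
            day_ok = local.weekday() in self.weekdays
        minute = local.time().replace(second=0, microsecond=0)
        return day_ok and self.start <= minute <= self.end


ALWAYS = (time(0, 0), time(23, 59))    # the "Always" time range: 00:00 to 23:59

CONTRACTORS = [
    Entry("permit", time(9, 0), time(17, 0), weekdays=frozenset(range(5))),
    Entry("deny", *ALWAYS, month_day=(7, 4)),
    Entry("deny", *ALWAYS, month_day=(12, 25)),
]

# Constructed fixed offsets so the example runs without a time zone database.
# They do not follow daylight saving time, which a real zone setting would.
EASTERN_STD = timezone(timedelta(hours=-5))
CENTRAL_STD = timezone(timedelta(hours=-6))


def evaluate(schedule, utc_now, gateway_tz):
    """Return (decision, reason) for a badge read at utc_now.

    The Gateway clock runs on UTC; the schedule is checked against the
    local time of the zone the Gateway is configured for.
    """
    local = utc_now.astimezone(gateway_tz)
    if any(e.action == "deny" and e.matches(local) for e in schedule):
        return ("deny", "deny entry")
    if any(e.action == "permit" and e.matches(local) for e in schedule):
        return ("permit", "permit entry")
    return ("deny", "default deny")


if __name__ == "__main__":
    # 22:30 UTC is 17:30 in New York but 16:30 in Chicago.
    badge_read = datetime(2010, 3, 2, 22, 30, tzinfo=timezone.utc)
    print(evaluate(CONTRACTORS, badge_read, EASTERN_STD))
    print(evaluate(CONTRACTORS, badge_read, CENTRAL_STD))
```

The last two calls show what a wrong Gateway time zone does: a door in New York configured with Chicago's zone would still admit contractors half an hour after the 17:00 cutoff.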
Policy creation
Here we created a Policy
and added the
description.
We associated the Door
with the schedule and
created the policy.
Door Group can be used
to associate multiple
doors to a policy.
For example, we could have created a door group that included all perimeter access doors, and applied this policy to the door group as opposed to having to apply the policy to each perimeter door individually.
Configuring a badge for access
Accessed from main menu.
Can Add, Edit, or Disable badges.
For audit reasons badges are never
deleted, only disabled.
Card number is embedded in the card.
PIN is required even if not used, can be disabled globally.
Facility code is embedded in the card; decisions can be made based on this code.
If not entered, Effective and
Expires dates are not used and
badge is valid from today until it
is manually changed.
Badge Access Level and Policy
Cisco Access Policy is what is used to tie badges to time/date and door access.
Which location and what access policy will this badge adhere to?
Badges continued
Credential template must
be associated to the badge.
Temporary deactivation can
be configured for the
badge.
Role must be assigned.
Audit records are available for badge record edits.
Badge can be exempt from
need to also enter PIN when
readers at facility include
keypads.
ADA access mode can be
assigned to the badge.
This would provide longer
access time for disabled
persons when passing
through a door.
Badges are then associated to people
Personnel records are created or
edited to add in the badge, or badge
numbers associated to that person.
It is possible for a person to have
multiple badges associated to them.
Credential download
 Credential database is synced between the CPAM
server and the Gateways every 60 minutes by default.
 This interval is configurable under System Settings
Default Gateway time zone is
also set under System
Configuration
Changing the download interval
requires CPAM application to
be stopped and re-started to
make changes effective
Manual download of credentials
If you update a badge credential and
want to manually push the change to
the Gateways, right click on the
Gateway Driver, and then left click
on Apply Credential Changes.
This message means the update was sent to the Gateway. You should see this message for each Gateway.
Credential changes applied manually.
Badge record is updated.
Event Monitoring
Flashes on
every
window
when
alarm
occurs
Global I/O to take action on a trigger
 Automation driver must be started
 Used to trigger some action
 Examples:
Turn on light or send email
Next we go to the Global I/O menu and
define what the trigger event is, and
what action to take on the event.
Global I/O
Add option is used to
allow multiple actions
on a single trigger
External triggers can be
wired and configured as
inputs as required.
Event trigger is defined; this can be based on any event or message posted in the log.
Actions to perform are defined. The action can be to perform a specific command on a specific device. For example: close the relay for module 3, output 2 to turn on a light.
Also can generate a notification email.
The trigger
Here we have the
ability to use any
event message
logged as the trigger
event.
In this instance, we
are using the Door
Forced Open Cleared
message as our
trigger.
We did not specify a
specific door, so this
message for any door
will be considered a
trigger.
Choose provides a
menu to select a
specific message
from the logged
events.
The action
Under Action, we added a
Device Command.
We then selected the
specific device we want to
take action on from the
hardware tree.
In this example, we are
using a generic output to
turn off a light if the trigger
event occurs.
We use the Command and
Choose to select the action
to be performed.
Here we used a trigger of ‘Door Forced Open’ to turn on a light, and a second
trigger of ‘Door Forced Open Cleared’ to turn the light off.
Email notification TEST
You can use the
CPAM web interface
to test the SMTP
options.
The Test option is
located under the
Setup menu, Email
item.
Configuration here
will not be used for
the Automation
Driver to send email
notifications.
Email notification for events
Here we see an Automation Rule that uses the ‘Door Forced Open’ message/event to generate an email to ‘mikbrown@cisco.com’.
Automation driver must be
configured with SMTP
settings before the
Notification email can be
sent from the CPAM server.
The driver must be restarted
once the SMTP server
settings are configured.
Sample email text
Test email generated by the CPAM server
Test option
Email generated by the Automation
Driver triggered by the Door Forced
Open event.
Video Integration
 EDI driver will start automatically, user must manually
start the VSOM Camera Driver. EDI and VSOM
Camera Driver should both be running.
Check for both to show
Started status.
If they are missing, or Stopped, Right click
on the Gateway, and then in the drop down
start, or create new driver.
You can only start 1 instance of each. If it is
already created, the New driver is grayed
out.
Camera associations
Once the drivers are started, you
need to point to the VSOM server
so CPAM can obtain the camera
list. Right click on the VSOM
driver to get to the Setup VSOM
menu.
You enter the IP address, or the DNS name of the VSOM server. If this works, the Cameras should be displayed under the VSOM driver.
bas is the default database name in the VSOM server, and 3306 is the default port for MYSQL.
Camera Manager and door associations
Camera Manager is under
Events & Alarms
Check the Live Video feed
to validate that the
camera is functioning
Edit the Camera
to associate it
with a Door
Alarms and video
 Once camera and door are associated, any Alarm
event at the door can generate a video popup window
showing the camera feed. This depends on the user
profile.
 By default, a max of 4 video feeds will be automatically
popped up on the client screen so that client PC
resources (memory) are not exhausted.
 Video Player must be downloaded separately from the
VSOM server.
For PTZ cameras, you use
the presets from VSOM to
populate the preset field in
the camera configuration
in CPAM.
User profile must be configured to show video
CPAM user profile must be set
to allow pop up video window.
The default Administrators
profile has this box
unchecked, and it can not be
checked
Alarm can trigger live video popup
Alarm caused by
Door Forced
Open event.
Camera feed
associated to the
door is
automatically
opened and
displayed for the
operator
This opens a TCP
connection from
client machine to
the VSOM server
and the video is
streamed over the
TCP connection
using port 80.
The advantage of Gateway Cloning
1. Doors -> Templates -> Credential Templates - configure the credential format
2. Doors -> Templates -> Device Templates - assign the credential format to the appropriate reader type
3. Locations and Doors - Add base and location hierarchy
4. Doors -> Hardware - Use gateway template (say 2 reader template) to create gateway and doors.
5. Doors -> Access Policies - create access policies for the doors
6. Users -> Badges - add badges and assign to personnel. Also enable appropriate access policies (created in the last step) for these badges
7. Locations and Doors (or Hardware) -> Right click on Locations (or Gateway controller) and issue Apply Configuration Changes
8. Wait for gateway to connect and credential data to be sent to the gateway (takes a couple of minutes)
9. That's it
10. Now you can use gateway cloning to clone this gateway any number of times (only need to plug in the new gateway serial number and door names into the wizard)
Troubleshooting the system
The infamous ‘show tech’ for CPAM
Show Technical Support option is available under the Commands pull down on the main Web interface on the CPAM server.
Click on Start Show Tech.
Once the file is created… click on the file name, and you will see an option to Save the file on your client machine.
Gateway Log collection
 Performed via CPAM client using Gateway File Manager option.
 Once open, highlight the file to upload, then click on Initiate Upload.
 When prompted, enter the IP address of the CPAM server. (you may
have to include a / in the path field)
 Upload files as directed by support. Might want to upload all files as a
precaution.
 Once files are uploaded to CPAM, we need to move them to the
client machine, and email them to support.
 Create a folder on the client in C:\
 Upload log files from CPAM server to folder in C:\
In CPAM release 1.1 the Gateway ‘all logs file’ was introduced which will
create a zip file containing all of the Gateway logs.
Uploading logs to CPAM server
Left click on the Gateway, then right click on File Manager to open the panel below.
Once the panel is open, click on the Log File tab. Logs are uploaded 1 at a time. Click on the log file, then on Initiate Upload.
Enter the IP address of the CPAM server, and enter a / in the path. You can use a different TFTP server if one is available.
Once the entries are completed, click OK to upload the file.
Moving file from the CPAM to client machine
Open Image Manager, then migrate to the folder in C:\ and double click the folder name. Once the Path is correct, click on the log file, and then click on Download.
In this release we can not navigate the directories on the local machine. Only 1 file at a time may be downloaded.
Zipping and emailing the Gateway Logs
Once the files are on the client machine, in the C:\ directory, they can be
zipped into 1 file, and emailed to support.
Best practice is to upload files one Gateway at a time, and use a different
directory in C:\ for each Gateway. If the logs are zipped, create one zip file
for each Gateway.
A good idea would be to name the directory C:\GW-wxyz where wxyz are the last 4 characters of the Gateway serial number.
CPAM log collection
 SSH (user and password needed) into the CPAM
server command line.
 Go to /opt/cisco/cpam/logs
 To view the logs use the ‘cat’ or ‘more’ command.
These files can be retrieved by SFTP from the CPAM server and zipped for
emailing to the development engineers. The CPAM server is running an
SFTP server, no configuration is necessary.
CPAM client logs
 Log is kept on the client machine where the client is
running from.
 File can be zipped and emailed to development
engineering as needed.
Firewall considerations
 TCP port 80 HTTP
 TCP port 443 HTTPS
 TCP port 1236 BVCONTROL
 TCP port 3306 MYSQL
 All these need to be open between the client machine
and the CPAM server.
 Gateway to CPAM server uses TCP port 8020 by
default.
Additional features
 Graphic Maps with active ICONs
 Quick Launch panels for 1 click action ICONs
 URL notifications sent upon trigger being met
 Integration with Active Directory for personnel
import and login user authentication.
 Robust report generation
 Custom user roles to limit views and permissions