Issue
How to set up OSDP Readers on Access Expert
Product Line
Access Expert
Environment
- Access Expert Hosted Software
- Access Expert Premise Software
Cause
Clear recommendations and instructions are needed for the process.
Resolution
OSDP Readers with Access Expert
Overview
OSDP stands for Open Supervised Device Protocol. It replaces the older clock-and-data and Wiegand protocols that have been used across the industry for many years. OSDP is based upon an industry standard from SIA (Security Industry Association) and has various levels. The original version was called OSDPv1, which was followed by OSDPv2; Secured Channel Communications was then added to OSDPv2. This document addresses how to add an OSDPv2 and/or OSDPv2 Secured Channel reader to an Access Expert system. As we move further into a data-secured and encrypted environment, it is recommended that all deployments be installed based upon OSDPv2 at a minimum. More information on OSDP can be found at https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/.
When compared to Wiegand, OSDP offers various technological advancements, with the increased level of security being one of the key benefits associated with OSDPv2 Secured Channel.
- More Security: OSDP v2 with Secure Channel protects readers against hacking using AES-128 encryption, and OSDP constantly monitors wiring to protect against tampering. OSDP helps overcome the growing threat of “man in the middle” attacks.
- More Functionality: OSDP uses fewer wires, allows for multi-drop installation, supervises connections to indicate reader malfunctions, and can disable the reader automatically when removed from the wall.
- Bidirectional communication: OSDP supports bidirectional communication. This means that the reader configuration can be set in the software and then sent to the reader via the intelligent controller.
- More Interoperability: Using OSDP enables communication among different manufacturers' devices.
- More Consistency: Not only does OSDP provide a concise set of commonly used commands and responses, but it also eliminates guesswork since encryption and authentication are predefined.
- Ease of Use: Low cost of implementation on an embedded device and simplification of the encryption and authentication process.
Most readers come with both Wiegand and OSDP support already available.
Reader Wiring & Prerequisites
Prerequisites:
- Readers wired for OSDP
- Readers that support OSDP
- HID Mobile Reader Manager App (iTunes or Google Play)
- HID Reader configured for OSDP and addressed
It is possible to deploy OSDP readers on Access Expert without using the HID Reader Manager App, provided you are not “stacking” readers on the same controller port. Stacking is the process of putting multiple readers on the same controller and the same port. If stacking is being used, the HID Reader Manager App will be required to set the second reader's address. As an example:
| Application | Need | Reader Port 1 | Reader Port 2 |
| --- | --- | --- | --- |
| Parking Garage | The project will have 2 Parking gates where each will have dual readers | Reader 1 on Port 1 is set to address 0; Reader 2 on Port 1 is set to address 1 | Reader 1 on Port 1 is set to address 0; Reader 2 on Port 1 is set to address 1 |
When deploying OSDP, the reader and port address designation for each reader port will default to address 0. This means you can deploy a system without using the HID Reader Manager App, provided only a single reader is being used per controller port. Note that the AX-MR62e supports a total of 4 OSDP readers but only has a single reader port. This means the HID Reader Manager App is needed to set the addresses accordingly for readers 2 through 4.
OSDP wiring is different from what most installers are accustomed to. Unlike Wiegand, which takes 6 wires to the reader, OSDP is an RS-485 connection where 2 wires are used for data and 2 are used for power, as noted in the images below. These pictures show an HID R900 reader connected to an AX-MR52-S3 controller for OSDP. The same wiring method is used when deploying OSDPv2 Secured Channel. No additional wiring is needed for the reader to pick up additional signals such as Reader Tamper alarms.
Adding OSDP Readers to Access Expert
To Add an OSDP Reader to your Access Expert system:
- Open the desired downstream controller or right-click the downstream and select Add OSDP Reader.
- Click “Add OSDP Reader”.
- Enter the Reader Display Name.
- Select the Address. This field will default to 0 or 1 and represents the controller port.
- Complete the Reader Information for the other fields similar to how a traditional Wiegand Reader is configured.
- Click "Save & Close".
Take note of the addressing being used on your system. The Address is the controller's port address, while the OSDP Address is the reader's address and will vary when stacking is being used. At this point, the OSDP reader is added to the Access Expert system without Secured Channel being enabled. Leaving the Assurance Profile set to None and using the Default Baud Rate settings will leave the reader connected to the system without using the Secured Channel. It is recommended to set up the reader with the defaults first, then enable Secured Channel. OSDP readers have many of the same fields as a Wiegand reader, so the setup processes will be similar.
- Assurance Profile: This is used only by PIV class cards for FIPS deployments.
- Use Default: Using the default sets the Baud Rate to 9600, the address to 0, and does not use a secure channel.
- Use Secure Channel: To leverage the extra security that comes from OSDP readers, it is best practice to turn on a secure channel.
- Baud Rate: Because OSDP readers have bi-directional communication, the downstream and the reader need to be using the same communication rate (baud rate). Make sure this is set according to the reader's needs. It is recommended that 9600 be used for OSDPv2 and that Auto Negotiate be used for OSDPv2 Secured Channel.
- OSDP Address: Multiple OSDP readers can be connected to the same reader port on a controller. As an example, the MR-62E supports a total of 4 Readers on the controller but only has one reader port. When this is done, each reader on that port needs a unique address, which is set in the HID Reader Manager App.
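The addressing and baud rate guidance above can be checked against a planned reader list before anything is entered in Access Expert. The following is an added example, not Access Expert or HID code; the dictionary keys, the controller name "MR52-A" and the reader names are assumptions made for illustration.

```python
from collections import defaultdict

# Recommended baud setting from the article, keyed by whether Secure Channel is on.
RECOMMENDED_BAUD = {False: "9600", True: "auto"}

def reader(name, port, osdp_address, secure_channel, baud, controller="MR52-A"):
    """Build one planned-reader record (hypothetical schema for this example)."""
    return {"name": name, "controller": controller, "port": port,
            "osdp_address": osdp_address, "secure_channel": secure_channel,
            "baud": baud}

def audit_readers(readers):
    """Return sorted findings for a planned OSDP reader layout."""
    findings = []
    by_port = defaultdict(lambda: defaultdict(list))
    for r in readers:
        by_port[(r["controller"], r["port"])][r["osdp_address"]].append(r["name"])
        if not r["secure_channel"]:
            findings.append(f"{r['name']}: Secure Channel is not enabled")
        want = RECOMMENDED_BAUD[r["secure_channel"]]
        if r["baud"] != want:
            findings.append(f"{r['name']}: baud is {r['baud']}, recommended {want}")
    # Stacked readers on one controller port must each have a unique OSDP address.
    for (controller, port), addresses in by_port.items():
        for address, names in addresses.items():
            if len(names) > 1:
                findings.append(
                    f"{controller} port {port}: OSDP address {address} "
                    f"shared by {', '.join(sorted(names))}")
    return sorted(findings)

# Constructed sample plan modelled on the parking garage example.
SAMPLE_PLAN = [
    reader("Gate1-In", 1, 0, True, "auto"),
    reader("Gate1-Out", 1, 1, True, "auto"),
    reader("Gate2-In", 2, 0, True, "9600"),    # Secure Channel on, fixed baud
    reader("Gate2-Out", 2, 0, False, "9600"),  # duplicate address, no Secure Channel
]

if __name__ == "__main__":
    for line in audit_readers(SAMPLE_PLAN):
        print(line)
```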
Setting up OSDPv2 Secure Channel
The reader must first be configured as an OSDP reader in Access Expert to be successfully configured for Secure Channel communications.
- Right Click the Reader and select View Live Monitoring. This will allow you to monitor the reader communications as you enable Secured Channel.
- Set baud rate to auto-negotiate.
- Click "Save".
- The reader will show as offline in the hardware tree.
- From the Reader setup page, Click Actions then Select Start Linking mode. The linking mode is automatic, and the process can be monitored from the Live Monitoring page.
- The reader will negotiate the secure communication with the controller and come online.
With Secure Mode, if the Reader Tamper is in alarm, the reader will not process any card reads by design.
How to - Remove Secure Channel on an OSDP reader
At some point, you may need to remove an OSDP reader which has been connected to a system via Secured Channel.
- Uncheck Secure Channel.
- Click "Save".
- From the "Actions" drop-down menu, select "Send OSDP Command".
- Select the Manufacturer.
- Choose "Set Install Mode".
- Click "Execute".
- The LED on the reader should blink green once completed.
Note: The 'Send OSDP Command' modal has several OSDP Command options so make sure you are selecting the correct manufacturer and command.
How to - Know if a reader is in Secure Channel
There will be an event indicating the reader mode changed to card only after the start linking mode command. As the reader comes on/offline, you will notice an event/message that says “OSDP Secured Channel for, Reader Name, is Enabled but not Online or Encrypted” and “OSDP Secure Channel for, Reader Name, is Online and Encrypted.”
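The two event messages above can be used to confirm that every reader expected to run Secure Channel ended up online and encrypted. The following is an added example, not part of Access Expert; it assumes the events have been exported as text lines in chronological order, and the timestamps, reader names and inventory list are constructed.

```python
import re

# Matches both spellings quoted in the article ("Secured" and "Secure").
EVENT_RE = re.compile(
    r"OSDP Secured? Channel for, (?P<reader>.+?), is "
    r"(?P<state>Enabled but not Online or Encrypted|Online and Encrypted)")

def secure_channel_status(lines):
    """Map reader name -> True if its most recent event is Online and Encrypted."""
    status = {}
    for line in lines:
        match = EVENT_RE.search(line)
        if match:  # unrelated events are ignored
            status[match.group("reader")] = (
                match.group("state") == "Online and Encrypted")
    return status

def readers_not_encrypted(lines, inventory):
    """Readers from the inventory that are not confirmed Online and Encrypted.

    A reader with no Secure Channel event at all is reported too, since
    nothing in the log confirms that its channel is encrypted.
    """
    status = secure_channel_status(lines)
    return sorted(name for name in inventory if not status.get(name, False))

# Constructed sample export; the line layout is an assumption.
SAMPLE_EVENTS = [
    "2024-01-01 09:00:01 OSDP Secured Channel for, Lobby Door, is Enabled but not Online or Encrypted",
    "2024-01-01 09:00:07 OSDP Secure Channel for, Lobby Door, is Online and Encrypted.",
    "2024-01-01 09:02:10 OSDP Secure Channel for, Garage Gate 1, In, is Online and Encrypted.",
    "2024-01-01 09:05:44 OSDP Secured Channel for, Garage Gate 1, In, is Enabled but not Online or Encrypted",
    "2024-01-01 09:06:00 Reader mode changed to card only",
]
SAMPLE_INVENTORY = ["Lobby Door", "Garage Gate 1, In", "Server Room"]

if __name__ == "__main__":
    for name in readers_not_encrypted(SAMPLE_EVENTS, SAMPLE_INVENTORY):
        print("Not confirmed encrypted:", name)
```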