MorphoAccess™ 100 Series User Guide
Produced by SAGEM Défense Sécurité
Copyright ©2006 SAGEM Défense Sécurité www.sagem.
SAGEM Défense Sécurité document.
Table of content
INTRODUCTION
INTERFACES PRESENTATION
  MAN-MACHINE INTERFACE
  ELECTRICAL INTERFACES
SETTING UP THE TERMINAL IP ADDRESS
ACCESS CONTROL PRESENTATION
  IDENTIFICATION - AUTHENTICATION
  “HIT OR NO HIT” RESULT COMMUNICATION
  “PROXY” MODE
CONFIGURING A “CONNECTED” MORPHOACCESS
  INTRODUCTION
  NETWORK FACTORY SETTINGS
CONFIGURING A STANDALONE MORPHOACCESS
  “USB” KEY ADMINISTRATION
  PRINCIPLE
CHANGING A PARAMETER
  CONFIGURATION INTERFACE
  CONFIGUR
  CONTACTLESS AUTHENTICATION WITH TEMPLATES ON LOCAL DATABASE
  CONTACTLESS AUTHENTICATION BASED ON CARD MODE
  BYPASSING THE BIOMETRIC CONTROL IN AUTHENTICATION
  MERGED MODE
  MORPHOACCESS 220 320 COMPATIBILITY
PROXY MODE
RECOGNITION MODE SYNTHESIS
SETTING UP RECOGNITION MODE
  TWO ATTEMPTS MODE
  PARAMETERS
SETTING UP MATCHING PARAMETERS
RELAY ACTIVATION
LED IN ACTIVATION
LOG FILE
REMOTE MESSAGES
  PRESENTATION
  SUPPORTED PROTOCOLS
TAMPER SWITCH MAN
NETWORK PARAMETERS
  SECTION [BOOT PROTO]
  SECTION [PARAMETERS]
TERMINAL INFORMATION
  SECTION [INFO] (READ ONLY)
ADMINISTRATION PARAMETERS
  SECTION [REMOTE MANAGEMENT TCP]
  SECTION [TERMINAL]
ANNEX: CONTACTLESS MODES TABLE
ANNEX: REQUIRED TAGS ON CONTACTLESS CARD
FAQ
  TERMINAL IP ADDRESS IS UNKNOWN OR TERMINAL IS NOT REACHABLE
  SENSOR IS OFF
  TERMINAL RETURNS ERRATIC ANSWERS TO PING REQUESTS
BIBLIOGRAPHY
INTRODUCTION
Congratulations on choosing the SAGEM Automatic Fingerprint Recognition Terminal.
MorphoAccess™ 1XX
MorphoAccess™ provides an innovative and effective solution for access control or time and attendance applications using fingerprint verification and/or identification. Among a range of alternative biometric techniques, the use of finger imaging has significant advantages: each finger constitutes an unalterable physical signature which develops before birth and is preserved until death.
INTERFACES PRESENTATION
Man-machine interface
The MorphoAccess™ 1XX offers a simple and ergonomic man-machine interface dedicated to access control based on fingerprint recognition:
• A high quality optical scanner to capture fingerprints (1).
• A multicolor LED (8 colors) (2).
• A multi-toned buzzer (3).
• A Mifare™ contactless reader on MA12X, to read reference templates from a contactless card (4).
Electrical interfaces
The terminal offers multiple interfaces dedicated to administration and control information:
• A multiplexed Wiegand / Dataclock / RS485 output (5).
• Two LED IN inputs to improve integration in an access control system (6).
• A relay to directly command an access (7).
• A tamper switch (8).
• An Ethernet interface (LAN 10 Mbps), allowing remote management through TCP and sending control result through UDP (9).
• A USB Host port dedicated to local configuration (10).
SETTING UP THE TERMINAL IP ADDRESS
The MorphoAccess™ can run in standalone mode, but a TCP/IP connection is required to download records in the terminal and to configure its recognition mode. It is possible to specify standard TCP parameters: terminal network address, network gateway and mask. These parameters can be set using a USB mass storage key. The complete procedure is described in section Configuring a “standalone” MA1XX.
ACCESS CONTROL PRESENTATION
Identification - authentication
The MorphoAccess™ works according to two biometric recognition modes: identification or authentication. Both identification and authentication can be activated (fusion mode).
Identification
The captured fingerprint is matched against a database – 1 vs. N. Minutiae are stored in the terminal local database. The terminal can store 500 users (2 fingers per user) in its local database. In this mode the sensor is always switched on, waiting for a finger.
Authentication
The captured fingerprint is matched against a reference template – 1 vs. 1. In authentication, user minutiae can be stored on a contactless card. It is also possible to store minutiae in the terminal local database.
[Figure: contactless card containing ID and biometrics]
If the user is matched, access is granted. If the user is not recognized, access is refused. See section Access Control By Authentication.
“Hit or No Hit” result communication
If access is granted (the user has been recognized) the LED lights green and the buzzer emits a high-pitched “beep”. If access is denied (the user has not been recognized) the LED lights red and the buzzer emits a low-pitched “beep”.
Various messages or interfaces can be activated to send the control result:
Control result: RS485, Wiegand, Dataclock, UDP
Relay
After a successful control the MorphoAccess™ relay may be activated during a given period.
“Proxy” mode
Proxy Mode is not strictly speaking a recognition mode. In this mode, the MorphoAccess™ works as “a slave” waiting for external orders such as:
• Identification
• Verification
• Relay activation
• Read data on a contactless card
• …
[Figure: proxy orders sent over TCP/IP]
Section Remote Management gives more information about remote management. Please refer to MA100 Series Host System Interface for a complete description of the TCP order possibilities.
CONFIGURING A “CONNECTED” MORPHOACCESS
Introduction
A PC (typically a station with MEMS™) connected to a MorphoAccess™ can manage the terminal. Available remote operations are:
• Biometric template addition,
• Control settings modification,
• Configuration reading,
• Local database deletion,
• Record deletion,
• Control diary downloading,
• Firmware upgrade.
[Figure: remote management over TCP/IP: change mode, add template, get configuration, …]
The MorphoAccess™ works as a server waiting for PC requests.
Network factory settings
By default the terminal IP address is 134.1.32.214. This address can be changed through Ethernet or with a USB mass storage key. The default server port is 11010.
CONFIGURING A STANDALONE MORPHOACCESS
“USB” key administration
MA100 series terminals have no keyboard and no screen. However, it is possible to change TCP/IP parameters without connecting the terminal to a network. This operation only requires a standard USB Mass Storage Key (FAT16). A dedicated PC application, USB Network Configuration Tool, writes these new parameters to the key. Please refer to MA100 Series USB Network Tool User Guide.
Principle
This feature is available to change network parameters (IP address, mask and gateway).
Store a file on a USB Key
The administrator creates a configuration file on a PC using the USB Network Configuration Tool. This configuration file contains new network parameters. This file must be stored on a USB Mass Storage Key.
CHANGING A PARAMETER
Configuration interface
Terminal parameters are stored in files. These files can be retrieved and modified through TCP/IP using ILV commands. For more information about remote management please refer to MA100 Series Host System Interface.
Configuration organization
The terminal contains four files:
• app.cfg
• adm.cfg
• bio.cfg
• net.cfg
The app.cfg file contains the application settings, adm.cfg contains administration parameters, bio.cfg the biometric sensor settings and net.
“Configuration tool”
The Configuration Tool allows changing these parameters. This program illustrates the use of the TCP API. Please refer to Configuration Tool User Guide for more information about this program.
UPGRADING THE FIRMWARE
It is possible to upgrade your MorphoAccess™ firmware. Two package types are available: one dedicated to the terminal system, another dedicated to the biometric library.
Use the MA1XX Downloader to upgrade your terminal system.
Use the MA1XX BioLoader to upgrade your terminal biometric library.
Please refer to the MA100 Series Upgrade Tools User Guide for more information about upgrade procedures.
ACCESS CONTROL BY IDENTIFICATION
Access control by identification: app/bio ctrl/identification = 1
To configure the MorphoAccess™ terminal in this mode, set the parameter app/bio ctrl/identification to 1. After starting, the MorphoAccess™ terminal waits for fingerprint detection in identification mode. If the identification is successful, the terminal triggers the access or returns the corresponding ID to the central security controller. The ID can be sent through various interfaces.
ACCESS CONTROL BY AUTHENTICATION (MA120 / MA110 ONLY)
Various recognition modes can be applied depending on where the templates are located and on the required security level. These modes can be combined with a local identification (fusion mode). The following modes are available:
• Contactless authentication with templates on card: captured fingerprints are matched against templates read on the card (PK). Identifier and fingerprints must be stored on the card.
Contactless authentication with templates on a contactless card
Contactless authentication with templates (PK) on card: app/bio ctrl/authent PK contactless = 1
MorphoAccess™ 110 or 120 can work in contactless authentication mode: the user presents their card, the terminal reads the reference biometric templates (PK) on the card and launches a biometric control based on the read templates. In this case the card contains the user identifier and biometric templates: no local database is required.
Contactless authentication with templates on local database
Contactless authentication with templates on local database: app/bio ctrl/authent ID contactless = 1
The user identifier can be used as an index in the local database of the MorphoAccess™: in this case the reference biometric templates are stored in the local database. The content of the “ID” tag must match the user identifier in the terminal database. To enable this mode set app/bio ctrl/authent ID contactless to 1.
Contactless authentication based on card mode
Contactless authentication with card mode: app/bio ctrl/authent card mode = 1
In this mode the card “decides” on the control progress. The “CARD MODE” tag is required. This tag can take two values:
• PKS [0x02]: user identifier, template 1 and template 2 are required on the card. Biometric authentication is triggered with biometric templates.
• ID_ONLY [0x01]: only the user identifier is required.
Bypassing the biometric control in authentication
In this mode only the user ID is required on the card. This flag must be combined with an authentication mode. Activating this flag means that the biometric verification is bypassed. When combined with “authent ID contactless”, the MorphoAccess™ verifies that the identifier read on the card is present in the local database before granting access.
Merged mode
This mode is the fusion of identification mode and contactless authentication without database mode. So this mode allows:
• Running an identification if the user places his finger (operation identical to identification mode),
• Running a contactless authentication if the user presents his contactless card (operation identical to contactless authentication without database mode).
If there is no database, contactless card presentation is still possible.
MorphoAccess 220 320 compatibility
These tables present parameter equivalence between MA320/220 family and MA120 family. Merged mode (/cfg/Maccess/Admin/mode 5 on 220 and 320) is activated when app/bio ctrl/identification is set to 1.
PROXY MODE
This mode allows controlling the MorphoAccess™ remotely (the link is Ethernet) using a set of biometric and database management interface commands. Identification and authentication must be disabled. This means that all controls must be turned off: the terminal becomes a “slave”.
RECOGNITION MODE SYNTHESIS
The MA100 series operating mode is driven by:
• The authentication or identification mode required: Card Only, Card + Biometric, Biometric only
• Who defined the operating mode: Card or Terminal
Mode defined by Card: app/bio ctrl/authent card mode = 1
Mode defined by Terminal: app/bio ctrl/authent card mode = 0
Operating mode Authentication ID in card ID in card Card only Card Mode Tag = ID_ONLY bypass authentication 1 authent ID contactless 1 (MA120/MA110) Check ID on
SETTING UP RECOGNITION MODE
Two attempts mode
If the recognition fails, it is possible to give a “second chance” to the user. In identification mode, if a bad finger is presented the user has 5 seconds to present a finger again. The result is sent if this period expires or if the user presents a finger again. In authentication mode, if the user presents a bad finger, he can replace his finger without presenting his card again. The result is sent only after this second attempt.
SETTING UP MATCHING PARAMETERS
Setting up matching threshold (1-10): bio/bio ctrl/matching th
The performance of a biometric system is characterized by two quantities, the False Non Match Rate (FNMR, also called False Reject Rate) and the False Match Rate (FMR, also called False Acceptance Rate). Different trade-offs are possible between FNMR and FMR depending on the security level targeted by the access control system.
RELAY ACTIVATION
If the control is successful, a relay may be activated to directly control a door. This installation type offers a low security level.
Relay activation: app/relay/enabled = 1
The relay aperture time can be defined and is set by default to 3 seconds (i.e. 300).
Relay aperture time in 10 ms: app/relay/aperture time in 10 ms = 300 (50 to 60000)
LED IN ACTIVATION
Use this signal to wait for a controller “ACK” before granting the access.
[Figure: the terminal sends the user ID; LED1 to GND: access authorized; LED2 to GND: access refused]
1 - If the user is recognized the MA1XX sends the user identifier to the controller.
2 - The MA1XX waits for a GND signal on LED1 or LED2. A timeout can be defined.
3 - The controller checks the user rights.
4 - The controller sets LED1 to GND to authorize the access or sets LED2 to GND to forbid the access.
LOG FILE
MorphoAccess™ is logging its activities: app/log file/enabled = 1
The MorphoAccess™ can log its biometric activities. It stores the result of the command, the date and time, the matching mark, the execution time, and the ID of the user. It is possible to download the diary file. For more information on this feature, refer to the MA100 Series Host System Interface.
REMOTE MESSAGES
Presentation
The MorphoAccess™ terminal can send status messages in real time to a controller by different means and through different protocols. This information, called Remote Messages, can be used, for instance, to display on an external screen the result of a biometric operation, the name or the ID of the person identified… depending on the role of the controller in the system.
TAMPER SWITCH MANAGEMENT
Alarm activation
The MorphoAccess™ can detect that the back cover has been removed. The device can send an alarm to the central controller in case of intrusion. It can also play a sound alarm whilst sending the alarm.
[Figure: sound alarm; alarm message over UDP, RS485, Wiegand, Dataclock]
To send an alarm on an output (UDP, Wiegand, Dataclock or RS485), the corresponding interface must be activated; otherwise no alarm will be sent.
The tamper switch management feature is configured by setting the key app/tamper alarm/level to an appropriate value.
Tamper Alarm Level (0-2): app/tamper alarm/level
• 0: No alarm.
• 1: Send alarm (no sound alarm).
• 2: Send alarm and activate buzzer (sound alarm).
The key app/failure ID/alarm ID defines the value of the alarm ID to send in Wiegand or Dataclock. This ID makes it possible to distinguish between a user ID and an error ID.
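The settings described in the recognition mode, relay, log file and tamper switch sections can be reviewed together. The Python code below is an added example, not SAGEM code: it audits a constructed settings dictionary keyed by the guide's file/section/key names. The full path of the bypass flag (app/bio ctrl/bypass authentication) is an assumption inferred from the flag name in the guide's tables, and reading the values from a terminal is left out.

```python
# Added example: audit MA100-series settings against the guide's descriptions.
# Keys follow the guide's file/section/key notation; values are integers.
RANGES = {  # value ranges printed in the guide
    "app/tamper alarm/level": (0, 2),
    "bio/bio ctrl/matching th": (1, 10),
    "app/relay/aperture time in 10 ms": (50, 60000),
}
IDENT = "app/bio ctrl/identification"
AUTH_MODES = (
    "app/bio ctrl/authent PK contactless",
    "app/bio ctrl/authent ID contactless",
    "app/bio ctrl/authent card mode",
)
# ASSUMPTION: full path inferred from the "bypass authentication" flag name.
BYPASS = "app/bio ctrl/bypass authentication"


def audit(cfg):
    """Return (severity, key, message) findings for the keys present in cfg."""
    out = []
    for key, (lo, hi) in RANGES.items():
        if key in cfg and not lo <= cfg[key] <= hi:
            out.append(("error", key, f"{cfg[key]} is outside {lo}..{hi}"))
    if cfg.get("app/tamper alarm/level") == 0:
        out.append(("warn", "app/tamper alarm/level",
                    "back cover removal raises no alarm"))
    if cfg.get("app/log file/enabled") == 0:
        out.append(("warn", "app/log file/enabled",
                    "biometric activity is not logged"))
    if cfg.get("app/relay/enabled") == 1:
        out.append(("warn", "app/relay/enabled",
                    "terminal relay commands the door: low security level"))
    active = [k for k in AUTH_MODES if cfg.get(k) == 1]
    if cfg.get(BYPASS) == 1:
        if active:
            out.append(("warn", BYPASS,
                        "no fingerprint check for: " + ", ".join(active)))
        else:  # the guide requires an authentication mode with this flag
            out.append(("error", BYPASS,
                        "must be combined with an authentication mode"))
    if all(cfg.get(k) == 0 for k in (IDENT, *AUTH_MODES)):
        out.append(("info", IDENT,
                    "all controls off: terminal only serves proxy orders"))
    return out


SAMPLE = {  # constructed values, not read from a real terminal
    IDENT: 0,
    "app/bio ctrl/authent PK contactless": 0,
    "app/bio ctrl/authent ID contactless": 1,
    "app/bio ctrl/authent card mode": 0,
    BYPASS: 1,
    "app/relay/enabled": 1,
    "app/relay/aperture time in 10 ms": 30,
    "app/log file/enabled": 0,
    "app/tamper alarm/level": 0,
    "bio/bio ctrl/matching th": 5,
}

if __name__ == "__main__":
    for severity, key, message in audit(SAMPLE):
        print(f"{severity:5} {key}: {message}")
```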
MAN MACHINE INTERFACE
Convention
• Intermittent “Pulse”: LED is 1 second OFF, 0.05 second ON. For example: intermittent blue “Pulse”.
• Fast “Pulse”: LED flashes quickly. The rhythm is the same as that of a working hard drive. For example: fast orange “Pulse”.
• Slow intermittent “Pulse”: LED is 1 second OFF, 1 second ON. For example: slow intermittent red “Pulse”.
Fusion - waiting for a finger or a badge: Sensor ON; LED intermittent blue “Pulse”.
Control OK: Sensor ON; LED green 1 second; buzzer ON 0.1 second, high-pitched.
Control failed: Sensor ON; LED red 1 second; buzzer ON 0.7 second, low-pitched.
No database or empty database: Sensor OFF; LED slow intermittent orange “Pulse”.
Biometric acquisition, bad placement: Sensor ON; LED fast intermittent orange “Pulse”.
USB key can be removed: Sensor -; LED fast intermittent blue “Pulse”; buzzer ON 0.7 second, low-pitched.
Sensor failed: Sensor OFF; LED slow intermittent red “Pulse”.
NETWORK PARAMETERS
These parameters can be changed using the Configuration Tool or by implementing ILV commands. Network parameters are stored in a file named “net.cfg”. A change is applied after rebooting the terminal.
Section [boot proto]
DHCP activated: 0 NO, 1 YES
Section [parameters]
host name: “MA-1234567890”
network address: “134.1.32.214” by default, static address.
network mask: “255.255.240.0” by default.
default gateway: “134.1.6.20” by default.
TERMINAL INFORMATION
These parameters can be changed using the Configuration Tool or by implementing ILV commands. The “app.cfg” file contains information about your terminal configuration.
Section [info] (read only)
Type:
• 120: MorphoAccess™ with local database and Mifare™ contactless reader
• 110: MorphoAccess™ with local database and ICLASS™ contactless reader
• 100: MorphoAccess™ with local database.
Minor: Software revision (minor)
Major: Software revision (major)
Release: Release version.
ADMINISTRATION PARAMETERS
The “app.cfg” file contains advanced parameters to modify the host port and the connection mode. These parameters must not be changed.
Section [remote management TCP]
Inactivity timeout: Must be set to 0.
Port: 11010 by default, defines the socket server port.
Section [terminal]
Group: Must be set to 255.
ANNEX: CONTACTLESS MODES TABLE
Authent PK contactless Authent ID contactless Bypass authentication Operation Authent card mode
0 0 1 0 0 1 0 0 1 0 0 0 0 0 1 1 0 1 0 1 1 0 0 1
Authentication with templates in database: Read ID on contactless card. Retrieve corresponding templates in database. Biometric authentication using these templates. Send ID if authentication is successful.
Authentication with templates on card: Read ID and templates on contactless card.
ANNEX: REQUIRED TAGS ON CONTACTLESS CARD
Mode                                                                   ID    CARD MODE  PK1   PK2   PIN   BIOPIN
Authentication with templates in database                              Yes   No         No    No    No    No
Authentication with templates on card                                  Yes   No         Yes   Yes   No    No
Card mode (ID_ONLY) authentication                                     Yes   Yes        No    No    No    No
Card mode (PKS) authentication                                         Yes   Yes        Yes   Yes   No    No
Authentication with templates in database – biometric control disabled Yes   No         No    No    No    No
Authentication with templates on card – biometric control disabled     Yes   No         No    No    No
FAQ
Terminal IP address is unknown or terminal is not reachable
Use USB Network Configuration Tool to set a valid network address in your terminal. See section Configuring a standalone MorphoAccess.
Sensor is off
Verify that the base contains at least one record. Check that identification is enabled.
Terminal returns erratic answers to ping requests
Check the subnet mask. Ask your administrator for the right value.
BIBLIOGRAPHY
• MA100 Series Installation Guide: This document describes terminal electrical interfaces and connection procedures.
• MA100 Series Standard Host Interface Specification: A complete description of remote management commands.
• MA100 Series Remote Messages Specification: A description of the MA1XX communication interfaces.
• MA100 Series Contactless Card Specification: This document describes the MA12X Contactless card feature.
Head office: Le Ponant de Paris 27, rue Leblanc - 75512 PARIS CEDEX 15 - FRANCE