EP1702306B1 - Access control system and method for operating said system - Google Patents

Abstract

The invention relates to an access control system and to a method for operating said system. The system uses a standard access control system ( 24, 8 ), which controls a plurality of access points ( 1 ) by means of respective individual physical closing mechanisms ( 8 ). According to the invention, at least one reader ( 2 ) and a controller ( 3 ), which is connected to the latter in order to control the closing mechanism ( 8 ), is provided at each access point ( 1 ) and the system is equipped with at least one access control server ( 4 ), which carries out the centralised management of access data and is connected to the respective controllers ( 3 ), in addition to at least one mobile telephone server ( 5 ), which is connected to the access control server ( 4 ), said mobile telephone server being at least indirectly capable of transmitting data to mobile radio telephone subscribers ( 7 ) via a mobile radio telephone network and of receiving data from said subscribers. The mobile radio telephone server ( 5 ) can also be an integral component of the access control server ( 4 ). The aim of the invention is to provide an access control system that uses mobile telephones, which can be easily retrofitted and is especially user-friendly and at the same time reliable. To achieve this, at least one access point ( 1 ) is equipped with a short-range transmitter ( 9 ), which transmits identification information that is specific to the access point in such a way that it is only received by a mobile telephone ( 7 ) located in the direct vicinity of the access point ( 1 ) and is used at least indirectly by said telephone to control the access verification process. The use of Bluetooth or WLAN transmitters ( 9 ) is particularly advantageous in this context as modern mobile telephones ( 7 ) are already equipped with interfaces of this type and Bluetooth transmitters ( 9 ) are cost-effective and readily available.

Description

TECHNICAL AREA

The present invention relates to an access control system, and a method for its operation. The access control system is based on a standard access control system, via which a plurality of access points can be controlled via individual physical locking mechanisms, wherein at each access point at least one reader and an associated controller for controlling the closing mechanism 'is provided. Furthermore, at least one access control server is present, which performs a central administration of the access data, and which is in communication with the respective controllers, as well as at least one mobile telephony server in connection with the access control server, which is at least indirectly capable of Sending or receiving data via a mobile phone network to mobile subscribers.

STATE OF THE ART

Access control systems are essentially electronically controlled centralized Systems that monitor, control and manage a large number of access points (passages) in their accessibility. Modern access control systems are often based on non-contact technology, ie the access point is no longer a physical key used, but electronically readable media, which are activated by appropriate, provided at the access points reader and read from them. These electronically readable media are typically the term RFID (Radio Frequency Identification) known and high-technologies are successfully and reliably, for example in the Applicant under the trade name LEGIC ^® has long been in use.

When using an RFID medium, the normal procedure under such an access control system is as follows:

A person stands in front of the reader of the passage (access point) for which they want to gain access. She presents her medium (RFID tag) and the system checks whether the medium is known, if a profile is available and if it allows access at this time. If OK, this is indicated on the reader and the door is released once by the controller.

This technology is particularly suitable for permanent employees, which can be equipped with such an electronic medium, which then allows both access control, possibly also time recording or other applications.

Increasingly, however, it is necessary in the present time to grant access authorizations to service personnel or the like at short notice, possibly also in emergency situations on a very short time scale, which makes it virtually impossible to deliver corresponding physical media (for example RFID tags) , In addition, each delivery of appropriate media involves the risk of loss and thus of security vulnerabilities.

• Eine Person gibt die Durchgangsnummer (d. h. eine Kennung des spezifischen Zutrittspunkts), für welchen sie Zutritt erlangen möchte, in einem Handy Dialog ein. Sie bestätigt die Eingabe gegebenenfalls mit ihrem persönlichen PIN Code. Diese Daten werden über das Mobiltelefon-Netz an den Zutrittssystem Server (Access Control-Server) gesendet. Dort wird geprüft, ob die Handynummer bekannt ist, der PIN Code korrekt ist, ein Profil vorhanden ist (ist diese Handynummer mit diesem PIN Code zu diesem spezifischen Zeitpunkt an diesem spezifischen Zutrittspunkt autorisiert) und dieses den Zutritt zu diesem Zeitpunkt zulässt. Wenn OK, wird das am Leser signalisiert und die Tür einmalig durch den Controller freigegeben (hier ausgelöst durch den Server).

Recently, the tendency and the need has arisen, if necessary, to use mobile phones as a replacement or at least supplement for these electronic media. In this case, the procedure is typically as follows:

• A person enters the transit number (ie, a specific access point identifier) for which they wish to gain access in a mobile phone dialogue. If necessary, it confirms the entry with her personal PIN code. These data are sent via the mobile phone network to the access system server (access control server). There it is checked if the mobile number is known, if the PIN code is correct, if there is a profile (this mobile number is authorized with this PIN code at this specific point in time at this specific access point) and this allows access at this time. If OK, this is signaled on the reader and the door is released once by the controller (triggered here by the server).

From the EP 1 336 937 An access control system is known. It comprises several access control devices, in each of which an access code is stored. Specific access codes and access rights for a plurality of access control devices are transmitted from an access control center via a mobile radio network to the mobile communication terminal, for example a mobile telephone of a user. From an access control device to be passed, an access control device identification is transmitted to the mobile communication terminal. In the mobile communication terminal, the access code and the access rights for the access control device to be passed are determined on the basis of the received identification and transmitted to the access control device.

The access checking device enables access for the user if the received access rights are sufficient and the received access code matches the stored access code.

From the WO 02/31778 A1 a similar access control system is known in which a mobile telephone or a PDA can also be used as the terminal. In this case, for example, the use of the wireless bluetooth technology is proposed as a means of communication between the mobile phone and the access control device and a central office. Again, the communication between the terminal and the local transmitter at the access control device is used to authenticate and initiate the opening of the access.

PRESENTATION OF THE INVENTION

The invention is therefore based on the object to propose an improved in this context access control system, and a method for its operation. The access control system is based on a standard access control system, via which a plurality of access points can be controlled via individual physical locking mechanisms, wherein at each access point at least one reader and an associated controller for controlling the closing mechanism 'is provided. Furthermore, at least one access control server is present, which performs a central administration of the access data, and which is in communication with the respective controllers, as well as at least one mobile telephony server in connection with the access control server, which is at least indirectly capable of Sending or receiving data via a mobile phone network to mobile subscribers.

The solution to this problem is achieved in that a short-range transmitter is provided at a specified location, which is formed as an independent unit without direct connection to the standard access control system, and which access point-specific identification information sends out so that they are only one near the reception received by the transmitter mobile phone and is used by this at least indirectly for controlling the access control of a specific assigned access point.

The core of the invention thus consists on the one hand only to allow mobile phones the opening at the access point, which are actually in the immediate vicinity of this transmitter and thus in the immediate vicinity of a specific location. Otherwise, it would be possible to initiate a corresponding procedure with a mobile phone without being physically present or at a specified location. This is a security hole. In the present case, this is now prevented by only a corresponding opening request can be placed by the mobile phone when it over a corresponding interface, the identification information of Sender receives.

On the one hand, the specific location may be the immediate vicinity of the assigned access point, in which case the positioning of the transmitter is preferably carried out so that the mobile phone can only receive this transmitter if it is located immediately before the access point.

On the other hand, it is also possible to deliberately arrange the transmitter upstream of the access point, for example in the case of a driveway in such a way that a truck driver can open an access without getting out with his mobile phone. A fundamentally different alternative is to release a specific area to authorize a specific access. For example, a transmitter may be placed in a surveillance room or other work space so that personnel, when in that interception room, can open one or more access points via a mobile telephone. In particular, in this case, it is also possible to assign a transmitter several access points. In this case, however, after authorization via the Access Control server, it must be specified which of the access points assigned to the same identification should be opened.

Receiving the identification information of the sender, on the other hand, also involves an additional simplification and an increase in security in other respects. Without a corresponding local identifier, the user of the mobile phone, unless he is authorized to access only a single access point, must at a certain moment enter an identifier of the specific access point on his mobile telephone. This process is on the one hand tedious and on the other hand prone to error as well as manipulatable. Basically, the cell information of the mobile phone in question for such a localization, it turns out in practice, however, that on the one hand, the cell information is usually local for individual access points too little accurate (different passages in the same cell), and that of a specific Users just used cell may also be different depending on the mobile phone operator and also would have to be updated with changing cells in the access control system always.

Another significant advantage of the proposed method is that actually not the mobile phone is used as a so-called "trusted device", but that only a mobile phone associated phone number, as received by Access Control server respectively from the associated mobile telephony server, for authentication, if necessary in combination with a PIN code is used. In other words, no specific data is stored on the mobile phone, and it may be possible to use another mobile phone for the same access authorizations, for example, as long as the same SIM card is used.

In this context, it must be mentioned that the term mobile telephone basically means devices which on the one hand are able to exchange data with the access control system via a mobile telephone network, for example the GSM network, and which, on the other hand capable of receiving the signals transmitted by the transmitter, d. H. which have an appropriate interface. It does not necessarily have to be a mobile phone in the traditional sense, it can also be a PDA (Personal Digital Assistant) or another computer, as long as he has the above-mentioned possibilities of communication with the transmitter or the access control system.

According to a first preferred embodiment of the present invention, the transmitter is a Bluetooth device, in particular preferably with a range of less than 10 meters. Modern mobile phones usually have Bluetooth interfaces, and accordingly it proves to be particularly simple, since no additional user-side hardware is required to design the respective transmitter at the access point as a Bluetooth device. The Bluetooth standard automatically performs a constant polling and continuous reception of 48-bit addresses specifically assigned to each device. If such a mobile phone thus comes within the range of another Bluetooth device, they automatically exchange each other's ID (48-bit address). This fact is exploited according to the invention for "localization". At the affected passage (access point) simply a Bluetooth device is arranged. The ID of this device is assigned in the system to the reader or the access point. Thus, the identification information is preferably a hardware-specific, unambiguous address of the transmitter, in particular preferably a device-specific 48-bit address of a Bluetooth device.

An alternative or additional option is to use a wireless local area network (WLAN), also known as wi-fi, which means "wireless local area network", which is usually the IEEE 802.11 standard, which specifies several wireless transmission technologies and technologies Medium Access Mode Devices operating on the 802.11b variant transmit data via radio waves in the license-free ISM band at 2.4 GHz with a gross transmission rate of up to 11 Mbps. This solution is advantageous, in particular, because such WLAN devices may already be present in a building, and because, in particular, PDAs increasingly have corresponding interfaces.

If a person now wants to gain access to a mobile phone, this must be within the range of the Bluetooth / WLAN transmitter assigned to the passage. This may be physically the same, but also at a different location compared to the reader (eg truck access or interstitial space). This also eliminates the need to enter the pass number (automatically known via Bluetooth ID or Wi-Fi ID, when installing the Bluetooth / WLAN device at the access point, the system only needs to specify the corresponding correlation between Bluetooth / WLAN ID and access point once). If necessary with a PIN or another authentication, this ID is now sent to the access control server. In contrast to already known systems of access control using Bluetooth technology, in the present case, however, an effective connection between the mobile phone and the Bluetooth device at the access point is not established, but only the ID of the Bluetooth device is read out at the access point by the mobile phone to then use this information to locate the mobile phone. The actually possible transmission functions of the Bluetooth resp. WLAN interface will be with others Words not used. This among other things, since the sole use of the Bluetooth interface requires complete integration of the Bluetooth device at the appropriate access point and makes retrofitting consuming. In the present case, an essential point is that a standard access control system can be retrofitted in a particularly simple way.

In the present case, the transmitter can be designed as an independent unit, also equipped with an individual power supply, since to a certain extent it serves only to generate the localization information on the mobile telephone. The transmitter, as mentioned preferably a Bluetooth or a WLAN device, thus has no direct connection with the standard access control system and / or preferably the mobile telephony server. In addition, the transmission of an ID can be done on a very short time scale of less than a few seconds, while typically building an effective Bluetooth connection takes about 10 seconds. This is usually a too long period of time in practice. Thus, only a very specific aspect of the Bluetooth technology is used, which to a certain extent takes advantage of access control advantages without having to accept the disadvantages such as slow connection setup.

Preferably, it is an access control system that mainly manages access control using standard technology. The standard access control system thus allows, for example, the access control using means without mobile telephony, in particular on the basis of RFID technology in the main.

For emergency situations, it may be advantageous to design the transmitter such that the transmitter additionally has a connection to the controller, so that in the event of a failure of the connection between the controller and the access control server transmits user-specific identification information from the mobile phone to the transmitter and This can be passed to the controller for controlling the closing mechanism. While in other words during normal operation the transmitter acts exclusively as a transmitter, and thus Information is only transmitted from the sender to the mobile phone, the reverse route can also be released in emergency situations, ie it is possible to transfer information from the mobile phone to the transmitter, which then acts as a receiver.

Furthermore, the present invention relates to a method for access control, particularly preferably using an access control system, as described above. In this case, a standard access control system is provided, via which a plurality of access points can be controlled via individual physical locking mechanisms, wherein at each access point preferably at least one reader and a related controller for controlling the closing mechanism 'is provided. In addition, at least one access control server is present, which performs a central administration of the access data, and which is in communication with the respective controllers. Furthermore, at least one mobile telephony server is present in connection with the access control server, which is at least indirectly able to send data via a mobile telephone network to mobile telephone subscribers or to receive from these, whereby this mobile telephony server is also an integral part of the Access Control server. In addition, at least one access point or more generally a short-range transmitter is placed at a specific location.

According to the invention, the procedure is now such that a mobile telephone is authorized to access certain access points in a certain period of time via the access control server or via the mobile telephony server via the mobile telephone network. This process can be triggered by appropriate personnel. The transmitter at the corresponding access point or more generally at the specific location transmits access point-specific identification information continuously or in sections such that it can be received by a mobile telephone located only in the immediate vicinity of the access point (if the transmitter is located in the vicinity thereof) or of the transmitter ( Control of the physical presence at the access point or at the transmitter). One in the immediate vicinity of the access point resp. the sender located mobile phone now detects the identifier of this access point on this identification information, and then automatically via mobile phone, mobile phone network, mobile telephony server, access control server, respectively controller causes the opening of the corresponding access point under direct or indirect use of this identification information. The transmission of data is done by the mobile phone preferably via the mobile phone network either as a telephone transmission or as an email or SMS (Short Message Service, short message service, CEPT standard for short text messages, ie up to 160 alphanumeric characters) Mobile phones in the GSM network, which are displayed on the mobile phone display).

According to a first preferred embodiment, after the identification information has been acquired, the mobile telephone additionally requires the input of an authentication such as, in particular, a PIN code, password, biometric information, and this user-specific information is then sent via the mobile telephone network to the user along with the identifier of the access point to be processed Handing over the mobile telephony server and the access control server. Then, with the appropriate authorization, the associated controller is activated or the closing mechanism is triggered.

As already mentioned above, the transmitter is preferably a Bluetooth or a WLAN device, which transmits its unique 48-bit address as an identification information. This 48-bit address is used to identify the corresponding access point. The mobile phone has a Bluetooth interface, whereby the mobile phone automatically enters into an appropriate dialogue with the mobile phone user upon receiving specific authorized 48-bit addresses that correspond to, ie, are recognized by the authorized access points entry. If necessary, an authentication of the user is subsequently requested (eg PIN code). In any case, an opening request of the specific access point will then be transmitted via the mobile telephone network to the mobile telephony server or the access control server. After the authorization has been checked, the access control server will then trigger the controller, if the authorization has been granted.

The security can be further improved if, according to a further preferred embodiment of the inventive method, the Bluetooth resp. WLAN device is arranged in the area of the access point, that the reception of the identification information by a mobile phone only at a distance of less than 1m, preferably less than 0.5m outside and before the access point is possible.

Further preferred embodiments of the access control system or the access control method are described in the dependent claims.

Further disclosed is a time recording system, which is also based on the identical idea of using a transmitter, in particular a Bluetooth device exclusively to control the physical presence of a mobile phone to open data transfer. The time recording system has a standard time recording system, which comprises at least one time recording server, which performs a central administration of the time data; it also has at least one mobile telephony server in connection with the time registration server, which is at least indirectly able to send and receive data via a mobile telephone network to mobile subscribers, and this mobile telephony server also integral part of the time recording server. According to the invention, the time recording system is characterized in that at least one authorized area has a short-range transmitter which transmits area-specific identification information in such a way that it is received only by a mobile telephone located in the immediate vicinity of the authorized area and at least indirectly manipulated by the latter Time data is used. In this way it can be ensured that when using mobile phones for time recording corresponding requests or inputs are only possible in specific areas. For example, individual floors or only entrance areas etc. can be authorized, which prevents misuse.

Further disclosed is a method for time acquisition, more preferably using a time acquisition system as described above. The method comprises a standard time recording system, with at least one time recording server, which performs a central administration of the time data; Furthermore, at least one mobile telephony server is present in connection with the time registration server, which is at least indirectly able to send and receive data via a mobile telephone network to mobile telephone subscribers, whereby this mobile telephony server is also an integral part the time tracking server can be In addition, at least one authorized area has a short range transmitter.

The method is now characterized in particular by the fact that a mobile telephone for entering time data in certain authorized areas is authorized in at least one specific time period via the time recording server or via the mobile telephony server via the mobile telephone network that the transmitter is area-specific identification information such that it can only be received by a mobile telephone located in the immediate vicinity of the authorized area, that a mobile telephone located in the immediate vicinity of the area detects the identification of this area via this identification information, and that subsequently via mobile telephone, mobile telephone network , Mobile telephony server time data to the time attendance server be transmitted or queried by the latter.

Last but not least, the present invention also relates to a specific data processing program (software) which is capable of running on a mobile telephone and which allows implementation of an access control method as described above. The data processing program is capable of automatically transmitting the identification information received from the sender, if appropriate in combination with another identification such as PIN code or the like, to the access control. Furthermore, the present invention relates to a mobile phone or in principle another device on which such a data processing program is loaded, or from which such a data processing program can be downloaded.

BRIEF EXPLANATION OF THE FIGURE

The invention will be explained in more detail with reference to embodiments in conjunction with the drawings. Fig. 1 shows a schematic representation of an access control system.

WAYS FOR CARRYING OUT THE INVENTION

Fig. 1 shows a schematic representation of an access control system. From this illustration, the invention will be explained, without thereby limiting the breadth of the protection, as formulated in the claims.

The access control system comprises an access control server 4, on which the access authorizations are defined and managed. In addition to access control, the access control server 4 can also simultaneously take over time control, ie store and manage the corresponding time data in a person-specific manner. The Access Control server 4 is on the one hand connected to a plurality of access points, ie passages 1 and 1 'respectively. He manages the access, ie the possible opening and / or closing of these access points. For this purpose, a controller 3 is initially arranged at the individual access points 1, which, inter alia, serves as an interface to the access control server 4, and on which certain information of the access control server is mirrored, depending on the design of the system. On the one hand, the controllers 3 assume the task of processing the data received by a reader 3, and to use these either directly or only after appropriate consultation of the access authorizations on the access control server 4. Use here means that the controller 3 physically activates corresponding closing mechanisms 8, ie, for example, by returning bars or the like, so that the access point, ie the passage 1, can be opened by the user.

The access control system described up to this point is an access control system according to the prior art. Such access control systems can be used in combination with electronic, mechatronic and / or mechanical components there, and, for example, by the applicant under the trade name Kaba exos ^® in combination with RFID technology under the name LEGIC ^® available.

It should now be assumed that such an access control system using RFID technology already exists, ie the readers 2 are designed to read corresponding RFID tags. Such a system is now to be retrofitted for specific situations in a simple manner, so that people who are not normally authorized in such managed buildings, ie which do not already have a corresponding RFID device, especially in the short or medium term to be authorized to access. First, a possibility is provided for this purpose to enable the access authorizations via mobile phones 7. For this purpose, the access control system must first be connected to the mobile phone network. For this purpose, a GSM server 5 (Global System for Mobile Communication) is connected to the access control server 4. This GSM server 5 is at least indirectly connected to an antenna 6, which allows, with Mobile phones 7, typically via relay stations, etc. to communicate.

Furthermore, at each access point 1 is a Bluetooth or alternatively resp. additionally wireless LAN (WLAN) device 9 arranged. This device 9 is provided in the area of the access point 1 such that a corresponding receiver, such as a mobile phone 7 with a Bluetooth or WLAN interface, this device 9 only receives when the mobile phone 7 is disposed substantially immediately before the passage 1 ,

Bluetooth is basically a protocol for wireless (wireless) data transmission. The standard is used for data transmission by shortwave radio in the globally license-free ISM network (2.45 GHz, as in IEEE 802.11b) with a maximum range of 10 m, by amplification up to a maximum of 100m (usually not provided in this case). The transmission speed reaches 1Mbps. The connection type is one-to-one. Apart from a data channel, voice channels are also available. This system is intended especially for so-called PANs (Personal Area Network), d. H. for very local personal wireless networks, which are as automatic as possible, d. H. without specific influence of the user to be built. This refers to the close range of a maximum of ten meters around one person.

Due to the Bluetooth method, the wired data transfer should be superfluous. This can be used to install wireless local area networks, for example, or to enable data transfer between mobile and stationary devices. The data exchange can also take place automatically as soon as the range is undershot. Another area of application is networking in the private sector.

To be Bluetooth enabled, the devices must be equipped with a Bluetooth chip for send and receive control. The Bluetooth standard was specified by the Bluetooth Special Interest Group, Bluetooth 1.0 in July 1999. The standard is open. Each device has a unique 48-bit address, which is constantly communicated to the outside. If two Bluetooth-enabled devices come in close enough contact, they swap according to. Log automatically the corresponding ID addresses.

Wireless LAN (WLAN) is another open standard (IEEE 802.11) for wireless data transmission and, in contrast to Bluetooth, will be used more often, especially with larger data volumes and distances. Here too, wireless data transmission and a respectively unique identifier are used and the WLAN is therefore also suitable for the proposed method. This is especially true as increasingly mobile-enabled devices are equipped with WLAN interfaces (e.g., mobile-phone-capable PDAs). Are no mobile phones with Bluetooth available, or must a longer range be possible, or is e.g. If such a WLAN equipment already exists in a building, alternatively or in parallel, this technology can also be used in the proposed method. Basically, the Bluetooth or the WLAN standard thus offers a very wide range of communication options. In the present case, the Bluetooth / WLAN device 9 but only used to serve as a transmitter, d. H. it is only exploited the property that such a device 9 constantly sends out its unique address. This, as already mentioned, to ensure the physical presence of the mobile phone in the area of the access point 1 and to convey the identity of the access point.

Retrofitting the conventional access control system with such Bluetooth or WLAN devices 9 is extremely simple. Essentially, it consists in such a device 9 to be attached to each optionally be released input such that a reception by a mobile phone 7 is only possible directly in front of the entrance 1. Typically, reception of the specific ID of the device 9 by a mobile telephone 7 should only be possible if the mobile telephone 7 is closer than one meter in front of the entrance 1.

It is particularly advantageous with the present invention that the device 9 does not have to be physically integrated into the access control system in any way, ie it is not necessary to connect the device 9 to the controller 3, for example, and to coordinate with it. The device 9 is arranged only in the region of the passage 1 and, for example, can also be supplied via a separate power supply. The only step that is required afterwards is one Assigning the unique address of a specific device 9 to a specific passage 1. For this purpose, it is sufficient to read this ID once, and then allocate this ID to the specific input 1 in the access control server 4. So to a certain extent a virtual access point is created.

• Im Rahmen von Unterhaltsarbeiten in einem Gebäude, welches mit einer Zutrittskontrolle verwaltet wird, soll einer Person ausnahmsweise für einen Nachmittag die Berechtigung vergeben werden, jeweils den Haupteingang eines Gebäudekomplexes zum Zugang benutzen zu können.

In the following, an exemplary method will be described in which a temporary access control is assigned:

• In the context of maintenance work in a building, which is managed with an access control, a person should exceptionally be assigned for one afternoon the right to use the main entrance of a building complex for access.

An administrator of the access control system is then directly or indirectly on the Access Control server 4 instead of or in addition to the RFID medium, the mobile number. the person e.g. at an operator station 10, and assigns this mobile phone no. In the specific case, the authorization is granted to use the main entrance of the building complex during the given afternoon.

Subsequently, the unique addresses assigned to the main entrances of the building complex of the Bluetooth / WLAN devices 9 arranged at these main entrances are either transmitted directly to the person's mobile telephone, normally together with a software executable on the mobile telephone (eg Java) and deposited thereon; Alternatively, and this solution is preferred insofar as no data is stored on the mobile phone and thus possibly the mobile phone can be changed as long as the same mobile phone number is assigned, this software is not assigned addresses of the allowed devices 9 only on the Access control system provided such that at a first contact of the mobile phone of the person (for example, if this is located in front of the door and a corresponding mobile phone number for the first time) with the access control server or its GSM server 5, the associated software automatically the mobile phone is handed over.

Now comes the person at the right time, d. H. In the afternoon, near a specific main entrance of the building complex, the person's Bluetooth-enabled mobile phone automatically receives the unique address of the device of that specific main entrance. If the corresponding software has already been stored on the mobile phone, the mobile phone now recognizes such a sender. It is now, if necessary, automatically triggered the associated software on the mobile phone 7, and, if necessary, the person, for example, for security reasons additionally queried the input of a PIN code. If this has entered the PIN code, the PIN code is transmitted automatically from the mobile phone to the access control system together with the unique address of the specific Bluetooth / WLAN device 9 of the specific main entrance. This is done via the GSM network, either in the form of an SMS or a telephone data overflow, it is also possible an email or other transmission according to a specific protocol. In the access control system, the access control server 4 now checks whether this mobile telephone 7 or this mobile telephone number is bound because the identifier is not bound to the device but to the number assigned to the mobile telephone at this point in time (due to the unique address, respectively) a corresponding information generated from this address) is authorized, and whether the entered PIN code is correct. If all conditions are met, the access control server 4 will control the associated controller 3 in such a way that the closing mechanism 8 of the passage 1 is influenced in such a way that the person can enter.

Another advantage of the method is that the person can change their personal mobile phone 7 at any time without losing their privileges. It is only important that the SIM card and thus the phone number of the used mobile phone remains the same. Especially with the use of two or more mobile phones 7 with a mobile phone number has the advantage to wear. This flexibility is possible because on the mobile phone 7 no data of the access control system, at most the software mentioned, but which is automatically re-downloaded whenever necessary, are stored and the transmitter 9 does not need to know the unique Bluetooth / WLAN address of the mobile phone 7 , In pure Bluetooth based Access control systems, this problem is very expensive solvable.

In addition to the secure identification on site, the method also allows identification at any distance to the passage 1, as long as the mobile phone is in sufficient proximity to a Bluetooth / WLAN transmitter, ie as long as the mobile phone is in a specific and defined area. Thus, a wide-area solution without limits can be realized, which is still localized. This variant is possible in particular because the transmitter 9 does not have to be connected to the controller 3 and, in addition, if necessary, several transmitters 9 are possible per access point. Factory accesses to suppliers are such an example or remote opening of a passageway 1 by a system operator who does not have access to his operator station 10 but is within the reach of the transmitter 1 associated with this passageway 1 among others. For example, in this context solutions are conceivable in which personnel in a certain work area, for example a room with video cameras, which monitor specific accesses and in which room a Bluetooth / WLAN transmitter is located, are authorized with a mobile telephone to have a transit point one of the video cameras is monitored, open.

LIST OF REFERENCE NUMBERS

1

passage

2

reader

3

controller

4

Access Control server

5

GSM Server

6

Antenna (schematic)

7

mobile phone

8th

physical closing mechanism (lock)

9

Bluetooth transmitter 10 operating station

Claims (17)

1. An access control system having

   - a standard access control system (2-4, 8), via which a large number of access points (1) can each be controlled via individual physical locking mechanisms (8), with at least one reader (2) as well as a controller (3), which is connected to it, for controlling the locking mechanism (8) being provided at each access point (1), and with at least one access control server (4) being provided, which carries out central management of the access data;

   - at least one mobile telephony server (5) connected to the access control server (4), which is at least indirectly able to send data via a mobile telephone network to mobile telephone subscribers (7), and to receive data from them, in which case this mobile telephony server (5) may also be an integral component of the access control server (4);
   characterized in that
   the access control server (4) is connected to the respective controllers (3)
   that a short-range transmitter (9), in the form of an independent unit, which has no direct connection to the standard access control system (2-4, 8), is provided at one specified location and transmits access-point-specific identification information in such a manner that this is received by a mobile telephone (7) which is located in the reception area of the transmitter (9), and is used at least indirectly by this to control the access control at a specific associated access point (1).
2. The access control system as claimed in claim 1, characterized in that the specified location is a location in the area of the associated access point (1), such that the identification information from the transmitter (9) can be received by the mobile telephone (7) only in the immediate vicinity of the access point (1).
3. The access control system as claimed in claim 1, characterized in that the specified location is a location in front of the associated access point (1), or is a specific working area.
4. The access control system as claimed in one of the preceding claims, characterized in that the transmitter (9) is a Bluetooth appliance, particularly preferably with a range of less than 10 meters, and in that the authorized mobile telephone (7) has a Bluetooth interface.
5. The access control system as claimed in one of the preceding claims, characterized in that the transmitter (9) is a WLAN station, and in that the authorized mobile telephone (7) has a WLAN interface.
6. The access control system as claimed in one of the preceding claims, characterized in that the identification information is a hardware-specific, unique address of the transmitter (9), particularly preferably an appliance-specific 48-bit address of a Bluetooth appliance (9), or an address which is specific to a corresponding appliance for a WLAN appliance or a WLAN network.
7. The access control system as claimed in one of the preceding claims, characterized in that the transmitter (9) is in the form of an independent unit, which has no direct connection to the mobile telephony server (5).
8. The access control system as claimed in one of the preceding claims, characterized in that the standard access control system (2-4, 8) also allows access control using means without mobile telephony (7), in particular based on RFID technology.
9. A method for access control, particularly preferably using an access control system as claimed in one of the preceding claims, with
   a standard access control system (2-4, 8) being provided, via which a large number of access points (1) can each be controlled via individual physical locking mechanisms (8), with at least one reader (2) as well as a controller (3), which is connected to it, preferably being provided in order to control the locking mechanism (8) for each access point (1), and with at least one access control server (4) being provided, which carries out central management of the access data;
   and with at least one mobile telephony server (5) being provided, connected to the access control server (4), which is at least indirectly able to send data via a mobile telephone network to mobile telephone subscribers (7), and to receive data from them, in which case this mobile telephony server (5) may also be an integral component of the access control server (4) ;
   characterized in that
   the access control server (4) is connected to the respective controllers (3)
   a short-range transmitter (9) is provided with a specified location, preferably at at least one access point (1), in that a mobile telephone (7) is authorized for access at specific access points (1) in a specific time period via the access control server (4), and/or via the mobile telephony server (5) via the mobile telephone network,
   in that the transmitter (9) transmits access-point-specific identification information continuously or at times, in such a manner that it can be received by only a mobile telephone (7) which is located in the reception area of the transmitter,
   in that a mobile telephone (7) which is located in the reception area of the transmitter (9) detects the identification of this transmitter (9) via this identification information,
   and in that the access point (1) associated with the transmitter (9) is then opened, with direct or indirect use of this identification information, via the mobile telephone (7), the mobile telephone network, the mobile telephony server (5), the access control server (4) and the controller (3).
10. The method as claimed in claim 9, characterized in that the transmitter (9) is arranged in the vicinity of the access point (1) in such a manner that the mobile telephone (7) can receive its identification information only in the immediate vicinity of the access point (1).
11. The method as claimed in one of claims 9 or 10, characterized in that, after detection of the identification information, the mobile telephone (7) additionally demands the input of an authentication in particular such as a PIN code, password or biometric information (7), and this user-specific information is transmitted together with the identification of the access point (1) to be processed via the mobile telephone network to the mobile telephony server (5) and to the access control server (4), which then activates the associated controller (3).
12. The method as claimed in one of claims 9-11, characterized in that the mobile telephone (7) transmits the identification information and if appropriate the PIN code via the GSM network in the form of a telephonic data transmission or in the form of an SMS to the access control server (4).
13. The method as claimed in one of claims 9-12, characterized in that the transmitter (9) is a Bluetooth appliance or a WLAN appliance (9), which transmits its unique address as identification information, and this address is used to identify the associated access point (1), and in that the mobile telephone (7) has a Bluetooth interface or a WLAN interface, in which case the mobile telephone (7) automatically starts an appropriate dialogue with the mobile telephone user on reception of specific addresses of this type which are transmitted in the course of the authorization process and correspond to the authorized access points (1), possibly requests authentication of the user, and in any case then transmits a request to open the specific access point (1) via the mobile telephone network to the mobile telephony server (5) and to the access control server (4).
14. The method as claimed in one of claims 9-13, characterized in that the transmitter (9) is a Bluetooth appliance or a WLAN appliance (9), which is arranged in the area of the gateway (1) in such a way that the identification information can be received by a mobile telephone (7) only within a distance of less than 1 m, particularly preferably less than 0.5 m outside and in front of the gateway (1).
15. The method as claimed in one of claims 9-14, characterized in that the transmitter (9) is a Bluetooth appliance or a WLAN appliance (9), which is arranged in a specific area in front of the associated access point (1), or in a working area associated with the access point.
16. A data processing program, which can run on a mobile telephone (7), for carrying out a method as claimed in one of claims 9-15, which is designed to transmit identification information, received via a Bluetooth or WLAN interface, from a transmitter (9), possibly together with additional information requested in a request, such as a PIN code, a password or biometric information, automatically via the GSM network to an access control server (4).
17. A mobile telephone (7) having a data processing program as claimed in claim 16.

Images