US20210099880A1 - Technologies for access control communications - Google Patents
Publication number: US20210099880A1 (application US16/587,725)
Authority: United States
Legal status: Granted
Classifications
- H04W12/084: Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
- H04W12/069: Authentication using certificates or pre-shared keys
- H04L63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04W12/068: Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
- H04W12/082: Access security using revocation of authorisation
- H04W88/16: Gateway arrangements
- H04W84/12: WLAN [Wireless Local Area Networks]
- H04W12/0804, H04W12/0608, H04W12/0802 (listed without descriptions)
- Parent groups: H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/06 Authentication; H04W12/08 Access security; H04L63/00 Network architectures or network communication protocols for network security; H04W84/00 Network topologies (H04W84/02, H04W84/10); H04W88/00 Devices specially adapted for wireless communication networks
Definitions
- Access control systems typically involve the use of credentials to manage the operation of an access control device (e.g., a lock device).
- credentials may be assigned to a particular user or device and are often physical in nature, forming at least a portion of, for example, a smartcard, proximity card, key fob, token device, or mobile device.
- when a credential is presented to a reader device (e.g., on or secured to the access control device), the reader device may read the credential and determine whether access should be granted.
- Access control permissions and other access control data are updated for various users/credentials over time and, therefore, those updates are often transmitted to access control devices that make access control decisions locally based on user-presented credentials.
- the number of users and credentials can be staggering.
- the limited data storage available on many access control devices introduces technical difficulties in ensuring that those access control devices maintain complete and accurate access control data.
- One embodiment is directed to a unique system, components, and methods for access control communications.
- Other embodiments are directed to apparatus, systems, devices, hardware, methods, and combinations thereof for access control communications.
- FIG. 1 is a simplified block diagram of an access control system;
- FIG. 2 is a simplified block diagram of at least one embodiment of a computing system;
- FIG. 3 is a simplified flow diagram of at least one embodiment of a method of communicating access control information by leveraging serial communication between a gateway device and a server;
- FIG. 4 is a simplified flow diagram of at least one embodiment of a method of communicating access control information by configuring the gateway device to act as a web server to a server;
- FIG. 5 is a simplified flow diagram of at least one embodiment of a method of communicating access control information by configuring the gateway device to act as a client to a server;
- FIG. 6 is a simplified flow diagram of at least one other embodiment of a method of communicating access control information by configuring the gateway device to act as a client to a server;
- FIG. 7 is a simplified flow diagram of at least one embodiment of a method of making access control decisions.
- references in the specification to “one embodiment,” “an embodiment,” “an illustrative embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may or may not necessarily include that particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. It should further be appreciated that although reference to a “preferred” component or feature may indicate the desirability of a particular component or feature with respect to an embodiment, the disclosure is not so limiting with respect to other embodiments, which may omit such a component or feature.
- the disclosed embodiments may, in some cases, be implemented in hardware, firmware, software, or a combination thereof.
- the disclosed embodiments may also be implemented as instructions carried by or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors.
- a machine-readable storage medium may be embodied as any storage device, mechanism, or other physical structure for storing or transmitting information in a form readable by a machine (e.g., a volatile or non-volatile memory, a media disc, or other media device).
- an access control system 100 includes one or more access control devices 102 , a management system 104 , and a credential device 106 .
- the management system 104 may include a management server 108 , a gateway device 110 , an access control panel 112 , and/or a mobile device 114 .
- the access control system 100 allows for a true real-time solution of access control that provides the IP host (e.g., the management server 108 ) with relevant information regarding credentials that are presented to an access control device 102 .
- the access control system 100 may allow for a true real-time access control solution while providing the host device (e.g., the management server 108 ) with information regarding credentials presented to the access control device 102 , and providing such data to an extent that may not be otherwise feasible due to memory constraints in various access control devices 102 .
- the host (e.g., the management server 108 ) may be provided with information regarding credentials that are presented to the access control device 102 regardless of whether the credential information associated with those credentials is already included in a local access control database of the access control device 102 (i.e., for making access control decisions locally at the access control device 102 ).
- it may be unrealistic to store and/or provide a large amount of credential information (e.g., in a large enterprise or commercial environment) to the access control device 102 ; yet, such limitations are often not imposed on gateway devices 110 .
- the gateway device 110 includes a gateway credential list stored thereon, which may include substantially more credential information than the local access control database of the access control device 102 and/or may be leveraged to make access control decisions as described in greater detail herein.
- each of the access control devices 102 may be embodied as any type of device capable of controlling and/or facilitating access through a passageway (e.g., at least in part).
- the access control device 102 may be embodied as an electronic lock (e.g., a mortise lock, a cylindrical lock, or a tubular lock), an exit device (e.g., a pushbar or pushpad exit device), a door closer, an auto-operator, a motorized latch/bolt (e.g., for a sliding door), barrier control device (e.g., battery-powered), or a peripheral controller of a passageway.
- the access control device 102 may include a credential reader or be electrically/communicatively coupled to a credential reader configured to communicate with credentials 106 .
- the access control device 102 may have a local access control database stored thereon for locally performing access control decisions associated with user access.
- the access control database may store credential data, biometric data, historical information, PINs, passcodes, and/or other relevant authentication data associated with users.
- data or a portion thereof may additionally or alternatively be stored in a centralized access control database (e.g., hosted by and/or accessible to the management server 108 ).
- one or more of the credentials 106 may be embodied as a passive credential device having a credential identifier or value (e.g., a unique ID) stored therein, and that is “passive” in the sense that the credential device is configured to be powered by radio frequency (RF) signals received from a credential reader.
- one or more of the passive credentials may be embodied as a proximity card, which is configured to communicate over a low frequency carrier of nominally 125 kHz, and/or a smartcard, which is configured to communicate over a high frequency carrier frequency of nominally 13.56 MHz.
- each of the credentials 106 may be embodied as any type of passive or active credential device capable of performing the functions described herein.
- one or more of the credentials 106 may be embodied as a virtual credential stored on the mobile device 114 and/or other computing device of a particular user.
- the management system 104 may be configured to manage credentials of the access control system 100 .
- the management system 104 may be responsible for ensuring that the access control devices 102 have updated local access control databases, authorized credentials, whitelists, blacklists, device parameters, and/or other suitable data.
- the management system 104 may receive security data, audit data, raw sensor data, and/or other suitable data from the access control devices 102 for management of the access control system 100 .
- one or more of the devices of the management system 104 may be embodied as an online server or a cloud-based server.
- the management system 104 may communicate with multiple access control devices 102 at a single site (e.g., a particular building) and/or across multiple sites. That is, in such embodiments, the management system 104 may be configured to receive data from access control devices 102 distributed across a single building, multiple buildings on a single campus, or across multiple locations.
- the management system 104 may include one or more devices depending on the particular embodiment of the access control system 100 .
- the management system 104 may include a management server 108 , a gateway device 110 , an access control panel 112 , and/or a mobile device 114 depending on the particular embodiment.
- the functions of the management system 104 described herein may be performed by one or more of those devices in various embodiments.
- the management server 108 may perform all of the functions of the management system 104 described herein.
- the gateway device 110 may be communicatively coupled to the access control devices 102 such that the other devices of the management system 104 (e.g., the management server 108 , the access control panel 112 , and/or the mobile device 114 ) may communicate with the access control devices 102 via the gateway device 110 .
- the access control devices 102 may communicate with the management server 108 over a Wi-Fi connection and/or with the mobile device 114 over a Bluetooth connection. Additionally, the access control devices 102 may communicate with the management server 108 and/or the access control panel 112 via the gateway device 110 . As such, in the illustrative embodiment, the access control device 102 may communicate with the gateway device 110 over a Wi-Fi connection and/or a Bluetooth connection, and the gateway device 110 may, in turn, forward the communicated data to the relevant management server 108 and/or access control panel 112 .
- the gateway device 110 may communicate with the access control panel 112 over a serial communication link (e.g., using RS-485 standard communication), and the gateway device 110 may communicate with the management server 108 over a Wi-Fi connection, an Ethernet connection, and/or another wired/wireless communication connection.
- each of the access control devices 102 may communicate with the management server 108 via an online mode with a persistent real-time communication connection or via an offline mode (e.g., periodically or in response to an appropriate condition) depending on the particular embodiment (e.g., depending on whether the particular access control device 102 is offline).
- various technologies for implementing such access control communications are described in greater detail herein.
- the access control devices 102 may communicate with the devices of the management system 104 via one or more other suitable communication protocols.
- the gateway device 110 may be embodied as any one or more devices that, individually or collectively, serve as an intermediary device allowing the access control devices 102 to communicate with the management server 108 and/or other remote devices via the Internet and/or a wired/wireless network.
- the gateway device 110 may be embodied as a wireless access point that is communicatively coupled to a router.
- the gateway device 110 may form an integral component of or otherwise form a portion of the router itself.
- each of the access control devices 102 , the management system 104 , the management server 108 , the gateway device 110 , the access control panel 112 , and/or the mobile device 114 may be embodied as one or more computing devices similar to the computing device 200 described below in reference to FIG. 2 .
- one or more of the access control devices 102 , the management system 104 , the management server 108 , the gateway device 110 , the access control panel 112 , and the mobile device 114 may include a processing device 202 and a memory 206 having stored thereon operating logic 208 for execution by the processing device 202 for operation of the corresponding device.
- although the management system 104 and the management server 108 are described herein as one or more computing devices outside of a cloud computing environment, in other embodiments, the system 104 and/or server 108 may be embodied as a cloud-based device or collection of devices. Further, in cloud-based embodiments, the system 104 and/or server 108 may be embodied as a “serverless” or server-ambiguous computing solution, for example, that executes a plurality of instructions on-demand, contains logic to execute instructions only when prompted by a particular activity/trigger, and does not consume computing resources when not in use.
- system 104 and/or server 108 may be embodied as a virtual computing environment residing “on” a computing system (e.g., a distributed network of devices) in which various virtual functions (e.g., Lambda functions, Azure functions, Google cloud functions, and/or other suitable virtual functions) may be executed corresponding with the functions of the system 104 and/or server 108 described herein.
- the virtual computing environment may be communicated with (e.g., via a request to an API of the virtual computing environment), whereby the API may route the request to the correct virtual function (e.g., a particular server-ambiguous computing resource) based on a set of rules.
- the appropriate virtual function(s) may be executed to perform the actions before eliminating the instance of the virtual function(s).
- the system 100 may include multiple management systems 104 , credentials 106 , management servers 108 , gateway devices 110 , access control panels 112 , and/or mobile devices 114 in other embodiments.
- the server 108 may be embodied as multiple servers in a cloud computing environment in some embodiments.
- each user may be associated with one or more separate credentials 106 in some embodiments.
- referring now to FIG. 2 , a simplified block diagram of at least one embodiment of a computing device 200 is shown.
- the illustrative computing device 200 depicts at least one embodiment of an access control device 102 , management system 104 , credential 106 (e.g., an active credential), management server 108 , gateway device 110 , access control panel 112 , and/or mobile device 114 illustrated in FIG. 1 .
- computing device 200 may be embodied as an access control device, reader device, server, desktop computer, laptop computer, tablet computer, notebook, netbook, Ultrabook™, mobile computing device, cellular phone, smartphone, wearable computing device, personal digital assistant, Internet of Things (IoT) device, control panel, processing system, router, gateway, and/or any other computing, processing, and/or communication device capable of performing the functions described herein.
- the computing device 200 includes a processing device 202 that executes algorithms and/or processes data in accordance with operating logic 208 , an input/output device 204 that enables communication between the computing device 200 and one or more external devices 210 , and memory 206 which stores, for example, data received from the external device 210 via the input/output device 204 .
- the input/output device 204 allows the computing device 200 to communicate with the external device 210 .
- the input/output device 204 may include a transceiver, a network adapter, a network card, an interface, one or more communication ports (e.g., a USB port, serial port, parallel port, an analog port, a digital port, VGA, DVI, HDMI, FireWire, CAT 5, or any other type of communication port or interface), and/or other communication circuitry.
- Communication circuitry of the computing device 200 may be configured to use any one or more communication technologies (e.g., wireless or wired communications) and associated protocols (e.g., Ethernet, Bluetooth (including Bluetooth Low Energy (BLE)), Wi-Fi, Near Field Communication (NFC), WiMAX, ZigBee, Z-wave, IEEE 802.15, etc.) to effect such communication depending on the particular computing device 200 .
- the input/output device 204 may include hardware, software, and/or firmware suitable for performing the techniques described herein.
- the external device 210 may be any type of device that allows data to be inputted or outputted from the computing device 200 .
- the external device 210 may be embodied as the access control device 102 , the management system 104 , the credential 106 , the management server 108 , the gateway device 110 , the access control panel 112 , and/or the mobile device 114 .
- the external device 210 may be embodied as another computing device, switch, diagnostic tool, controller, printer, display, alarm, peripheral device (e.g., keyboard, mouse, touch screen display, etc.), and/or any other computing, processing, and/or communication device capable of performing the functions described herein.
- the external device 210 may be integrated into the computing device 200 .
- the processing device 202 may be embodied as any type of processor(s) capable of performing the functions described herein.
- the processing device 202 may be embodied as one or more single or multi-core processors, microcontrollers, or other processor or processing/controlling circuits.
- the processing device 202 may include or be embodied as an arithmetic logic unit (ALU), central processing unit (CPU), digital signal processor (DSP), and/or another suitable processor(s).
- the processing device 202 may be a programmable type, a dedicated hardwired state machine, or a combination thereof. Processing devices 202 with multiple processing units may utilize distributed, pipelined, and/or parallel processing in various embodiments.
- processing device 202 may be dedicated to performance of just the operations described herein, or may be utilized in one or more additional applications.
- the processing device 202 is programmable and executes algorithms and/or processes data in accordance with operating logic 208 as defined by programming instructions (such as software or firmware) stored in memory 206 .
- the operating logic 208 for processing device 202 may be at least partially defined by hardwired logic or other hardware.
- the processing device 202 may include one or more components of any type suitable to process the signals received from input/output device 204 or from other components or devices and to provide desired output signals. Such components may include digital circuitry, analog circuitry, or a combination thereof.
- the memory 206 may be of one or more types of non-transitory computer-readable media, such as a solid-state memory, electromagnetic memory, optical memory, or a combination thereof. Furthermore, the memory 206 may be volatile and/or nonvolatile and, in some embodiments, some or all of the memory 206 may be of a portable type, such as a disk, tape, memory stick, cartridge, and/or other suitable portable memory. In operation, the memory 206 may store various data and software used during operation of the computing device 200 such as operating systems, applications, programs, libraries, and drivers.
- the memory 206 may store data that is manipulated by the operating logic 208 of processing device 202 , such as, for example, data representative of signals received from and/or sent to the input/output device 204 in addition to or in lieu of storing programming instructions defining operating logic 208 .
- the memory 206 may be included with the processing device 202 and/or coupled to the processing device 202 depending on the particular embodiment.
- the processing device 202 , the memory 206 , and/or other components of the computing device 200 may form a portion of a system-on-a-chip (SoC) and be incorporated on a single integrated circuit chip.
- various components of the computing device 200 may be communicatively coupled via an input/output subsystem, which may be embodied as circuitry and/or components to facilitate input/output operations with the processing device 202 , the memory 206 , and other components of the computing device 200 .
- the input/output subsystem may be embodied as, or otherwise include, memory controller hubs, input/output control hubs, firmware devices, communication links (i.e., point-to-point links, bus links, wires, cables, light guides, printed circuit board traces, etc.) and/or other components and subsystems to facilitate the input/output operations.
- the computing device 200 may include other or additional components, such as those commonly found in a typical computing device (e.g., various input/output devices and/or other components), in other embodiments. It should be further appreciated that one or more of the components of the computing device 200 described herein may be distributed across multiple computing devices. In other words, the techniques described herein may be employed by a computing system that includes one or more computing devices. Additionally, although only a single processing device 202 , I/O device 204 , and memory 206 are illustratively shown in FIG. 2 , it should be appreciated that a particular computing device 200 may include multiple processing devices 202 , I/O devices 204 , and/or memories 206 in other embodiments. Further, in some embodiments, more than one external device 210 may be in communication with the computing device 200 .
- the access control system 100 may utilize one or more different modes of operation in order to transmit data among the various devices in the access control system 100 and, more specifically, between the access control device 102 and the server 108 .
- the access control system 100 may utilize an “offline mode,” an “offline with Wi-Fi mode,” a “gateway as server mode,” a “gateway as client mode,” a “serial communication mode,” or a “modified gateway as client mode.”
- the access control system 100 may leverage “no tour” functionality to transmit data to offline access control devices 102 , whereby access control data updates (e.g., access permissions, database updates, configurations, etc.) are transmitted to the offline access control devices 102 via the mobile device 114 and/or credential 106 .
- the terms “offline mode,” “offline with Wi-Fi mode,” “gateway as server mode,” “gateway as client mode,” “serial communication mode,” “modified gateway as client mode,” and “no tour” are used herein for reference purposes only and are not intended to be limiting.
- the access control system 100 may utilize an “offline mode” in which the access control device 102 functions as a standalone device with “decision at door” capabilities such that the access control device 102 authenticates credential data and/or makes access control decisions locally at the access control device 102 (e.g., based on a local access control database or door file). Accordingly, the system 100 may rely on the access rights for authorized credentials and/or device configurations having been pre-loaded onto the local access control database and/or other memory of the access control device 102 .
- the access control data may be transmitted to the local access control database of the access control device 102 via the mobile device 114 (e.g., using a mobile application and wireless communication protocol such as BLE) or using the no tour techniques described herein.
- the access control device 102 can transmit audits, device configurations, status indications, and/or other relevant data to the server 108 via the mobile device 114 and/or using no tour techniques having feedback mechanisms.
- the “offline mode” involves a user physically visiting the access control device 102 in order to perform the data transfers described above.
- the access control system 100 may utilize an “offline with Wi-Fi mode” in which the access control device 102 generally functions similarly to the “offline mode.” However, in the “offline with Wi-Fi mode,” the access control device 102 includes Wi-Fi and/or other wireless communication circuitry capable of communicating with the server 108 (e.g., via a router) to communicate access control data therebetween. Depending on the particular embodiment, the access control device 102 may establish the Wi-Fi connection with the server 108 in order to transmit and receive relevant access control data periodically, asynchronously, according to a predetermined or dynamic schedule, and/or in response to some condition while also maintaining the “decision at door” functionality of the “offline mode” described above.
- the access control device 102 may establish a Wi-Fi connection and communicate with the server 108 one or more times daily (e.g., at times of historically low use of the access control device 102 ). Additionally or alternatively, in some embodiments, the access control device 102 may establish the Wi-Fi connection to communicate with the server 108 in response to one or more predefined (or dynamically determined) asynchronous events including, for example, a forced door alert, tamper alert, low battery notification, critical battery notification, magnetic tamper alert, corrupt file notification (e.g., access control database or door file), reader tamper alert, and/or other events.
- the access control system 100 may utilize a “serial communication mode” in which the access control system 100 has “decision at host” capabilities such that the server 108 or the access control panel 112 authenticates credential data and/or makes access control decisions remotely relative to the access control device 102 (e.g., based on a centralized access control database of the management system 104 ).
- the access control panel 112 may be communicatively coupled to the gateway device 110 via a serial communication link and corresponding communication protocol (e.g., RS-485 communication protocol), and the gateway device 110 may wirelessly communicate (e.g., via Bluetooth) with the access control device 102 .
- the gateway device 110 may be configured to “consume” and reply to relevant messages at the next available poll response (e.g., under the RS-485 communication protocol). Accordingly, the access control device 102 may transmit credential data associated with a presented credential to the gateway device 110 , and the gateway device 110 may transmit the encrypted credential data to the access control panel 112 (and/or server 108 ) at the next available poll response. Further, the access control panel 112 (and/or server 108 ) may authenticate the credential data and make an access control decision (e.g., grant/deny access), which may be transmitted to the gateway device 110 for subsequent transmittal to the access control device 102 (e.g., in the form of an “unlock” command).
- status changes of the access control device 102 may be automatically transmitted to the gateway device 110 , which may be forwarded to the access control panel 112 (and/or server 108 ) at the next available poll response.
- the “serial communication mode” may allow the access control panel 112 (and/or server 108 ) to “see” all credential data presented to the access control device 102 . At least one embodiment of the “serial communication mode” is described below in reference to the method 300 of FIG. 3 .
- the access control system 100 may utilize an IP-based solution that leverages the gateway device 110 for communication between the access control device 102 and the server 108 .
- the server 108 may communicate with the gateway device 110 via IP communications (e.g., Ethernet), and the gateway device 110 in turn may process any messages related to the gateway device 110 itself and/or forward any messages (e.g., via Bluetooth) intended for the access control device 102 .
- the access control device 102 may transmit status change information, audit data, and/or other relevant information to the gateway device 110 (e.g., automatically) for subsequent delivery by the gateway device 110 to the server 108 .
- the server 108 may transmit access control data (e.g., access permissions, configuration data, etc.) to the gateway device 110 for subsequent delivery by the gateway device 110 to the access control device 102 .
- the access control device 102 may authenticate (e.g., making a grant/deny decision) the credential data locally based on the local access control database of the access control device 102 , which may be loaded/updated based on access control data communications received from the server 108 via the gateway device 110 .
- the access control system 100 may utilize the “gateway as server mode,” “gateway as client mode,” or “modified gateway as client mode” described below.
- the access control system 100 may utilize a “gateway as server mode” in which the server 108 acts as a client device and the gateway device 110 acts as a server (e.g., web server) in a server/client IP communication arrangement.
- the server 108 (acting as a client device) may communicate with the gateway device 110 via a RESTful API or other suitable API hosted by the gateway device 110 (acting as the server).
- Audit data, status changes, and other information received by the gateway device 110 from the access control device 102 may be stored at the gateway device 110 until the server 108 (as client) has requested the updated information from the gateway device 110 (as server).
- the gateway device 110 relies on receipt of a communication from the server 108 in order to transmit relevant access control data updates.
- At least one embodiment of the “gateway as server mode” is described below in reference to the method 400 of FIG. 4 .
- the access control system 100 may utilize a “gateway as client mode” as indicated above in which the server 108 acts as a server (e.g., web server) and the gateway device 110 acts as a client device in a server/client IP communication arrangement.
- the gateway device 110 (as client) may attempt to reach the server 108 (as server) and authenticate the server 108 (e.g., to ensure a secure connection therebetween).
- the gateway device 110 may request to open a Web Socket connection between the gateway device 110 and the server 108 , which allows for full duplex communication between the gateway device (as client) and the server 108 (as server).
- the server 108 may make requests of the gateway device 110 by transforming RESTful API (or other suitable API) requests (e.g., as utilized in the “gateway as server mode” described above) into a WebSocket communication sub-protocol.
- the “gateway as client mode” allows for the gateway device 110 to be situated “behind” a firewall and still communicate with the server 108 without the additional overhead of port forwarding or network mapping, which may be required if the server 108 and the gateway device 110 are on different subnets (e.g., as in some embodiments of “gateway as server mode”).
- the gateway device 110 need not wait until a request is made of it in order to provide information to the server 108 . That is, in the “gateway as client mode,” the gateway device 110 may provide information to the server 108 in real time without waiting for the server 108 to request such information, which may permit the server 108 to “subscribe” to information associated with particular events and allow the gateway device 110 to notify the server 108 in real time if any such “subscribed” event occurs.
- At least one embodiment of the “gateway as client mode” is described below in reference to the method 500 of FIG. 5 .
- the access control system 100 may utilize a “modified gateway as client mode” as indicated above, which may allow for a true real-time solution of access control that provides the IP host (e.g., the server 108 ) with relevant information of credentials that are presented to the access control device 102 .
- the “modified gateway as client mode” addresses a technical need in some access control systems for the server 108 to be provided with information regarding credentials that are presented to the access control device 102 regardless of whether or not the credential data associated with that particular credential 106 is already included in the local access control database (or door file) of the access control device 102 for “decision at door” operation.
- the gateway device 110 may store therein a gateway credential list (GCL) with a significant amount of credential data (e.g., more data than capable of being stored in the memory of the access control device 102 ).
- the gateway credential list may include/identify a set of credentials (e.g., as credential data, encrypted credential data, or otherwise) and a unique credential index associated with each such credential identified in the list.
- the credential indexes may be generated as strictly increasing (or strictly decreasing) indexes.
- the unique credential indexes may be generated randomly, pseudo-randomly, cryptographically uniquely, and/or otherwise generated in a manner that ensures that no (or minimal) collisions occur.
- the gateway credential list is described herein as a list, it should be appreciated that the gateway credential list may be formatted according to any suitable data structure.
- the access control device 102 transmits the credential data to the gateway device 110 (e.g., in encrypted or unencrypted form depending on the particular embodiment). If the credential (e.g., in the form of credential data) already exists in the gateway credential list of the gateway device 110 , the gateway device 110 may transmit the respective credential index associated with that credential to the server 108 (e.g., via a Web Socket connection).
- the gateway device 110 may notify the server 108 (e.g., via the Web Socket connection) that a credential has been presented to the access control device 102 that does not exist in the gateway credential list.
- the server 108 may request (e.g., via the Web Socket connection) that the gateway device 110 enter an enrollment mode in which the credential data (e.g., in encrypted or unencrypted form) is transmitted to the server 108 .
- the access control device 102 may resort to “decision at door” functionality in which the access control device 102 may locally make the access control decision based on the current data in the local access control database of the access control device 102 .
- At least one embodiment of the “modified gateway as client mode” is described below in reference to the method 600 of FIG. 6 and the method 700 of FIG. 7 .
- the access control system 100 may execute a method 300 for communicating access control information by leveraging serial communication between the gateway device 110 and the server 108 .
- the particular flows of the method 300 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary.
- the method 300 may be executed in conjunction with one or more of the features described above in reference to the “serial communication mode” of the access control system 100 .
- the illustrative method 300 begins with flow 302 in which the server 108 transmits a poll request to the gateway device 110 .
- the gateway device 110 evaluates the poll request and transmits a poll response. For example, the gateway device 110 may determine that no changes have occurred at the access control device 102 and transmit a poll response accordingly.
- a credential 106 may be presented to the access control device 102 .
- the access control device 102 transmits credential information/data associated with the credential 106 to the gateway device 110 (e.g., read from and/or received from the credential 106 ).
- the server 108 transmits another poll request to the gateway device 110 .
- the gateway device 110 again evaluates the poll request and transmits a poll response. For example, in the illustrative embodiment, the gateway device 110 may transmit the credential information received from the access control device 102 since the last poll request/response interaction.
- the server 108 authenticates the credential information, for example, to determine access permissions associated with the credential and makes an access control decision/command (e.g., grant/deny access).
- the server 108 transmits the access control decision to the gateway device 110 , which in turn transmits the access control decision to the access control device 102 in flow 316 .
- the access control device 102 executes the access control decision.
- the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway.
- the access control device 102 may transmit a status of the access control device 102 to the gateway device 110 .
- the status may indicate the lock status (locked/unlocked) and/or other conditions of the access control device 102 .
- the server 108 transmits another poll request to the gateway device 110 .
- the gateway device 110 again evaluates the poll request and transmits a poll response. For example, in the illustrative embodiment, the gateway device 110 may transmit the status information received from the access control device 102 since the last poll request/response interaction.
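The “serial communication mode” of method 300 as an added simulation (not code from the patent): the gateway buffers what it hears from the door and hands it to the host only at the next poll response, and the host, which sees every presented credential, makes the grant/deny decision. The credential database, identifiers and message dictionaries are constructed for the example.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

# Constructed "decision at host" database: credential identifier -> doors it may open.
CENTRAL_DB = {"cred-A1": {"door-1"}, "cred-B2": set()}


@dataclass
class Gateway:
    """Gateway 110: consumes door messages and replies only at the next poll response."""
    pending: deque = field(default_factory=deque)
    device: AccessControlDevice | None = None

    def from_device(self, msg: dict) -> None:
        self.pending.append(msg)

    def poll(self) -> list[dict]:
        # The poll response carries everything received since the last poll, then clears it.
        batch = list(self.pending)
        self.pending.clear()
        return batch

    def to_device(self, decision: dict) -> None:
        # Host decision forwarded to the door (e.g., as an "unlock" command).
        self.device.execute(decision)


@dataclass
class AccessControlDevice:
    """Access control device 102 in serial mode: it makes no local decision."""
    door_id: str
    gateway: Gateway
    lock_state: str = "locked"

    def present_credential(self, credential_id: str) -> None:
        self.gateway.from_device(
            {"type": "credential", "door": self.door_id, "credential": credential_id})

    def execute(self, decision: dict) -> None:
        self.lock_state = "unlocked" if decision["decision"] == "grant" else "locked"
        # The status change is reported to the gateway for the next poll response.
        self.gateway.from_device({"type": "status", "door": self.door_id, "lock": self.lock_state})


class HostServer:
    """Server 108 / panel 112: polls, authenticates each presented credential, decides."""

    def __init__(self, gateway: Gateway) -> None:
        self.gateway = gateway
        self.seen_credentials: list[str] = []   # every credential the host has "seen"

    def poll_cycle(self) -> list[dict]:
        response = self.gateway.poll()
        for msg in response:
            if msg["type"] == "credential":
                self.seen_credentials.append(msg["credential"])
                allowed = msg["door"] in CENTRAL_DB.get(msg["credential"], set())
                self.gateway.to_device(
                    {"door": msg["door"], "decision": "grant" if allowed else "deny"})
        return response


def run_method_300(credential_id: str) -> dict:
    """Drive one credential through the poll/response sequence of method 300."""
    gateway = Gateway()
    door = AccessControlDevice("door-1", gateway)
    gateway.device = door
    host = HostServer(gateway)
    first = host.poll_cycle()               # nothing has changed at the door yet
    door.present_credential(credential_id)  # door forwards the credential data to the gateway
    second = host.poll_cycle()              # credential delivered; host decides and replies
    third = host.poll_cycle()               # resulting lock status delivered
    return {"first": first, "second": second, "third": third,
            "lock_state": door.lock_state, "seen": host.seen_credentials}


if __name__ == "__main__":
    print(run_method_300("cred-A1"))
```

Note that a credential unknown to the host is still delivered to it and denied, which is the property the text describes: the host sees all credential data in this mode.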
- the access control system 100 may execute a method 400 for communicating access control information by configuring the gateway device 110 to act as a web server to the server 108 .
- the particular flows of the method 400 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary.
- the method 400 may be executed in conjunction with one or more of the features described above in reference to the “gateway as server mode” of the access control system 100 .
- the illustrative method 400 begins with flow 402 in which the server 108 transmits an audit request to the gateway device 110 .
- the gateway device 110 evaluates the audit request and transmits an audit response. For example, the gateway device 110 may determine that no audits have been received from the access control device 102 and transmit an audit response accordingly.
- a credential 106 may be presented to the access control device 102 .
- the access control device 102 authenticates the credential information based on a local access control database of the access control device 102 , for example, to determine access permissions associated with the credential and makes an access control decision/command (e.g., grant/deny access).
- the access control device 102 executes the access control decision.
- the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway.
- the access control device 102 transmits audit information/data associated with the credential 106 to the gateway device 110 (e.g., a user identifier, credential identifier, information associated with the access control decision, and/or other access control data).
- at an appropriate time (e.g., periodically or asynchronously), the server 108 transmits another audit request to the gateway device 110 .
- the gateway device 110 again evaluates the audit request and transmits an audit response. For example, in the illustrative embodiment, the gateway device 110 may transmit the audit information received from the access control device 102 since the last audit request/response interaction.
- the access control system 100 may execute a method 500 for communicating access control information by configuring the gateway device 110 to act as a client to the server 108 .
- the particular flows of the method 500 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary.
- the method 500 may be executed in conjunction with one or more of the features described above in reference to the “gateway as client mode” of the access control system 100 .
- the illustrative method 500 begins with flow 502 in which a credential 106 may be presented to the access control device 102 .
- the access control device 102 authenticates the credential information based on a local access control database of the access control device 102 , for example, to determine access permissions associated with the credential and makes an access control decision/command (e.g., grant/deny access).
- the access control device 102 executes the access control decision.
- the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway.
- the access control device 102 transmits audit information/data associated with the credential 106 to the gateway device 110 (e.g., a user identifier, credential identifier, information associated with the access control decision, and/or other access control data), and the gateway device 110 in turn transmits/forwards the audit information/data to the server 108 in flow 510 .
- the access control device 102 may transmit a status of the access control device 102 to the gateway device 110 , and the gateway device 110 in turn may transmit/forward the status information to the server 108 in flow 514 .
- the status may indicate the lock status (locked/unlocked) and/or other conditions of the access control device 102 .
- the access control system 100 may execute a method 600 for communicating access control information by configuring the gateway device 110 to act as a client to the server 108 .
- the particular flows of the method 600 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary.
- the method 600 may be executed in conjunction with one or more of the features described above in reference to the “modified gateway as client mode” of the access control system 100 .
- the illustrative method 600 begins with flow 602 in which a credential 106 may be presented to the access control device 102 .
- the access control device 102 transmits credential information/data associated with the credential 106 to the gateway device 110 (e.g., read from and/or received from the credential 106 ), and the gateway device 110 in turn transmits credential information/data (e.g., the same data or a credential index) to the server 108 in flow 606 .
- the server 108 authenticates the credential information, for example, to determine access permissions associated with the credential and makes an access control decision/command (e.g., grant/deny access).
- the server 108 transmits the access control decision to the gateway device 110 , which in turn transmits the access control decision to the access control device 102 in flow 612 .
- the access control device 102 executes the access control decision.
- the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway.
- the access control device 102 may transmit a status of the access control device 102 to the gateway device 110 , which the gateway device 110 in turn may transmit/forward to the server 108 in flow 618 .
- the status may indicate the lock status (locked/unlocked) and/or other conditions of the access control device 102 .
- the access control device 102 may be unable to establish a connection with the gateway device 110 , the gateway device 110 may be unable to establish a connection with the server 108 , and/or the access control device 102 may not receive an access control decision from the server 108 (e.g., within a predefined period of time). After the predefined period of time has lapsed (e.g., subsequent to presentation of the credential to the access control device 102 ), as described above, the access control device 102 may authenticate the credential 106 and make the access control decision locally at the access control device 102 based on the current data of the local access control database in some embodiments. Upon successful reconnection, the access control device 102 may transmit the appropriate audit data to the gateway device 110 for transmittal to the server 108 .
- the access control system 100 may execute a method 700 for making access control decisions. It should be appreciated that the particular flows of the method 700 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary. In some embodiments, it should be appreciated that the method 700 may be executed in conjunction with one or more of the features described above in reference to the “modified gateway as client mode” of the access control system 100 .
- the illustrative method 700 begins with block 702 in which a credential 106 may be presented to the access control device 102 .
- the access control device 102 transmits credential information/data associated with the credential 106 to the gateway device 110 (e.g., read from and/or received from the credential 106 ).
- the gateway device 110 compares the credential information/data to a gateway credential list of the gateway device 110 .
- the gateway credential list may include/identify a set of credentials (e.g., as credential data, encrypted credential data, or otherwise) and a unique credential index associated with each such credential identified in the list.
- the credential indexes may be generated as strictly increasing (or strictly decreasing) indexes.
- the gateway device 110 compares the credential information/data to the gateway credential list to determine whether the credential information/data matches any of the entries of the list. In other words, the gateway device 110 determines whether the credential data is included in the gateway credential list. If so, the gateway device 110 identifies the unique credential index corresponding with the credential data.
- the method 700 advances to block 710 in which the gateway device 110 transmits the corresponding credential index to the server 108 .
- the server 108 authenticates the credential presented to the access control device 102 based on the credential index received from the gateway device 110 , for example, to determine access permissions associated with the credential and make an access control decision/command (e.g., grant/deny access).
- the server 108 may likewise include a credential list including a plurality of credentials (e.g., credential data) and corresponding credential indexes.
- the server's credential list may be a superset of the gateway credential list of the gateway device 110 .
- the server's credential list may include the credential data and corresponding credential indexes for each of the credentials involved in and/or associated with the access control system 100 .
- the server 108 may compare the received credential index to its credential list to identify the matching credential data and authenticate that credential data (e.g., based on the particular access control device 102 to which access is requested) accordingly.
- the server 108 may transmit the access control decision to the gateway device 110 , which in turn may transmit the access control decision to the access control device 102 .
- the access control system 100 may perform a suitable error handling procedure in response to determining that the credential index does not match an index of the server's credential list.
- the method 700 advances to block 714 in which the gateway device 110 transmits a message to the server 108 indicating that the credential data of the credential presented to the access control device 102 does not match any credential identified in the gateway credential list.
- the server 108 may determine whether to enroll the presented credential into the access control system 100 , for example, and assign suitable access rights to the credential. If so, the method 700 advances to block 718 in which the gateway device 110 transmits the credential data to the server 108 for enrollment.
- the access control device 102 determines whether an access control decision/command has been received from the server 108 (e.g., via the gateway device 110 ). If so, the method 700 advances to block 722 in which the access control device 102 executes the access control decision.
- the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway.
- the method 700 advances to block 724 in which the access control device 102 may authenticate the credential and make the access control decision locally at the access control device 102 based on the current data of the local access control database as described above.
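The “modified gateway as client mode” and method 700 as an added simulation (not code from the patent): the gateway keeps a gateway credential list mapping credential data to strictly increasing indexes, sends only the index to the server when the credential is known, reports an unknown credential and enters an enrollment mode if the server asks for it, and the door falls back to “decision at door” when no server decision arrives. The server's enrollment policy, the index-allocation rule (the server assigns indexes so its list stays a superset of the gateway's), the credential byte strings and the synchronous modelling of the timeout are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GatewayCredentialList:
    """GCL held by gateway 110: credential data -> unique, strictly increasing index."""
    entries: dict[bytes, int] = field(default_factory=dict)

    def lookup(self, credential: bytes) -> Optional[int]:
        return self.entries.get(credential)

    def add(self, credential: bytes, index: int) -> None:
        # Indexes are assigned by the server (assumption) and must keep increasing.
        if self.entries and index <= max(self.entries.values()):
            raise ValueError("credential index must be strictly increasing")
        self.entries[credential] = index


class Server:
    """Server 108: holds the superset credential list and makes the decision."""

    def __init__(self, enroll_unknown: bool) -> None:
        self.credentials: dict[int, tuple[bytes, set[str]]] = {}  # index -> (data, doors)
        self.next_index = 1
        self.enroll_unknown = enroll_unknown     # assumed enrollment policy
        self.errors: list[str] = []

    def provision(self, credential: bytes, doors: list[str]) -> int:
        index = self.next_index
        self.next_index += 1
        self.credentials[index] = (credential, set(doors))
        return index

    def authenticate_index(self, index: int, door: str) -> Optional[str]:
        entry = self.credentials.get(index)
        if entry is None:
            # Index not in the server's list: error handling, no decision is issued.
            self.errors.append(f"unknown credential index {index} from gateway")
            return None
        return "grant" if door in entry[1] else "deny"

    def wants_enrollment(self) -> bool:
        return self.enroll_unknown

    def enroll(self, credential: bytes) -> int:
        # Enrolled with no access rights yet; rights are assigned separately.
        return self.provision(credential, [])


class Gateway:
    def __init__(self, server: Server) -> None:
        self.server = server
        self.gcl = GatewayCredentialList()
        self.online = True   # False models a lost gateway/server connection

    def handle_credential(self, credential: bytes, door: str) -> Optional[str]:
        """Returns the server decision, or None when the door must decide locally."""
        if not self.online:
            return None
        index = self.gcl.lookup(credential)
        if index is not None:
            return self.server.authenticate_index(index, door)   # only the index leaves
        if self.server.wants_enrollment():
            # Enrollment mode: only now is the credential data itself sent to the server.
            self.gcl.add(credential, self.server.enroll(credential))
        return None


class AccessControlDevice:
    def __init__(self, door_id: str, gateway: Gateway, local_db: set[bytes]) -> None:
        self.door_id = door_id
        self.gateway = gateway
        self.local_db = local_db   # credentials in the door file

    def present(self, credential: bytes) -> tuple[str, str]:
        decision = self.gateway.handle_credential(credential, self.door_id)
        if decision is not None:
            return decision, "server"
        # No decision within the predefined period: "decision at door".
        return ("grant" if credential in self.local_db else "deny"), "door"


def demo() -> dict:
    server = Server(enroll_unknown=True)
    gateway = Gateway(server)
    known, new, stale = b"cred-known", b"cred-new", b"cred-stale"  # constructed
    gateway.gcl.add(known, server.provision(known, ["door-1"]))
    door = AccessControlDevice("door-1", gateway, local_db={known})
    results = {
        "known": door.present(known),          # index sent, server grants
        "new_first": door.present(new),        # unknown: enrolled, door decides
        "new_second": door.present(new),       # now indexed, server denies (no rights)
    }
    gateway.gcl.add(stale, 99)                  # index the server has never seen
    results["stale"] = door.present(stale)     # server error handling, door decides
    gateway.online = False
    results["offline"] = door.present(known)   # outage: door decides from local db
    results["errors"] = list(server.errors)
    return results


if __name__ == "__main__":
    print(demo())
```

The offline and stale cases show why the door file must stay current: whenever the server cannot answer, the local database is the one actually enforcing access.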
- a method may include receiving, by a gateway device and from an access control device, credential data received by the access control device from a mobile device in response to presentation of the mobile device to the access control device, comparing, by the gateway device, the credential data to a gateway credential list stored in a memory of the gateway device, wherein the gateway credential list identifies a plurality of credentials associated with the gateway device, and wherein each credential of the plurality of credentials is associated with a unique credential index, transmitting, by the gateway device and to a server, the unique credential index associated with the credential data in response to determining that the credential data matches a corresponding credential in the gateway credential list, and receiving, by the gateway device and from the server, an access control decision associated with the credential data in response to transmitting the unique credential index.
- the gateway credential list may include the plurality of credentials and a corresponding set of strictly increasing unique credential indexes.
- the method may further include transmitting, by the gateway device, a message to the server indicating that the credential data does not match any credential identified in the gateway credential list.
- the method may further include enrolling, by the server, the credential data as an authorized credential of the mobile device in response to receiving the message from the gateway device.
- the method may further include authenticating, by the access control device, the credential data based on a local access control database stored in a memory of the access control device in response to a determination that the access control device has not received the access control decision from the server within a predefined period of time since transmittal of the credential data to the gateway device.
- the method may further include receiving, by the access control device, the access control decision from the gateway device, and executing, by the access control device, the access control decision to unlock a lock mechanism associated with the access control device.
- receiving the access control decision may include receiving the access control decision over a Bluetooth communication connection between the gateway device and the access control device.
- transmitting the unique credential index to the server may include transmitting the unique credential index to the server via a Web Socket communication connection between the gateway device and the server.
- the memory of the gateway device may have a greater amount of data storage than a memory of the access control device.
- a system may include a server, an access control device configured to receive credential data from a mobile device presented to the access control device, and a gateway device communicatively coupled to the server and to the access control device, wherein the gateway device includes a memory having a gateway credential list stored thereon that identifies a plurality of credentials associated with the gateway device, each credential of the plurality of credentials being associated with a unique credential index, and wherein the gateway device is configured to receive the credential data from the access control device, compare the credential data to the gateway credential list, transmit the unique credential index associated with the credential data to the server in response to a determination that the credential data matches a corresponding credential in the gateway credential list, and receive an access control decision associated with the credential data from the server in response to transmittal of the unique credential index.
- the gateway credential list may include the plurality of credentials and a corresponding set of strictly increasing unique credential indexes.
- the gateway device may be further configured to transmit a message to the server indicating that the credential data does not match any credential identified in the gateway credential list, and the server may be configured to enroll the credential data as an authorized credential of the mobile device in response to receipt of the message from the gateway device.
- the access control device may include a local access control database and may be further configured to authenticate the credential data based on the local access control database in response to a determination that the access control device has not received the access control decision from the server within a predefined period of time since transmittal of the credential data to the gateway device.
- the access control device may be further configured to receive the access control decision from the gateway device and execute the access control decision to unlock a lock mechanism associated with the access control device.
- transmittal of the unique credential index to the server may include transmittal of the unique credential index to the server via a Web Socket communication connection between the gateway device and the server.
- a gateway device may include a processor and a memory comprising a gateway credential list and a plurality of instructions stored thereon, wherein the gateway credential list identifies a plurality of credentials associated with the gateway device, wherein each credential of the plurality of credentials is associated with a unique credential index, and wherein execution of the plurality of instructions by the processor causes the gateway device to receive, from an access control device, credential data received by the access control device from a mobile device in response to presentation of the mobile device to the access control device, compare the credential data to the gateway credential list, transmit, to a server, the unique credential index associated with the credential data in response to determining that the credential data matches a corresponding credential in the gateway credential list, and receive, from the server, an access control decision associated with the credential data in response to transmitting the unique credential index.
- the gateway credential list may include the plurality of credentials and a corresponding set of strictly increasing unique credential indexes.
- the plurality of instructions may further cause the gateway device to transmit a message to the server indicating that the credential data does not match any credential identified in the gateway credential list.
- receipt of the access control decision may involve receipt of the access control decision over a Bluetooth communication connection between the gateway device and the access control device.
- transmittal of the unique credential index to the server may include transmittal of the unique credential index to the server via a Web Socket communication connection between the gateway device and the server.
Abstract
A method according to one embodiment includes receiving, by a gateway device and from an access control device, credential data received by the access control device from a mobile device in response to presentation of the mobile device to the access control device, comparing the credential data to a gateway credential list stored in a memory of the gateway device, the gateway credential list identifying a plurality of credentials associated with the gateway device, and each credential of the plurality of credentials associated with a unique credential index, transmitting, to a server, the unique credential index associated with the credential data in response to determining that the credential data matches a corresponding credential in the gateway credential list, and receiving, from the server, an access control decision associated with the credential data in response to transmitting the unique credential index.
Description
- Access control systems typically involve the use of credentials to manage the operation of an access control device (e.g., a lock device). Such credentials may be assigned to a particular user or device and are often physical in nature, forming at least a portion of, for example, a smartcard, proximity card, key fob, token device, or mobile device. Thus, current credential systems generally require an interaction between the credential and a reader device (e.g., on or secured to the access control device) such that the reader device may read the credential and determine whether access should be granted.
- Access control permissions and other access control data are updated for various users/credentials over time and, therefore, those updates are often transmitted to access control devices that make access control decisions locally based on user-presented credentials. Depending on the particular access control ecosystem, the number of users and credentials can be staggering. As such, the limited data storage available on many access control devices, for example, introduces technical difficulties in ensuring that those access control devices maintain complete and accurate access control data.
- One embodiment is directed to a unique system, components, and methods for access control communications. Other embodiments are directed to apparatus, systems, devices, hardware, methods, and combinations thereof for access control communications. This summary is not intended to identify key or essential features of the claimed subject matter, nor is it intended to be used as an aid in limiting the scope of the claimed subject matter. Further embodiments, forms, features, and aspects of the present application shall become apparent from the description and figures provided herewith.
- The concepts described herein are illustrative by way of example and not by way of limitation in the accompanying figures. For simplicity and clarity of illustration, elements illustrated in the figures are not necessarily drawn to scale. Where considered appropriate, reference labels have been repeated among the figures to indicate corresponding or analogous elements.
- FIG. 1 is a simplified block diagram of an access control system;
- FIG. 2 is a simplified block diagram of at least one embodiment of a computing system;
- FIG. 3 is a simplified flow diagram of at least one embodiment of a method of communicating access control information by leveraging serial communication between a gateway device and a server;
- FIG. 4 is a simplified flow diagram of at least one embodiment of a method of communicating access control information by configuring the gateway device to act as a web server to a server;
- FIG. 5 is a simplified flow diagram of at least one embodiment of a method of communicating access control information by configuring the gateway device to act as a client to a server;
- FIG. 6 is a simplified flow diagram of at least one other embodiment of a method of communicating access control information by configuring the gateway device to act as a client to a server; and
- FIG. 7 is a simplified flow diagram of at least one embodiment of a method of making access control decisions.
- Although the concepts of the present disclosure are susceptible to various modifications and alternative forms, specific embodiments have been shown by way of example in the drawings and will be described herein in detail. It should be understood, however, that there is no intent to limit the concepts of the present disclosure to the particular forms disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives consistent with the present disclosure and the appended claims.
- References in the specification to “one embodiment,” “an embodiment,” “an illustrative embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may or may not necessarily include that particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. It should further be appreciated that although reference to a “preferred” component or feature may indicate the desirability of a particular component or feature with respect to an embodiment, the disclosure is not so limiting with respect to other embodiments, which may omit such a component or feature. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to implement such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described. Additionally, it should be appreciated that items included in a list in the form of “at least one of A, B, and C” can mean (A); (B); (C); (A and B); (B and C); (A and C); or (A, B, and C). Similarly, items listed in the form of “at least one of A, B, or C” can mean (A); (B); (C); (A and B); (B and C); (A and C); or (A, B, and C). Further, with respect to the claims, the use of words and phrases such as “a,” “an,” “at least one,” and/or “at least one portion” should not be interpreted so as to be limiting to only one such element unless specifically stated to the contrary, and the use of phrases such as “at least a portion” and/or “a portion” should be interpreted as encompassing both embodiments including only a portion of such element and embodiments including the entirety of such element unless specifically stated to the contrary.
- The disclosed embodiments may, in some cases, be implemented in hardware, firmware, software, or a combination thereof. The disclosed embodiments may also be implemented as instructions carried by or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors. A machine-readable storage medium may be embodied as any storage device, mechanism, or other physical structure for storing or transmitting information in a form readable by a machine (e.g., a volatile or non-volatile memory, a media disc, or other media device).
- In the drawings, some structural or method features may be shown in specific arrangements and/or orderings. However, it should be appreciated that such specific arrangements and/or orderings may not be required. Rather, in some embodiments, such features may be arranged in a different manner and/or order than shown in the illustrative figures unless indicated to the contrary. Additionally, the inclusion of a structural or method feature in a particular figure is not meant to imply that such feature is required in all embodiments and, in some embodiments, may not be included or may be combined with other features.
- Referring now to FIG. 1, in the illustrative embodiment, an access control system 100 includes one or more access control devices 102, a management system 104, and a credential device 106. Further, the management system 104 may include a management server 108, a gateway device 110, an access control panel 112, and/or a mobile device 114.
- As described in detail below, in the illustrative embodiment, the access control system 100 allows for a true real-time solution of access control that provides the IP host (e.g., the management server 108) with relevant information regarding credentials that are presented to an access control device 102. Specifically, in some embodiments, the access control system 100 may allow for a true real-time access control solution while providing the host device (e.g., the management server 108) with information regarding credentials presented to the access control device 102, and providing such data to an extent that may not be otherwise feasible due to memory constraints in various access control devices 102. For example, in some access control solutions, there is a need for the host (e.g., the management server 108) to be provided with information regarding credentials that are presented to the access control device 102 regardless of whether or not the credential information associated with those credentials is already included in a local access control database of the access control device 102 (i.e., for making access control decisions locally at the access control device 102). However, often due to limited memory capacity in the access control device 102, it may be unrealistic to store and/or provide a large amount of credential information (e.g., in a large enterprise or commercial environment) to the access control device 102; yet, such limitations are often not imposed on gateway devices 110. Accordingly, in some embodiments, the gateway device 110 includes a gateway credential list stored thereon, which may include substantially more credential information than the local access control database of the access control device 102 and/or may be leveraged to make access control decisions as described in greater detail herein.
- It should be appreciated that the access control device(s) 102, the management system 104, the credential 106, the management server 108, the gateway device 110, the access control panel 112, and/or the mobile device 114 may be embodied as any type of device or collection of devices suitable for performing the functions described herein. More specifically, in the illustrative embodiment, each of the access control devices 102 (e.g., edge devices) may be embodied as any type of device capable of controlling and/or facilitating access through a passageway (e.g., at least in part). For example, in various embodiments, the access control device 102 may be embodied as an electronic lock (e.g., a mortise lock, a cylindrical lock, or a tubular lock), an exit device (e.g., a pushbar or pushpad exit device), a door closer, an auto-operator, a motorized latch/bolt (e.g., for a sliding door), a barrier control device (e.g., battery-powered), or a peripheral controller of a passageway. Depending on the particular embodiment, the access control device 102 may include a credential reader or be electrically/communicatively coupled to a credential reader configured to communicate with credentials 106. In some embodiments, the access control device 102 may have a local access control database stored thereon for locally performing access control decisions associated with user access. Accordingly, in such embodiments, the access control database may store credential data, biometric data, historical information, PINs, passcodes, and/or other relevant authentication data associated with users. In some embodiments, such data or a portion thereof may additionally or alternatively be stored in a centralized access control database (e.g., hosted by and/or accessible to the management server 108).
- In some embodiments, one or more of the credentials 106 may be embodied as a passive credential device having a credential identifier or value (e.g., a unique ID) stored therein and that is “passive” in the sense that the credential device is configured to be powered by radio frequency (RF) signals received from a credential reader. In other words, such passive credentials do not have an independent power source but, instead, rely on power that is induced from RF signals transmitted from other devices in the vicinity of the credential. In particular, in some embodiments, one or more of the passive credentials may be embodied as a proximity card, which is configured to communicate over a low frequency carrier of nominally 125 kHz, and/or a smartcard, which is configured to communicate over a high frequency carrier of nominally 13.56 MHz. However, it should be appreciated that, in other embodiments, each of the credentials 106 may be embodied as any type of passive or active credential device capable of performing the functions described herein. For example, in some embodiments, one or more of the credentials 106 may be embodied as a virtual credential stored on the mobile device 114 and/or other computing device of a particular user.
- As described herein, the management system 104 may be configured to manage credentials of the access control system 100. For example, depending on the particular embodiment, the management system 104 may be responsible for ensuring that the access control devices 102 have updated local access control databases, authorized credentials, whitelists, blacklists, device parameters, and/or other suitable data. Additionally, in some embodiments, the management system 104 may receive security data, audit data, raw sensor data, and/or other suitable data from the access control devices 102 for management of the access control system 100. In some embodiments, one or more of the devices of the management system 104 may be embodied as an online server or a cloud-based server. Further, in some embodiments, the management system 104 may communicate with multiple access control devices 102 at a single site (e.g., a particular building) and/or across multiple sites. That is, in such embodiments, the management system 104 may be configured to receive data from access control devices 102 distributed across a single building, multiple buildings on a single campus, or across multiple locations.
- It should be appreciated that the management system 104 may include one or more devices depending on the particular embodiment of the access control system 100. For example, as shown in FIG. 1, the management system 104 may include a management server 108, a gateway device 110, an access control panel 112, and/or a mobile device 114 depending on the particular embodiment. The functions of the management system 104 described herein may be performed by one or more of those devices in various embodiments. For example, in some embodiments, the management server 108 may perform all of the functions of the management system 104 described herein. Further, in some embodiments, the gateway device 110 may be communicatively coupled to the access control devices 102 such that the other devices of the management system 104 (e.g., the management server 108, the access control panel 112, and/or the mobile device 114) may communicate with the access control devices 102 via the gateway device 110.
- In some embodiments, the access control devices 102 may communicate with the management server 108 over a Wi-Fi connection and/or with the mobile device 114 over a Bluetooth connection. Additionally, the access control devices 102 may communicate with the management server 108 and/or the access control panel 112 via the gateway device 110. As such, in the illustrative embodiment, the access control device 102 may communicate with the gateway device 110 over a Wi-Fi connection and/or a Bluetooth connection, and the gateway device 110 may, in turn, forward the communicated data to the relevant management server 108 and/or access control panel 112. For example, in some embodiments, the gateway device 110 may communicate with the access control panel 112 over a serial communication link (e.g., using RS-485 standard communication), and the gateway device 110 may communicate with the management server 108 over a Wi-Fi connection, an Ethernet connection, and/or another wired/wireless communication connection. As such, it should be appreciated that each of the access control devices 102 may communicate with the management server 108 via an online mode with a persistent real-time communication connection or via an offline mode (e.g., periodically or in response to an appropriate condition) depending on the particular embodiment (e.g., depending on whether the particular access control device 102 is offline). It should be appreciated that various technologies for implementing such access control communications are described in greater detail herein. As indicated above, in other embodiments, it should be appreciated that the access control devices 102 may communicate with the devices of the management system 104 via one or more other suitable communication protocols.
- In some embodiments, the gateway device 110 may be embodied as any one or more devices that, individually or collectively, serve as an intermediary device allowing the access control devices 102 to communicate with the management server 108 and/or other remote devices via the Internet and/or a wired/wireless network. For example, in some embodiments, the gateway device 110 may be embodied as a wireless access point that is communicatively coupled to a router. In other embodiments, the gateway device 110 may form an integral component of or otherwise form a portion of the router itself.
- It should be appreciated that each of the access control devices 102, the management system 104, the management server 108, the gateway device 110, the access control panel 112, and/or the mobile device 114 may be embodied as one or more computing devices similar to the computing device 200 described below in reference to FIG. 2. For example, one or more of the access control devices 102, the management system 104, the management server 108, the gateway device 110, the access control panel 112, and the mobile device 114 may include a processing device 202 and a memory 206 having stored thereon operating logic 208 for execution by the processing device 202 for operation of the corresponding device.
- It should be further appreciated that, although the management system 104 and the management server 108 are described herein as one or more computing devices outside of a cloud computing environment, in other embodiments, the system 104 and/or server 108 may be embodied as a cloud-based device or collection of devices. Further, in cloud-based embodiments, the system 104 and/or server 108 may be embodied as a “serverless” or server-ambiguous computing solution, for example, that executes a plurality of instructions on-demand, contains logic to execute instructions only when prompted by a particular activity/trigger, and does not consume computing resources when not in use. That is, the system 104 and/or server 108 may be embodied as a virtual computing environment residing “on” a computing system (e.g., a distributed network of devices) in which various virtual functions (e.g., Lambda functions, Azure functions, Google cloud functions, and/or other suitable virtual functions) may be executed corresponding with the functions of the system 104 and/or server 108 described herein. For example, when an event occurs (e.g., data is transferred to the system 104 and/or server 108 for handling), the virtual computing environment may be communicated with (e.g., via a request to an API of the virtual computing environment), whereby the API may route the request to the correct virtual function (e.g., a particular server-ambiguous computing resource) based on a set of rules. As such, when a request for the transmission of updated access control data is made by a user (e.g., via an appropriate user interface to the system 104 or server 108), the appropriate virtual function(s) may be executed to perform the actions before eliminating the instance of the virtual function(s).
- Although only one management system 104, one credential 106, one management server 108, one gateway device 110, one access control panel 112, and one mobile device 114 are shown in the illustrative embodiment of FIG. 1, the system 100 may include multiple management systems 104, credentials 106, management servers 108, gateway devices 110, access control panels 112, and/or mobile devices 114 in other embodiments. For example, as indicated above, the server 108 may be embodied as multiple servers in a cloud computing environment in some embodiments. Further, each user may be associated with one or more separate credentials 106 in some embodiments.
- Referring now to FIG. 2, a simplified block diagram of at least one embodiment of a computing device 200 is shown. The illustrative computing device 200 depicts at least one embodiment of an access control device 102, management system 104, credential 106 (e.g., an active credential), management server 108, gateway device 110, access control panel 112, and/or mobile device 114 illustrated in FIG. 1. Depending on the particular embodiment, the computing device 200 may be embodied as an access control device, reader device, server, desktop computer, laptop computer, tablet computer, notebook, netbook, Ultrabook™, mobile computing device, cellular phone, smartphone, wearable computing device, personal digital assistant, Internet of Things (IoT) device, control panel, processing system, router, gateway, and/or any other computing, processing, and/or communication device capable of performing the functions described herein.
- The computing device 200 includes a processing device 202 that executes algorithms and/or processes data in accordance with operating logic 208, an input/output device 204 that enables communication between the computing device 200 and one or more external devices 210, and memory 206 which stores, for example, data received from the external device 210 via the input/output device 204.
- The input/output device 204 allows the computing device 200 to communicate with the external device 210. For example, the input/output device 204 may include a transceiver, a network adapter, a network card, an interface, one or more communication ports (e.g., a USB port, serial port, parallel port, an analog port, a digital port, VGA, DVI, HDMI, FireWire, CAT 5, or any other type of communication port or interface), and/or other communication circuitry. Communication circuitry of the computing device 200 may be configured to use any one or more communication technologies (e.g., wireless or wired communications) and associated protocols (e.g., Ethernet, Bluetooth (including Bluetooth Low Energy (BLE)), Wi-Fi, Near Field Communication (NFC), WiMAX, ZigBee, Z-wave, IEEE 802.15, etc.) to effect such communication depending on the particular computing device 200. The input/output device 204 may include hardware, software, and/or firmware suitable for performing the techniques described herein.
- The external device 210 may be any type of device that allows data to be inputted or outputted from the computing device 200. For example, in various embodiments, the external device 210 may be embodied as the access control device 102, the management system 104, the credential 106, the management server 108, the gateway device 110, the access control panel 112, and/or the mobile device 114. Further, in some embodiments, the external device 210 may be embodied as another computing device, switch, diagnostic tool, controller, printer, display, alarm, peripheral device (e.g., keyboard, mouse, touch screen display, etc.), and/or any other computing, processing, and/or communication device capable of performing the functions described herein. Furthermore, in some embodiments, it should be appreciated that the external device 210 may be integrated into the computing device 200.
- The processing device 202 may be embodied as any type of processor(s) capable of performing the functions described herein. In particular, the processing device 202 may be embodied as one or more single or multi-core processors, microcontrollers, or other processor or processing/controlling circuits. For example, in some embodiments, the processing device 202 may include or be embodied as an arithmetic logic unit (ALU), central processing unit (CPU), digital signal processor (DSP), and/or another suitable processor(s). The processing device 202 may be a programmable type, a dedicated hardwired state machine, or a combination thereof. Processing devices 202 with multiple processing units may utilize distributed, pipelined, and/or parallel processing in various embodiments. Further, the processing device 202 may be dedicated to performance of just the operations described herein, or may be utilized in one or more additional applications. In the illustrative embodiment, the processing device 202 is programmable and executes algorithms and/or processes data in accordance with operating logic 208 as defined by programming instructions (such as software or firmware) stored in memory 206. Additionally or alternatively, the operating logic 208 for processing device 202 may be at least partially defined by hardwired logic or other hardware. Further, the processing device 202 may include one or more components of any type suitable to process the signals received from input/output device 204 or from other components or devices and to provide desired output signals. Such components may include digital circuitry, analog circuitry, or a combination thereof.
- The memory 206 may be of one or more types of non-transitory computer-readable media, such as a solid-state memory, electromagnetic memory, optical memory, or a combination thereof. Furthermore, the memory 206 may be volatile and/or nonvolatile and, in some embodiments, some or all of the memory 206 may be of a portable type, such as a disk, tape, memory stick, cartridge, and/or other suitable portable memory. In operation, the memory 206 may store various data and software used during operation of the computing device 200 such as operating systems, applications, programs, libraries, and drivers. It should be appreciated that the memory 206 may store data that is manipulated by the operating logic 208 of processing device 202, such as, for example, data representative of signals received from and/or sent to the input/output device 204 in addition to or in lieu of storing programming instructions defining operating logic 208. As shown in FIG. 2, the memory 206 may be included with the processing device 202 and/or coupled to the processing device 202 depending on the particular embodiment. For example, in some embodiments, the processing device 202, the memory 206, and/or other components of the computing device 200 may form a portion of a system-on-a-chip (SoC) and be incorporated on a single integrated circuit chip.
- In some embodiments, various components of the computing device 200 (e.g., the processing device 202 and the memory 206) may be communicatively coupled via an input/output subsystem, which may be embodied as circuitry and/or components to facilitate input/output operations with the processing device 202, the memory 206, and other components of the computing device 200. For example, the input/output subsystem may be embodied as, or otherwise include, memory controller hubs, input/output control hubs, firmware devices, communication links (i.e., point-to-point links, bus links, wires, cables, light guides, printed circuit board traces, etc.) and/or other components and subsystems to facilitate the input/output operations.
- The computing device 200 may include other or additional components, such as those commonly found in a typical computing device (e.g., various input/output devices and/or other components), in other embodiments. It should be further appreciated that one or more of the components of the computing device 200 described herein may be distributed across multiple computing devices. In other words, the techniques described herein may be employed by a computing system that includes one or more computing devices. Additionally, although only a single processing device 202, I/O device 204, and memory 206 are illustratively shown in FIG. 2, it should be appreciated that a particular computing device 200 may include multiple processing devices 202, I/O devices 204, and/or memories 206 in other embodiments. Further, in some embodiments, more than one external device 210 may be in communication with the computing device 200.
- As described in greater detail below, the access control system 100 may utilize one or more different modes of operation in order to transmit data among the various devices in the access control system 100 and, more specifically, between the access control device 102 and the server 108. For example, in various embodiments, the access control system 100 may utilize an “offline mode,” an “offline with Wi-Fi mode,” a “gateway as server mode,” a “gateway as client mode,” a “serial communication mode,” or a “modified gateway as client mode.” Additionally, in some embodiments, the access control system 100 may leverage “no tour” functionality to transmit data to offline access control devices 102, whereby access control data updates (e.g., access permissions, database updates, configurations, etc.) are transmitted to the offline access control devices 102 via the mobile device 114 and/or credential 106. It should be appreciated that the terms “offline mode,” “offline with Wi-Fi mode,” “gateway as server mode,” “gateway as client mode,” “serial communication mode,” “modified gateway as client mode,” and “no tour” are used herein for reference purposes only and are not intended to be limiting.
- In some embodiments, the access control system 100 may utilize an “offline mode” in which the access control device 102 functions as a standalone device with “decision at door” capabilities such that the access control device 102 authenticates credential data and/or makes access control decisions locally at the access control device 102 (e.g., based on a local access control database or door file). Accordingly, the system 100 may rely on the access rights for authorized credentials and/or device configurations having been pre-loaded onto the local access control database and/or other memory of the access control device 102. For example, in some embodiments, the access control data may be transmitted to the local access control database of the access control device 102 via the mobile device 114 (e.g., using a mobile application and a wireless communication protocol such as BLE) or using the no tour techniques described herein. Similarly, in some embodiments, the access control device 102 can transmit audits, device configurations, status indications, and/or other relevant data to the server 108 via the mobile device 114 and/or using no tour techniques having feedback mechanisms. It should be appreciated that the “offline mode” involves a user physically visiting the access control device 102 in order to perform the data transfers described above.
- In some embodiments, the access control system 100 may utilize an “offline with Wi-Fi mode” in which the access control device 102 generally functions similarly to the “offline mode.” However, in the “offline with Wi-Fi mode,” the access control device 102 includes Wi-Fi and/or other wireless communication circuitry capable of communicating with the server 108 (e.g., via a router) to communicate access control data therebetween. Depending on the particular embodiment, the access control device 102 may establish the Wi-Fi connection with the server 108 in order to transmit and receive relevant access control data periodically, asynchronously, according to a predetermined or dynamic schedule, and/or in response to some condition while also maintaining the “decision at door” functionality of the “offline mode” described above. For example, in some embodiments, the access control device 102 may establish a Wi-Fi connection and communicate with the server 108 one or more times daily (e.g., at times of historically low use of the access control device 102). Additionally or alternatively, in some embodiments, the access control device 102 may establish the Wi-Fi connection to communicate with the server 108 in response to one or more predefined (or dynamically determined) asynchronous events including, for example, a forced door alert, tamper alert, low battery notification, critical battery notification, magnetic tamper alert, corrupt file notification (e.g., access control database or door file), reader tamper alert, and/or other events.
- In some embodiments, the access control system 100 may utilize a “serial communication mode” in which the access control system 100 has “decision at host” capabilities such that the server 108 or the access control panel 112 authenticates credential data and/or makes access control decisions remotely relative to the access control device 102 (e.g., based on a centralized access control database of the management system 104). For example, in some embodiments, the access control panel 112 may be communicatively coupled to the gateway device 110 via a serial communication link and corresponding communication protocol (e.g., RS-485 communication protocol), and the gateway device 110 may wirelessly communicate (e.g., via Bluetooth) with the access control device 102. In particular, in some embodiments, the gateway device 110 may be configured to “consume” and reply to relevant messages at the next available poll response (e.g., under the RS-485 communication protocol). Accordingly, the access control device 102 may transmit credential data associated with a presented credential to the gateway device 110, and the gateway device 110 may transmit the encrypted credential data to the access control panel 112 (and/or server 108) at the next available poll response. Further, the access control panel 112 (and/or server 108) may authenticate the credential data and make an access control decision (e.g., grant/deny access), which may be transmitted to the gateway device 110 for subsequent transmittal to the access control device 102 (e.g., in the form of an “unlock” command). In some embodiments, status changes of the access control device 102 may be automatically transmitted to the gateway device 110, which may be forwarded to the access control panel 112 (and/or server 108) at the next available poll response.
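The poll/response exchange of the “serial communication mode” just described, with both the panel's and the gateway's messages, is worked through below as an added example; it is not code from the patent or its assignee. The frame layout (type byte, length byte, payload, XOR check byte), the one-queued-item-per-poll rule, the panel's whitelist, and the direct method calls standing in for the RS-485 and Bluetooth links are assumptions: RS-485 itself only carries bytes, and the patent gives no frame format. The credential payload is treated as an opaque token; the encryption the patent mentions for it is outside this example.

```python
"""Serial communication mode ("decision at host") as a poll/response exchange.

Added example, not the patent's code. The panel is the bus master and polls the
gateway; the gateway queues what the lock sends it (credential data, status
changes) and answers each poll with at most one queued item; the panel
authenticates the credential, decides, and the gateway relays "unlock" or a
denial toward the lock. Frame layout and policy are assumptions.
"""
from collections import deque
from typing import Deque, List, Tuple

# Frame types (assumed for this example).
POLL, EMPTY, CREDENTIAL, STATUS, UNLOCK, DENY, ACK = range(7)


def encode(ftype: int, payload: bytes = b"") -> bytes:
    """type | length | payload | XOR of the preceding bytes.

    The check byte only catches line noise; it is not an integrity or
    authentication mechanism and must not be mistaken for one.
    """
    if len(payload) > 255:
        raise ValueError("payload too long for one frame")
    body = bytes([ftype, len(payload)]) + payload
    check = 0
    for b in body:
        check ^= b
    return body + bytes([check])


def decode(frame: bytes) -> Tuple[int, bytes]:
    if len(frame) < 3:
        raise ValueError("short frame")
    body, check = frame[:-1], frame[-1]
    expected = 0
    for b in body:
        expected ^= b
    if expected != check:
        raise ValueError("check byte mismatch")
    ftype, length, payload = body[0], body[1], body[2:]
    if len(payload) != length:
        raise ValueError("length mismatch")
    return ftype, payload


class Gateway:
    """Holds lock events until the panel's next poll; relays panel commands to the lock."""

    def __init__(self) -> None:
        self.pending: Deque[bytes] = deque()
        self.lock_commands: List[str] = []  # what went to the lock (Bluetooth in the patent)

    # Lock-side events (arrive over Bluetooth in the patent).
    def on_credential(self, credential_payload: bytes) -> None:
        self.pending.append(encode(CREDENTIAL, credential_payload))

    def on_status(self, status: bytes) -> None:
        self.pending.append(encode(STATUS, status))

    # Panel-side: one poll frame in, exactly one reply frame out.
    def on_poll(self, frame: bytes) -> bytes:
        ftype, _ = decode(frame)
        if ftype != POLL:
            raise ValueError("expected POLL")
        return self.pending.popleft() if self.pending else encode(EMPTY)

    def on_command(self, frame: bytes) -> None:
        ftype, _ = decode(frame)
        if ftype == UNLOCK:
            self.lock_commands.append("unlock")
        elif ftype == DENY:
            self.lock_commands.append("deny")
        # ACK carries nothing for the lock.


class Panel:
    """Decision-at-host side: authenticates every credential the gateway hands over."""

    def __init__(self, authorized: List[bytes]) -> None:
        self.authorized = set(authorized)
        self.audit: List[Tuple[str, bytes]] = []  # the host "sees" every presentation

    def poll_cycle(self, gw: Gateway) -> int:
        ftype, payload = decode(gw.on_poll(encode(POLL)))
        if ftype == CREDENTIAL:
            self.audit.append(("credential", payload))
            gw.on_command(encode(UNLOCK if payload in self.authorized else DENY))
        elif ftype == STATUS:
            self.audit.append(("status", payload))
            gw.on_command(encode(ACK))
        return ftype


def run_demo() -> Tuple[Gateway, Panel, List[int]]:
    """Constructed scenario: two presentations and a status change arrive between polls."""
    gw = Gateway()
    panel = Panel(authorized=[b"\x04\xa3\x71\x0c"])
    gw.on_credential(b"\x04\xa3\x71\x0c")   # authorized
    gw.on_status(b"door_forced")
    gw.on_credential(b"\x04\x55\x55\x55")   # not authorized
    replies: List[int] = []
    while True:
        ftype = panel.poll_cycle(gw)
        replies.append(ftype)
        if ftype == EMPTY:
            break
    return gw, panel, replies


if __name__ == "__main__":
    gw, panel, replies = run_demo()
    print(replies, gw.lock_commands, panel.audit)
```

Because the gateway hands over one queued item per poll, the time from presentation to the unlock command is bounded by the panel's poll interval plus however many events are already queued ahead of it; a practitioner sizing a serial-mode deployment would budget for that, and would also note that every credential value traverses the serial link, which is why the description speaks of the gateway sending it encrypted.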
It should be appreciated that, in various embodiments, the “serial communication mode” may allow the access control panel 112 (and/or server 108) to “see” all credential data presented to the access control device 102. At least one embodiment of the “serial communication mode” is described below in reference to the method 300 of FIG. 3.
- In some embodiments, the access control system 100 may utilize an IP-based solution that leverages the gateway device 110 for communication between the access control device 102 and the server 108. For example, in some embodiments, the server 108 may communicate with the gateway device 110 via IP communications (e.g., over Ethernet), and the gateway device 110 in turn may process any messages related to the gateway device 110 itself and/or forward any messages (e.g., via Bluetooth) intended for the access control device 102. It should be appreciated that such techniques permit the access control device to have “decision at door” functionality as described above; however, in such embodiments, the access control device 102 may transmit status change information, audit data, and/or other relevant information to the gateway device 110 (e.g., automatically) for subsequent delivery by the gateway device 110 to the server 108. Similarly, the server 108 may transmit access control data (e.g., access permissions, configuration data, etc.) to the gateway device 110 for subsequent delivery by the gateway device 110 to the access control device 102. As such, when a credential device is presented to the access control device 102, the access control device 102 may authenticate (e.g., making a grant/deny decision) the credential data locally based on the local access control database of the access control device 102, which may be loaded/updated based on access control data communications received from the server 108 via the gateway device 110. Specifically, in various embodiments, the access control system 100 may utilize the “gateway as server mode,” “gateway as client mode,” or “modified gateway as client mode” described below.
- As indicated above, in some embodiments, the access control system 100 may utilize a “gateway as server mode” in which the server 108 acts as a client device and the gateway device 110 acts as a server (e.g., web server) in a server/client IP communication arrangement. For example, in some embodiments, the server 108 (acting as a client device) may communicate with the gateway device 110 via a RESTful API or other suitable API hosted by the gateway device 110 (acting as the server). Audit data, status changes, and other information received by the gateway device 110 from the access control device 102 may be stored at the gateway device 110 until the server 108 (as client) has requested the updated information from the gateway device 110 (as server). Accordingly, in such embodiments, it should be appreciated that the gateway device 110 relies on receipt of a communication from the server 108 in order to transmit relevant access control data updates. At least one embodiment of the “gateway as server mode” is described below in reference to the method 400 of FIG. 4.
- In some embodiments, the access control system 100 may utilize a “gateway as client mode” as indicated above in which the server 108 acts as a server (e.g., web server) and the gateway device 110 acts as a client device in a server/client IP communication arrangement. In such embodiments, the gateway device 110 (as client) may attempt to reach the server 108 (as server) and authenticate the server 108 (e.g., to ensure a secure connection therebetween). Subsequent to establishing the secure connection, the gateway device 110 may request to open a Web Socket connection between the gateway device 110 and the server 108, which allows for full duplex communication between the gateway device 110 (as client) and the server 108 (as server). Accordingly, in some embodiments, the server 108 may make requests of the gateway device 110 by transforming RESTful API (or other suitable API) requests (e.g., as utilized in the “gateway as server mode” described above) into a WebSocket communication sub-protocol. It should be appreciated that the “gateway as client mode” allows for the gateway device 110 to be situated “behind” a firewall and still communicate with the server 108 without the additional overhead of port forwarding or network mapping, which may be required if the server 108 and the gateway device 110 are on different subnets (e.g., as in some embodiments of the “gateway as server mode”). Further, once the WebSocket connection has been established, the gateway device 110 need not wait until a request is made of it in order to provide information to the server 108. That is, in the “gateway as client mode,” the gateway device 110 may provide information to the server 108 in real time without waiting for the server 108 to request such information, which may permit the server 108 to “subscribe” to information associated with particular events and allow the gateway device 110 to notify the server 108 in real time if any such “subscribed” event occurs.
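The “gateway as server” pull and the “gateway as client” push described above, as an added Python simulation that is not the patent's code: the REST endpoints, frame fields and topic names are assumptions, an in-memory list stands in for the WebSocket, and the server authentication and secure connection that the text says precede opening the WebSocket are outside the simulation.

```python
"""In "gateway as server" mode the server pulls audit data the gateway has buffered,
through a REST API hosted on the gateway. In "gateway as client" mode the same REST
requests are wrapped in request/response frames on a full-duplex channel the gateway
opened outbound, and the gateway can push subscribed events without being asked.
Endpoints, frame fields and topic names are assumptions; a list stands in for the socket."""
import itertools
import json


class Gateway:
    def __init__(self):
        self.audits = []               # audit records from the door, held until delivered
        self.status = {"lock": "locked"}
        self.subscriptions = set()     # topics the server asked to be notified about
        self.pushed = []               # frames sent to the server without a request

    # data arriving from the access control device (e.g. over Bluetooth)
    def on_audit(self, record):
        self.audits.append(record)
        self._notify("audit", record)

    def on_status(self, status):
        self.status = status
        self._notify("status", status)

    def _notify(self, topic, data):
        if topic in self.subscriptions:          # real-time push, only when subscribed
            self.pushed.append({"type": "event", "topic": topic, "data": data})

    # "gateway as server": REST API hosted on the gateway, polled by the server
    def handle_rest(self, method, path, body=None):
        if (method, path) == ("GET", "/audits"):
            pending, self.audits = self.audits, []   # delivered once, then discarded
            return 200, pending
        if (method, path) == ("GET", "/status"):
            return 200, self.status
        if (method, path) == ("POST", "/subscriptions"):
            self.subscriptions.update((body or {}).get("topics", []))
            return 201, sorted(self.subscriptions)
        return 404, {"error": "unknown endpoint"}

    # "gateway as client": the same API carried as request/response frames
    def handle_frame(self, frame):
        msg = json.loads(frame)
        if msg.get("type") != "request" or "id" not in msg:
            return json.dumps({"type": "response", "id": msg.get("id"),
                               "status": 400, "body": {"error": "malformed request frame"}})
        status, body = self.handle_rest(msg["method"], msg["path"], msg.get("body"))
        return json.dumps({"type": "response", "id": msg["id"], "status": status, "body": body})


class Server:
    """Transforms REST calls into request frames and matches responses by correlation id."""

    def __init__(self):
        self._ids = itertools.count(1)

    def call(self, gateway, method, path, body=None):
        request_id = next(self._ids)
        frame = json.dumps({"type": "request", "id": request_id,
                            "method": method, "path": path, "body": body})
        reply = json.loads(gateway.handle_frame(frame))
        if reply.get("id") != request_id:        # a full-duplex channel interleaves traffic
            raise RuntimeError("response does not match outstanding request")
        return reply["status"], reply["body"]

    def take_events(self, gateway):
        events, gateway.pushed = gateway.pushed, []
        return events


def gateway_as_server_demo():
    """Server polls; audits wait on the gateway between requests (constructed sample data)."""
    gw = Gateway()
    gw.on_audit({"credential": "CRED-1", "decision": "grant"})
    gw.on_audit({"credential": "CRED-2", "decision": "deny"})
    first = gw.handle_rest("GET", "/audits")
    second = gw.handle_rest("GET", "/audits")
    return first, second


def gateway_as_client_demo():
    """Server subscribes over the channel; the gateway pushes the next audit itself."""
    gw, srv = Gateway(), Server()
    srv.call(gw, "POST", "/subscriptions", {"topics": ["audit"]})
    before = srv.take_events(gw)
    gw.on_audit({"credential": "CRED-3", "decision": "grant"})
    gw.on_status({"lock": "unlocked"})          # not subscribed, so not pushed
    pushed = srv.take_events(gw)
    status = srv.call(gw, "GET", "/status")
    return before, pushed, status
```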
At least one embodiment of the “gateway as client mode” is described below in reference to the method 500 of FIG. 5.
- In some embodiments, the access control system 100 may utilize a “modified gateway as client mode” as indicated above, which may allow for a true real-time solution of access control that provides the IP host (e.g., the server 108) with relevant information of credentials that are presented to the access control device 102. In particular, in some embodiments, the “modified gateway as client mode” addresses a technical need in some access control systems for the server 108 to be provided with information regarding credentials that are presented to the access control device 102 regardless of whether or not the credential data associated with that particular credential 106 is already included in the local access control database (or door file) of the access control device 102 for “decision at door” operation. More specifically, although it may be unrealistic or impossible (e.g., in very large enterprise environments) to provide a very large amount of credential data to the access control device 102 for notification purposes due to memory constraints of the access control device 102, the memory constraints of the gateway device 110 are often less limiting. As such, in some embodiments, the gateway device 110 may store therein a gateway credential list (GCL) with a significant amount of credential data (e.g., more data than capable of being stored in the memory of the access control device 102). In particular, in some embodiments, the gateway credential list may include/identify a set of credentials (e.g., as credential data, encrypted credential data, or otherwise) and a unique credential index associated with each such credential identified in the list. For example, in some embodiments, the credential indexes may be generated as strictly increasing (or strictly decreasing) indexes.
In other embodiments, it should be appreciated that the unique credential indexes may be generated randomly, pseudo-randomly, cryptographically uniquely, and/or otherwise generated in a manner that ensures that no (or minimal) collisions occur. Although the gateway credential list is described herein as a list, it should be appreciated that the gateway credential list may be formatted according to any suitable data structure.
- In some embodiments, when the credential is presented to the access control device 102, the access control device 102 transmits the credential data to the gateway device 110 (e.g., in encrypted or unencrypted form depending on the particular embodiment). If the credential (e.g., in the form of credential data) already exists in the gateway credential list of the gateway device 110, the gateway device 110 may transmit the respective credential index associated with that credential to the server 108 (e.g., via a Web Socket connection). However, if the credential is not included in the gateway credential list, the gateway device 110 may notify the server 108 (e.g., via the Web Socket connection) that a credential has been presented to the access control device 102 that does not exist in the gateway credential list. As such, in some embodiments, the server 108 may request (e.g., via the Web Socket connection) that the gateway device 110 enter an enrollment mode in which the credential data (e.g., in encrypted or unencrypted form) is transmitted to the server 108. In some embodiments, if the server 108 does not provide the access control device 102 with an access control command (e.g., allow/deny access) within a predefined period of time after presentation of the credential, the access control device 102 may resort to “decision at door” functionality in which the access control device 102 may locally make the access control decision based on the current data in the local access control database of the access control device 102. At least one embodiment of the “modified gateway as client mode” is described below in reference to the method 600 of FIG. 6 and the method 700 of FIG. 7.
- Referring now to FIG. 3, in use, the access control system 100 may execute a method 300 for communicating access control information by leveraging serial communication between the gateway device 110 and the server 108. It should be appreciated that the particular flows of the method 300 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary. As described above, in some embodiments, the method 300 may be executed in conjunction with one or more of the features described above in reference to the “serial communication mode” of the access control system 100.
- The illustrative method 300 begins with flow 302 in which the server 108 transmits a poll request to the gateway device 110. In flow 304, the gateway device 110 evaluates the poll request and transmits a poll response. For example, the gateway device 110 may determine that no changes have occurred at the access control device 102 and transmit a poll response accordingly. At some time (e.g., a later time), a credential 106 may be presented to the access control device 102. In flow 306, the access control device 102 transmits credential information/data associated with the credential 106 to the gateway device 110 (e.g., read from and/or received from the credential 106). In flow 308, at an appropriate time (e.g., periodically or asynchronously), the server 108 transmits another poll request to the gateway device 110. In flow 310, the gateway device 110 again evaluates the poll request and transmits a poll response. For example, in the illustrative embodiment, the gateway device 110 may transmit the credential information received from the access control device 102 since the last poll request/response interaction.
- In flow 312, the server 108 authenticates the credential information, for example, to determine access permissions associated with the credential and makes an access control decision/command (e.g., grant/deny access). In flow 314, the server 108 transmits the access control decision to the gateway device 110, which in turn transmits the access control decision to the access control device 102 in flow 316. In flow 318, the access control device 102 executes the access control decision. For example, in some embodiments, the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway.
- In flow 320, the access control device 102 may transmit a status of the access control device 102 to the gateway device 110. For example, in some embodiments, the status may indicate the lock status (locked/unlocked) and/or other conditions of the access control device 102. In flow 322, at an appropriate time (e.g., periodically or asynchronously), the server 108 transmits another poll request to the gateway device 110. In flow 324, the gateway device 110 again evaluates the poll request and transmits a poll response. For example, in the illustrative embodiment, the gateway device 110 may transmit the status information received from the access control device 102 since the last poll request/response interaction.
- Although the flows 302-324 are described in a relatively serial manner, it should be appreciated that various flows of the method 300 may be performed in parallel in some embodiments.
- Referring now to
FIG. 4, in use, the access control system 100 may execute a method 400 for communicating access control information by configuring the gateway device 110 to act as a web server to the server 108. It should be appreciated that the particular flows of the method 400 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary. As described above, in some embodiments, the method 400 may be executed in conjunction with one or more of the features described above in reference to the “gateway as server mode” of the access control system 100.
- The illustrative method 400 begins with flow 402 in which the server 108 transmits an audit request to the gateway device 110. In flow 404, the gateway device 110 evaluates the audit request and transmits an audit response. For example, the gateway device 110 may determine that no audits have been received from the access control device 102 and transmit an audit response accordingly. At some time (e.g., a later time), in flow 406, a credential 106 may be presented to the access control device 102. In flow 408, the access control device 102 authenticates the credential information based on a local access control database of the access control device 102, for example, to determine access permissions associated with the credential and makes an access control decision/command (e.g., grant/deny access). In flow 410, the access control device 102 executes the access control decision. For example, in some embodiments, the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway.
- In flow 412, the access control device 102 transmits audit information/data associated with the credential 106 to the gateway device 110 (e.g., a user identifier, credential identifier, information associated with the access control decision, and/or other access control data). In flow 414, at an appropriate time (e.g., periodically or asynchronously), the server 108 transmits another audit request to the gateway device 110. In flow 416, the gateway device 110 again evaluates the audit request and transmits an audit response. For example, in the illustrative embodiment, the gateway device 110 may transmit the audit information received from the access control device 102 since the last audit request/response interaction.
- Although the flows 402-416 are described in a relatively serial manner, it should be appreciated that various flows of the method 400 may be performed in parallel in some embodiments.
- Referring now to FIG. 5, in use, the access control system 100 may execute a method 500 for communicating access control information by configuring the gateway device 110 to act as a client to the server 108. It should be appreciated that the particular flows of the method 500 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary. As described above, in some embodiments, the method 500 may be executed in conjunction with one or more of the features described above in reference to the “gateway as client mode” of the access control system 100.
- The illustrative method 500 begins with flow 502 in which a credential 106 may be presented to the access control device 102. In flow 504, the access control device 102 authenticates the credential information based on a local access control database of the access control device 102, for example, to determine access permissions associated with the credential and makes an access control decision/command (e.g., grant/deny access). In flow 506, the access control device 102 executes the access control decision. For example, in some embodiments, the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway.
- In flow 508, the access control device 102 transmits audit information/data associated with the credential 106 to the gateway device 110 (e.g., a user identifier, credential identifier, information associated with the access control decision, and/or other access control data), and the gateway device 110 in turn transmits/forwards the audit information/data to the server 108 in flow 510. In flow 512, the access control device 102 may transmit a status of the access control device 102 to the gateway device 110, and the gateway device 110 in turn may transmit/forward the status to the server 108 in flow 514. For example, in some embodiments, the status may indicate the lock status (locked/unlocked) and/or other conditions of the access control device 102.
- Although the flows 502-514 are described in a relatively serial manner, it should be appreciated that various flows of the method 500 may be performed in parallel in some embodiments.
- Referring now to
FIG. 6, in use, the access control system 100 may execute a method 600 for communicating access control information by configuring the gateway device 110 to act as a client to the server 108. It should be appreciated that the particular flows of the method 600 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary. As described above, in some embodiments, the method 600 may be executed in conjunction with one or more of the features described above in reference to the “modified gateway as client mode” of the access control system 100.
- The illustrative method 600 begins with flow 602 in which a credential 106 may be presented to the access control device 102. In flow 604, the access control device 102 transmits credential information/data associated with the credential 106 to the gateway device 110 (e.g., read from and/or received from the credential 106), and the gateway device 110 in turn transmits credential information/data (e.g., the same data or a credential index) to the server 108 in flow 606. In flow 608, the server 108 authenticates the credential information, for example, to determine access permissions associated with the credential and makes an access control decision/command (e.g., grant/deny access). In flow 610, the server 108 transmits the access control decision to the gateway device 110, which in turn transmits the access control decision to the access control device 102 in flow 612. In flow 614, the access control device 102 executes the access control decision. For example, in some embodiments, the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway.
- In flow 616, the access control device 102 may transmit a status of the access control device 102 to the gateway device 110, which the gateway device 110 in turn may transmit/forward to the server 108 in flow 618. For example, in some embodiments, the status may indicate the lock status (locked/unlocked) and/or other conditions of the access control device 102.
- Returning to flows 602-612, it should be appreciated that the access control device 102 may be unable to establish a connection with the gateway device 110, the gateway device 110 may be unable to establish a connection with the server 108, and/or the access control device 102 may not receive an access control decision from the server 108 (e.g., within a predefined period of time). After the predefined period of time has lapsed (e.g., subsequent to presentation of the credential to the access control device 102), as described above, the access control device 102 may authenticate the credential 106 and make the access control decision locally at the access control device 102 based on the current data of the local access control database in some embodiments. Upon successful reconnection, the access control device 102 may transmit the appropriate audit data to the gateway device 110 for transmittal to the server 108.
- Although the flows 602-618 are described in a relatively serial manner, it should be appreciated that various flows of the method 600 may be performed in parallel in some embodiments.
- Referring now to
FIG. 7, in use, the access control system 100 may execute a method 700 for making access control decisions. It should be appreciated that the particular flows of the method 700 are illustrated by way of example, and such flows may be combined or divided, added or removed, and/or reordered in whole or in part depending on the particular embodiment, unless stated to the contrary. In some embodiments, it should be appreciated that the method 700 may be executed in conjunction with one or more of the features described above in reference to the “modified gateway as client mode” of the access control system 100.
- The illustrative method 700 begins with block 702 in which a credential 106 may be presented to the access control device 102. In block 704, the access control device 102 transmits credential information/data associated with the credential 106 to the gateway device 110 (e.g., read from and/or received from the credential 106). In block 706, the gateway device 110 compares the credential information/data to a gateway credential list of the gateway device 110. For example, as indicated above, the gateway credential list may include/identify a set of credentials (e.g., as credential data, encrypted credential data, or otherwise) and a unique credential index associated with each such credential identified in the list. For example, in some embodiments, the credential indexes may be generated as strictly increasing (or strictly decreasing) indexes. As such, in the illustrative embodiment, the gateway device 110 compares the credential information/data to the gateway credential list to determine whether the credential information/data matches any of the entries of the list. In other words, the gateway device 110 determines whether the credential data is included in the gateway credential list. If so, the gateway device 110 identifies the unique credential index corresponding with the credential data.
- If the gateway device 110 determines, in block 708, that the credential data is included in the gateway credential list, the method 700 advances to block 710 in which the gateway device 110 transmits the corresponding credential index to the server 108. In block 712, the server 108 authenticates the credential presented to the access control device 102 based on the credential index received from the gateway device 110, for example, to determine access permissions associated with the credential and make an access control decision/command (e.g., grant/deny access). In the illustrative embodiment, the server 108 may likewise include a credential list including a plurality of credentials (e.g., credential data) and corresponding credential indexes. For example, in some embodiments, the server's credential list may be a superset of the gateway credential list of the gateway device 110. In particular, the server's credential list, in some embodiments, may include the credential data and corresponding credential indexes for each of the credentials involved in and/or associated with the access control system 100. As such, the server 108 may compare the received credential index to its credential list to identify the matching credential data and authenticate that credential data (e.g., based on the particular access control device 102 to which access is requested) accordingly. It should be appreciated that the server 108 may transmit the access control decision to the gateway device 110, which in turn may transmit the access control decision to the access control device 102. It should be appreciated that the access control system 100 may perform a suitable error handling procedure in response to determining that the credential index does not match an index of the server's credential list.
- Returning to block 708, if the gateway device 110 determines that the credential data is not included in the gateway credential list, the method 700 advances to block 714 in which the gateway device 110 transmits a message to the server 108 indicating that the credential data of the credential presented to the access control device 102 does not match any credential identified in the gateway credential list. In block 716, the server 108 may determine whether to enroll the presented credential into the access control system 100, for example, and assign suitable access rights to the credential. If so, the method 700 advances to block 718 in which the gateway device 110 transmits the credential data to the server 108 for enrollment.
- In block 720, the access control device 102 determines whether an access control decision/command has been received from the server 108 (e.g., via the gateway device 110). If so, the method 700 advances to block 722 in which the access control device 102 executes the access control decision. For example, in some embodiments, the access control device 102 may control an access control mechanism (e.g., a lock mechanism, a motor, and/or other components) to grant/deny access through a passageway. However, if the access control device 102 has not received an access control decision/command (e.g., after a predefined period of time has lapsed), the method 700 advances to block 724 in which the access control device 102 may authenticate the credential and make the access control decision locally at the access control device 102 based on the current data of the local access control database as described above.
- Although the blocks 702-724 are described in a relatively serial manner, it should be appreciated that various blocks of the method 700 may be performed in parallel in some embodiments.
- It should be appreciated that the methods 300-700 of FIGS. 3-7 are generally described agnostically with respect to the particular cryptographic and other security features employed in the communications between the various devices of the access control system 100 for simplicity and brevity of the disclosure. However, it should be appreciated that the various communications may utilize any suitable cryptographic and/or security features consistent with the description.
- According to an embodiment, a method may include receiving, by a gateway device and from an access control device, credential data received by the access control device from a mobile device in response to presentation of the mobile device to the access control device, comparing, by the gateway device, the credential data to a gateway credential list stored in a memory of the gateway device, wherein the gateway credential list identifies a plurality of credentials associated with the gateway device, and wherein each credential of the plurality of credentials is associated with a unique credential index, transmitting, by the gateway device and to a server, the unique credential index associated with the credential data in response to determining that the credential data matches a corresponding credential in the gateway credential list, and receiving, by the gateway device and from the server, an access control decision associated with the credential data in response to transmitting the unique credential index.
- In some embodiments, the gateway credential list may include the plurality of credentials and a corresponding set of strictly increasing unique credential indexes.
- In some embodiments, the method may further include transmitting, by the gateway device, a message to the server indicating that the credential data does not match any credential identified in the gateway credential list.
- In some embodiments, the method may further include enrolling, by the server, the credential data as an authorized credential of the mobile device in response to receiving the message from the gateway device.
- In some embodiments, the method may further include authenticating, by the access control device, the credential data based on a local access control database stored in a memory of the access control device in response to a determination that the access control device has not received the access control decision from the server within a predefined period of time since transmittal of the credential data to the gateway device.
- In some embodiments, the method may further include receiving, by the access control device, the access control decision from the gateway device, and executing, by the access control device, the access control decision to unlock a lock mechanism associated with the access control device.
- In some embodiments, receiving the access control decision may include receiving the access control decision over a Bluetooth communication connection between the gateway device and the access control device.
- In some embodiments, transmitting the unique credential index to the server may include transmitting the unique credential index to the server via a Web Socket communication connection between the gateway device and the server.
- In some embodiments, the memory of the gateway device may have a greater amount of data storage than a memory of the access control device.
- According to another embodiment, a system may include a server, an access control device configured to receive credential data from a mobile device presented to the access control device, and a gateway device communicatively coupled to the server and to the access control device, wherein the gateway device includes a memory having a gateway credential list stored thereon that identifies a plurality of credentials associated with the gateway device, each credential of the plurality of credentials being associated with a unique credential index, and wherein the gateway device is configured to receive the credential data from the access control device, compare the credential data to the gateway credential list, transmit the unique credential index associated with the credential data to the server in response to a determination that the credential data matches a corresponding credential in the gateway credential list, and receive an access control decision associated with the credential data from the server in response to transmittal of the unique credential index.
- In some embodiments, the gateway credential list may include the plurality of credentials and a corresponding set of strictly increasing unique credential indexes.
- In some embodiments, the gateway device may be further configured to transmit a message to the server indicating that the credential data does not match any credential identified in the gateway credential list, and the server may be configured to enroll the credential data as an authorized credential of the mobile device in response to receipt of the message from the gateway device.
- In some embodiments, the access control device may include a local access control database and may be further configured to authenticate the credential data based on the local access control database in response to a determination that the access control device has not received the access control decision from the server within a predefined period of time since transmittal of the credential data to the gateway device.
- In some embodiments, the access control device may be further configured to receive the access control decision from the gateway device and execute the access control decision to unlock a lock mechanism associated with the access control device.
- In some embodiments, transmittal of the unique credential index to the server may include transmittal of the unique credential index to the server via a Web Socket communication connection between the gateway device and the server.
- According to yet another embodiment, a gateway device may include a processor and a memory comprising a gateway credential list and a plurality of instructions stored thereon, wherein the gateway credential list identifies a plurality of credentials associated with the gateway device, wherein each credential of the plurality of credentials is associated with a unique credential index, and wherein execution of the plurality of instructions by the processor causes the gateway device to receive, from an access control device, credential data received by the access control device from a mobile device in response to presentation of the mobile device to the access control device, compare the credential data to the gateway credential list, transmit, to a server, the unique credential index associated with the credential data in response to determining that the credential data matches a corresponding credential in the gateway credential list, and receive, from the server, an access control decision associated with the credential data in response to transmitting the unique credential index.
- In some embodiments, the gateway credential list may include the plurality of credentials and a corresponding set of strictly increasing unique credential indexes.
- In some embodiments, the plurality of instructions may further cause the gateway device to transmit a message to the server indicating that the credential data does not match any credential identified in the gateway credential list.
- In some embodiments, receipt of the access control decision may involve receipt of the access control decision over a Bluetooth communication connection between the gateway device and the access control device.
- In some embodiments, transmittal of the unique credential index to the server may include transmittal of the unique credential index to the server via a Web Socket communication connection between the gateway device and the server.
Claims (21)
1. A method, comprising:
receiving, by a gateway device and from an access control device, credential data received by the access control device from a mobile device in response to presentation of the mobile device to the access control device;
comparing, by the gateway device, the credential data to a gateway credential list stored in a memory of the gateway device, wherein the gateway credential list identifies a plurality of credentials, and wherein each credential of the plurality of credentials is associated with a unique credential index;
transmitting, by the gateway device and to a server, the unique credential index associated with the credential data in response to determining that the credential data matches a corresponding credential in the gateway credential list; and
receiving, by the gateway device and from the server, an access control decision associated with the credential data in response to transmitting the unique credential index.
2. The method of claim 1, wherein the gateway credential list includes the plurality of credentials and a corresponding set of strictly increasing unique credential indexes.
3. The method of claim 1, further comprising:
transmitting, by the gateway device, a message to the server indicating that the credential data does not match any credential identified in the gateway credential list; and
enrolling, by the server, the credential data as an authorized credential of the mobile device in response to receiving the message from the gateway device.
4. (canceled)
5. The method of claim 1, further comprising authenticating, by the access control device, the credential data based on a local access control database stored in memory of the access control device in response to a determination that the access control device has not received the access control decision from the server within a predefined period of time since transmittal of the credential data to the gateway device.
6. The method of claim 1, further comprising:
receiving, by the access control device, the access control decision from the gateway device; and
executing, by the access control device, the access control decision to unlock a lock mechanism associated with the access control device.
7. The method of claim 1, wherein receiving the access control decision comprises receiving the access control decision over a Bluetooth communication connection between the gateway device and the access control device.
8. The method of claim 1, wherein transmitting the unique credential index to the server comprises transmitting the unique credential index to the server via a Web Socket communication connection between the gateway device and the server.
9. The method of claim 1, wherein the memory of the gateway device has a greater amount of data storage than memory of the access control device.
10. A system, comprising:
a server;
an access control device configured to receive credential data from a mobile device presented to the access control device; and
a gateway device communicatively coupled to the server and to the access control device, wherein the gateway device includes a memory having a gateway credential list stored thereon that identifies a plurality of credentials, each credential of the plurality of credentials being associated with a unique credential index, and wherein the gateway device is configured to:
receive the credential data from the access control device;
compare the credential data to the gateway credential list;
transmit the unique credential index associated with the credential data to the server in response to a determination that the credential data matches a corresponding credential in the gateway credential list; and
receive an access control decision associated with the credential data from the server in response to transmittal of the unique credential index.
11. The system of claim 10, wherein the gateway credential list includes the plurality of credentials and a corresponding set of strictly increasing unique credential indexes.
12. The system of claim 10, wherein the gateway device is further configured to transmit a message to the server indicating that the credential data does not match any credential identified in the gateway credential list; and
wherein the server is configured to enroll the credential data as an authorized credential of the mobile device in response to receipt of the message from the gateway device.
13. The system of claim 10, wherein the access control device includes a local access control database and is further configured to authenticate the credential data based on the local access control database in response to a determination that the access control device has not received the access control decision from the server within a predefined period of time since transmittal of the credential data to the gateway device.
14. The system of claim 10, wherein the access control device is further configured to:
receive the access control decision from the gateway device; and
execute the access control decision to unlock a lock mechanism associated with the access control device.
15. The system of claim 10, wherein to transmit the unique credential index to the server comprises to transmit the unique credential index to the server via a Web Socket communication connection between the gateway device and the server.
16. A gateway device, comprising:
a processor; and
a memory comprising a gateway credential list and a plurality of instructions stored thereon, wherein the gateway credential list identifies a plurality of credentials, wherein each credential of the plurality of credentials is associated with a unique credential index, and wherein execution of the plurality of instructions by the processor causes the gateway device to:
receive, from an access control device, credential data received by the access control device from a mobile device in response to presentation of the mobile device to the access control device;
compare the credential data to the gateway credential list;
transmit, to a server, the unique credential index associated with the credential data in response to determining that the credential data matches a corresponding credential in the gateway credential list; and
receive, from the server, an access control decision associated with the credential data in response to transmitting the unique credential index.
17. The gateway device of claim 16, wherein the gateway credential list includes the plurality of credentials and a corresponding set of strictly increasing unique credential indexes.
18. The gateway device of claim 16, wherein the plurality of instructions further causes the gateway device to transmit a message to the server indicating that the credential data does not match any credential identified in the gateway credential list.
19. The gateway device of claim 16, wherein to receive the access control decision comprises to receive the access control decision over a Bluetooth communication connection between the gateway device and the access control device.
20. The gateway device of claim 16, wherein to transmit the unique credential index to the server comprises to transmit the unique credential index to the server via a Web Socket communication connection between the gateway device and the server.
21. The method of claim 1, wherein the gateway credential list includes the plurality of credentials and a corresponding set of strictly decreasing unique credential indexes.
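The embodiments and claims above describe one exchange: the access control device hands the presented credential data to the gateway, the gateway looks it up in its credential list and sends the server only the matching unique credential index (or a no-match message, on which the server enrolls the credential), and the access control device falls back to its local access control database when no decision arrives within the predefined period. The following Python model is an added example, not code from the patent or its assignee. It assumes dict-shaped messages in place of the Bluetooth and Web Socket links, a constructed server latency to stand in for a slow or unreachable server, a sync step in which the gateway appends a newly enrolled credential under the next larger index, and a fail-closed rule that an enrollment reply is not an access decision for that presentation; none of those details are stated on the page. All credential values are constructed.

```python
"""Constructed model of the gateway credential-index exchange (not the patent's code)."""
import bisect
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GatewayCredentialList:
    """Credentials known to the gateway, each paired with a unique index.

    Indexes are kept strictly increasing (claim 2): the server can find a record
    by index with a binary search, and an enrolled credential is appended with an
    index larger than any existing one, so nothing is ever renumbered.
    """
    indexes: list = field(default_factory=list)
    credentials: list = field(default_factory=list)
    _by_credential: dict = field(default_factory=dict)

    def add(self, index: int, credential: bytes) -> None:
        if self.indexes and index <= self.indexes[-1]:
            raise ValueError("credential indexes must be strictly increasing")
        if credential in self._by_credential:
            raise ValueError("credential already listed")
        self.indexes.append(index)
        self.credentials.append(credential)
        self._by_credential[credential] = index

    def index_of(self, credential: bytes) -> Optional[int]:
        """Gateway-side lookup: credential data -> its unique index (claim 1)."""
        return self._by_credential.get(credential)

    def credential_at(self, index: int) -> Optional[bytes]:
        """Server-side lookup: index -> credential, O(log n) since indexes are sorted."""
        pos = bisect.bisect_left(self.indexes, index)
        return self.credentials[pos] if pos < len(self.indexes) and self.indexes[pos] == index else None

    def next_index(self) -> int:
        return self.indexes[-1] + 1 if self.indexes else 1


class Server:
    """Authoritative copy of the gateway's list plus per-index authorization.
    `latency` is a constructed round-trip time used to exercise claim 5."""

    def __init__(self, entries, authorized, latency: float):
        self.list = GatewayCredentialList()
        for idx, cred in entries:
            self.list.add(idx, cred)
        self.authorized = set(authorized)
        self.latency = latency

    def handle(self, message: dict) -> dict:
        if message["type"] == "credential_index":
            idx = message["index"]
            known = self.list.credential_at(idx) is not None
            return {"type": "decision", "index": idx, "grant": known and idx in self.authorized}
        if message["type"] == "no_match":
            # Claims 3/12: a credential the gateway reports as unknown is enrolled as authorized.
            idx = self.list.next_index()
            self.list.add(idx, bytes.fromhex(message["credential_hex"]))
            self.authorized.add(idx)
            return {"type": "enrolled", "index": idx}
        raise ValueError("unexpected message type")


class Gateway:
    def __init__(self, entries, server: Server):
        self.list = GatewayCredentialList()
        for idx, cred in entries:
            self.list.add(idx, cred)
        self.server = server
        self.sent = []  # messages placed on the (simulated) Web Socket to the server

    def process(self, credential: bytes):
        """Returns (server reply, seconds until it arrived)."""
        idx = self.list.index_of(credential)
        if idx is not None:
            msg = {"type": "credential_index", "index": idx}  # only the index crosses the link
        else:
            msg = {"type": "no_match", "credential_hex": credential.hex()}
        self.sent.append(msg)
        reply = self.server.handle(msg)
        if reply["type"] == "enrolled":
            self.list.add(reply["index"], credential)  # assumed sync step; keeps both copies equal
        return reply, self.server.latency


class AccessControlDevice:
    def __init__(self, gateway: Gateway, local_db, decision_timeout: float):
        self.gateway = gateway
        self.local_db = set(local_db)             # local access control database (claim 5)
        self.decision_timeout = decision_timeout  # the predefined period of time

    def present(self, credential: bytes) -> dict:
        reply, elapsed = self.gateway.process(credential)
        if elapsed > self.decision_timeout:
            # No decision within the predefined period: authenticate locally (claim 5).
            return {"unlock": credential in self.local_db, "source": "local"}
        if reply["type"] == "decision":
            return {"unlock": reply["grant"], "source": "server"}
        # An enrollment reply is not an access control decision; stay locked (assumed fail-closed).
        return {"unlock": False, "source": "server", "enrolled": reply["index"]}


def demo() -> dict:
    """Constructed scenario: three listed cards, one unknown card, one slow server."""
    entries = [(10, b"card-A"), (20, b"card-B"), (30, b"card-C")]
    gw = Gateway(entries, Server(entries, authorized={10, 30}, latency=0.2))
    acd = AccessControlDevice(gw, local_db=[b"card-A"], decision_timeout=1.0)
    r = {"a_online": acd.present(b"card-A"), "a_msg": gw.sent[-1]}
    r["b_online"] = acd.present(b"card-B")
    r["z_first"] = acd.present(b"card-Z")
    r["z_msg"] = gw.sent[-1]
    r["z_second"] = acd.present(b"card-Z")
    r["z_index"] = gw.list.index_of(b"card-Z")
    slow = Gateway(entries, Server(entries, authorized={10, 30}, latency=5.0))  # exceeds the period
    acd_slow = AccessControlDevice(slow, local_db=[b"card-A"], decision_timeout=1.0)
    r["a_offline"] = acd_slow.present(b"card-A")
    r["c_offline"] = acd_slow.present(b"card-C")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `demo()` scenario shows the three paths side by side: a listed card crosses the gateway-to-server link as a bare index, an unlisted card is reported and enrolled (and only opens the door on its next presentation), and when the server's reply exceeds the predefined period the device decides from its local database, which here admits card-A but not card-C.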
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/587,725 US10952077B1 (en) | 2019-09-30 | 2019-09-30 | Technologies for access control communications |
EP20872627.3A EP4038929A4 (en) | 2019-09-30 | 2020-09-30 | Technologies for access control communications |
PCT/US2020/053541 WO2021067434A1 (en) | 2019-09-30 | 2020-09-30 | Technologies for access control communications |
US17/203,202 US11800359B2 (en) | 2019-09-30 | 2021-03-16 | Technologies for access control communications |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/587,725 US10952077B1 (en) | 2019-09-30 | 2019-09-30 | Technologies for access control communications |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/203,202 Continuation US11800359B2 (en) | 2019-09-30 | 2021-03-16 | Technologies for access control communications |
Publications (2)
Publication Number | Publication Date |
---|---|
US10952077B1 US10952077B1 (en) | 2021-03-16 |
US20210099880A1 true US20210099880A1 (en) | 2021-04-01 |
Family
ID=74870442
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/587,725 Active US10952077B1 (en) | 2019-09-30 | 2019-09-30 | Technologies for access control communications |
US17/203,202 Active US11800359B2 (en) | 2019-09-30 | 2021-03-16 | Technologies for access control communications |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/203,202 Active US11800359B2 (en) | 2019-09-30 | 2021-03-16 | Technologies for access control communications |
Country Status (3)
Country | Link |
---|---|
US (2) | US10952077B1 (en) |
EP (1) | EP4038929A4 (en) |
WO (1) | WO2021067434A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020251929A1 (en) * | 2019-06-10 | 2020-12-17 | Alan Gous | Remote authorization of gateway device |
US10952077B1 (en) * | 2019-09-30 | 2021-03-16 | Schlage Lock Company Llc | Technologies for access control communications |
US11995929B2 (en) * | 2021-04-27 | 2024-05-28 | Apple Inc. | Scheduled access control for an electronic lock |
Family Cites Families (45)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1702306B1 (en) * | 2004-01-06 | 2010-08-11 | Kaba AG | Access control system and method for operating said system |
US7437755B2 (en) * | 2005-10-26 | 2008-10-14 | Cisco Technology, Inc. | Unified network and physical premises access control server |
US8234704B2 (en) * | 2006-08-14 | 2012-07-31 | Quantum Security, Inc. | Physical access control and security monitoring system utilizing a normalized data format |
US9153083B2 (en) | 2010-07-09 | 2015-10-06 | Isonas, Inc. | System and method for integrating and adapting security control systems |
US7775429B2 (en) | 2006-08-16 | 2010-08-17 | Isonas Security Systems | Method and system for controlling access to an enclosed area |
US9589400B2 (en) | 2006-08-16 | 2017-03-07 | Isonas, Inc. | Security control and access system |
US20090132813A1 (en) * | 2007-11-08 | 2009-05-21 | Suridx, Inc. | Apparatus and Methods for Providing Scalable, Dynamic, Individualized Credential Services Using Mobile Telephones |
US20100263022A1 (en) * | 2008-10-13 | 2010-10-14 | Devicescape Software, Inc. | Systems and Methods for Enhanced Smartclient Support |
FR2945137B1 (en) | 2009-04-30 | 2011-06-24 | Pascal Metivier | PROGRAMMING SYSTEM FOR A LOCK COMPRISING NFC-CONTACTLESS CONTACT COMMUNICATION MEANS |
US8334765B2 (en) | 2010-05-24 | 2012-12-18 | Keylockit Ltd. | Wireless network apparatus and method for lock indication |
US20120119877A1 (en) | 2010-11-11 | 2012-05-17 | Kwan Yuen Abraham Ng | Programmable electronic lockbox system |
US20140002236A1 (en) | 2010-12-02 | 2014-01-02 | Viscount Security Systems Inc. | Door Lock, System and Method for Remotely Controlled Access |
WO2012151290A1 (en) | 2011-05-02 | 2012-11-08 | Apigy Inc. | Systems and methods for controlling a locking mechanism using a portable electronic device |
US8621584B2 (en) * | 2011-08-31 | 2013-12-31 | Mcafee, Inc. | Credential provider that encapsulates other credential providers |
US8689294B1 (en) | 2011-11-11 | 2014-04-01 | Symantec Corporation | Systems and methods for managing offline authentication |
US20130297075A1 (en) | 2012-05-07 | 2013-11-07 | Trane International, Inc. | Control system |
US9330514B2 (en) | 2012-07-25 | 2016-05-03 | Utc Fire & Security Corporation | Systems and methods for locking device management |
CA2889008C (en) | 2012-10-23 | 2021-01-19 | Spectrum Brands, Inc. | Electronic lock having software based automatic multi-wireless profile detection and setting |
BR112015009450A2 (en) | 2012-10-26 | 2017-07-04 | Spectrum Brands Inc | electronic lock having a mobile user interface |
US8787902B2 (en) | 2012-10-31 | 2014-07-22 | Irevo, Inc. | Method for mobile-key service |
US8881252B2 (en) * | 2013-03-14 | 2014-11-04 | Brivo Systems, Inc. | System and method for physical access control |
US9148416B2 (en) * | 2013-03-15 | 2015-09-29 | Airwatch Llc | Controlling physical access to secure areas via client devices in a networked environment |
EP2804153B1 (en) | 2013-05-15 | 2018-11-21 | Nxp B.V. | Electronic lock, locking system and method of operating an electronic lock |
US20150254917A1 (en) * | 2014-03-04 | 2015-09-10 | Brian Rockermann | Facility access system |
CA2954763C (en) * | 2014-06-02 | 2019-05-07 | Schlage Lock Company Llc | Systems and methods for a credential including multiple access privileges |
EP3073774A1 (en) * | 2015-03-23 | 2016-09-28 | Thomson Licensing | Automatic configuration of a wireless residential access network |
US9691205B2 (en) * | 2015-05-08 | 2017-06-27 | Shane Wesley Robinson | Cloud controlled common access entry point locking system and method |
US9747735B1 (en) * | 2015-06-05 | 2017-08-29 | Brivo Systems Llc | Pattern analytics and physical access control system method of operation |
AU2016280664B2 (en) * | 2015-06-15 | 2020-07-23 | Assa Abloy Ab | Credential cache |
US9792747B2 (en) | 2015-06-22 | 2017-10-17 | Allegion, Inc. | Multifunctional access control device |
EP3176761A1 (en) * | 2015-09-03 | 2017-06-07 | Axis AB | Method and apparatus for increasing reliability in monitoring systems |
US20170093700A1 (en) * | 2015-09-30 | 2017-03-30 | WoT. io, Inc. | Device platform integrating disparate data sources |
US20190035190A1 (en) * | 2016-02-25 | 2019-01-31 | John Szczygiel | Smart Audiovideo Visitor/Vendor Entry System |
US10740995B2 (en) * | 2016-04-22 | 2020-08-11 | e-Smart Systems Pvt. Ltd | Access control and location tracking system |
US10484389B2 (en) * | 2016-08-30 | 2019-11-19 | Dwelo, Inc. | Connected device rights management administration |
US10255732B2 (en) * | 2016-09-08 | 2019-04-09 | Honeywell International Inc. | Door access control via a mobile device |
US10169937B1 (en) * | 2016-10-20 | 2019-01-01 | Jpmorgan Chase Bank, N.A. | Systems and methods for multifactor physical authentication |
US10089801B1 (en) * | 2017-05-15 | 2018-10-02 | Amazon Technologies, Inc. | Universal access control device |
CN107730669B (en) * | 2017-09-12 | 2019-02-05 | 深圳市微开互联科技有限公司 | Access control method, system and computer readable storage medium |
US10498538B2 (en) * | 2017-09-25 | 2019-12-03 | Amazon Technologies, Inc. | Time-bound secure access |
US10783338B2 (en) * | 2018-03-08 | 2020-09-22 | Amazon Technologies, Inc. | Integrated access control system |
US10708261B2 (en) * | 2018-05-07 | 2020-07-07 | Vmware, Inc. | Secure gateway onboarding via mobile devices for internet of things device management |
EP3899882A4 (en) * | 2018-12-20 | 2023-01-18 | Schlage Lock Company LLC | Audio-based access control |
US11217051B2 (en) * | 2019-04-22 | 2022-01-04 | Soloinsight, Inc. | System and method for providing credential activation layered security |
US10952077B1 (en) * | 2019-09-30 | 2021-03-16 | Schlage Lock Company Llc | Technologies for access control communications |
2019
- 2019-09-30 US US16/587,725 patent/US10952077B1/en active Active
2020
- 2020-09-30 WO PCT/US2020/053541 patent/WO2021067434A1/en unknown
- 2020-09-30 EP EP20872627.3A patent/EP4038929A4/en active Pending
2021
- 2021-03-16 US US17/203,202 patent/US11800359B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
EP4038929A1 (en) | 2022-08-10 |
US10952077B1 (en) | 2021-03-16 |
EP4038929A4 (en) | 2023-11-08 |
US20220007190A1 (en) | 2022-01-06 |
WO2021067434A1 (en) | 2021-04-08 |
US11800359B2 (en) | 2023-10-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11800359B2 (en) | Technologies for access control communications | |
AU2018304715B2 (en) | Leveraging flexible distributed tokens in an access control system | |
EP3567558B1 (en) | Utilizing caveats for wireless credential access | |
US10990122B2 (en) | Secure real-time clock update in an access control system | |
US10789797B2 (en) | Peripheral controller in an access control system | |
US10755510B2 (en) | Credential updates in an offline system | |
US11995931B2 (en) | Universal credential | |
CN112585602A (en) | Temporary password based firmware access | |
US20230162551A1 (en) | Technologies for using nfc or qr code to commission a device to the cloud | |
US11962594B2 (en) | Blockchain for access control | |
US11664989B2 (en) | Commissioning an access control device with a programmable card | |
US20230006861A1 (en) | Access control embedded into network gear |
Legal Events
Code | Title | Description |
---|---|---|
FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
AS | Assignment | Owner name: SCHLAGE LOCK COMPANY LLC, INDIANA; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HOLT, FREDERICK;ANFIELD, DENNIS TROY;THOMAS, NATHANAEL L.;AND OTHERS;SIGNING DATES FROM 20190930 TO 20191021;REEL/FRAME:052386/0518 |
STCF | Information on status: patent grant | Free format text: PATENTED CASE |