12

We're looking at replacing our campus-wide magnetic swipe card system with something more robust. The "programmer" side of me says there's got to be an open-source, scalable solution that already does this, but all I've been able to find are proprietary vendor-specific solutions.

Ideally, it'd have the following:

  • Based on some open standard that allows us to select from a wide selection of card readers (like IMAP or HTTP)
  • Support different kinds of card access (magnetic strip, RFIDs, etc.)
  • Future-proof (to the extent possible)

The lack of information I'm finding leads me to believe I'm not searching for the right things... or such a solution doesn't exist. Is there not some basic, open-source solution to this (like MySQL for databases, or Moodle for an LMS, or Apache for a web server)?

user9517
  • 114,104
  • 20
  • 206
  • 289
Moduspwnens
  • 747
  • 1
  • 7
  • 17
  • If you're currently using magnetic stripe cards, then do yourself a favour and replace them with RFID or similar (you could just use optical barcodes if you're not bothered about them being copied). – symcbean Sep 12 '12 at 22:01

3 Answers3

9

The only such products that I'm aware of are Avea's line of Ethernet-connected proximity card readers that, when tagged with a card, send an HTTP request to a web server at an IP address that you specify via DHCP option 72. You build your own web services to respond to these HTTP requests with instructions that the card reader can understand, e.g. with instructions to unlock the door or to deny entry. These support only proximity cards and key fobs; they do not have a magnetic stripe option. There is a model that includes a keypad for doors that require 2-factor authentication.

Of course, this means that you can build and maintain your own database of cards and users... or, even better, you could setup your physical security access control system to query your LDAP or AD servers on the back end.

More information is available on the Avea TCP/IP card reader product page. The WEB08S manual includes detailed information on HTTP requests that these devices generate as well as detailed information on the responses that they can accept and understand.

Athough Avea's implementation is completely open, it is not based on an industry-wide open standard. That's too bad, but I still think it is the most promising option out there. I really like the HTTP approach: any programmer worth her salt knows how to use a database (or LDAP) lookup to respond to an HTTP request. On the other hand, most commercial physical security systems use arcane and outdated communication protocols like Wiegand, have absolutely disgusting access control and authentication systems on the back end, and offer no opportunity for integration with your own systems.

Skyhawk
  • 14,149
  • 3
  • 52
  • 95
  • 2
    You're right. Avea's line looks like it'd be the closest, but I'm truly surprised that there's no solid open solution for this problem. Outfitting an institution with RFID cards and readers isn't cheap, so it feels terrible to really hedge your bets on a single proprietary solution. – Moduspwnens Dec 19 '11 at 23:37
3

I think you are just a bit early. There really isn't anything standard and available yet.

I found a project for proxcards: cerberus-prox. Unfortunately, I don't think it will be very scalable.

The ONVIF standard has recently been extended to include physical access control in addition to video surveillance. No conformant products have been released yet, though.

Jeff Strunk
  • 2,107
  • 1
  • 24
  • 29
2

Thanks to the popularity of "Hacker Spaces," co-working facilities and other shared workshops, there is starting to be interest in this finally. Here is an open source hardware/software project that we maintain:

http://code.google.com/p/open-access-control/

It's nothing fancy, but the full design is free, gets the job done and people have added on quite a few things, such as an http interface.

Skyhawk
  • 14,149
  • 3
  • 52
  • 95