Camio User Guide for OnGuard: Tailgating detection and real-time video search

This Camio User Guide covers:

  1. Overview of Camio with OnGuard
  2. Mapping cameras to OnGuard readers
  3. Enabling Tailgating Notifications
  4. OnGuard License and OAAP Interface
  5. Camio Setup for OnGuard
  6. OnGuard Permissions Setup
  7. Camio Labels

Overview of Camio with OnGuard

Fast visual verification and tailgating detection

Camio enables fast search and alerts on events like tailgating, entry ajar, forced open, entry unlocked.  Read more at Skip to Linux or Windows installation and resource requirements.

Camio counts the number of people that pass through the door to compare that number to the actual number of OnGuard access granted events. If those counts don't match, then the video is annotated with "tailgating" unauthorized access. This video illustrates tailgating detection as the floor plane tiles turn red when the second person enters after only one access granted event:

Works with existing cameras

Setup takes less than 15 minutes. Each camera is mapped to the OnGuard reader so that events from those readers annotate the video from that camera. You configure the on-premise Camio Gateway with the credentials required to subscribe to OnGuard access control events.

Mapping cameras to OnGuard readers

The first step is to associate your OnGuard readers with any cameras that can see the doors controlled by those readers.

  1. Generate your Camio Authorization token to be used by the Camio Gateway to annotate video with incoming access control events.
    1. Sign-in as the Camio account manager and press the Generate button at
      • Either the account owner or a guest with Can Manage permission can generate the token
      • A token created for a user of a registered domain works for all users on that domain (not applicable to public domains like gmail, yahoo, etc.)
    2. Copy the token immediately after you generate it, since you will not be able to retrieve it again later.
    3. Paste the token into your Camio Gateway configuration as "camio_onguard_auth_token" valueScreen_Shot_2022-03-30_at_3.59.39_PM.png
    4. Note: If you see a message "No integration settings found..." that means integration settings have never been saved for this account. Configure the settings and hit save. When you reload the page, the message should be gone.image__1_.png
  2. [Registered Domain Only] It is required to add an OnGuard server name to the integration if the user is a member of a registered domain that has more than one Camio gateway
    • Including an OnGuard server name means this user will only receive device payloads from the Camio gateway(s) with the same OnGuard server name. A Camio gateway is assigned an OnGuard server when the user whose token is provided to the gateway assigns an OnGuard server name on their integrations page.
    • Excluding an OnGuard server name means the user receives all OnGuard readers across all of the registered domain's Camio gateways, which may cause the readers displayed on the integrations page to vary.Screen_Shot_2022-07-08_at_12.35.02_PM.png
  3. Select the OnGuard Reader from the dropdown list next to each camera that has a view of the people entering the door associated with that reader and press SaveScreen_Shot_2022-03-30_at_4.05.31_PM.png

Enabling Tailgating Notifications

Optionally, enable Camio to send notifications via email when a tailgating incident occurs. Set up tailgating alerts in two steps:

  1. Import badge information. In order to notify users when they tailgate, Camio needs to be able to match the incoming OnGuard badge IDs to emails. Import a CSV with the following required columns:
    badge_id email

  2. Set a tailgating email template. You can customize the template or select Use Default to use the default template. Screen_Shot_2022-11-10_at_2.06.02_PM.png

Read more about setting up tailgating alerts here.

OnGuard License and OAAP Interface

Please obtain an OnGuard License for Camio by contacting your Lenel sales representative and asking for the Camio part number IPC-096-CAMI01-B. The Camio Gateway uses the OAAP interface described OpenAccess Alliance Program Factory Certified Product (FCP) Interface Document

Camio Setup for OnGuard

The Camio Gateway subscribes to OnGuard access control events in order to annotate the video associated with each event.

Camio Gateway Installation

The Camio Gateway runs as a Kubernetes deployment installable with Helm, which can run on any host machine (e.g. Linux, Windows) that can access the OnGuard server. If your firewall restricts the sites contacted, then please see firewall rules.

Detailed instructions for installing any of our PACS Gateway deployments through Helm can be found at our Camio User Guide for setup and deployment of Camio PACS Gateways. The following instructions will be a brief overview of setting up with Helm, specific to the Camio OnGuard Gateway.

Quick Install Via Helm

The following instructions will be a brief overview of setting up with Helm, specific to the Camio OnGuard Gateway.

1. Create your values.yaml file. The most basic values.yaml for the gateway should look like:

camio_onguard_auth_token: "INSERT AUTH TOKEN HERE"

The following are all the supported values:

directory_id: "id-1"

# "false" = disable SSL cert verification
# "self" = use certificate chain bundle specified in "ca_bundle" below
# {any other string, e.g. "true"} = SSL certificate was generated from a well-known CA such as Verisign, Thawte, or GoDaddy
ssl_certificate_verification: "false"
# ca_bundle: "NLabsRootCA.crt" # only needed if ssl_enabled = "self"
stats_report_time_interval: 60
camio_onguard_endpoint: ""
camio_onguard_endpoint_stats: ""
camio_onguard_endpoint_log: ""
camio_onguard_endpoint_devices: ""
camio_onguard_auth_token: "INSERT AUTH TOKEN HERE"
camio_onguard_events_per_post: 10
camio_onguard_max_retries: 100
query_filter: '(event_type="0" or (event_type="2" and (event_subtype="0" or event_subtype="1" or event_subtype="2")) or (event_type="4" and (event_subtype="8" or event_subtype="10" or event_subtype="210" or event_subtype="211" or event_subtype="212" or event_subtype="213")))'

# Uncomment any settings where default values shown need to be modified
# (default values should work for most deployments, except where the OpenAccess port number was changed)
# log_level: "INFO"
# server_port: "8080"
# api_version: "1.0"
# pagination_page_size: 100
# poll_interval: 8
# max_error_messages: 3
# auth_timeout_buffer: 600
# max_backlog_window: 3600
# max_event_time_per_poll: 60
# requests_timeout: 30
encrypt_and_remove: "False"
# get_device_interval: 120

The following are descriptions of each section of configurable settings.


(Helm Key)


Camio Config


This contains your secret Camio Authorization token obtained from used to annotate video. 

OnGuard Config


This contains the non-secret information required to connect to your OnGuard server. 

OnGuard User


This contains your secret OnGuard username and password required to access the OnGuard server. See the User Permissions Required

Advanced Config


These default values should be sufficient, but override any desired. Retain the query_filter, so that only recognized OnGuard Events are sent to Camio.

The current version of the Camio OnGuard Gateway does not support self-signed certificates. Please contact for more details if your deployment will need to use self-signed certificates.

2. Create your K8s cluster if does not exist

3. Run the following command, including the proper path to your values.yaml file following the -f flag:

helm install camio-onguard oci:// --version 1.10.3 -f /PATH/TO/values.yaml [-n camio] [--create-namespace]

The namespace ( -n ) argument is optional and will deploy the gateway in the specified namespace. If not included, the gateway will be set up in the default namespace. Use --create-namespace if the namespace you want to use does not currently exist. 

4. Confirm that your helm installation was successful by running:

kubectl get pods [-n camio]

The output should look something like:

onguard-XXXXXXXXX-XXXXX 1/1 Running 0 9s

If the onguard pod shows as 1/1 READY and 0 RESTARTS, it is probably running correctly. If you would like more details, you can retrieve the logs for your pod by running:

kubectl logs onguard-XXXXXXXXX-XXXXX [-n camio]

OnGuard Event Filter

The query_filter above in Advanced Config correlates to these OnGuard Event SubType Descriptions:

  • Access Granted
    • Access Granted on Facility Code
    • Access Granted No Entry Made
    • Access Granted on Facility Code, No Entry Made
    • Access Granted
    • Access Granted: Reader Unlocked
    • Egress Granted
    • Open Door Command Issued - Door Used
    • Open Door Command Issued - Door Not Used
    • Granted Access, Common Pin
    • Grant Last User (Override)
    • Granted-Escort
    • Granted-Exit-Escort
    • Granted-Master
    • Granted-Exit-Master
    • Granted-Dual Custody
    • Granted-Exit-Dual Custody
    • Granted-Pending Entry
    • Access Granted Entry Made
    • Access Granted to Destination Floor
    • Granted Double Card
    • Access Granted: Pin
    • Access Granted: Lift
    • Access Granted: Soft Passback
    • Access Granted: Time and Attendance In
    • Access Granted: Time and Attendance Out
    • Granted-Escort Pending
  • Duress
    • Access Granted Under Duress
      Access Denied Under Duress
      Access Granted Under Duress - No Entry Made
  • System
    • Door Forced Open
    • Door Held Open
    • Door Forced Open Masked
    • Door Forced Open Unmasked
    • Door Held Open Masked
    • Door Held Open Unmasked

Camio Gateway Host Hardware Requirements

The CPU and RAM required of the host machine that runs the Camio Gateway varies with the maximum throughput of access control events. This guide covers common volumes:

Max Event Rate

CPU Cores


100 events/second


300 MiB

1,000 events/second


400 MiB

10,000 events/second


400 MiB

Firewall Rules

During the initial setup and any updates to the deployment, you will need access to these domains:


During operation the proxy will need access to the specified camio endpoints:

as well as the OnGuard server, check your network setting for your OnGuard system.

OnGuard Setup

OnGuard System Permissions

The Camio Gateway needs to authenticate with OnGuard’s API (OpenAccess) and needs a user account with sufficient permission. Using the default Admin level of permissions when creating this account is simplest. But if using Admin access violates security policies, the basic permissions required (outside of Field/Page Permissions being “View/Edit All Fields”) are highlighted in the System Permission Groups screenshot below:


The non-Admin permissions correspond to:

  1. Assign AAM access levels: Read, Add, Modify, Delete
  2. User directory accounts: Read
  3. Link / unlink: Read
  4. Permission groups: Read, Add, Modify, Delete
  5. Directories: Read, Add, Modify, Delete
  6. Logical access: Read, Add, Modify, Delete

If not using the default Admin Level of permissions, then also ensure all cardholder and badge fields are set to visible / editable. By default, those fields are visible / editable, however certain versions of OnGuard may have exceptions on the default permissions on fields that customers add through forms designer (this can be badge or cardholder).

Camio Labels

These are the labels that will be either:

  • applied to video Events when the door reader is mapped to a camera, or
  • relayed to Domain Endpoint callbacks when there is no video Event associated with the reader.

See also OpenAccess Alliance Program Factory Certified Product (FCP) Interface Document.

Removing camera to OnGuard reader mappings

You can update which cameras you have mapped to OnGuard readers on the settings page at To remove the currently mapped reader, click on the reader in the dropdown list:


Alternatively, select a new reader.

If your camera was mapped to an old reader that is no longer in your list of OnGuard readers, the reader dropdown may appear blank:Screen_Shot_2022-10-28_at_4.35.10_PM.png

To remove the old reader, select and then deselect a new reader from the dropdown. This will clear the old reader. The dropdown should then look like this:


Make sure you click save to confirm the changes.

Have more questions? Submit a request