Camio User Guide for OnGuard: Tailgating detection and real-time video search

This Camio User Guide covers:

  1. Overview of Camio with OnGuard
  2. Mapping cameras to OnGuard readers
  3. OnGuard License and OAAP Interface
  4. Camio Setup for OnGuard

Overview of Camio with OnGuard

Fast visual verification and tailgating detection

Camio enables fast search and alerts on events like tailgating, entry ajar, forced open, entry unlocked.  Read more at https://camio.com/tailgating.

Camio counts the number of people that pass through the door to compare that number to the actual number of OnGuard access granted events. If those counts don't match, then the video is annotated with "tailgating" unauthorized access. This video illustrates tailgating detection as the floor plane tiles turn red when the second person enters after only one access granted event:

Works with existing cameras

Setup takes less than 15 minutes. Each camera is mapped to the OnGuard reader so that events from those readers annotate the video from that camera. You configure the on-premise Camio Gateway with the credentials required to subscribe to OnGuard access control events.

Mapping cameras to OnGuard readers

The first step is to associate your OnGuard readers with any cameras that can see the doors controlled by those readers.

  1. Generate your Camio Authorization token to be used by the Camio Gateway to annotate video with incoming access control events.
    1. Sign-in as the Camio account manager and press the Generate button at https://camio.com/settings/integrations/onguard
    2. Copy the token immediately after you generate it, since you will not be able to retrieve it again later.
    3. Paste the token into your Camio Gateway camio_config.yaml as camio_onguard_auth_token value. 

  2. Select the OnGuard Reader from the dropdown list next to each camera that has a view of the people entering the door associated with that reader and press Save.

Screen_Shot_2021-02-10_at_10.21.31_AM.png

OnGuard License and OAAP Interface

Please obtain an OnGuard License for Camio by contacting your Lenel sales representative and asking for the Camio part number IPC-096-CAMI01-B. The Camio Gateway uses the OAAP interface described OpenAccess Alliance Program Factory Certified Product (FCP) Interface Document

 

Camio Setup for OnGuard

The Camio Gateway subscribes to OnGuard access control events in order to annotate the video associated with each event.

Camio Gateway Installation

The Camio Gateway runs as Docker containers on any host machine that can access the OnGuard server. If your firewall restricts the sites contacted, then please see firewall rules.

Camio Gateway Configuration Files (yaml files)

The Camio Gateway's configuration is determined by yaml files. Upon first startup of the Camio Gateway, these yaml files are encrypted and deleted so that secret credentials are never stored in the clear. To supply new option values, you must stop the containers, add the yaml files to the res directory, and restart the Docker Containers so that they read and encrypt the yaml files once again. See Updating Configuration Files.

Filename Description
camio_config.yaml

This contains your secret Camio Authorization token obtained from https://camio.com/settings/integrations/onguard used to annotate video. Example:

CAMIO_CONFIG: 
stats_report_time_interval: 60
camio_onguard_endpoint: "https://camio.com/api/integrations/onguard/webhooks"
camio_onguard_endpoint_stats: "https://camio.com/api/integrations/onguard/stats"
camio_onguard_endpoint_logs: "https://camio.com/api/integrations/onguard/logs"
camio_onguard_auth_token: "INSERT YOUR CAMIO AUTH TOKEN HERE"
camio_onguard_events_per_post: 10
camio_onguard_max_retries: 100
onguard_config.yaml

This contains the non-secret information required to connect to your OnGuard server. Example:

ONGUARD_CONFIG:
  server_name: "onguard_server.yourdomain.com"
  # "false" = disable SSL cert verification
  # "self" = use certificate chain bundle specified in "ca_bundle" below
  # {any other string, e.g. "true"} = SSL certificate was generated from a well-known CA such as Verisign, Thawte, or GoDaddy
  ssl_enabled: "self"
  ca_bundle: "internally_created_CA_certificate.crt" # only needed if ssl_enabled = "self"
onguard_user.yaml

This contains your secret OnGuard username and password required to access the OnGuard server. Example:

ONGUARD_USER:
  directory_id: "your OnGuard user directory here (e.g. id-1)"
  user_name: "your OnGuard username here"
  password: "your OnGuard password here"
advanced_config.yaml

These default values should be sufficient, but override any desired. Retain the query_filter, so that only recognized OnGuard Events are sent to Camio. Example:

ONGUARD_ADVANCED_CONFIG:
  query_filter: '(event_type="0" or (event_type="2" and event_subtype="4") or (event_type="4" and (event_subtype="8" or event_subtype="10" or event_subtype="210" or event_subtype="211" or event_subtype="212" or event_subtype="213")))'
  # Uncomment any settings where default values shown need to be modified
  #   (default values should work for most deployments, except where the OpenAccess port number was changed)
  # server_port: "8080"
  # api_version: "1.0"
  # pagination_page_size: 100
  # poll_interval: 8
  # max_error_messages: 3
  # auth_timeout_buffer: 600
  # max_backlog_window: 3600
  # max_event_time_per_poll: 60
  # requests_timeout: 30
get_device_interval: 7200

OnGuard Event Filter

The query_filter above in advanced_config.yaml correlates to these OnGuard Event SubType Descriptions:

  • Access Granted
    • Access Granted on Facility Code
    • Access Granted No Entry Made
    • Access Granted on Facility Code, No Entry Made
    • Access Granted
    • Access Granted: Reader Unlocked
    • Egress Granted
    • Open Door Command Issued - Door Used
    • Open Door Command Issued - Door Not Used
    • Granted Access, Common Pin
    • Grant Last User (Override)
    • Granted-Escort
    • Granted-Exit-Escort
    • Granted-Master
    • Granted-Exit-Master
    • Granted-Dual Custody
    • Granted-Exit-Dual Custody
    • Granted-Pending Entry
    • Access Granted Entry Made
    • Access Granted to Destination Floor
    • Granted Double Card
    • Access Granted: Pin
    • Access Granted: Lift
    • Access Granted: Soft Passback
    • Access Granted: Time and Attendance In
    • Access Granted: Time and Attendance Out
    • Granted-Escort Pending
  • Duress
    • Access Granted Under Duress
      Access Denied Under Duress
      Access Granted Under Duress - No Entry Made
  • System
    • Door Forced Open
    • Door Held Open
    • Door Forced Open Masked
    • Door Forced Open Unmasked
    • Door Held Open Masked
    • Door Held Open Unmasked

Installing on Linux

  1. Download and install Docker by following the steps for your Linux distribution from: https://docs.docker.com/engine/install/
  2. Download and install docker-compose by following the steps from: https://docs.docker.com/engine/install/
  3. Download the Camio Gateway run package from: https://storage.googleapis.com/camio-test-integrations/camio_onguard.zip
  4. Unzip the package
    • unzip camio_onguard.zip
      cd camio_onguard
      cd res
      ls -l
  5. Update the configuration files with Camio and OnGuard information
  6. Once the config files have been updated, run the Camio container
    • docker-compose up -d
      docker ps | grep camio_onguard
    • If you want to run the container in foreground, then remove `-d`
    • docker-compose up
  7. The Camio Gateway containers are now running. You can use Docker commands to watch stats and logs whenever required.

Installing on Windows

  1. Download and install Docker Desktop (which also contains docker-compose) by following the steps from: https://docs.docker.com/docker-for-windows/install/
  2. Download the Camio Gateway run package from: https://storage.googleapis.com/camio-test-integrations/camio_onguard.zip
  3. Unzip the package, and enter into the camio_onguard directory
  4. Update the configuration files with Camio and OnGuard information
  5. Once the config files have been updated, run the Camio container
    • docker-compose up -d
      docker ps | grep camio_onguard
    • If you want to run the container in foreground, then remove `-d`
    • docker-compose up
  6. The Camio Gateway containers are now running. You can use Docker commands to watch stats and logs whenever required.

Updating configuration files

  1. When you need to update the configuration files, you first need to stop the containers by running
    • cd camio_onguard
      docker-compose down
  2. Wait for the containers to stop, and then add the new configuration files in the res directory.
    • Note that due to encryption and security, all of the existing configuration files in clear text will not be present in the res directory, so you will need to add fresh new configuration files in the res directory.
  3. After adding the new configuration files, restart the containers by running:
    • cd camio_onguard
      docker-compose up -d
      docker ps | grep camio_onguard
  4. The Camio Gateway containers are now running with the updated configuration files. You can use Docker commands to watch stats and logs whenever required.

Camio Gateway Host Hardware Requirements

The CPU and RAM required of the host machine that runs the Camio Gateway Docker containers varies with the maximum throughput of access control events. This guide covers common volumes:

Max Event Rate CPU Cores RAM
100 events/second 1 300 MiB
1,000 events/second 2 400 MiB
10,000 events/second 2 400 MiB

 

Firewall Rules

During the initial docker setup (docker-compose up -d) will need access to these domains:

  • gcr.io
  • storage.googleapis.com
  • dockerhub.com

During operation the proxy will need access to the specified camio endpoints:

as well as the OnGuard server, check your network setting for your OnGuard system.

OnGuard Setup

OnGuard System Permissions

The Camio Gateway needs to authenticate with OnGuard’s API (OpenAccess) and needs a user account with sufficient permission. Using the default Admin level of permissions when creating this account is simplest. But if using Admin access violates security policies, the basic permissions required (outside of Field/Page Permissions being “View/Edit All Fields”) are highlighted in the System Permission Groups screenshot below:

lenel-onguard-system-admin-permissions.png

 

See also OpenAccess Alliance Program Factory Certified Product (FCP) Interface Document.

 

Have more questions? Submit a request

Comments