ENGAGE_WiFI_Technical_Requirements_App_Note

ENGAGE - WiFi Technical Requirements App Note

REVISION CONTROL RECORD

| VER | DATE | DESCRIPTION OF CHANGE | AUTHOR |
|---|---|---|---|
| SES20180226-A | 2/28/2018 | Initial release | DCX |
| SES20180226-B | 4/17/2018 | Edits and section 9 on DNS added | DCX |
| SES20180423-C | 4/23/2018 | LE, CTE, RU and RM don’t have a Mandatory rate restriction | DCX |
| SES20180503-D | 5/3/2018 | Adding notes to add MT20W | A. Canzonieri |
| SES20181015-E | 10/15/2018 | Changed ‘sever’ to ‘Server’ and ‘Wi-Fi’ to ‘WiFi’ throughout in preparation for conversion to Markdown for HTML web portal. | A. Clark |

WiFi Network Requirements for Devices and MT20W

When discussing how ENGAGE devices use WiFi, provide this technical information to customer site IT departments. This note should answer IT department questions when scoping ENGAGE product feasibility on their network.

OVERVIEW:

ENGAGE devices use the local WiFi network to automatically enable update functions for the property administrator. When WiFi is enabled, the Devices will automatically call in to the local wireless network at a time predetermined by ENGAGE (typically between midnight and 4am). The Devices obtain updates and provide maintenance information to the ENGAGE Server. The use of WiFi by an ENGAGE device is an operational convenience, not an access control necessity. ENGAGE devices can also operate with WiFi disabled in a standalone mode, but this makes some updates and audit collection less convenient.

Product Application:

ENGAGE devices with WiFi nightly call-in capability are limited to the following: NDE, LE and CTE. With WiFi enabled, this group will connect once per night to the local WiFi network. When the ENGAGE system feature “WiFi Alerts” is enabled, the Devices will also connect briefly to report a forced door or propped door when the alert occurs.

NOTE:

  • The MT20W enrollment reader requires a local WiFi network connection to enroll and program user credentials and does not call in nightly.

  • When ENGAGE Devices are LINKED to an ENGAGE Gateway, the WiFi network is not used. Device management communication is with Bluetooth (BLE) through the Gateway. Device WiFi is disabled when linked to an ENGAGE Gateway.

  • Schlage Control™ smart Devices, FE410 and BE467, are not WiFi enabled.

Wireless Information:

All WiFi enabled ENGAGE devices and MT20W have the following requirements and applications when connecting with the WiFi network:

NOTE: Consult with your IT professional when working with WiFi network connectivity.

  1. 2.4 GHz 802.11 b/g is required for NDE and MT20W.

    • Newer ENGAGE devices, LE and CTE, support 802.11 b/g/n, only on the 2.4 GHz band.
  2. Connect Data Rate: Each WiFi network access point supporting NDE and MT20W devices requires the Mandatory Connect Data Rate to be set to 24Mbps or lower for NDE and MT20W to connect.

    • The local IT professional should check this router setting if/when devices fail to associate with the local WiFi network.

    • An Automatic Mandatory Connect Data Rate is a typical router setting. IT professionals use this setting to force a minimum data rate for each device to associate with the WiFi access point. The Connect Data Rate setting is intended to increase WiFi network performance and not allow weak signal or slow data rate devices to connect.

    • ENGAGE devices require the WiFi Mandatory Connection Data Rate to be set no higher than 24Mbps or they fail to associate with the wireless AP.

    • Newer ENGAGE devices like LE, CTE, RU and RM do not have this Mandatory Connect Data Rate restriction.

  3. WiFi network security types supported:

    • WPA2 (PEAP)
      • WiFi SSID - Must be EXACT (case sensitive)
      • USERNAME
      • PASSWORD*
    • WPA2
      • WiFi SSID - Must be EXACT (case sensitive)
      • PASSWORD*
    • WEP (not recommended)
      • WiFi SSID - Must be EXACT (case sensitive)
      • PASSWORD*
    • OPEN (not recommended)
      • No WiFi security

    *Maximum 64 Character length. English alpha-numeric characters only.

  4. If the building WiFi employs MAC address listing and the device MAC address is needed, each ENGAGE device has its MAC address printed on the production labels in human readable form and in QR form. The MAC address can also be read with the ENGAGE mobile application when connected to the device.

  5. ENGAGE Devices use both standard HTTP and HTTPS connections for communication. HTTPS connections to the servers are encrypted with TLS, and each credential is also individually encrypted with a site-specific scheme automatically generated by the system.

    • ENGAGE Devices browse to allegionengage.com, or to a Software Alliance Member (SAM) server when managed by a SAM Access Control Software System.
      • portal.allegionengage.com – is used by ENGAGE system admins inside the firewall when logged into the Engage WEB Application
      • api.allegionengage.com – is accessed by the ENGAGE DEVICE for firmware and database updates, as well as reporting audits and alerts
      • Contact your Access Control Software provider for their Server address if your devices are managed by an ENGAGE Software Alliance Member
      • The ENGAGE devices are dependent on your DNS Server for DNS look up.
  6. The network can assign either a static IP address or a DHCP IP address to ENGAGE devices; however, the device cannot be internally configured for a static IP address.

  7. ENGAGE WiFi devices use only two ports: 80 and 443.

    • Port 80 (http) is used for encrypted firmware downloads and updating the root certificate loaded in the Device.
    • Port 443 (https) is used by the device for providing all maintenance information, updates on the activity of the Device and providing credential access updates to the Device.
  8. WiFi enabled ENGAGE devices will connect to the WiFi network with three individual events per night. Connections are once-per-day for ENGAGE, and session-based (established, utilized, and released). The ENGAGE device reports its configuration in the first event, obtains access control updates in the second event, and reports audit data in the last event.

    • Total daily network bandwidth consumption would be approximately 64 kb per Device (assuming the Device has 100 user changes and 15 valid card presentations per day).
    • WiFi session event estimates for the nightly call:

      • PUT Configuration (from Device): ~40 kb
      • GET database (from Server): ~20 kb / 100 users (changes)
      • POST Audits (from Device): ~4 kb (assuming 15 valid card presentations per day)
    • During this update the ENGAGE Server schedules the next nightly call in with the device.

    The nightly WiFi call in only takes a few seconds per device.

  9. The ENGAGE devices are reliant on the primary DNS server configured in your network. The ENGAGE Device is not capable of utilizing a secondary DNS server or complex DNS redirection the way laptops on the network redirect. DNS errors are displayed in the audit reports along with host connection failure. In this case we recommend that ENGAGE WiFi customers use a publicly available DNS such as Google (8.8.8.8 or 8.8.4.4) or ensure that the internal DNS table has a valid entry for api.allegionengage.com.

  10. ENGAGE devices enabled with WiFi can also update firmware by connecting to the ENGAGE Server. The firmware update can be enabled with the ENGAGE WEB application for an automatic update during the nightly call in, or it can be implemented manually by connecting to the device with the ENGAGE mobile application and selecting “Update Firmware.” New ENGAGE firmware releases only occur a few times a year. A device firmware update could take only tens of seconds on WiFi but up to four minutes to complete the file loading and re-boot of the device.

  11. When an ENGAGE device is using WiFi an AMBER (RED/GREEN mixed) LED will be displayed and the Device will briefly ignore card presentations.
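
The port, host and schedule statements in items 5, 7 and 8 give IT a baseline for what lock traffic on the WiFi network should look like. The following Python check is an added example, not part of the original note or of any ENGAGE software; it compares flow records from device IPs against that baseline. The log format, the IP addresses and the host updates.example.net are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# From the note: devices use only TCP ports 80 and 443.
ALLOWED_PORTS = {80, 443}
# Device-facing host named in the note; add the SAM server here if one is used.
ALLOWED_HOSTS = {"api.allegionengage.com"}
# Typical call-in window per the note (midnight to 4am).
WINDOW_HOURS = range(0, 4)

# Constructed sample flow log (assumed format): time,src_ip,dst_host,dst_port
SAMPLE_LOG = """\
2018-10-16T01:12:03,10.20.0.11,api.allegionengage.com,443
2018-10-16T01:12:05,10.20.0.11,api.allegionengage.com,80
2018-10-16T01:14:40,10.20.0.12,api.allegionengage.com,8080
2018-10-16T02:30:10,10.20.0.13,updates.example.net,443
2018-10-16T14:05:55,10.20.0.11,api.allegionengage.com,443
"""

def review_flows(log_text, device_ips):
    """Return (violations, notes) for flows that originate from lock IPs."""
    violations, notes = [], []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed records
        ts, src, host, port = row
        if src not in device_ips:
            continue  # only traffic from known devices is in scope
        port = int(port)
        if port not in ALLOWED_PORTS:
            violations.append((src, host, port, "unexpected port"))
        elif host.lower() not in ALLOWED_HOSTS:
            violations.append((src, host, port, "unexpected host"))
        elif datetime.fromisoformat(ts).hour not in WINDOW_HOURS:
            # Informational only: WiFi Alerts connect when the alert occurs.
            notes.append((src, ts, "outside typical call-in window"))
    return violations, notes

if __name__ == "__main__":
    locks = {"10.20.0.11", "10.20.0.12", "10.20.0.13"}
    bad, info = review_flows(SAMPLE_LOG, locks)
    for item in bad:
        print("VIOLATION", item)
    for item in info:
        print("NOTE", item)
```

Connections outside the midnight to 4am window are reported as notes rather than violations, because the note describes that window as typical and WiFi Alerts can connect at any time.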