Kofax Multi-Card User manual

Kofax Ethernet Card Reader
User Guide
September 23, 2020
Version 1.0

Contents
Introduction
  Purpose
  Kofax Ethernet Card Reader
  Hardware versions
  Default configurations
  Included items
  Compatibility
Installation
  Mounting
  Connecting to the network
  Connecting in Maintenance Mode
Network communications
  IP address
  Discovery
  Communication
  High availability
  Encryption
  Factory Reset
Usage
  Presenting cards
  Beeper
  LED indicator
    Offline indications
    Online indications
Maintenance and configuration
  Factory resetting in Maintenance Mode
  Configuring network settings
  Setting the operating mode
  Restricting operation to certain card types
  Loading a custom configuration file
  Updating reader firmware
Card Testing
  Reading card numbers
  Reading card types
Troubleshooting
  Reader not responding, LED off
  Configuration fails after discovery and import
  Reader remains locked after Factory Reset
  Reader stops functioning after server is moved or changed
  Card not detected by reader
Technical Reference
  Low frequency (125/134 kHz) card support
  High frequency (13.56 MHz) card support
  Specifications

Introduction
Purpose
This user guide provides information on the Kofax Ethernet Card Reader and is intended for
imaging professionals involved in the deployment of Kofax’s ControlSuite, Copitrak, Equitrac,
Output Manager, and SafeCom products.
Kofax Ethernet Card Reader
The Kofax Ethernet Card Reader is a network connected RFID reader that allows users to
authenticate themselves to Kofax products using their contactless ID card, badge, tag, or key
fob.
Ethernet reader features include:
•10/100 Mbps operation with auto-MDI/MDIX
•internal switch connecting to both the network and a downstream print device
•Power-over-Ethernet (PoE) capable
•AC mains adapter for use without PoE

Hardware versions
The Kofax Ethernet Card Reader comes in three versions:
•Multi-Card
Built with an NXP chipset, the Multi-Card reader supports a wide variety of 125 kHz RFID and
13.56 MHz contactless smartcard technologies based on ISO14443 and ISO15693 standards.
•iClass and Legic
Built with a LEGIC chipset, the iClass and Legic reader supports a wide variety of 13.56 MHz
contactless smartcard technologies based on ISO14443 and ISO15693 standards. It can retrieve
encrypted data from iCLASS (not including iCLASS SE or Seos), LEGIC Prime, and
LEGIC Advant secure credentials.
•iClass Seos + Multi-Card
Built with an NXP chipset, the iClass Seos + Multi-Card reader supports a wide variety of 125 kHz
RFID and 13.56 MHz contactless smartcard technologies based on ISO14443 and ISO15693
standards. It contains an iCLASS SE Processor to decrypt the Physical Access Card System
(PACS) data from iCLASS, iCLASS SE, and iCLASS Seos secure credentials.
Each version is identified by a unique hardware part number:
| Version | Reader Part Number | Boxed Part Number |
|---|---|---|
| Multi-Card | Y591-EMUL-402 | Y10B-EMUL-402 |
| iClass and Legic | Y591-ELGI-402 | Y10B-ELGI-402 |
| iClass Seos + Multi-Card | Y591-EMSI-402 | Y10B-EMSI-402 |

Default configurations
Each version of Kofax Ethernet Card Reader has a unique configuration:
| Version | Beeper | Returns |
|---|---|---|
| Multi-Card | Enabled | Unique ID (UID) or Card Serial Number (CSN) from all hardware supported card types |
| iClass and Legic | Enabled | Card Number from the Physical Access Control System (PACS) data in iCLASS cards formatted as 26-bit Wiegand / H10301, 37-bit H10302, Corporate 1000 35-bit, or Corporate 1000 48-bit. Unique ID (UID) from LEGIC Prime and Advant cards. Other card types and formats ignored. |
| iClass Seos + Multi-Card | Enabled | Card Number from the Physical Access Control System (PACS) data in iCLASS, iCLASS SE, or iCLASS Seos cards formatted as 26-bit Wiegand / H10301, 37-bit H10302, Corporate 1000 35-bit, or Corporate 1000 48-bit. Other card types and formats ignored. |
Readers can be configured to disable the beeper, accept only certain card types, or modify the
output format. Consult the “Maintenance and configuration” section for details.

Included items
Each Kofax Ethernet Card Reader ships with the following:
•global AC power adapter
•adapter blades for Australia, China, European Union, United Kingdom, and US/Canada
•two self-adhesive Velcro fasteners
•three cable ties and tie mounts
Compatibility
The Kofax Ethernet Card Reader is compatible with the following products:
| Product | Requirements |
|---|---|
| Kofax ControlSuite | Combined with Kofax Equitrac or Kofax Output Manager |
| Kofax Copitrak | Copitrak CSS 700 R2 SP2.17 or higher |
| Kofax Equitrac | Equitrac 5.6 or higher |
| Kofax Output Manager | Output Manager 4 SP2 or higher |
| Kofax SafeCom | SafeCom G4 Server S82 070.520*10 or higher; SafeCom Device Server S82 090.090*10 or higher |

Installation
Mounting
Mount the Kofax Ethernet Card Reader to the outside of a printer with the included
self-adhesive Velcro fasteners. Use the cable ties and tie mounts to route and secure all
associated cabling:
Important: Ensure the reader and cabling do not block any vents, trays, or access covers.

Connecting to the network
The two ports on a Kofax Ethernet Card Reader connect to an internal switch, allowing the
reader and an associated print device to be serviced by a single network drop:
Note: The Network port supports Power over Ethernet (PoE). The AC adapter should not be
used when PoE is available on the network.
[Figure: connection diagram showing the Ethernet Reader, AC Adapter (use if PoE unavailable), Printer, and Network]

Connecting in Maintenance Mode
Maintenance Mode allows point-to-point connections for testing or Factory Reset of a
misconfigured reader. Physically reconfigure the reader so that only its Power and Printer port
connections are used:
When in Maintenance Mode the reader LED blinks red-green-off, and the reader operates with
the following temporary settings:
•DHCP addressing is enabled
•Link Local addressing (Auto IP) is enabled
•configured Static IP address is disabled
•configured Server IP and Port settings ignored
•Factory Reset by the Reader Maintainer software is always possible (lock ignored)
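[Figure: Maintenance Mode connection diagram showing the Ethernet Reader, AC Adapter, a connection labelled "To local network or configuration PC", and a port labelled "Do not connect"]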

Network communications
The Kofax Ethernet Card Reader uses the TCP protocol on IPv4, with each reader having a
unique IPv4 address.
IP address
The Ethernet reader uses DHCP to obtain an IP address on the network. Copitrak, Equitrac,
Output Manager, and SafeCom maintain the reader-to-printer association by serial number, so it
does not matter if the IP address assigned to a reader changes over time.
Note: Readers can be configured with a Static IP address if required; see the section
“Configuring network settings” for details.
Discovery
Ethernet reader discovery takes place in several different ways:
1. Readers listen on TCP port 2939 for incoming connections. The Copitrak, Equitrac, and
Output Manager products support importing from a range of IP addresses. They attempt
to open TCP port 2939 on each IP address in the range, sending a generic reader
command if successful. As correct responses are received, each reader in the range is
identified for import and configuration.
Note: With SafeCom each reader’s exact IP address must be entered. These are
determined by logging into the DHCP server and looking up the MAC address printed on
each reader’s label. The Select Reader function in the Kofax Reader Maintainer software
also provides a list of discovered reader IP addresses.
2. Right-click a print device in Equitrac and select “Discover card reader” to send a ‘magic’
UDP packet to port 2939 of the printer. An unconfigured reader listens for this packet to
pass through its switch, opening the server IP and port found in the packet (typically TCP
5420) to call back for import.
3. The Select Reader function in the Reader Maintainer software sends a Service Location
Protocol (SLP) broadcast to the local subnet. The Ethernet reader acts as a passive SLP
service agent (speaking only when spoken to), replying to the broadcast to identify itself.
Note: SLP cannot bridge subnets without specific IT support in place, so readers
should be on the same subnet as the computer running the Reader Maintainer to ensure
they appear in the Select Reader dialog.

Communication
When configured by a Copitrak, Equitrac, Output Manager, or SafeCom system, the Kofax
Ethernet Card Reader is programmed with a server IP and TCP port (typically 5420) used for
communication.
In normal operation the reader contacts the server to report events, rather than a server
maintaining connections to every reader. Reported events are:
•reader power up
•link change (network cabling change or printer sleep/wakeup)
•IP detection (the reader has determined the IP address of the device on its Printer port)
•UDP discovery (a ‘magic’ UDP packet was sent to the device on the Printer port)
•card presentation (a card was detected and successfully read)
•session key expired (authentication must take place to re-establish encryption)
•reset (the reader was commanded to reset by its host system)
The server responds by sending the appropriate commands to handle the event (request card
data, flash the LED, and so on) then closes the connection. Readers also close connections
themselves after 60 seconds without a command.
Important: Ethernet readers support only one connection at a time. This is enough for normal
operation but may cause problems when a reader is moved to another system: As the reader
attempts to connect to its old server(s) to report a power up or link change event while the new
system is attempting discovery, that discovery will fail.
Best practice is to always Factory Reset an Ethernet reader on the old system before moving it
to a new one.
High availability
High availability systems configure Ethernet readers with both primary and secondary server IP
and port settings.
On the first event following a reboot or power cycle, the reader attempts to connect to the
primary server. If that fails, then the secondary server is contacted. Two attempts are made to
each server (four in total, alternating servers) before the reader displays Host Connect Failed (3
red blinks) on its LED. Alternating attempts to connect to each server continue until
reconnection is achieved.
Note: To provide the fastest response to new events, the reader always connects to the last
server with which it communicated successfully, regardless of the server’s primary or secondary
designation in the reader configuration.
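
The traffic pattern described under Discovery, Communication, and High availability can be checked against flow logs. The Python below is an added example, not Kofax code: the addresses, the CSV flow format, and the finding names are constructed assumptions, and only ports 2939 and 5420 come from this guide.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# From the guide: readers listen on TCP 2939, and the discovery 'magic' packet
# is sent to UDP 2939 of the printer behind the reader.
READER_PORT = 2939

# Site-specific assumptions for this example (constructed values).
DEVICE_NET = ip_network("10.20.30.0/24")              # VLAN holding readers and printers
READERS = {"10.20.30.41", "10.20.30.42"}              # reader IPs taken from DHCP leases
SERVERS = {("10.1.1.10", 5420), ("10.1.1.11", 5420)}  # primary/secondary server (5420 is "typical")
SERVER_IPS = {ip for ip, _ in SERVERS}
ADMIN_HOSTS = {"10.1.1.50"}                           # PC running the Reader Maintainer

# Constructed flow records; each row is the initiating side of one connection.
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport
2020-09-23T09:00:01,tcp,10.20.30.41,49152,10.1.1.10,5420
2020-09-23T09:00:07,tcp,10.1.1.10,50111,10.20.30.41,2939
2020-09-23T09:02:30,tcp,10.1.1.50,50200,10.20.30.42,2939
2020-09-23T09:05:12,tcp,10.9.9.77,40100,10.20.30.41,2939
2020-09-23T09:05:40,udp,10.9.9.77,40101,10.20.30.90,2939
2020-09-23T09:05:41,tcp,10.20.30.42,49153,10.9.9.77,5420
2020-09-23T09:06:00,udp,10.1.1.11,50300,10.20.30.90,2939
2020-09-23T09:07:00,tcp,10.20.30.41,49154,10.1.1.11,5420
2020-09-23T09:08:00,tcp,10.20.30.42,49155,10.1.1.10,8443
"""


def classify(flow):
    """Return a finding name for one flow record, or None if it fits the documented pattern."""
    proto, src, dst = flow["proto"].lower(), flow["src"], flow["dst"]
    dport = int(flow["dport"])
    to_devices = ip_address(dst) in DEVICE_NET

    if to_devices and dport == READER_PORT:
        # Only the configured servers and the maintenance PC should open TCP 2939.
        if proto == "tcp" and src not in SERVER_IPS | ADMIN_HOSTS:
            return "tcp-2939-from-unapproved-host"
        # An unconfigured reader calls back to the server named in the discovery
        # packet, so the packet itself should only come from a configured server.
        if proto == "udp" and src not in SERVER_IPS:
            return "udp-discovery-from-unapproved-host"
    # Readers initiate TCP only towards their configured server IP and port.
    if proto == "tcp" and src in READERS and (dst, dport) not in SERVERS:
        return "reader-connects-to-unapproved-server"
    return None


def audit(flows_csv):
    """Return (timestamp, finding, src, dst, dport) tuples for flows that need review."""
    findings = []
    for flow in csv.DictReader(io.StringIO(flows_csv)):
        try:
            finding = classify(flow)
        except (ValueError, KeyError, TypeError, AttributeError):
            finding = "malformed-record"  # bad address, bad port, or missing column
        if finding:
            findings.append((flow.get("ts"), finding, flow.get("src"),
                             flow.get("dst"), flow.get("dport")))
    return findings


if __name__ == "__main__":
    for item in audit(SAMPLE_FLOWS):
        print(*item)
```

Because reader IP addresses can change under DHCP, the READERS set should be rebuilt from current leases (keyed on the MAC address printed on each reader label) before each run.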

Encryption
All configuration and data access commands sent to a Kofax Ethernet Card Reader must use
an encrypted connection. A Public Key Infrastructure (PKI) system with certificate-based
mutual authentication establishes a unique session key to encrypt the connection.
Factory certificates are used during the initial configuration of a reader. Every Copitrak,
Equitrac, Output Manager, and SafeCom installation has its own system-specific root certificate.
When adding an Ethernet reader to the system, the reader creates a unique private certificate
signed by the root, locking the reader to prevent access by all other systems and tools.
It takes 20 seconds to authenticate with a reader and establish the session key, so the key is
cached by both reader and server for fast reconnection in response to events. During
authentication, the server sets a timeout for the reader to expire the session key at 2:00 a.m.
local time, applying random variations to prevent all readers from re-authenticating at once.
Readers store their session key in volatile memory only, so when powered up or reset a reader
contacts its configured server to reauthenticate and establish a new key.
Note: The Transport Layer Security (TLS) protocol typically used to encrypt TCP
connections works on the same principles, but TLS supports multiple certificate schemes,
authentication methods, and encryption algorithms, with high processor and storage overheads
unsuitable for the Ethernet reader’s embedded CPU. Instead, the reader uses a proprietary
protocol based on established public algorithms: X.509 certificates (PKIX) are authenticated by
the Elliptic Curve Digital Signature Algorithm (ECDSA), with Elliptic Curve Diffie-Hellman
(ECDH) establishing an Advanced Encryption Standard (AES) session key.
All Kofax systems use the OpenSSL library for Ethernet reader authentication and encryption.
Factory Reset
An Ethernet reader must be Factory Reset before moving it to a new system. This process:
•erases all network settings
•unlocks the reader by erasing the system-specific private certificate
•restores the reader settings and configuration to the originals written at the factory
Note: The firmware on a reader is unaffected by a Factory Reset: A reader with upgraded
firmware remains upgraded after performing the reset.
The Factory Reset command must be sent to an Ethernet reader by the system which locked it,
or by placing the reader in Maintenance Mode when the locking system’s root certificate is lost
or inaccessible. The reader’s cabling must be physically reconfigured to place it into
Maintenance Mode; refer to the section “Connecting in Maintenance Mode”.

Usage
Presenting cards
Cards should be placed and held within approximately 1/4 inch (6 mm) of the Kofax Ethernet
Card Reader until a successful read is indicated by the LED or beeper.
Moving or ‘swiping’ the card across the reader like a traditional magnetic stripe card can disrupt
the RFID link and should be avoided.
Beeper
An Ethernet reader which has successfully authenticated and established a session key with its
host system beeps each time a card is read. The beeper is disabled by configuring the reader in
Silent mode, but its volume is not adjustable. Refer to the section “Setting the operating mode”
for details.
Note: The beeper always sounds when an Ethernet reader is powered up or reset, to draw
attention to any tampering.

LED indicator
The LED in the Kofax Ethernet Card Reader is active whenever the reader has power. Offline
indications are displayed automatically by the reader itself, while Online indications are
commanded by its host system.
Offline indications
An Ethernet reader is Offline when communications with its host system have failed or the
reader has yet to be configured. Offline status is communicated with brief flashes (blinks) of the
LED, followed by 2 seconds with the LED off before the blinks repeat:
| Indication | Status | Description |
|---|---|---|
| 1 green blink | Network linked | The Network port has an Ethernet link, but the reader has not yet obtained an IP address. |
| 2 green blinks | Searching for host | The reader has a valid IP address and is either attempting to contact its server(s) or is not yet configured. |
| 1 red blink | No links | Cables are disconnected at one end or the other, or the reader is configured with rate and duplex settings incompatible with the local network. |
| 2 red blinks | UDP connect failed | The reader could not connect to the server indicated in the ‘magic’ UDP packet sent to the printer. |
| 3 red blinks | Host connect failed | The reader is unable to contact its configured server. |
| 4 red blinks | IP address conflict | Another device on the network is using the IP address assigned to the reader. |
| Red blink, green blink | Maintenance mode | There is a link on the Printer port only. If this is unintentional then either the local network is down, or the reader is configured with incompatible Network rate and duplex settings. |

Online indications
Once a configured Ethernet reader has successfully contacted its host system, the system
commands the LED to one of the following indications:
| Indication | Status | Description |
|---|---|---|
| Solid red | Idle | No user logged in, waiting for card presentation |
| Slow flashing red | Not ready | A system problem has occurred (misconfiguration, no printer association, and so on) |
| Solid green | Session active | A user is logged in to perform tasks |
| Slow flashing green | Authenticating card | The system is looking up the user |
| Fast flashing red | Unknown user | The presented card did not match a known user |
| Fast flashing green | No print jobs | The user has no print jobs queued for release |
| Alternating red/green | Insufficient funds | The user account balance is too low to release the job |
Note: Some systems use only a subset of these indications; consult the appropriate Kofax
product documentation for details.

Maintenance and configuration
Kofax Ethernet Card Readers are configurable to:
•select DHCP addressing or assign a static IP
•set a fixed network speed and duplex combination
•select an operating mode compatible with the target use case
•restrict operation to certain card technologies
•adapt the reader to specific customer card system requirements
•update the firmware to support new card types or features
Readers are configured with the Reader Maintainer software, available at delivery.kofax.com.
Note: Equitrac System Manager, Output Manager Console, and the Copitrak Ethernet Reader
Controller Service can factory reset, configure, or update the firmware on a fleet of Ethernet
readers in a single operation. This is more efficient than updating individual readers one at a
time with the Reader Maintainer. Consult appropriate Kofax product documentation for details.

Factory resetting in Maintenance Mode
The Reader Maintainer (RM) software is used to Factory Reset a locked Ethernet reader:
1. Launch the RM software and click Select Reader.
2. Connect the Ethernet reader to its power supply, then connect its Printer port directly to
the computer running the RM. This puts the reader in Maintenance Mode, giving it an
Auto IP address. A computer set for DHCP establishes an Auto IP of its own after a
2-minute timeout period, after which the reader is visible to it.
Tip: Assign the computer a static IP of 169.254.1.1 with subnet mask 255.255.0.0 before
connecting the reader to eliminate the timeout.
3. Click the reader serial number when it appears in the list, then click Select.
4. Click Factory Reset, then Yes at the confirmation prompt.
5. When informed that the reader will reboot following reset, click OK.
6. If the RM has newer firmware or configurations than those found in the reader after the
reset, then you are prompted to upgrade. If you click Yes, a progress dialog appears:
The RM reauthenticates with the reader at least once during this process, taking about
20 seconds each time.
7. Click Close to return to the RM’s main window.

Configuring network settings
Some networks require pre-configuration of the Ethernet reader with a Static IP or fixed port
speed and duplex prior to connection.
The Reader Maintainer (RM) software is used to pre-configure the network settings:
1. Launch the RM software and click Select Reader.
2. Connect the Ethernet reader to its power supply, then connect its Printer port directly to
the computer running the RM. This puts the reader in Maintenance Mode, giving it an
Auto IP address. A computer set for DHCP establishes an Auto IP of its own after a
2-minute timeout period, after which the reader is visible to it.
Tip: Assign the computer a static IP of 169.254.1.1 with subnet mask 255.255.0.0 before
connecting the reader to eliminate the timeout.
3. Click the reader serial number when it appears in the list, then click Select.
4. Click Configure Network Settings. The RM takes about 20 seconds to authenticate with
the reader and establish an encrypted connection.
5. Select the desired settings, completing all four fields if assigning a Static IP:
Note: Readers must have hotfix firmware 1096 2.30.05 or higher to enable configuration
of the Printer port.
6. Click Update Reader, then Yes when prompted to proceed.
7. When the reboot prompt appears, click OK.
8. The RM reauthenticates with the reader, then focus returns to the main window.
9. If configuring multiple readers, repeat from step 2 for each additional reader.
Note: The RM remembers the last settings used, with the Static IP incremented by 1 after each
successful Update Reader operation.

Setting the operating mode
The Kofax Ethernet Card Reader ships from the factory with the beeper enabled and data
output in decimal format (octal for HID Prox cards). For compatibility with older USB readers in a
mixed fleet, however, the reader can be set to an alternate mode.
The Reader Maintainer (RM) software configures the operating mode:
1. Launch the RM software and click Select Reader.
2. Connect the reader to the same network subnet as the computer running the RM.
3. Click the reader serial number when it appears in the list, then click Select.
4. Click Customize Reader. The RM takes about 20 seconds to authenticate with the
reader and establish an encrypted connection.
5. Select the desired Mode:
| Mode | Beeper | Output Format |
|---|---|---|
| Default | Enabled | Decimal, octal for HID Prox cards |
| Silent | Disabled | Decimal, octal for HID Prox cards |
| MX Compatible | Enabled | Compatible with Kofax MX card readers for SafeCom |
Note: Silent mode is compatible with the Copitrak ID and Equitrac ID card readers.
6. Click Update Reader, then Yes, and wait for the progress bar to complete. The RM
reauthenticates with the reader at least once during this process.
7. Close the dialog and use the Read Card Number function to test the reader.
Note: The Customize Reader dialog always opens to the last mode selected.
The Reader Maintainer is distributed with Reader Settings .bec files corresponding to the Mode
selections in the Customize Reader dialog. Equitrac System Manager, Output Manager
Console, and the Copitrak Ethernet Reader Controller Service can centrally push a .bec file to
all Ethernet readers in a fleet for significant time and labor savings. A Reader Settings .bec push
must be followed by a Stock Solution .bec push to restore card reading functionality. Consult the
appropriate product documentation for details.