NFC Authentication: questions and answers

#1

SavaPage supports NFC Authentication with low-cost commodity NFC Card Readers. If you have questions or findings about NFC Cards or Readers, please let us know.

Getting started with SavaPage: questions and answers
#2

HID ProxCard II compatible Network Card Reader.

Savapage supports card reader authentication by building a Raspberry PI with a USB card reader. In this howto we are gonna be using the HID OMNIKEY® 5025CL which are fully compatible with HID 1326 ProxCard II 125 KHz.

HID OMNIKEY® 5025CL is native CCID compatible. You can access the list of CCID compatible devices from here. In this howto we will be working with 5025CL but you are welcome to try with any device from the previous link.

To build the release station you will need:
1 - Raspberry PI with Raspbian installed.
2 - HID OMNIKEY® 5025CL card reader
3 - SavaPage server with at least one proxy printer installed.
4 -This Network Card Reader configuration (IP, Port, Description, etc.) added to SavaPage server.

We are going to follow the prerequisites steps from (1) through (5) from the card reader service readme with some additional modifications. The file path is /opt/savapage/providers/nfc/linux-armv6/README on the SavaPage server.

(1) Use Raspbian as OS. (We have compiled and run savapage-nfc-reader binary file on x86_64 architecture and it works fine, the configuration from this howto can be adapted to CentOS or Ubuntu)

(2) Make sure the Pi has a static IP address. A how-to to for assigning a static address can be found at:

http://www.penguintutor.com/news/raspberrypi/linux-static

(3) Install dependent packages. (libacsccid1 package won’t be used since our tags are HID 1326 ProxCard II 125 KHz. We have not tested it on Raspbian but we tested it on CentOS and worked without the libacsccid1 CentOS package replacement)

$ sudo apt-get install libccid libacsccid1 pcscd 
$ sudo apt-get install libpcsclite-dev

(4) Disable pn533 and nfc drivers in Raspbian kernel. (We supposed these modules could be automatically loaded for HID OMNIKEY® 5025CL, so we disabled them as well). When an ACS Reader (ACR122U) plugs in, the Raspbian kernel(>3.5) will automatically load the pn533 driver. However, with the pn533 driver, pcscd will report a “Can’t claim interface” error. Therefore the pn533 and nfc driver should be disabled in the kernel. Edit the /etc/modprobe.d/blacklist.conf file like this:

$ sudo vi /etc/modprobe.d/blacklist.conf

… and make sure that the file contains the following 2 lines:

install nfc /bin/false
install pn533 /bin/false

(5) Reboot the Raspberry Pi

$ sudo reboot

Now, on the same readme file follow the steps from the Build section:

(1) Install git.

$ sudo apt-get install git

(2) Create directory to clone in.

$ cd
$ mkdir savapage-git

(3) Clone.

$ cd savapage-git
$ git clone https://gitlab.com/savapage/xmlrpcpp.git
$ git clone https://gitlab.com/savapage/savapage-nfc-reader.git

(4) Build.

$ cd xmlrpcpp
$ make
$ cd ..
$ cd savapage-nfc-reader
$ make

On the Install section is where we made mayor modifications:

(1) Create directory for the SavaPage files.

$ sudo mkdir /usr/local/bin/savapage

(2) Copy files from SavaPage Server.

$ sudo scp root@server:/opt/savapage/providers/nfc/linux-armv6/* /usr/local/bin/savapage/

(3) Copy binary from build target. We are renaming savapage-nfc-reader to card-reader since we are using HID 125 KHz.

$ cd ~/savapage-git/savapage-nfc-reader/target
$ sudo cp savapage-nfc-reader /usr/local/bin/savapage/card-reader

(4) Create card-reader.ini from savapage-nfc-reader.ini.template file and edit the settings.

$ cd /usr/local/bin/savapage
$ sudo cp savapage-nfc-reader.ini.template card-reader.ini
$ sudo vi card-reader.ini

Change the IP address and check the port of the SavaPage Server. You can change the default port of the network reader service as well. Sample sound files are present. You can use the sample script files for your own customization: e.g to communicate with PiGlow or PiFace Control & Display.

NOTE: Check that your firewall is open for the IP address and ports set in the .ini file.

(5) Install the service. (The original readme file describes how to install with SysV service, for our release station we are going to use Systemd service).

(5.1) Create the card reader service unit under /etc/systemd/system.

 $ sudo vi /etc/systemd/system/card-reader.service

And copy and paste the following lines into it:

[Unit]
Description=SavaPage card reader unit file 
After=network.target

[Service]
User=card-reader
### The WorkingDirectory directive allows card-reader to find card-reader.ini
WorkingDirectory=/usr/local/bin/savapage
#### If you want to switch this service to debug mode just add the --verbose param 
#### to next line
ExecStart=/usr/local/bin/savapage/card-reader
ExecReload=/bin/kill -HUP $MAINPID
#### Next line will restart the process if it’s not running
#### unless we stopped it with “systemctl stop card-reader.service”
Restart=always
KillMode=process

[Install]
WantedBy=multi-user.target

And save the changes.

(5.2) Create the card-reader user you mention in the service file and add it to group audio.

 $ sudo useradd -M -s /bin/false card-reader

The -M and -s switch are to restrict the user with no home directory and no shell.

 $ sudo usermod -aG audio card-reader

(5.3) Change primary user and group ownership to /usr/local/bin/savapage.

 $ sudo chown -R card-reader:nogroup /usr/local/bin/savapage

(5.4) Enable the card reader service to load at boot and start the service.

$ sudo systemctl enable card-reader.service && sudo systemctl start card-reader.service

(5.5) Check service status

$ sudo systemctl status card-reader.service
#3

@eabreu Thanks for sharing your findings! Great to get confirmed that SavaPage not only works with ACS readers like ACR122U but with CCID compatible NFC Readers in general.

Your Systemd card-reader.service alternative is a valuable bonus. I will add it to the original README file (with credits to you).