Authentication methods
PaperCut MF offers several methods to authenticate copier users. The authentication methods supported by your copier are listed as options in the External Device Settings area of its Device Details page:
- Username and password, as specified in an external user directory source such as Active Directory or LDAP (except for internal users; see Internal users (users managed by PaperCut NG)).
- Identity number, see User card and ID numbers.
For two-factor authentication, you can require users to also enter a PIN. Users without a PIN are asked to enter a PIN the first time they log in at the copier (set ext-device.allow-new-pin-for-id-num to N to disable this; see Using the Config Editor).
You can also mask the identity number (like a password) as the user enters it on the copier. This is particularly useful when no PIN is required.
- Swipe card, see User card and ID numbers.
Enable network card reader - This requires a compatible serial or USB card reader connected to an Ethernet network adapter or switch.
You can configure your network card reader using any one of the following Connection Modes:
- Generic—This is the default mode and requires a valid and unique Hostname/IP of your network adapter (switch) and port. For more information on the ports used by different card readers, see Fast Release Card Reader Terminal Network Protocol.
- RF Ideas 241 (Client Mode)—Select this mode only if you are using a compatible RFIDeas Ethernet 241 device with a serial or USB card reader connected. This requires only a valid and unique Hostname/IP of your Ethernet 241 device.
Require PIN - For two-factor authentication, you can require users to enter a PIN after swiping a card. Users without a PIN are asked to enter a PIN the first time they log in at the copier.
Enable self-association with existing user accounts - Some copiers allow self-association, where the copier prompts for a username and password after a user swipes an unrecognized card, in order to associate the card to the user's account.
You can control whether or not a card swipe can also be used to log the user out of the copier.
Some copiers have an offline mode where they continue to operate while the Application Server is unavailable, see Offline mode below.
- Allow guest/anonymous access, allows any user to access the device at the press of a button. They are logged in under a specified guest user account and all copy, scan or fax jobs are tracked to this account.
All devices allow guest/anonymous access to be used when no authentication methods are selected. The following devices also allow guest/anonymous access whilst one or more authentication methods are also selected:
- Konica Minolta (i-Option)
- Sindoh (i-Option)
- Canon (MEAP)
- Sharp (OSA)
- HP (OSA)
- Toshiba eConnect
- Kyocera
On these devices, the label of the guest/anonymous access button is "Guest" by default, but may also be customized. For more information, refer to the individual device manuals for customization instructions. On all other devices, whilst in guest/anonymous mode, the button is always labeled “Start”.
Offline mode
Server or network downtime usually means that the PaperCut Application Server is unavailable and copiers cannot be used. Offline mode, if available, offers continued use of copiers without a server connection.
When the copier is working in offline mode, users can log in to the copier with a swipe card, and activity is logged against the card number. This activity is not restricted. When connection to the server is restored, the activity is logged against the user with that card number. If no user is found for the card number, the activity is logged against the username unknown (edit ext-device.unknown-offline-username to change this; see Using the Config Editor). A warning is displayed in the App.Log when this happens. If there is no account for the unknown user, one is created automatically.
It is important to note that in offline mode, the copier is not able to:
- authenticate users anonymously or via username, identity number or PIN
- associate swipe cards or PINs with users
- access shared accounts
- check account balances
- release print jobs
You can specify a delay between the time the copier first fails to contact the server and the copier going offline. This is useful to avoid switching to offline mode just for brief periods of server unavailability, e.g. a server reboot.
Carefully consider offline mode before it is enabled as it allows overrunning of account balances on restricted user accounts. You can configure offline mode based on the environment, including an option to set up an administrative unlock code. This allows offline mode to be set up in environments such as schools where administrative oversight is required before each activation of offline mode.
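The reconciliation and balance-overrun behavior described above can be modeled for review purposes; the following Python sketch is an added example, not PaperCut code, and does not use PaperCut's log format or API. The record layout, the `Account` type, costs in cents, and the assumption that the auto-created unknown account is unrestricted are all hypothetical; only the default username `unknown` comes from this page.

```python
from dataclasses import dataclass

UNKNOWN_USER = "unknown"  # page default for ext-device.unknown-offline-username


@dataclass
class Account:  # hypothetical model of a user account
    balance_cents: int
    restricted: bool


def reconcile(offline_jobs, card_owner, accounts, unknown=UNKNOWN_USER):
    """Attribute offline jobs, given as (card_number, cost_cents), to users.

    Returns (unmatched_cards, overrun_users): cards that no user holds, and
    restricted users pushed below zero because offline use is not restricted.
    """
    unmatched, overrun = [], []
    for card, cost in offline_jobs:
        user = card_owner.get(card)
        if user is None:
            # No user for this card: attribute to the unknown user and
            # create that account if it does not exist yet (assumed unrestricted).
            user = unknown
            accounts.setdefault(unknown, Account(0, False))
            unmatched.append(card)  # the case that raises a warning
        acct = accounts[user]
        acct.balance_cents -= cost  # applied after the fact, no balance check
        if acct.restricted and acct.balance_cents < 0 and user not in overrun:
            overrun.append(user)
    return unmatched, overrun


def sample_run():
    # Constructed data: two known cards, one card nobody holds.
    card_owner = {"10442": "alice", "20871": "bob"}
    accounts = {"alice": Account(100, True), "bob": Account(500, False)}
    jobs = [("10442", 60), ("10442", 70), ("20871", 600), ("99999", 30)]
    unmatched, overrun = reconcile(jobs, card_owner, accounts)
    return unmatched, overrun, accounts


if __name__ == "__main__":
    unmatched, overrun, accounts = sample_run()
    print("cards with no user:", unmatched)
    print("restricted accounts overrun:", overrun)
    for name, acct in accounts.items():
        print(name, acct.balance_cents)
```

Both outputs are worth reviewing after an outage: unmatched cards mean usage that cannot be tied to a person, and overrun restricted accounts show the cost of having run without balance checks.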
Commercial environments
You can set up offline mode for commercial environments where the tracking of print usage to users, groups or departments is important and charging is not a factor. You can configure the copier to go into offline mode automatically when it fails to contact the Application Server.
Education organizations
For added security, you can require offline mode to be unlocked before users can log in to the copier with a swipe card. Unlocking offline mode involves entering the specified code at the copier and choosing to unlock the copier for a single use or until connection to the server is restored. This is specifically useful for education organizations where a supervisor or teacher can enter this code before users can use the copier in offline mode.