KNX Access Control: RFID Readers, Door Controllers and Time Schedules
Native KNX RFID card readers from MDT and Gira, door controller logic, multi-door zone architecture, time-based access schedules, and audit logging — all wired from the KNX distribution panel.
KNX-native RFID readers — MDT and Gira
KNX RFID card readers are bus-powered devices that mount flush in a standard 55mm wall box. They send KNX telegrams directly on the bus when a card is presented — no separate access controller hardware required for basic door open logic.
MDT SCN-RFID55
MDT Technologies GmbH — Germany
- • Form factor: 55mm square flush mount (Berker/Gira frame compatible)
- • Card standards: MIFARE Classic, MIFARE DESFire, LEGIC, HID iCLASS
- • LED ring indication: green flash = access granted, red = denied
- • Outputs: binary (card present/absent) or card UID string via KNX
- • Up to 200 card UIDs stored locally in ETS configuration
- • DIN rail gateway version also available (SCN-RFID-DIN)
- • Bus powered: 29V KNX bus (no separate power supply needed)
Gira Card Reader TS (Touch Switch)
Gira Giersiepen GmbH — Germany
- • Integrated into Gira System 55 / E2 / Esprit frame series
- • Card standard: MIFARE (13.56 MHz ISO/IEC 14443A)
- • Combines capacitive touch pushbutton + RFID reader in one device
- • Card UIDs managed via ETS application (up to 100 UIDs)
- • KNX output: binary telegram per stored UID (each card → own GA)
- • LED status indicators: red/green/yellow programmable
- • Ideal for premium residential projects in Gira design language
Both readers are configured entirely in ETS — no external software required for basic operation. Card UIDs are entered as hex strings in the ETS parameter page, each linked to a KNX group address. When a matching card is presented, the reader sends a binary ON telegram to that group address, which is then linked to a door actuator relay or alarm zone.
How KNX RFID access works — telegram flow
The access event chain from card tap to door open involves KNX telegrams across three device types: the RFID reader, the logic/actuator, and the door strike relay output.
Card presented to RFID reader. Reader checks UID against stored list. Matching UID: sends ON telegram to linked group address (e.g. GA 7/1/5 for card A1B2C3). Unknown card: sends telegram to "access denied" GA for alarm or logging.
The KNX bus routes the telegram to all subscribers of GA 7/1/5. This can include: door strike relay actuator, alarm disarm input, lighting scene actuator, visualization update.
KNX binary output (MDT AKK-04UP, Gira 209900) with a configured auto-off timer (5 seconds) activates the relay output → door strike opens. After 5 seconds, relay releases → door relocks.
The same GA 7/1/5 telegram can also disarm an Ajax alarm zone (via KNX-Ajax integration), switch hallway lighting to Welcome scene, and send a log entry to the KNX group monitor.
The relay actuator sends a status telegram on its feedback GA → RFID reader LED goes green for 2 seconds, visualization panel shows "Front Door: Open".
DPT for card readers — binary vs UID string
KNX RFID readers use different data types depending on how the access decision is made — on-device (binary output) or centrally (UID string sent to logic engine).
| DPT | Size | Value | Use case |
|---|---|---|---|
| DPT 1.001 | 1 bit | 0 = no card / 1 = card accepted | Binary output per stored UID — simple door open trigger. Each card gets its own GA. Logic done in ETS/reader. |
| DPT 4.001 (ASCII) | 8 bit per char | Card UID as ASCII string, e.g. "A1B2C3D4" | Reader sends raw UID string to logic engine (IP router, HA, Weinzierl BAOS). Access decision made centrally. |
| DPT 16.001 (string) | 14 bytes | Up to 14 ASCII characters | Full card UID string for 7-byte MIFARE UIDs. Used with Weinzierl KNX IO 581 BAOS for central access decision. |
| DPT 1.001 (denied) | 1 bit | 1 = unknown card presented | Separate GA for rejected cards — triggers alarm, CCTV recording, or notification. |
For most residential and small commercial installations, the binary DPT 1.001 output is sufficient — UIDs are stored in the reader via ETS and the access decision is made locally. Central UID management (string DPT) is used for large installations with many doors and users managed from a database.
Multi-door system — zone table and central logic
For buildings with multiple controlled doors (office floors, apartment common areas, parking), a central KNX logic engine manages zone-based access rules. The KNX IP router (Weinzierl KNX IP Router 751, MDT IP Router SCN-IP100.02) acts as the logic hub when combined with ETS logic functions.
Example zone table — office building, 3 doors
| Door | Reader GA (in) | Relay GA (out) | Authorized cards | Time restriction |
|---|---|---|---|---|
| Main entrance | 7/0/1 | 7/1/1 | All staff + management | Mon–Fri 07:00–20:00 |
| Server room | 7/0/2 | 7/1/2 | IT staff only (3 cards) | 24/7 |
| Management floor | 7/0/3 | 7/1/3 | Management + director | Mon–Fri 08:00–19:00 |
Each door has its own RFID reader group address (input) and relay output group address. The ETS application links these with time function logic blocks. Readers at different doors can share a card UID — the same card works at all authorized doors — or have completely separate card lists per door.
Time schedules — working hours and weekend lock
KNX time functions (available in ETS as logic function blocks, or via Weinzierl BAOS/Gira X1 timer schedules) enable automatic access control based on time of day and day of week.
Weekday open hours
Main entrance door relay held OPEN (continuous ON telegram) during 08:00–18:00, Mon–Fri. Anyone can enter without card during this window. Outside hours: card required.
Weekend lockdown
Saturday/Sunday: all doors require card access at all times. Time schedule sends LOCKED telegram at 00:00 Saturday, UNLOCK-by-card-only mode re-enabled.
Holiday schedule
ETS or Gira X1 special day list: public holidays treated as weekend (card access only). List updated annually in ETS re-download or via Gira X1 web interface.
Night lockdown
20:00–06:00: even valid card access requires PIN code entry (if reader supports PIN+card dual authentication, e.g. MDT SCN-RFID55 keypad version).
Logic example — card UID + time-based access
The following logic block example shows how a KNX logic engine (ETS logic function or Weinzierl BAOS scripting) implements time-limited access for a specific card UID.
KNX access logic — card UID + time + door open pulse
// ETS Logic Function Block — pseudocode representation
// (implemented as AND logic with time comparator in ETS)
INPUT:
card_uid_signal = GA 7/0/1 (binary, DPT 1.001)
-- triggered by MDT SCN-RFID55 for card A1B2C3
time_condition = GA 8/0/1 (binary, from KNX time schedule)
-- ON between 08:00–18:00 Mon–Fri
-- OFF outside working hours
LOGIC:
IF card_uid_signal == TRUE // card A1B2C3 presented
AND time_condition == TRUE // within working hours
THEN:
SEND GA 7/1/1 = TRUE // door strike relay ON
DELAY 5000 ms
SEND GA 7/1/1 = FALSE // door strike relay OFF (relock)
SEND GA 9/0/1 = TRUE // access log telegram
ELSE IF card_uid_signal == TRUE // card presented but outside hours
AND time_condition == FALSE
THEN:
SEND GA 9/0/2 = TRUE // access denied log telegram
SEND GA 7/2/1 = TRUE // LED: red flash (denied)
// Note: ETS logic blocks implement this as:
// AND gate → card GA + time GA → output → auto-off timer → relay GAIn ETS, this logic is implemented using the Logic Function block from the ETS App store (Thinka, Gira, or manufacturer-specific). The AND gate receives the card telegram and the time schedule output, with the result driving the relay group address. A timer function block handles the 5-second pulse width automatically.
Audit logging — KNX group monitor to InfluxDB
KNX group monitor traffic can be captured and stored for security audit purposes. A Raspberry Pi running Calimero (Java KNX library) or knxd + Python captures all telegrams on the KNX bus and writes access events to InfluxDB.
Python — KNX group monitor to InfluxDB access log
import asyncio
from xknx import XKNX
from xknx.io import ConnectionConfig, ConnectionType
from influxdb_client import InfluxDBClient, WriteOptions
ACCESS_GAS = {
"7/0/1": "Main Entrance",
"7/0/2": "Server Room",
"7/0/3": "Management Floor",
"9/0/2": "ACCESS DENIED",
}
influx = InfluxDBClient(
url="http://localhost:8086",
token="your_token",
org="panelcraft"
)
write_api = influx.write_api(write_options=WriteOptions(batch_size=1))
async def telegram_received(telegram):
ga = str(telegram.destination_address)
if ga in ACCESS_GAS:
door_name = ACCESS_GAS[ga]
point = {
"measurement": "access_events",
"tags": {"door": door_name, "ga": ga},
"fields": {"value": int(telegram.payload.value)},
}
write_api.write(bucket="access_log", record=point)
print(f"{door_name}: access event at {telegram.date_time}")
async def main():
xknx = XKNX(connection_config=ConnectionConfig(
connection_type=ConnectionType.TUNNELING,
gateway_ip="192.168.1.10",
))
xknx.telegram_queue.register_telegram_received_cb(telegram_received)
await xknx.start()
await asyncio.sleep(float("inf"))
asyncio.run(main())This creates a permanent access log in InfluxDB queryable via Grafana. A dashboard showing door access events per day, per card, and per time of day provides both security oversight and operational insight (e.g. detecting after-hours access attempts). Retention policy can be set to 365 days for compliance.
Comparison — KNX RFID vs 2N video intercom vs Nuki smart lock
| Criterion | KNX native RFID | 2N video intercom | Nuki smart lock |
|---|---|---|---|
| Cost per door | €150–250 | €350–900 | €250–350 + Bridge |
| Security level | High — encrypted MIFARE DESFire | High — camera + RFID + FR option | Medium — Bluetooth, no camera |
| Audit log | KNX group monitor → external logger | Built-in 2N Access Commander log | Nuki app log + HA InfluxDB |
| Visitor management | None — card holders only | Full — video call, face recognition | Limited — guest codes via app |
| KNX integration | Native — ETS, no gateway | Via KNX module or REST API bridge | Via Home Assistant bridge |
| Offline resilience | Full — no server required | Full — local SIP, no cloud | Full — local Bridge API |
| Best for | Interior doors, lift lobbies, offices | Building entrance, gate, hotel lobby | Apartment door, rental, retrofit |
Panel wiring — door strike and magnetic lock power
All door-locking hardware power supplies and relay outputs must be wired from the distribution panel. This is where PanelCraft panels differ from site-assembled solutions — all door hardware outputs are pre-wired, labeled, and tested in the panel before delivery.
24V DC PSU for door strikes
Dedicated 24V DC DIN rail PSU (Meanwell DR-30-24 or similar), minimum 3A per PSU. Separate PSU per door zone group to isolate fault impact. Fused per output (2A slow-blow per strike).
KNX output module for door relay
MDT AKK-04UP or Gira 209900 — KNX binary output actuator with 16A relay contacts and configurable auto-off timer. Auto-off programmed in ETS to 5 seconds for door strike open pulse. Separate channel per door.
Back-EMF suppression for magnetic locks
Magnetic lock coils generate high-voltage spikes on relay release. Install 1N4007 diode in reverse-bias across maglock terminals (cathode to +24V, anode to GND). Without suppression, relay contact life reduced by 80%. Some relay actuators have built-in suppression — check datasheet.
Fire alarm interlock wiring
Magnetic locks (fail-safe) must be connected via fire alarm relay output — fire alarm panel cuts power to maglock bus on alarm activation. Use separate mains relay (24V coil, NC contacts) in fire alarm circuit, in series with maglock PSU positive line. Fail-secure electric strikes do not require fire alarm interlock.
Door open sensor input
Reed switch or magnetic door contact wired to KNX binary input (MDT SCN-UP4.01 or equivalent). Provides door-open status feedback to KNX — enables logic like: relay activated but door sensor shows closed after 10s → fault alarm.
Panel terminal layout — one door zone
Panel DIN rail — Door Zone 1 (Main Entrance)
[24V PSU] ──── F1 (2A) ──── [KNX relay OUT 1] ──── X1:1 (strike +)
↑ NO contact X1:2 (strike –, GND)
[KNX IP Router]
[MDT AKK-04UP] D1 (1N4007) ← across X1:1/X1:2
[KNX binary IN] ─────────────── X2:1 (door sensor A)
X2:2 (door sensor B)
[RFID reader KNX bus] ────────── KNX TP bus terminals
Terminal labels:
X1 = Door strike / maglock power output (PROTECTED)
X2 = Door sensor reed switch input
X3 = KNX TP bus to RFID reader in wall boxAccess control integration in your KNX panel
We pre-wire door controller outputs, RFID reader bus, and video intercom relay contacts into CE-certified panels ready for on-site connection.
Request a quote →