KNX · RFID · Access Control · 9 min read

KNX Access Control: RFID Readers, Door Controllers and Time Schedules

Native KNX RFID card readers from MDT and Gira, door controller logic, multi-door zone architecture, time-based access schedules, and audit logging — all wired from the KNX distribution panel.

KNX-native RFID readers — MDT and Gira

KNX RFID card readers are bus-powered devices that mount flush in a standard 55mm wall box. They send KNX telegrams directly on the bus when a card is presented — no separate access controller hardware required for basic door open logic.

MDT SCN-RFID55

MDT Technologies GmbH — Germany

  • • Form factor: 55mm square flush mount (Berker/Gira frame compatible)
  • • Card standards: MIFARE Classic, MIFARE DESFire, LEGIC, HID iCLASS
  • • LED ring indication: green flash = access granted, red = denied
  • • Outputs: binary (card present/absent) or card UID string via KNX
  • • Up to 200 card UIDs stored locally in ETS configuration
  • • DIN rail gateway version also available (SCN-RFID-DIN)
  • • Bus powered: 29V KNX bus (no separate power supply needed)

Gira Card Reader TS (Touch Switch)

Gira Giersiepen GmbH — Germany

  • • Integrated into Gira System 55 / E2 / Esprit frame series
  • • Card standard: MIFARE (13.56 MHz ISO/IEC 14443A)
  • • Combines capacitive touch pushbutton + RFID reader in one device
  • • Card UIDs managed via ETS application (up to 100 UIDs)
  • • KNX output: binary telegram per stored UID (each card → own GA)
  • • LED status indicators: red/green/yellow programmable
  • • Ideal for premium residential projects in Gira design language

Both readers are configured entirely in ETS — no external software required for basic operation. Card UIDs are entered as hex strings in the ETS parameter page, each linked to a KNX group address. When a matching card is presented, the reader sends a binary ON telegram to that group address, which is then linked to a door actuator relay or alarm zone.

How KNX RFID access works — telegram flow

The access event chain from card tap to door open involves KNX telegrams across three device types: the RFID reader, the logic/actuator, and the door strike relay output.

1. Card tap

Card presented to RFID reader. Reader checks UID against stored list. Matching UID: sends ON telegram to linked group address (e.g. GA 7/1/5 for card A1B2C3). Unknown card: sends telegram to "access denied" GA for alarm or logging.

2. KNX group address routing

The KNX bus routes the telegram to all subscribers of GA 7/1/5. This can include: door strike relay actuator, alarm disarm input, lighting scene actuator, visualization update.

3. Door strike relay

KNX binary output (MDT AKK-04UP, Gira 209900) with a configured auto-off timer (5 seconds) activates the relay output → door strike opens. After 5 seconds, relay releases → door relocks.

4. Simultaneous actions

The same GA 7/1/5 telegram can also disarm an Ajax alarm zone (via KNX-Ajax integration), switch hallway lighting to Welcome scene, and send a log entry to the KNX group monitor.

5. Feedback

The relay actuator sends a status telegram on its feedback GA → RFID reader LED goes green for 2 seconds, visualization panel shows "Front Door: Open".

DPT for card readers — binary vs UID string

KNX RFID readers use different data types depending on how the access decision is made — on-device (binary output) or centrally (UID string sent to logic engine).

DPTSizeValueUse case
DPT 1.0011 bit0 = no card / 1 = card acceptedBinary output per stored UID — simple door open trigger. Each card gets its own GA. Logic done in ETS/reader.
DPT 4.001 (ASCII)8 bit per charCard UID as ASCII string, e.g. "A1B2C3D4"Reader sends raw UID string to logic engine (IP router, HA, Weinzierl BAOS). Access decision made centrally.
DPT 16.001 (string)14 bytesUp to 14 ASCII charactersFull card UID string for 7-byte MIFARE UIDs. Used with Weinzierl KNX IO 581 BAOS for central access decision.
DPT 1.001 (denied)1 bit1 = unknown card presentedSeparate GA for rejected cards — triggers alarm, CCTV recording, or notification.

For most residential and small commercial installations, the binary DPT 1.001 output is sufficient — UIDs are stored in the reader via ETS and the access decision is made locally. Central UID management (string DPT) is used for large installations with many doors and users managed from a database.

Multi-door system — zone table and central logic

For buildings with multiple controlled doors (office floors, apartment common areas, parking), a central KNX logic engine manages zone-based access rules. The KNX IP router (Weinzierl KNX IP Router 751, MDT IP Router SCN-IP100.02) acts as the logic hub when combined with ETS logic functions.

Example zone table — office building, 3 doors

DoorReader GA (in)Relay GA (out)Authorized cardsTime restriction
Main entrance7/0/17/1/1All staff + managementMon–Fri 07:00–20:00
Server room7/0/27/1/2IT staff only (3 cards)24/7
Management floor7/0/37/1/3Management + directorMon–Fri 08:00–19:00

Each door has its own RFID reader group address (input) and relay output group address. The ETS application links these with time function logic blocks. Readers at different doors can share a card UID — the same card works at all authorized doors — or have completely separate card lists per door.

Time schedules — working hours and weekend lock

KNX time functions (available in ETS as logic function blocks, or via Weinzierl BAOS/Gira X1 timer schedules) enable automatic access control based on time of day and day of week.

Weekday open hours

Main entrance door relay held OPEN (continuous ON telegram) during 08:00–18:00, Mon–Fri. Anyone can enter without card during this window. Outside hours: card required.

Weekend lockdown

Saturday/Sunday: all doors require card access at all times. Time schedule sends LOCKED telegram at 00:00 Saturday, UNLOCK-by-card-only mode re-enabled.

Holiday schedule

ETS or Gira X1 special day list: public holidays treated as weekend (card access only). List updated annually in ETS re-download or via Gira X1 web interface.

Night lockdown

20:00–06:00: even valid card access requires PIN code entry (if reader supports PIN+card dual authentication, e.g. MDT SCN-RFID55 keypad version).

Logic example — card UID + time-based access

The following logic block example shows how a KNX logic engine (ETS logic function or Weinzierl BAOS scripting) implements time-limited access for a specific card UID.

KNX access logic — card UID + time + door open pulse

// ETS Logic Function Block — pseudocode representation
// (implemented as AND logic with time comparator in ETS)

INPUT:
  card_uid_signal   = GA 7/0/1  (binary, DPT 1.001)
                      -- triggered by MDT SCN-RFID55 for card A1B2C3

  time_condition    = GA 8/0/1  (binary, from KNX time schedule)
                      -- ON between 08:00–18:00 Mon–Fri
                      -- OFF outside working hours

LOGIC:
  IF card_uid_signal == TRUE          // card A1B2C3 presented
  AND time_condition == TRUE          // within working hours
  THEN:
    SEND GA 7/1/1 = TRUE             // door strike relay ON
    DELAY 5000 ms
    SEND GA 7/1/1 = FALSE            // door strike relay OFF (relock)
    SEND GA 9/0/1 = TRUE             // access log telegram

  ELSE IF card_uid_signal == TRUE     // card presented but outside hours
  AND time_condition == FALSE
  THEN:
    SEND GA 9/0/2 = TRUE             // access denied log telegram
    SEND GA 7/2/1 = TRUE             // LED: red flash (denied)

// Note: ETS logic blocks implement this as:
// AND gate → card GA + time GA → output → auto-off timer → relay GA

In ETS, this logic is implemented using the Logic Function block from the ETS App store (Thinka, Gira, or manufacturer-specific). The AND gate receives the card telegram and the time schedule output, with the result driving the relay group address. A timer function block handles the 5-second pulse width automatically.

Audit logging — KNX group monitor to InfluxDB

KNX group monitor traffic can be captured and stored for security audit purposes. A Raspberry Pi running Calimero (Java KNX library) or knxd + Python captures all telegrams on the KNX bus and writes access events to InfluxDB.

Python — KNX group monitor to InfluxDB access log

import asyncio
from xknx import XKNX
from xknx.io import ConnectionConfig, ConnectionType
from influxdb_client import InfluxDBClient, WriteOptions

ACCESS_GAS = {
    "7/0/1": "Main Entrance",
    "7/0/2": "Server Room",
    "7/0/3": "Management Floor",
    "9/0/2": "ACCESS DENIED",
}

influx = InfluxDBClient(
    url="http://localhost:8086",
    token="your_token",
    org="panelcraft"
)
write_api = influx.write_api(write_options=WriteOptions(batch_size=1))

async def telegram_received(telegram):
    ga = str(telegram.destination_address)
    if ga in ACCESS_GAS:
        door_name = ACCESS_GAS[ga]
        point = {
            "measurement": "access_events",
            "tags": {"door": door_name, "ga": ga},
            "fields": {"value": int(telegram.payload.value)},
        }
        write_api.write(bucket="access_log", record=point)
        print(f"{door_name}: access event at {telegram.date_time}")

async def main():
    xknx = XKNX(connection_config=ConnectionConfig(
        connection_type=ConnectionType.TUNNELING,
        gateway_ip="192.168.1.10",
    ))
    xknx.telegram_queue.register_telegram_received_cb(telegram_received)
    await xknx.start()
    await asyncio.sleep(float("inf"))

asyncio.run(main())

This creates a permanent access log in InfluxDB queryable via Grafana. A dashboard showing door access events per day, per card, and per time of day provides both security oversight and operational insight (e.g. detecting after-hours access attempts). Retention policy can be set to 365 days for compliance.

Comparison — KNX RFID vs 2N video intercom vs Nuki smart lock

CriterionKNX native RFID2N video intercomNuki smart lock
Cost per door€150–250€350–900€250–350 + Bridge
Security levelHigh — encrypted MIFARE DESFireHigh — camera + RFID + FR optionMedium — Bluetooth, no camera
Audit logKNX group monitor → external loggerBuilt-in 2N Access Commander logNuki app log + HA InfluxDB
Visitor managementNone — card holders onlyFull — video call, face recognitionLimited — guest codes via app
KNX integrationNative — ETS, no gatewayVia KNX module or REST API bridgeVia Home Assistant bridge
Offline resilienceFull — no server requiredFull — local SIP, no cloudFull — local Bridge API
Best forInterior doors, lift lobbies, officesBuilding entrance, gate, hotel lobbyApartment door, rental, retrofit

Panel wiring — door strike and magnetic lock power

All door-locking hardware power supplies and relay outputs must be wired from the distribution panel. This is where PanelCraft panels differ from site-assembled solutions — all door hardware outputs are pre-wired, labeled, and tested in the panel before delivery.

24V DC PSU for door strikes

Dedicated 24V DC DIN rail PSU (Meanwell DR-30-24 or similar), minimum 3A per PSU. Separate PSU per door zone group to isolate fault impact. Fused per output (2A slow-blow per strike).

KNX output module for door relay

MDT AKK-04UP or Gira 209900 — KNX binary output actuator with 16A relay contacts and configurable auto-off timer. Auto-off programmed in ETS to 5 seconds for door strike open pulse. Separate channel per door.

Back-EMF suppression for magnetic locks

Magnetic lock coils generate high-voltage spikes on relay release. Install 1N4007 diode in reverse-bias across maglock terminals (cathode to +24V, anode to GND). Without suppression, relay contact life reduced by 80%. Some relay actuators have built-in suppression — check datasheet.

Fire alarm interlock wiring

Magnetic locks (fail-safe) must be connected via fire alarm relay output — fire alarm panel cuts power to maglock bus on alarm activation. Use separate mains relay (24V coil, NC contacts) in fire alarm circuit, in series with maglock PSU positive line. Fail-secure electric strikes do not require fire alarm interlock.

Door open sensor input

Reed switch or magnetic door contact wired to KNX binary input (MDT SCN-UP4.01 or equivalent). Provides door-open status feedback to KNX — enables logic like: relay activated but door sensor shows closed after 10s → fault alarm.

Panel terminal layout — one door zone

Panel DIN rail — Door Zone 1 (Main Entrance)

[24V PSU] ──── F1 (2A) ──── [KNX relay OUT 1] ──── X1:1 (strike +)
                                  ↑ NO contact      X1:2 (strike –, GND)
[KNX IP Router]
[MDT AKK-04UP]                   D1 (1N4007)       ← across X1:1/X1:2

[KNX binary IN] ─────────────── X2:1 (door sensor A)
                                  X2:2 (door sensor B)

[RFID reader KNX bus] ────────── KNX TP bus terminals

Terminal labels:
X1 = Door strike / maglock power output (PROTECTED)
X2 = Door sensor reed switch input
X3 = KNX TP bus to RFID reader in wall box

Access control integration in your KNX panel

We pre-wire door controller outputs, RFID reader bus, and video intercom relay contacts into CE-certified panels ready for on-site connection.

Request a quote →
Loading...
Back to top