Access: IP Readers vs. Control Panels

Published Jun 16, 2012 04:00 AM

Should you continue to use traditional centralized, panel-based access control, or does it make sense to use IP readers? Let's review the two key options:

  • Control panels: Traditional access control systems have used control panels, typically controlling two, four, eight, or more doors each. In these configurations, door devices are typically home-run to centrally located panels, though in larger facilities, panels may be distributed throughout. The panels, in turn, typically connect to the access control server via IP, though older or low-end systems may still use serial data connections.
  • IP readers: In the second, more recent approach, intelligence is moved to the door, with small (1-2 door) control panels located throughout a facility. While some readers now accept a direct IP connection, many deployments move the controller to the edge, connecting it to a traditional reader very close by. To that end, 'IP reader' is a misnomer, but it expresses the intent of this shift.

The traditional approach of larger control panels has caused some problems:

  • Often, customers were forced to install four-door control panels to control one or two doors, which drove cost for these small systems up drastically.
  • Adding a door here or there, out of reach of the existing panel or panels, required a new multi-door panel to be installed.
  • IT staff is less comfortable with traditional security wiring. As security systems have become more IP-based, they have fallen more and more under control of network engineers and RCDDs. IP readers allow these designers to follow more familiar cabling topologies, making them more attractive.

While the traditional panel approach has issues, moving to IP readers has raised concerns of its own, including sufficient power, manufacturer support, economics and scalability.

For background, we recommend you review "HID makes the case for the edge" to see how manufacturers pitch the idea of IP to skeptics.

Recommendations

Determining use of edge controllers vs. traditional panels depends on 3 fundamental questions:

  • Does your access control management system support it?
  • Will your locks support it?
  • What is the scale/reader density of the system?

The first issue is the simplest: Does the access management system in use or planned support these types of readers? While edge controllers have become much more common in the past couple of years (especially PoE varieties), a number of systems still lack support, or support only RS-485 connected versions. 

The second important consideration when selecting IP controllers is whether PoE will provide enough current to power the needed locks. Be sure to check the locking hardware specs for inrush and constant current, to make sure the controller output will be sufficient. Almost all electric latch retraction devices or high holding strength maglocks will require more power than PoE-powered controllers will provide, so in these cases a separate power supply must be provided, either centralized with network equipment or local to the door.

Regarding system size, there is no hard and fast rule as to where edge controllers are appropriate, but we recommend the following:

  • In very small systems (1-4 doors): Pushing controllers to the edge makes a lot of sense. Cabling and installation expenses are much smaller, and installing a single door doesn't require the purchase of a four-door panel, with three wasted ports. However, using single-door controllers without an access control system to manage all of them may become tedious if frequent changes are made, as each controller must be maintained individually. For a couple of doors in a small facility, this most likely will not be much of a timesink.
  • In medium-sized systems (4-32 doors): Edge controllers also make a lot of sense in systems of this size, as they're not so big that maintaining hundreds of doors attached to single-door controllers across a facility or campus becomes cumbersome. Adding this number of doors to a network is normally not much of an issue, either, as it incurs little added management, and even lack of PoE switches can be overcome for relatively little cost.
  • In large-scale systems: Most likely it will be easier to manage multiple-door control panels as opposed to single-door controllers. Maintaining a network to support only the access controllers will add substantial cost. However, selecting access management software that supports edge controllers will allow single doors to be added to new locations later at a much lower and more predictable cost.

Basics of Using Edge Controllers

While there are some variances between manufacturers of edge controllers, there are some common capabilities most share:

  • Power-over-Ethernet: One of the factors driving reduced costs of edge controllers is power-over-ethernet capability. This allows for the controller to be located near the door, reducing the cable that was traditionally run from a centralized control panel. It also simplifies power requirements, since no additional power supplies need to be installed for door control. PoE may not be a good choice for every door, however, which we’ll discuss later.
  • Simplified Cabling: Placing the controller at the edge requires less multi-pair cable to be run. Typical panel-based systems require substantial cabling, typically a 6-conductor for the reader, two conductor for the door position switch, four conductor for the request-to-exit device, and two or four conductors for the lock. These cables are either run separately, or via a composite cable which puts all four required cables in the same jacket. The composite cable saves some labor in cable pulling, but either method is expensive.
  • Local decision making: Edge controllers push access decision making to the door. Each controller holds the access database and processes events locally at the door(s) it controls. This removes multi-door controllers as a single point of failure in the system. If one controller should go down, only that controller is lost, not two, or four, or more doors.

Cost Comparisons

The prices below are based on online pricing, assuming typical building construction: 9’ drop ceiling with drywall walls. Prices are based on doors 300’ away from the IDF, using the HID Edge Solo line, and an average cost of multiple manufacturers’ four-door control panels. We chose 300’ for two reasons: 1. It is the maximum cable length when using edge controllers, so it is the worst case, and 2. With Wiegand runs typically being limited to 500’, we felt it was a good middle ground.

 

                        Four-door panel    Edge controller
Controller              $1500              $250
Cable                   $250               $70
Power Supply            $90                N/A
Labor                   $1200              $1200
Total                   $3040              $1520
Total for four doors    $7300              $6080

On the surface, a substantial savings. Keep in mind, however, that the edge price assumes existing PoE switches are in place, and no external power is needed. When PoE switches must be supplied, the cost increases.

Assuming a Cisco 300 series switch, which we would recommend as the lowest-tier model that should be used in this scenario, add nearly $300 more. Some IT departments may demand a higher class of switch, which may easily add a few hundred dollars more. These additions may reduce or eliminate cost savings.

Another cost which may vary widely is that of the access management software. Most access control panels do not have built-in webservers and on-board management; the Honeywell NetAXS line and the HID Edge are two common exceptions. Having to add software, which is typically not free, and a PC to this mix would add further cost.

Should I use PoE?

While PoE is an important benefit for edge controller systems, using it depends on two key items:

  • Power output requirements: While it varies greatly by manufacturer and type of locking hardware, we would estimate that 40-50% or more of the locks on the market are unsuitable for use with edge controllers. In a brief search of five manufacturers’ electromagnetic locks and electric door strikes we saw many that required more power than most edge controllers will supply (>500-600mA). Generally speaking, most normal or light-duty electric strikes and low-holding-force mag locks (300 lbs. or below) will be okay with many edge controllers. Heavier-duty locks and electrified panic hardware are almost guaranteed to draw too much power. From a brand standpoint, our experience has pointed us to the Assa Abloy brands (HES, Securitron) when using PoE-powered controllers, as even most of their heaviest-duty locks fall under the typical limit of what a PoE controller can output. The Ingersoll-Rand brands (Von Duprin, Locknetics, etc.) seem to be more power hungry and less likely to work. Also, while card readers should not need more power than the controller will output, biometric readers such as hand geometry and iris readers may.
  • Power failure handling: If the door is in the path of egress, it typically must unlock in case of power failure. However, doors equipped with panic hardware and using electric strikes may remain locked. In brief power outages, this is usually not a problem, as the switches powering the edge controller will typically be backed up. Even large UPSes typically do not run for more than 2-4 hours, however. In an extended power failure, once the UPS has failed and the controller has lost power, there will be no way to electronically open any doors from the card reader side. In these cases, keys must be used, or the door forced open. To combat this, it is recommended that critical doors be powered via a separate battery-backed power supply with as much run time as budget allows.
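The lock power and power-failure checks described above can be run per door at design time. The following is an added example, not code from the article or from any manufacturer: the `Door` fields, the sample doors and their currents are constructed, and the 500 mA limit is an assumption taken from the low end of the article's 500-600 mA range. It assesses a PoE-only design in which the controller's switch sits on a UPS.

```python
from dataclasses import dataclass

# Assumption: lock output limit of a PoE-powered edge controller, in mA. The
# article cites roughly 500-600 mA; use your controller's data-sheet value.
LOCK_OUTPUT_LIMIT_MA = 500

@dataclass(frozen=True)
class Door:
    name: str
    inrush_ma: int           # peak draw when the lock is energized
    holding_ma: int          # constant draw while energized
    fail_secure: bool        # True: stays locked when power is lost
    critical: bool = False   # must stay operable through a long outage

def assess(door, limit_ma=LOCK_OUTPUT_LIMIT_MA, ups_hours=2.0, outage_hours=0.0):
    """Return findings for one door; an empty list means PoE alone is enough."""
    findings = []
    worst = max(door.inrush_ma, door.holding_ma)
    if worst > limit_ma:
        findings.append(f"external supply: lock draws {worst} mA, limit {limit_ma} mA")
    if door.critical:
        findings.append("critical door: separate battery-backed supply")
    if outage_hours > ups_hours:
        # Once the UPS behind the PoE switch is empty, the controller is off.
        state = "locked (key or forced entry)" if door.fail_secure else "unlocked"
        findings.append(f"UPS exhausted after {ups_hours:g} h: reader dead, door {state}")
    return findings

# Constructed sample doors; the currents are illustrative, not vendor figures.
DOORS = [
    Door("office strike", inrush_ma=300, holding_ma=240, fail_secure=True),
    Door("lobby maglock", inrush_ma=750, holding_ma=750, fail_secure=False),
    Door("server room latch retraction", 2000, 500, fail_secure=True, critical=True),
]

def survey(outage_hours=0.0):
    """Assess every sample door for an outage of the given length."""
    return {d.name: assess(d, outage_hours=outage_hours) for d in DOORS}

if __name__ == "__main__":
    for name, findings in survey(outage_hours=6).items():
        print(name, "->", findings or ["PoE only is sufficient"])
```

Note that the fail-safe maglock ends an extended outage unlocked, which is a security exposure rather than an access problem.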

Mercury “The Myth of Access at the Edge”

In this section, we review the Mercury Security whitepaper “The Myth of Access at the Edge”. While not explicitly anti-edge access control, it does offer some arguments against it, including:

Network resources are readily available: In short, this addresses the common misconception that Ethernet networks are everywhere, with cables just waiting to be utilized for various applications. This myth is put forward by many industries -- IP surveillance being famous for it as well.

  • Mercury concerns: According to Mercury, there are four factors at play here: 1. Available network ports are not necessarily available where the door is located. 2. Not all switches support PoE. 3. Not all switches are guaranteed to be on the same VLAN. 4. The access controllers may present a risk to network security.
  • Our comments: We would agree that all of the above are valid concerns. Whether they are showstoppers must be taken on a case-by-case basis. True, network ports may not be available. However, access control cabling is almost guaranteed not to be available, and as evidenced in our cost comparisons above, is more expensive than running a single UTP to the door. Switches supporting PoE may be a problem. Depending on the lock hardware being used, however, it may be a problem, anyway, if PoE won’t supply the power required for the locking device. Running a second power cable and supplying a low voltage power supply, or providing a PoE midspan, are reasonable options that do add more cost. The VLAN issue is more difficult to solve. If networks are segmented for security reasons, getting an IT department to open holes in those segments is often extremely challenging. The impact of compromising an edge controller may be mitigated somewhat by proper VLANs, so that anyone plugging a computer into the cable it uses would be unable to see any devices other than what is on the access control VLAN.

Total cost of ownership: The short version of the myth is that reducing cabling and utilizing existing network infrastructure lead to much lower TCO than using traditional RS-485 connected controllers.

  • Mercury concerns: There are valid concerns over the ability of IT managers to manage an additional security network, whether VLAN or physical. Getting IT staff to prioritize a security LAN can be quite challenging (to which our experience can attest). Additionally, IT policies, such as requiring certain security measures to be in play on the entire network, forcing DHCP to be used, etc., may adversely affect security equipment performance (which we can also attest to).
  • Our comments: We agree. In many facilities, there is little advantage to running a new UTP cable to a door. Also consider that in some systems, Mercury-based systems are one example, a third option exists: utilizing RS-485-based single-door controllers. This reduces cabling, with wiring to all doors being in a loop configuration, instead of homerun.

Security and IT speak the same language: This myth speaks to differing expectations of IT and security managers.

  • Mercury concerns: Specifically, the whitepaper speaks to how “100% uptime” is interpreted. In the IT world, 99.9% uptime may be acceptable. In the security world, this equates to a full workday (8.75 hours) per year of downtime, which security staff would find unacceptable. It also speaks to the fact that IT may not grant access to network closets to security staff, so security staff may need to wait should a problem arise on the security network.
  • Our comments: The difference in uptime is a valid concern. Even if that workday per year were spread out, it would still equate to ten minutes of downtime every week. We believe security staff would indeed find that unacceptable. However, most network specs we see are aiming for four or five nines of uptime (99.99% or 99.999%), which reduces this drastically. Additionally, the impact of the network being down may vary. If each controller holds the cardholder database locally, and does not need to communicate to a central server or other controllers simply to grant access, the card readers will still function. If the system is being monitored in realtime, however, it will be a major concern, since guard staff will have no idea what is happening at their doors. Access to IT spaces is less of a problem. Waiting may occur, but we doubt it would be to an extreme level that would drastically impact system performance.
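The distinction drawn above, and under "Local decision making" earlier, between doors that keep working and monitoring that goes dark can be shown with a small model. This is an added example, not code from the article or any vendor: the `Host` and `EdgeController` classes, the card numbers and the three-event buffer are all assumptions made for illustration.

```python
from collections import deque

class Host:
    """Central access server: the only place guard staff can see events."""
    def __init__(self):
        self.online = True
        self.log = []

class EdgeController:
    """Single-door controller that decides locally and reports when it can."""
    def __init__(self, allowed_cards, buffer_size=3):
        self.allowed = set(allowed_cards)          # local cardholder database
        self.pending = deque(maxlen=buffer_size)   # events the host has not seen
        self.dropped = 0                           # events lost to a full buffer

    def badge(self, card, ts, host):
        granted = card in self.allowed             # no round trip to the host
        if len(self.pending) == self.pending.maxlen:
            self.dropped += 1                      # oldest event is overwritten
        self.pending.append((ts, card, "GRANT" if granted else "DENY"))
        self.flush(host)
        return granted

    def flush(self, host):
        while host.online and self.pending:
            host.log.append(self.pending.popleft())

def run_outage():
    host = Host()
    door = EdgeController({"1001", "1002"})        # constructed card numbers
    results = [door.badge("1001", 0, host)]        # network up: logged at once
    host.online = False                            # network outage begins
    for ts, card in enumerate(["1002", "9999", "1001", "1002", "9999"], start=1):
        results.append(door.badge(card, ts, host)) # door still decides correctly
    seen_during_outage = len(host.log)             # guards see nothing new
    host.online = True                             # network restored
    door.flush(host)
    return results, seen_during_outage, host.log, door.dropped

if __name__ == "__main__":
    results, seen, log, dropped = run_outage()
    print("decisions:", results)
    print("events visible during outage:", seen)
    print("host log after recovery:", log, "dropped:", dropped)
```

Every badge during the outage is decided correctly at the door, but the host sees none of them until the link returns, and the two oldest outage events never arrive because the modelled buffer holds only three.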

All-in-all, the Mercury whitepaper recommends knowing the limitations of the network and individual access control system before arbitrarily deciding upon edge-based controllers. They put forth separate networks, PoE+, encrypted communication between controllers and the host, and hybrid systems (consisting of some edge-based and some centralized as necessary), as potential considerations in system design. We’d agree that these may be intelligent recommendations.

Manufacturer Offerings

When discussing edge-based access control, there are two major manufacturers providing open platform solutions:

  • HID: HID provides the Edge and VertX solutions, which are both part of their OPIN API program, and utilized by over two-dozen different OEM partners. Both are available for use in host-based systems, and the Edge is available in the Solo version, a web-accessible single door standalone unit.
  • Mercury: Mercury also provides multiple edge-based products: The EP1501 is a multi-door controller with a single-door interface built into it. It is capable of controlling 16 doors through either the MR51e or MR50 single-door interfaces, or the MR52 two-door interface. The MR50 and MR52 door interfaces cable back to the EP1501 via RS-485. The MR51e is rather unique - an Ethernet-based “dumb” door interface with no processing on-board. It simply communicates with the EP1501 via Ethernet, where all access control decisions are made.

Additionally, proprietary options exist from most of the major manufacturers such as: GE (DirecDoor), Honeywell (NetAXS-123), Infinias (Intelli-M), S2 (MicroNode), and Software House (iStar Edge).