Kantech field-hardware guide

KT-1, KT-2, KT-4 and encrypted ioSmart door architecture

Choose current controller density and operating mode, then coordinate reader protocol, credential keys, lock power, input/output expansion, wireless openings and failure behavior for every door.

Kantech KT-4 four-door access controller

KT-4 is the current four-door product to evaluate first

Kantech’s current controller catalog now highlights KT-4 as the scalable four-door controller alongside KT-1, KT-2, KT-Standalone and KT-NCC Gen 2. KT-4 supports up to four doors and 100,000 users, PoE, onboard Wi-Fi, EntraPass integration and modular input/output expansion. This makes it the current starting point for a new four-door comparison.

KT-400 remains visible in EntraPass compatibility and installed-base documentation, and many existing sites may continue to operate it. Reuse can be valid when the exact hardware revision and firmware remain supported, but new designs should not substitute the older KT-400 automatically where current KT-4 is available.

Controller Current public product information Best-fit review
KT-1 One-door IP controller; supports entry and exit readers, PoE, embedded browser setup and optional EntraPass enrollment. Remote or edge door, small standalone opening or a distributed EntraPass design where one-door economics and local wiring make sense.
KT-2 Two-door controller with up to 100,000 users, PoE, Wi-Fi, auto-discovery, embedded browser operation and optional EntraPass integration. Small standalone site or two-door cluster; confirm reader topology, PoE budget, lock power, Wi-Fi policy and migration to centralized management.
KT-4 Current four-door controller with support for up to 100,000 users, PoE, onboard Wi-Fi, EntraPass integration and modular input/output expansion. New multi-door work where four-door density, modern connectivity and expansion align with the enclosure, power and network design.
KT-NCC Gen 2 Current network communication controller for centralized and distributed Kantech systems and supported secondary-controller arrangements. Large or distributed Global Edition architectures; verify supported topology, controller count, release, network design and failover behavior.
KT-400 / KT-300 / KT-200 / KT-100 Still represented in EntraPass compatibility documentation for installed systems, but not all appear in the current five-product controller portfolio. Inventory exact revision, firmware, interface boards and lifecycle before reuse. Do not treat retained compatibility as proof that an older model is the preferred new design.

Controller-to-opening connection diagram

Drawing requirement: show controller model and revision, network/PoE switch port, power supply and battery, reader protocol and address, credential technology, cable and distance, lock voltage/current, suppression, contact, REX, fire-alarm interface and every expansion module.

KT-1: one door with entry and exit readers

Kantech KT-1 single-door IP controller

KT-1 is a compact Ethernet-ready controller for one door and can support readers on both sides of the opening. Current product information highlights PoE, embedded web configuration, standalone operation and optional EntraPass integration. It is useful where the controller can be located near a remote or edge door.

PoE can simplify controller power, but it does not eliminate the lock-power design. The electric lock, magnetic lock or exit-device trim may need a separate listed power supply, standby battery, fire-alarm release and voltage-drop calculation. Confirm whether the selected PoE class powers only the controller and readers or other permitted loads.

One controlled opening

Use entry-only or entry/exit reader architecture as supported; document anti-passback and exit behavior if both sides use credentials.

Standalone browser

Basic local management can avoid a server, but the owner still needs secure accounts, backup, firmware records and a recovery plan.

EntraPass enrollment

Confirm server release, IP/VLAN, encryption, addressing, time and whether the controller is primary or secondary in the supported topology.

Mounting

Select single-gang or PCB/enclosure form, service access, tamper protection, cable entry, heat and environmental protection.

KT-2: two-door standalone or EntraPass controller

Kantech KT-2 two-door access controller

KT-2 is a two-door IP controller with a built-in web interface, PoE and Wi-Fi options, auto-discovery and optional EntraPass integration. Kantech publishes support for up to 100,000 users. The controller can be a practical small-site platform or part of a larger centrally administered system.

Door count alone does not settle the design. Confirm whether each opening has entry only or entry and exit readers, which reader protocol is used, how locks are powered and what the system must do when the network or EntraPass server is unavailable. For Wi-Fi, document signal quality, security policy, credentials, monitoring and recovery—not just coverage at installation.

Two-door topology

Schedule reader ports, contacts, exit inputs, lock relays and any shared functions for both openings.

100,000-user reference

Large local card capacity does not replace license, event, administrator, backup or enterprise-governance planning.

PoE and Wi-Fi

Verify switch power budget, UPS, VLAN, radio policy, signal, roaming/interference, credentials and fallback connectivity.

Migration

A standalone KT-2 can transition to EntraPass, but controller data, credentials, site ownership and cutover behavior need a written plan.

KT-4: current four-door expansion platform

Kantech KT-4 four-door controller

KT-4 expands the current platform to four doors with up to 100,000 users, wired Ethernet, onboard Wi-Fi, PoE support and native EntraPass operation. Supported input/output modules extend monitoring and control for elevators, alarm interfaces, sensors and other project-specific functions.

The four-door label does not include every project component. Create a terminal-level schedule for readers, contacts, REX, lock relays, auxiliary inputs and outputs, expansion modules, enclosure, power and batteries. For multi-controller sites, confirm supported polling relationships and the EntraPass release rather than assuming every KT model can be chained in any arrangement.

KT-4 design area Information to document
Doors and users Opening number/name, reader direction, access workflow, credential population, cardholder growth and offline requirements.
Connectivity Wired Ethernet or approved Wi-Fi, addressing, VLAN, certificates/encryption, PoE class, UPS, NTP/time and monitoring.
Reader protocol ioSmart, OSDP or permitted legacy interface; address, baud rate, secure-channel/encryption state, cable and termination.
Expansion KT-MOD input/output/relay model, quantity, SPI or RS-485 path, module address, point function, supervision and spare capacity.
Power Controller, reader, module and lock loads; supply listing, voltage drop, battery runtime, fire-alarm behavior and surge protection.
Acceptance Valid/denied use, schedules, anti-passback, alarms, operator commands, offline operation, event recovery and maintenance access.

KT-NCC Gen 2 and distributed systems

Kantech KT-NCC Gen 2 communication controller

KT-NCC Gen 2 is part of Kantech’s current controller portfolio for centralized connectivity in distributed systems. Current EntraPass release documentation includes KT-NCC Gen 2 and supported secondary IP controller polling arrangements for KT-1, KT-2, KT-4 and KT-400 revision 1 under defined conditions.

Use the exact current release and installation documentation to define controller count, primary/secondary roles, same-network requirements, IP mode, gateway type and integration limitations. A communication-controller design should also address network segmentation, event buffering, local autonomy, redundant paths and recovery testing.

Retained KT-400, KT-300, KT-200 and KT-100 hardware

EntraPass 9.00 compatibility information still identifies firmware references for KT-400 revisions, KT-300, KT-200 and KT-100. That is valuable for migration projects, but it should be interpreted as version-specific compatibility—not an unlimited lifecycle promise.

Identify the exact revision

Photograph labels and record part number, board revision, enclosure, power supply, firmware and communication interface.

Read the target matrix

Confirm the proposed EntraPass release lists that controller and the required conversion or operational firmware.

Assess field condition

Inspect batteries, corrosion, heat, grounding, surge protection, terminal damage, cable shield/ground practice and spare parts.

Map reader risk

Older controllers may retain Wiegand or legacy proximity credentials; document how reader and card security will migrate.

Plan a failure boundary

Avoid concentrating unsupported hardware behind a critical opening or site without spares, bypass procedure and replacement design.

Define retirement

Set objective triggers such as unsupported release, unavailable replacement, failed cybersecurity requirement or renovation phase.

ioSmart Gen 2, DESFire and OSDP

Kantech ioSmart smart card reader family

The current ioSmart family uses smart-card credentials and mutual authentication to reduce cloning risk. Public specifications identify MIFARE DESFire EV1/EV2, AES-128 protected reader-to-controller communication, OSDP support, tamper detection, indoor/outdoor reader designs and a published read range up to approximately two inches under stated conditions.

ioSmart product and EntraPass documentation distinguishes reader generations and firmware. The EntraPass 9.00 matrix lists separate ioSmart Gen 1 and Gen 2 firmware. Inventory the exact reader part number and generation before applying updates or enabling capabilities such as mobile access, OSDP or specific credential formats.

ioSmart item Published reference Project verification
Credential technology MIFARE DESFire EV1/EV2 smart credentials with mutual authentication. Card/application keys, encoder, card format, issuance, replacement, revocation and retained legacy credentials.
Reader communication OSDP support and AES-128 protected reader-to-controller communication in supported Kantech arrangements. Exact controller, reader generation, protocol, address, baud rate, secure/encrypted state, cable, termination and firmware.
Form factors Mullion and single-gang readers, including keypad and multi-technology variants. Mounting surface/backbox, metal, accessibility, PIN policy, vandal exposure and finish.
Environment Manufacturer presents indoor and outdoor models with LED status and tamper detection. Exact model rating, temperature, humidity, seal, sunlight, water path and surge/lightning exposure.
Read behavior Published smart-card read range up to about two inches under stated conditions. Commission every card type at the installed surface; do not promise laboratory range through metal or unknown card stock.
Mobile access Selected readers and services support smartphone-based credentialing. Reader generation, Bluetooth capability, licensing/service, app/device support, enrollment, revocation and user alternative.

Reader and credential choices

Kantech ioSmart multi-technology keypad reader

Keypad and multi-technology readers

Use keypad models for a defined card-plus-PIN policy and multi-technology only for a controlled migration period with a retirement plan.

Kantech ioSmart smart card credential

DESFire smart credentials

Protect card/application keys, encoding stations, formats, issuance records and replacements as part of the security system.

Kantech ioSmart mobile credential reader

Mobile credentials

Plan phone eligibility, enrollment, Bluetooth behavior, privacy, lost-device revocation, replacement and a no-phone alternative.

Legacy ioProx, HID, ShadowProx or other proximity credentials may exist at a client site. Inventory the card technology and bit format before deciding whether a multi-technology reader is appropriate. A migration reader is a bridge, not a reason to leave cloneable credentials enabled indefinitely.

Input, output, elevator and alarm expansion

Kantech publishes modular I/O options in four-, eight- and sixteen-point configurations for supported KT controller designs. Applications include supervised alarm points, auxiliary relays, elevator floor control, device triggers and building-system interfaces. Select the exact module and topology from the controller documentation.

Supervised input

Record normal/alarm/trouble states, resistor values, cable supervision, debounce, event message, priority and response owner.

Relay output

Document load voltage/current, interposing relay, activation logic, duration, manual override, safe failure state and suppression.

Elevator control

Coordinate floor relays, destination/control interface, schedules, fire service, accessibility and elevator-contractor acceptance.

Intrusion interface

Use only supported panel/controller/release combinations and prove arming authority, partition status, alarm events and recovery.

Capacity

Count module addresses, I/O points, enclosure space, communication distance, power, batteries and future spare points.

Naming

Match EntraPass point names, drawings, terminal labels, cable tags, test sheets and owner documentation exactly.

Wireless and electronic lock integrations

Kantech’s current lock-integration catalog identifies ASSA ABLOY Aperio and Salto. Aperio can extend EntraPass to compatible wireless mortise, cylindrical, cabinet and server-rack openings through encrypted lock-to-hub communication, with status, battery and access events in the platform. EntraPass 9.00 adds Salto integration across Corporate, Global and Web.

Opening type Why it may fit What must be verified
Wired electric strike or lock Real-time supervised door operation and broad hardware choice. Door/frame preparation, listing, free egress, power, voltage drop, suppression, contact, REX and fire release.
Aperio wireless lock Reduced pathway work for suitable interior openings and unified EntraPass management. Lock/hub/controller/release support, radio survey, battery, status interval, offline behavior, privacy and emergency operation.
Salto integration Adds supported Salto wired/wireless/offline door workflows to current EntraPass operation. Salto Space and EntraPass versions, middleware, encoder, schedule limits, event delays, online/offline behavior and migration.
Mechanical retained opening May remain outside access control where risk and operations allow. Key control, life-safety function, monitoring need, incident history and future electrification pathway.

Wireless does not mean infrastructure-free. Hubs, gateways, network services, batteries, radio coverage, firmware, permissions and replacement stock become part of the lifecycle plan.

Power, network and life-safety coordination

  • Calculate controller, reader, expansion and lock loads separately for normal and alarm conditions.
  • Document PoE/PoE+/PoE++ class, switch power budget, UPS runtime and what happens when the network switch fails.
  • Use listed lock power, batteries, fire-alarm interface and emergency release appropriate to the opening and adopted code.
  • Verify free egress, accessibility, delayed-egress or controlled-egress requirements with the authority having jurisdiction and door-hardware team.
  • Provide surge/lightning protection, grounding and outdoor pathway practices appropriate to Carolina conditions.
  • Restrict controller Web, Wi-Fi and EntraPass management to approved networks, accounts and current supported encryption.

Commissioning and handoff checklist

  1. Inventory and label: controller model/revision, firmware, modules, reader generation, credentials, lock, power, batteries, network and every terminal.
  2. Verify normal use: valid, denied, expired, disabled, schedule, card-plus-PIN, entry/exit and anti-passback behavior.
  3. Verify alarms: forced, held, tamper, communication, power, low battery and supervised-input trouble with correct priority and response.
  4. Test failures: server, gateway, network, Wi-Fi, controller, reader, lock power, wireless hub and utility power, followed by event recovery.
  5. Test integrations: video, intrusion, elevator, Aperio, Salto and remote Web/mobile commands where included.
  6. Deliver records: supported-version matrix, drawings, labels, database/configuration backup, test reports, training, spare parts and official support links.

Continue to EntraPass software

Official Kantech product and support resources

Use current Kantech and Johnson Controls pages for product specifications, compatibility, release notes, cybersecurity guidance and authorized downloads. Software, firmware and some technical documents require registration or an entitled support account. 360 Technology Group links to those official portals and does not host firmware or software installers locally.

Build the controller and reader schedule from the doors

We can survey existing Kantech hardware or design a current KT-1, KT-2, KT-4 and ioSmart architecture with documented power, network, life-safety and migration requirements.

Review Kantech field hardware

Official Kantech software, firmware and support

Use these manufacturer-owned portals for current downloads, release notes, manuals, advisories and technical resources. 360 Technology Group links to official sources and does not copy or host firmware files.

Update carefully: confirm the exact model, region, hardware revision, installed version, prerequisites, required intermediate releases, support entitlement, integrations, backup, maintenance window, rollback limitations and post-update tests. The wrong package or sequence can interrupt service or prevent a downgrade.

Some portals require a customer, dealer, certified-technician or active-support login. Cloud-managed products may update automatically and may not offer a public firmware file.