AXON URX-Secure — Encrypted RFID Reader for Access Control
A unified DESFire/MIFARE RFID reader designed for migration from legacy Wiegand installations into a fully encrypted RS-485 access network — anti-clone detection, secure key storage, and IP65 outdoor variant.
01 — What URX-Secure Does in the System
AXON URX-Secure is the credential-capture endpoint of the AXON architecture for any access point that does not sit inside an elevator cabin: main entrances, internal doors, gated garages, perimeter pedestrian gates, ramp barriers, and staff-only landing doors. Where AXON Node is the cabin-and-floor specialist, URX-Secure is the door specialist. Its job is to read an RFID credential, exchange that credential with an AXON master (ICM-GE or ICM-LR) over RS-485, and let the master decide whether the relay on the door side fires.
What makes it distinct from a generic Wiegand reader is that the credential leaves the reader on an encrypted path, not as a 26-bit string in the clear. In Counter Mode the read is paired with a rolling counter so a recording of a previous read cannot be replayed against the bus. In Encrypted AXON Protocol the reader and the master authenticate each other before the credential is ever exchanged, and the credential is encrypted with site-specific keys.
URX-Secure is also a deliberate migration tool. Many buildings in Prishtinë, Tiranë and the wider region already have a panel cabinet full of Wiegand wiring and a stock of MIFARE Classic cards that cannot be replaced overnight. URX-Secure includes an optional Wiegand compatibility mode so it can drop into those installations on day one, then graduate into Encrypted AXON Protocol once the panel and cards are upgraded — without re-pulling cable.
The reader is offered in two physical variants: an IP20 indoor unit for elevator cabins, office interiors and lobbies, and an IP65 (IEC 60529) outdoor unit for main entrances, perimeter gates and weather-exposed installations. The electronics, modes and protocol are identical; the enclosure and sealing differ.
Card Compatibility — Dual-Mode DESFire EV3 and MIFARE Classic
AXON URX-Secure supports both MIFARE DESFire EV3 (recommended for security) and MIFARE Classic 1K/4K (for migration and low-security tiers) on the same physical reader. The card technology is selected at provisioning and at the per-door policy level, not by swapping hardware. This dual-mode design is deliberate: it lets buildings already deployed with Classic cards begin a migration without replacing every credential on day one.
Per-door policy. The site administrator can configure each access point with one of three card-acceptance policies at the master:
- DESFire only — high-security doors, server rooms, executive floors, hospital restricted wards. A Classic card presented at the reader is rejected before authorisation is even considered.
- Classic only — low-risk doors during legacy operation (e.g., a storage door in a building still rolling out new cards). Accepts UID-based identification with the understood security limitations.
- Both accepted — migration window. The reader will authenticate a DESFire card using AES-128 mutual auth and fall back to Classic UID for any card that does not respond to DESFire authentication. This lets a building issue DESFire credentials to new tenants while existing tenants finish using their Classic cards.
Why dual mode matters. In practice, no medium-sized building rekeys 200+ residents or 50+ office staff overnight. The realistic upgrade path is: install URX-Secure readers, set per-door policy to "Both accepted" at low-risk doors and "DESFire only" at high-security doors, issue DESFire cards as the new default, and let Classic cards age out as people lose them or move out. Without dual-mode support the only option is a hard cutover, which is operationally expensive and tends to get postponed indefinitely — leaving the building on Classic forever.
Honest disclosure about MIFARE Classic. MIFARE Classic uses the legacy CRYPTO1 algorithm, which was publicly broken in 2008 and can be cloned with €30 hardware in under one second. We support it because many existing buildings in this region deployed Classic cards and replacing all at once is impractical. If you are starting a new deployment with security requirements, choose DESFire EV3 from day one — there is no cost reason to start a new site on Classic in 2026.
Smartphone NFC. Smartphone-based credentials over NFC HCE are on the roadmap as an additional mode alongside cards, not a replacement; see the roadmap section below.
Read our DESFire EV3 vs Classic deep-dive for the cryptographic detail, attack analysis, and a migration checklist.
02 — Required Components
A URX-Secure-based door requires the following parts on the access-point side:
| Part | Role | Notes |
|---|---|---|
| AXON URX-Secure reader | Credential capture | One per door / gate / lane. IP20 or IP65 variant per location. |
| MIFARE or DESFire cards / fobs | User credentials | DESFire recommended for any new deployment that needs anti-cloning. |
| AXON master (ICM-GE or ICM-LR) | Authorization decision | Holds the user database, permissions and time windows. |
| RS-485 cable | Bus to master | Twisted pair, dedicated run from reader to master segment. |
| 12 V DC supply (or 9–15 V DC) | Reader power | Sharing the rail with the door strike is acceptable if the supply is sized for the combined load. |
| Door relay / strike driver | Physical unlock | Driven by the master or by a paired AXON I/O module on the door side. |
| Wiegand pigtail (optional) | Legacy panel compatibility | Used only when URX-Secure is installed in front of a third-party Wiegand panel. |
Why these specific parts
DESFire is the card technology that makes the security claims of the reader meaningful. A reader can be as cryptographically clever as it wants — if it is reading a MIFARE Classic UID, an attacker with a €30 sniffer can clone the credential in seconds. DESFire EV2/EV3 add mutual authentication and AES-based secure messaging at the card layer (built on ISO/IEC 14443 proximity contactless cards), which is the layer most cloning attacks target. RS-485 (TIA-485-A) was chosen as the reader-to-master bus because it is electrically robust over the long, multi-drop runs typical in buildings, requires only two wires plus power, and is the same physical layer the rest of the AXON access network uses — so adding URX-Secure does not introduce a new bus type to the site.
03 — How URX-Secure Works End-to-End
A read at a URX-Secure door, in the Encrypted AXON Protocol path:
1. Card presentation. The user holds an RFID card or fob to the reader. The reader's antenna energises the card and begins the contactless protocol appropriate to the card technology (MIFARE or DESFire).
2. Card authentication. For DESFire, the reader performs mutual authentication using the site-specific application key stored in secure key storage. A cloned UID without the matching key fails this step and is rejected before the credential leaves the reader.
3. Counter increment. The reader increments its rolling counter, which is the per-reader anti-replay primitive on the RS-485 bus.
4. Encrypted exchange with master. The reader sends an encrypted message to the master over RS-485 containing the authenticated credential, the reader address, and the counter value.
5. Authorisation decision. The master verifies the counter has not regressed, decrypts the credential, looks up the user, checks the access policy (time window, lockdown state, door permissions) and decides whether to grant access.
6. Door command. If granted, the master energises the door relay through its own driver (or through a paired AXON I/O module at the door) and the lock releases for the configured duration.
7. Audit and reader feedback. The master logs the event, and the reader is told to acknowledge with an LED / buzzer pattern so the user knows what happened.
In Counter Mode (legacy migration path), steps 2 and 4 are simplified: the reader emits its credential plus the counter, and the master treats the credential as a low-trust input that must still match an active user but no longer has to be cross-checked against a card-layer cryptographic authentication. This is appropriate for low-risk doors during migration, not for high-security entrances.
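The master-side counter check described above, as an added example that is not AXON code: it shows why the counter must sit under the integrity field and why the master compares with "strictly greater". The frame layout, the truncated HMAC-SHA256 tag, the test key and all names are assumptions, and the payload is treated as opaque ciphertext.

```python
import hashlib
import hmac
import struct

# Assumed layout for this example only (not the AXON wire format):
#   address (1) | message type (1) | counter (4, big-endian) | payload | tag (16)
HEADER = struct.Struct(">BBI")
TAG_LEN = 16


def _tag(key: bytes, body: bytes) -> bytes:
    # The tag covers the header, so the counter cannot be edited on a recorded frame.
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, addr: int, msg_type: int, counter: int, payload: bytes) -> bytes:
    """Reader side: bind address, type and counter to the payload."""
    body = HEADER.pack(addr, msg_type, counter) + payload
    return body + _tag(key, body)


class ReplayGuard:
    """Master side: one key and one last-accepted counter per reader address."""

    def __init__(self, reader_keys: dict[int, bytes]):
        self._keys = dict(reader_keys)
        # In a real master this state must survive a restart, or old frames become valid again.
        self._last = {addr: 0 for addr in self._keys}

    def check(self, frame: bytes) -> str:
        if len(frame) < HEADER.size + TAG_LEN:
            return "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        addr, _msg_type, counter = HEADER.unpack_from(body)
        key = self._keys.get(addr)
        if key is None:
            return "unknown-reader"
        # Verify integrity first: an unauthenticated frame must never move the counter.
        if not hmac.compare_digest(tag, _tag(key, body)):
            return "bad-tag"
        # Strictly greater: an equal counter is the same frame seen twice.
        if counter <= self._last[addr]:
            return "replay"
        self._last[addr] = counter
        return "accept"


def demo() -> list[str]:
    key = bytes(range(32))                      # constructed test key
    guard = ReplayGuard({0x12: key})
    recorded = build_frame(key, 0x12, 0x01, 41, b"opaque-ciphertext")
    edited = recorded[:2] + struct.pack(">I", 42) + recorded[6:]
    return [
        guard.check(recorded),                  # first sight of counter 41
        guard.check(recorded),                  # same bytes replayed on the bus
        guard.check(edited),                    # counter bumped without the key
        guard.check(build_frame(key, 0x12, 0x01, 45, b"opaque-ciphertext")),  # gap is fine
    ]


if __name__ == "__main__":
    print(demo())
```

A gap in the counter is accepted because the reader may have incremented on reads the master never received; only a value at or below the last accepted one is refused.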
04 — Communication Architecture: RS-485 and Wiegand Compatibility
Why RS-485 to the master
RS-485 is a differential, multi-drop electrical standard that handles long cable runs (up to ~1000 m at moderate baud rates) and tolerates the electrical noise typical of building utility spaces. For URX-Secure that matters because the reader frequently sits at the perimeter of a site — outdoor pedestrian gates, garage entries — and runs back to a master in a service room that may be hundreds of metres away. Ethernet would require active gear at every node and a structured cabling plant most retrofit projects do not have; CAN would constrain the bus length more tightly at the higher rates needed for an encrypted exchange.
Encrypted AXON Protocol over RS-485
The Encrypted AXON Protocol is a framed, addressed protocol where each message carries the source address, message type, an encrypted payload, and an integrity field. Reader and master are paired during provisioning so each side knows the other's address and the shared site key. The same physical bus can carry traffic from multiple URX-Secure readers because each one is individually addressed.
Wiegand compatibility mode
When URX-Secure is configured for Wiegand compatibility it emulates a standard Wiegand-26 or Wiegand-34 reader on its output. This is the option that lets it drop into a building still wired to a third-party panel: the panel sees a familiar Wiegand stream, and the new reader is installed without ripping out the cabinet. This mode does not provide the encrypted credential path — Wiegand by construction transports the credential in the clear. It is a migration step, not a final state. Once the central panel is replaced with an AXON master, the same reader is reconfigured for RS-485 Encrypted AXON Protocol with no hardware change.
05 — Interface Layout and Wiring
URX-Secure exposes the following lines at its rear pigtail:
| Line | Purpose | Notes |
|---|---|---|
| V+ / GND | Power | 9–15 V DC, < 2 W typical. Sharing the rail with the door strike is acceptable if the supply is sized for the combined load. |
| A / B | RS-485 differential pair | Primary data path to master. Twist with constant impedance. |
| D0 / D1 (optional) | Wiegand compatibility output | Active only when reader is provisioned in Wiegand mode. |
| LED / BEEP (optional) | Visual / audible feedback | Driven by the reader on command from the master. |
For the RS-485 pair, use a single dedicated twisted pair with 120 Ω termination at both physical ends of the bus segment — not at every reader. Route the reader cable away from elevator motor leads, mains feeders, and fluorescent ballast cables. On outdoor IP65 installations, seal the cable entry with the supplied gland and provide a service loop so the cable is not under tension.
06 — Security and Robustness
The security model has four cooperating layers:
- Card-layer authentication (DESFire). Mutual authentication with site-specific keys means a cloned UID alone is not a valid credential. This eliminates the most common attack against legacy MIFARE Classic / Wiegand systems.
- Secure key storage on the reader. Site keys are stored such that physically removing a reader from the wall and dumping its memory does not yield a usable key. This protects every other reader on the site when one is stolen.
- Anti-clone detection logic. The reader (and master) detect patterns inconsistent with normal use — for example, the same UID appearing on physically distant readers within seconds — and report them as suspect events. This catches even attacks that bypass the card layer.
- Counter-based replay protection on the bus. Every read carries a counter that the master verifies has not regressed. A recording of a previous bus exchange cannot be replayed to fire the relay.
Beyond credential security, URX-Secure includes the standard robustness primitives expected of a 24/7 access endpoint: brown-out protection on the reader supply, watchdog on the firmware loop, and bounded protocol timeouts so a stuck or noisy bus does not produce a stuck door.
07 — Real-World Deployment Scenarios
Multi-tenant office in Prishtinë
A six-floor multi-tenant office building places URX-Secure (IP20) at each tenant suite's main door, with a single IP65 unit at the street-level main entrance. All readers terminate on RS-485 segments back to an AXON ICM-GE in the basement service room. Each tenant manages its own user list inside the ICM-GE permission model; the building manager retains the main-door policy. DESFire cards mean a copied UID at the street level does not grant access to the upstairs suites.
Hotel main entrance and staff doors in Tiranë
A boutique hotel installs IP65 URX-Secure at the main staff entrance, the back-of-house service door and the rooftop access door, with IP20 units at the housekeeping and management offices. Guest doors keep their existing in-room locks. The master enforces time windows: housekeeping cards work between 06:00–22:00, management cards 24/7, contractor cards only on their scheduled dates. The encrypted path means that even if a guest casually clones a fob from a room, that clone does not unlock a back-of-house door.
Hospital ward access in Pejë
A regional hospital uses URX-Secure (IP20) at ward doors with different policies per ward — paediatric, oncology, ICU. Medical staff cards have ward-specific permissions written into the master; cleaning staff cards work during defined cleaning windows; family-visit cards work only during visiting hours. DESFire authentication and anti-clone detection are operationally important here because the same card population also pays for cafeteria and accesses lockers, and visibly clonable cards would have created a privacy incident.
Gated residential complex in Prishtinë
A 120-unit residential complex installs IP65 URX-Secure at the vehicle gate, the pedestrian gate, the underground garage entrance and the building lobby. All four read points run back to a single AXON ICM-GE which holds the resident database. Visitors are issued one-shot codes by the resident through the management app; the readers themselves only see the resulting credential. The encrypted path removes the cloning problem that plagues the typical "every resident gets a 125 kHz fob" setup these complexes start with.
08 — Installation Requirements
- Power: 9–15 V DC, < 2 W. A typical 12 V access-control rail is suitable; budget combined current including the strike or maglock load on the same rail.
- RS-485 cable: shielded twisted pair, dedicated run from reader to the master's RS-485 segment. Do not loop through unrelated equipment.
- Termination: 120 Ω at both physical ends of the RS-485 segment only. Test with all devices off — you should measure ~60 Ω across A/B.
- Mounting: flush or surface mount per the variant; outdoor IP65 unit needs cable gland and a downward-facing cable entry where practical.
- Distance from sources of RF noise: keep at least 30 cm from VFD elevator drives, fluorescent ballasts and switch-mode supplies wherever possible.
- Provisioning: each URX-Secure must be addressed and keyed during commissioning. Plan to do this with the master on the bench, before installation.
09 — Recommended Topology
For RS-485, the correct topology is a linear bus with short stubs to each reader. A typical site layout:
- One master (ICM-GE or ICM-LR) in the service room.
- One or more RS-485 segments leaving the master, each terminated at both ends.
- URX-Secure readers daisy-chained along the segment via short stubs (<30 cm).
- Power distributed from a single supply rail per service room, sized for total reader plus strike load.
Avoid common mistakes: star topology back to a central junction (causes reflections), terminating every reader (drops impedance below specification), routing the bus next to mains or motor cables (induced noise eats into the error budget), and sharing the bus with other RS-485 protocols (collisions and address conflicts).
10 — Troubleshooting Guide
Reader powers up but no card reads register at the master
Most often an RS-485 wiring issue: A/B reversed, missing termination, or the reader's address is not provisioned at the master. Confirm the reader's onboard LED indicates power and clock, swap A/B at the reader as a quick test, and check the master's bus diagnostic log for any frames from that address. If the master logs frames but rejects them, the issue is provisioning or key mismatch, not wiring.
Reader works for MIFARE Classic but rejects DESFire cards
The reader's DESFire application key does not match the key written to the cards. This happens when cards from a previous batch are provisioned against a different site key. Re-provision either the cards or the reader so both sides hold the same key. URX-Secure does not have a "skip DESFire authentication" mode by design — that would defeat the security claim.
Intermittent reads, especially on cold mornings outdoors
Condensation or seal failure on the IP65 enclosure. Inspect the cable gland and the rear gasket. If the reader has been removed and reinstalled, the gasket may not be seated correctly. Also check the antenna tuning hasn't drifted due to nearby metal (some retrofits mount the reader directly on a steel doorframe, which detunes the antenna; a 5 mm plastic spacer usually fixes it).
Wiegand compatibility output works but RS-485 path does not
The reader is still in Wiegand mode and has not been reconfigured for RS-485 Encrypted AXON Protocol. Re-provision the mode at commissioning. Note that the two modes are mutually exclusive in normal operation — the same reader does not emit Wiegand and RS-485 traffic simultaneously.
Anti-clone alerts firing in normal traffic
Usually a misconfiguration of the "physically distant readers" threshold rather than an actual attack. Two readers genuinely close together (e.g., a turnstile pair) should be configured as a logical group so a card seen on both within seconds is not flagged. Review the alert log to confirm the pattern matches benign use before relaxing the rule.
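The grouping rule above, as an added example that is not AXON's detection logic: it flags a UID read on readers in different logical groups within a time window and leaves a configured turnstile pair alone. The 10-second window, the reader and group names, and the UIDs are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Read:
    ts: float      # seconds since an arbitrary epoch
    reader: str
    uid: str


def find_suspect_reads(reads, groups, window_s=10.0):
    """Return (uid, earlier_reader, later_reader, gap_s) for each pair of reads of
    one UID on readers in different logical groups within window_s seconds."""
    recent = defaultdict(deque)                 # uid -> reads still inside the window
    suspects = []
    for read in sorted(reads, key=lambda r: r.ts):
        seen = recent[read.uid]
        while seen and read.ts - seen[0].ts > window_s:
            seen.popleft()
        # A reader with no configured group forms a group of its own.
        here = groups.get(read.reader, read.reader)
        for prior in seen:
            if groups.get(prior.reader, prior.reader) != here:
                suspects.append((read.uid, prior.reader, read.reader, read.ts - prior.ts))
        seen.append(read)
    return suspects


# Constructed sample data
GROUPS = {"turnstile-in": "lobby-turnstiles", "turnstile-out": "lobby-turnstiles"}
SAMPLE_READS = [
    Read(0.0, "gate-ped", "UID-A"),
    Read(3.0, "garage", "UID-A"),           # two distant readers, 3 s apart
    Read(100.0, "turnstile-in", "UID-B"),
    Read(102.0, "turnstile-out", "UID-B"),  # turnstile pair, one logical group
    Read(200.0, "lobby", "UID-C"),
    Read(260.0, "garage", "UID-C"),         # a plausible walk, outside the window
    Read(300.0, "lobby", "UID-D"),
    Read(301.0, "lobby", "UID-D"),          # double read on one reader
]

if __name__ == "__main__":
    for hit in find_suspect_reads(SAMPLE_READS, GROUPS):
        print(hit)
```

Calling it with an empty group map also flags the turnstile pair, which is the false-positive case this troubleshooting entry describes.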
11 — How URX-Secure Compares to Alternatives
- Generic 125 kHz Wiegand readers. Cheap and ubiquitous, but transport credentials in the clear and can be cloned by a sub-€50 device in seconds. URX-Secure keeps the Wiegand cable interface available for migration but replaces the credential path with an encrypted RS-485 exchange against the AXON master.
- OSDP Secure Channel readers. A reasonable competitor on the security claim — OSDP v2 with Secure Channel does provide encryption. The trade-off is that OSDP-only readers tie you to OSDP-compatible panels, which in this region are more expensive, less available and not always honestly implemented. URX-Secure speaks the AXON encrypted protocol natively and offers the Wiegand bridge for legacy panels.
- Proximity readers paired with cloud panels. Increasingly common, but they push the authorisation decision into the cloud, which means a momentary internet outage is a momentary access outage. URX-Secure pairs with a local AXON master that performs authorisation on-site; cloud is for management, not for the critical path.
- Mobile credential (NFC / BLE) only readers. Great for users with smartphones, terrible for users without. URX-Secure focuses on card-based credentials, which are the realistic baseline in residential and hospital contexts where not every user has a personal mobile to install an app on.
12 — Current Implementation vs Roadmap
To set integrator expectations honestly, URX-Secure is currently in final testing.
Shipping today (final-test units)
- MIFARE and DESFire card reading.
- Counter Mode operation against an AXON master over RS-485.
- Wiegand compatibility output for legacy panel integration.
- Anti-clone detection logic and secure key storage.
- IP20 indoor and IP65 outdoor physical variants.
- 9–15 V DC supply at under 2 W consumption.
On the roadmap (next milestone)
- Full Encrypted AXON Protocol with DESFire site-key provisioning from a master-side commissioning tool, including key rotation and per-reader key derivation.
- Per-reader certificate-based pairing so a stolen reader can be revoked centrally without re-keying the rest of the site.
- Mobile-credential pilot (NFC and BLE), to be added as an option alongside card support rather than replacing it.
- OTA firmware updates over RS-485 distributed from the master.
13 — Key Takeaways
- URX-Secure is the door-and-gate reader of the AXON architecture — DESFire/MIFARE in, encrypted RS-485 out, optional Wiegand for legacy migration.
- The security claim is meaningful only with DESFire cards and Encrypted AXON Protocol — Counter Mode and Wiegand mode are migration tools, not the final state.
- Anti-clone detection plus secure key storage make a stolen reader and a cloned UID materially harder to weaponise than in a generic Wiegand installation.
- IP20 indoor and IP65 outdoor variants share electronics — choose the enclosure per location, not per project.
- Currently in final testing; Counter Mode is functional today, and full Encrypted AXON Protocol with DESFire provisioning is the next milestone.
14 — Frequently Asked Questions
Does URX-Secure work with existing Wiegand readers and panels?
Yes, via the optional Wiegand compatibility mode that emulates Wiegand-26 / 34 on output. This lets the reader drop into legacy installations while a phased migration to RS-485 Encrypted AXON Protocol is planned. Wiegand mode is a migration tool — the encrypted RS-485 path is the recommended long-term operating mode.
What is the difference between Counter Mode and Encrypted AXON Protocol?
Counter Mode adds a rolling counter to each read so replays are detectable, but does not require card-layer cryptography. Encrypted AXON Protocol additionally performs mutual authentication with DESFire cards and encrypts the credential on the bus. Counter Mode is for migration; Encrypted AXON Protocol is for new builds and high-security doors.
What anti-cloning protection is provided?
Two layers: card-layer authentication with DESFire site keys, and bus-layer anti-clone detection that flags implausible patterns such as the same UID on physically distant readers within seconds. Combined, this defeats the standard MIFARE Classic clone attack and most replay attacks.
Can I mix encrypted and Wiegand readers on the same master?
Yes. URX-Secure runs on RS-485 to the master; legacy Wiegand readers can be brought onto the same master via AXON W2R-N converter nodes. Both arrive at the master as RS-485 endpoints.
What cards are supported?
MIFARE and DESFire. DESFire (EV2 / EV3) is the recommended technology for any deployment that needs anti-cloning. MIFARE Classic is supported for backward compatibility.
What power does URX-Secure draw?
9 to 15 V DC, under 2 W in normal operation. Compatible with the standard 12 V access-control rails used in this region.
Is there an outdoor version?
Yes — the IP65 variant is fully dust-tight and protected against low-pressure water jets. The IP20 variant is for dry indoor installations.
How is the reader provisioned and re-keyed?
Each reader is addressed and keyed during commissioning, against the paired master. Re-keying after a theft or scheduled rotation is performed centrally at the master; the reader picks up the new key on its next provisioning cycle.
How many readers can one master handle?
The master sets the cap. The AXON ICM-GE PCB supports up to 120 access points; URX-Secure readers can occupy any of those slots. Bus topology and termination limits matter more in practice than the per-master cap.
Is URX-Secure shipping today?
It is in final testing. Counter Mode is functional; full Encrypted AXON Protocol with DESFire provisioning is the next firmware milestone. Early-access pilot units are available on request.
16 — Get a URX-Secure Quote for Your Site
Planning a door, gate or main-entrance access upgrade in Kosovo, Albania or the wider region? We can size the bus, recommend the right card technology mix, supply pilot units and support commissioning. For sites that are still on Wiegand, we can sequence the migration so day-one operations are uninterrupted.
References and Standards
External standards and technical specifications referenced in this guide:
- NXP MIFARE DESFire EV3 — product page and technical documentation
- ISO/IEC 14443 — Proximity contactless integrated circuit cards
- Wiegand-26 / Wiegand-34 interface — protocol reference
- TIA-485-A — RS-485 electrical characteristics for balanced multipoint systems
- IEC 60529 — Degrees of protection provided by enclosures (IP code, including IP65)