When a Wi-SUN network is configured with allow-list authorization in Remote Manager, Remote Manager adds a second layer of control on top of device authentication. Even after a device passes authentication, Remote Manager checks the following parameters against a per-network allow-list. Only devices with a matching entry can join:

  • Hardware Type: Identifies the device model. It comes from the device’s identity certificate. Read it from any XBee for Wi-SUN using AT command IH (Hardware Type OID) via XBee Studio.

  • Hardware Serial Number: Uniquely identifies the physical device. It also comes from the identity certificate. Read it using AT command IN (Hardware Serial Number) via XBee Studio.

Use allow-list authorization when certificate management alone is not sufficient. It gives you explicit control over which physical devices are permitted in the network.

Allow-list authorization applies to each XBee Hive for Wi-SUN configured to use Remote Manager as the authentication server. See Configure the border router to use Remote Manager as auth server.

Configure allow-list authorization

To set a network’s authorization mode to Allow-List in Remote Manager:

  1. Log in to Remote Manager.

  2. Go to XBee Networks and click the Name or ID of the network. The XBee Network page opens.

  3. Select the Security tab.

  4. Set Authorization to Allow-List.

  5. Click Save. The Allow-List Entries card appears on the right side of the tab.

Switching the authorization mode from Open to Allow-List makes the network more restrictive. The change has two effects on devices currently in the network:

  • At the Remote Manager level, all XBee for Wi-SUN nodes are unlinked from their border routers, so they no longer appear in the network’s Devices tab.

  • The next time a node attempts to join, the network’s current authorization rules apply. Without a matching allow-list entry, the node cannot rejoin.

Add allow-list entries

To add devices to a network’s allow-list in Remote Manager:

  1. Log in to Remote Manager.

  2. Go to XBee Networks and click the Name or ID of the network. The XBee Network page opens.

  3. Select the Security tab.

  4. Click Add. The Add Allow-List Entries panel opens with one empty entry pre-populated.

  5. Fill in the entry:

    1. In Hardware Type, enter the hardware type OID from the device’s identity certificate. Read it from the device using AT command IH in XBee Studio.

    2. In Hardware Serial Number, enter the hardware serial number. Read it using AT command IN in XBee Studio.

  6. To add more entries, click Add Allow-List Entry and repeat for each device.

  7. Click Save.

Duplicate entries are not allowed. If you add a device already in the list, Remote Manager returns an error.
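
An added example, not part of the original documentation: a pre-switch audit that compares the IH/IN values read from fielded nodes with a planned allow-list. It flags nodes that could not rejoin after the switch to Allow-List, entries that would be rejected as duplicates, and entries for hardware not in the inventory. The function names, the sample data and the matching rule (both fields equal after trimming whitespace) are assumptions.

```python
from collections import Counter


def normalize(hw_type, serial):
    """Trim whitespace only. Exact matching on both fields is an assumption."""
    return (hw_type.strip(), serial.strip())


def audit(joined_devices, planned_entries):
    """Compare (IH, IN) pairs read from fielded nodes with the planned allow-list."""
    planned = [normalize(*entry) for entry in planned_entries]
    counts = Counter(planned)
    allowed = set(counts)
    inventory = {name: normalize(*ident) for name, ident in joined_devices.items()}
    return {
        # Nodes unlinked by the mode switch that then have no matching entry.
        "locked_out": sorted(n for n, ident in inventory.items() if ident not in allowed),
        # Entries listed more than once; duplicates are not allowed.
        "duplicates": sorted(e for e, c in counts.items() if c > 1),
        # Entries authorizing hardware that is not in the inventory; review these.
        "unknown_hardware": sorted(allowed - set(inventory.values())),
    }


# Constructed sample data: device names, hardware types and serials are placeholders.
JOINED = {
    "meter-01": ("HWTYPE-OID-A", "SN-0001"),
    "meter-02": ("HWTYPE-OID-A", "SN-0002 "),  # trailing space from copy/paste
    "relay-07": ("HWTYPE-OID-B", "SN-0001"),   # same serial, different hardware type
}
PLANNED = [
    ("HWTYPE-OID-A", "SN-0001"),
    ("HWTYPE-OID-A", "SN-0002"),
    ("HWTYPE-OID-A", "SN-0002"),  # duplicate entry
    ("HWTYPE-OID-A", "SN-0009"),  # no such device in the inventory
]

if __name__ == "__main__":
    for finding, items in audit(JOINED, PLANNED).items():
        print(f"{finding}: {items}")
```
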

Remove allow-list entries

To remove devices from a network’s allow-list in Remote Manager:

  1. Log in to Remote Manager.

  2. Go to XBee Networks and click the Name or ID of the network. The XBee Network page opens.

  3. Select the Security tab.

  4. To remove selected entries:

    1. Select the entries to remove.

    2. Click Actions.

    3. Click Delete.

    4. Click Confirm.

  5. To remove all entries at once:

    1. Click Actions.

    2. Click Delete All.

    3. Click Confirm.

Removing an allow-list entry that matches a device currently in the network has two effects:

  • At the Remote Manager level, the device is unlinked from the border router, so it no longer appears in the network’s Devices tab.

  • The next time the device attempts to join, the network’s current authorization rules apply. Without a matching allow-list entry, the device cannot rejoin.