This section provides a general overview of authentication and authorization concepts within the Wi-SUN protocol. It then explains how these concepts are applied in the XBee Hive for Wi-SUN and XBee for Wi-SUN.
General concepts
Wi-SUN networks use Public Key Infrastructure (PKI) for secure communication. Each device carries a unique certificate-based identity, and that identity is used to authenticate the device before it is allowed to join the network.
Wi-SUN nodes support two identity mechanisms (the terms come from IEEE 802.1AR):
- Initial Device Identifier (IDevID): A factory-installed certificate issued when the device is manufactured.
- Locally Significant Device Identifier (LDevID): A user-installed certificate that, when present, takes precedence over the IDevID.
Authorization is a separate step that determines whether an already-authenticated device is permitted to join the network. Authorization mechanisms may include allow-lists, certificate trust validation, or delegation to an external server such as RADIUS.
Trusted Certificate Authorities (CAs) play a critical role: a device accepts another node's credentials only if its certificate chains to one of the CAs it has been configured to trust.
Implementation in Digi products
The XBee Hive for Wi-SUN and XBee for Wi-SUN follow the Wi-SUN authentication and authorization standards. Both support IDevID and LDevID.
Identity management
The XBee Hive for Wi-SUN and the XBee for Wi-SUN nodes ship with a pre-installed IDevID. This identity is assigned during manufacturing and cannot be altered.
Users may configure an LDevID by uploading a private key and certificate. This enables the use of an organization-specific authentication infrastructure instead of the factory identity.
See Wi-SUN Border Router identity on how to configure IDevID and LDevID on the XBee Hive for Wi-SUN.
See UC (Load Certificates) on how to configure IDevID and LDevID on XBee for Wi-SUN.
Authorization options
The XBee Hive for Wi-SUN includes the following configuration options to authorize devices joining the network:
- Open: Any device that presents an identity certificate signed by a configured certificate authority (CA) may join.
- Allowlist: Any device that presents an identity certificate signed by a configured CA may join, provided that its hardware type and serial number are also in the allowlist. Both conditions must hold; a listed device with an untrusted certificate is still rejected.
- RADIUS: Authorization is handled exclusively by an external RADIUS server; the XBee Hive does not apply the Open or Allowlist checks itself.
See Wi-SUN device authorization on how to configure the authorization setting on the XBee Hive for Wi-SUN.
Certificate trust
By default, the Digi CA is enabled on the XBee Hive for Wi-SUN and the XBee for Wi-SUN. This allows automatic trust and connectivity between Digi devices, because every Digi device's factory IDevID chains to that CA. Note that in Open mode this is also sufficient for any Digi Wi-SUN device to join; a deployment that should admit only its own devices should use Allowlist or RADIUS, or replace the Digi CA with an organization CA and issue LDevIDs from it. Users may upload their own CA certificates or chains to customize trust relationships.
See Wi-SUN device authorization on how to load certificates on the XBee Hive for Wi-SUN.
See UC (Load Certificates) on how to load certificates on the XBee for Wi-SUN.
If you need to join a non-Digi Wi-SUN node to the XBee Hive for Wi-SUN you must create your own CA certificates. Digi does not currently provide a way to have non-Digi Wi-SUN nodes get their LDevID certificate signed by the Digi CA. Creating your own CA certificates is beyond the scope of this document.
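The following is an added example and not Digi's code or a documented XBee procedure. It builds a private CA with openssl, issues a device certificate from it (the kind you would load as an LDevID), and then applies the two local checks described in the Authorization options and Certificate trust sections: the certificate must chain to a configured CA, and in Allowlist mode the hardware type and serial number must also be listed. It assumes ECDSA P-256 keys with SHA-256, the subject and file names shown, that the device serial number appears in the certificate's subject serialNumber attribute, and a constructed allowlist; none of that is stated on this page, so check the XBee documentation for the key type and format the device actually accepts before loading anything.

```shell
#!/bin/sh
# Added example; not Digi's code. Private CA, LDevID-style device certificate,
# and the "open" / "allowlist" trust checks from the text, using openssl.
# Assumptions: ECDSA P-256 + SHA-256, subject/file names below, serial number
# carried in the subject serialNumber attribute, constructed allowlist.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed allowlist, one "HARDWARE_TYPE SERIAL" entry per line.
ALLOWLIST='XBEE-WISUN 0013A20041ABCDEF'

# make_ca NAME: private key plus self-signed CA certificate (NAME.key, NAME.crt).
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -x509 -new -key "$1.key" -sha256 -days 3650 \
        -subj "/O=Example Utility/CN=$1" -out "$1.crt" 2>/dev/null
}

# make_device_cert CANAME DEVNAME SERIAL: device key, CSR and CA-signed cert.
make_device_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$2.key"
    openssl req -new -key "$2.key" -sha256 \
        -subj "/O=Example Utility/serialNumber=$3/CN=$2" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -sha256 -days 730 -out "$2.crt" 2>/dev/null
}

# device_trusted_by CANAME DEVNAME: exit 0 if DEVNAME.crt chains to CANAME.crt.
device_trusted_by() {
    openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
}

# cert_serial DEVNAME: the subject serialNumber attribute of DEVNAME.crt
# (works for both "serialNumber = X" and "/serialNumber=X" subject formats).
cert_serial() {
    openssl x509 -in "$1.crt" -noout -subject \
        | sed -n 's/.*serialNumber *= *\([0-9A-Fa-f]*\).*/\1/p'
}

# authorize MODE CANAME HWTYPE DEVNAME: prints "allow" or "deny".
# "open" needs only a trusted chain; "allowlist" additionally needs a matching
# hardware type and serial. RADIUS mode is not modelled here because the page
# says that decision is made entirely by the external server.
authorize() {
    mode=$1; ca=$2; hw=$3; dev=$4
    if ! device_trusted_by "$ca" "$dev"; then
        echo deny
        return 0
    fi
    case "$mode" in
        open) echo allow ;;
        allowlist)
            if printf '%s\n' "$ALLOWLIST" | grep -qx "$hw $(cert_serial "$dev")"; then
                echo allow
            else
                echo deny
            fi ;;
        *) echo deny ;;
    esac
}

make_ca utility-ca                                   # the CA you load on the border router
make_ca other-ca                                     # another vendor's CA, never loaded
make_device_cert utility-ca node-a 0013A20041ABCDEF  # trusted CA, in the allowlist
make_device_cert utility-ca node-c 0013A20041000001  # trusted CA, not in the allowlist
make_device_cert other-ca   node-b 0013A20041123456  # unknown CA (the non-Digi-node case)

echo "open/node-a:      $(authorize open utility-ca XBEE-WISUN node-a)"
echo "open/node-b:      $(authorize open utility-ca XBEE-WISUN node-b)"
echo "allowlist/node-a: $(authorize allowlist utility-ca XBEE-WISUN node-a)"
echo "allowlist/node-c: $(authorize allowlist utility-ca XBEE-WISUN node-c)"
```

node-b is the situation the paragraph above describes: its certificate is valid and signed, but by a CA the border router has never been given, so it is rejected in every mode until that CA (or a chain leading to it) is uploaded. The real XBee Hive reads the hardware type from the joining device rather than from a script argument; it is passed in here only to keep the check self-contained.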
Adding devices to the allowlist
To add devices to the allowlist, users must provide each device's hardware type and serial number; an entry is matched only when both values agree with what the joining device presents.
See Security Commands on how to get the Hardware Type and Serial Number for the XBee for Wi-SUN.
See Wi-SUN device authorization on how to add devices to the allow-list of the XBee Hive for Wi-SUN.