Wi-SUN networks use strong, certificate-based authentication to ensure only authorized devices can join the mesh. Each device presents a unique identity, which the network validates using secure protocols like EAP-TLS. Once authenticated, the device becomes part of the secure Wi-SUN mesh and can begin communicating with other devices and applications.

Why authentication matters

Wi-SUN is designed for large, often unattended outdoor networks, where physical access to devices can’t always be guaranteed. To protect the network from unauthorized access, Wi-SUN uses a standards-based authentication process that ensures:

  • Only trusted devices can join the mesh

  • Each device has a unique, verifiable identity

  • Communication is encrypted and secure

Device identity

Each Wi-SUN device is assigned a unique identity based on digital certificates. These certificates:

  • Prove the device was issued credentials by a trusted authority

  • Are used during the joining process to verify the device’s authenticity

  • Follow the standard X.509 certificate format

A typical Wi-SUN device will contain:

  • A Join Certificate: Identifies the device and is used during authentication

  • A Private Key: Securely stored on the device and never shared

  • A Trust Anchor (CA Certificate): Used to verify the identity of the network (e.g., border router)

Devices may have additional operational certificates if required by the network, but the join certificate is essential for initial onboarding.
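A pre-deployment check of the three credentials listed above, as an added example that is not part of the original page or any Wi-SUN tooling: it confirms that the join certificate chains to the trust anchor and that the private key is the one bound to that certificate. It assumes the `openssl` command-line tool is available; the file names, subject names and P-256 key type are constructed for the demo.

```shell
#!/bin/sh
# Added example. File names, subject names and the P-256 key type are
# constructed for this demo; requires the openssl command-line tool.

# Build a throwaway CA (trust anchor) plus a device key and join
# certificate signed by it. Constructed sample data, valid for one day.
make_demo_pki() {
    dir=$1; name=$2
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$dir/$name-ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/$name-ca.key" -sha256 -days 1 \
        -subj "/CN=Demo $name CA" -out "$dir/$name-ca.pem" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$dir/$name-dev.key" 2>/dev/null
    openssl req -new -key "$dir/$name-dev.key" -sha256 \
        -subj "/CN=demo-device-$name" -out "$dir/$name-dev.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name-dev.csr" -sha256 -days 1 \
        -CA "$dir/$name-ca.pem" -CAkey "$dir/$name-ca.key" -CAcreateserial \
        -out "$dir/$name-dev.pem" 2>/dev/null
}

# Succeed only if the join certificate chains to the trust anchor AND the
# private key is the one whose public half is bound into that certificate.
check_join_credentials() {
    cert=$1; key=$2; anchor=$3
    openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $anchor"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $cert"; return 1; }
    echo "OK: $cert chains to $anchor and matches $key"
}

# Demo run on constructed credentials.
tmp=$(mktemp -d)
make_demo_pki "$tmp" site
check_join_credentials "$tmp/site-dev.pem" "$tmp/site-dev.key" "$tmp/site-ca.pem"
rm -rf "$tmp"
```
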

Authentication process overview

When a device attempts to join the Wi-SUN mesh, the following authentication flow occurs:

  1. The device discovers the Wi-SUN Border Router (the root of the mesh).

  2. It initiates a secure connection using the IEEE 802.1X protocol.

  3. EAP-TLS (Extensible Authentication Protocol with TLS) is used to authenticate the device using its certificate.

  4. If successful, the Border Router accepts the device into the mesh and issues network configuration parameters.

  5. Encrypted communication is established using negotiated keys.

This process is automatic once the device is powered on and configured with the correct credentials.

Authentication components

| Component | Description |
|---|---|
| Join Certificate | A device-specific X.509 certificate issued by a trusted authority |
| Private Key | Secure cryptographic key paired with the join certificate; kept private on the device |
| Trust Anchor (CA Certificate) | Used to verify the certificate chain during authentication |
| EAP-TLS | The protocol used to authenticate devices securely using certificates |
| 802.1X | The link-layer framework used to manage network access control |