Use this page to configure how the XBee Hive for Wi-SUN authorizes devices to join the Wi-SUN network. Authorization settings control admission policy, trusted certificate authorities, identity, and allow-list entries.

Authorization method

Select one of the following methods:

Allowlist (default)

Devices must present a certificate issued by a trusted CA and must be explicitly listed in the Allowlist.

Open

Any device with a certificate issued by a trusted CA may join. Use this only when you control the CA and issued identities.

RADIUS

Authorization is handled by an external RADIUS server. When RADIUS is selected, local identity, trust store, and allowlist settings are not used.

For detailed behavior and security considerations, see Wi-SUN device authorization and Use a RADIUS server for authentication.

Allowlist entries

When the Allowlist is enabled, each entry identifies a device by its hardware type and serial number. Obtain these values from the device vendor or via the device’s security commands.

See Wi-SUN device authorization for the allow-list fields and examples.

Trusted CA certificates

Trusted CA certificates are required for Allowlist and Open methods. The Border Router uses these CA certificates to validate device identity certificates during join.

  • Include Digi CA: Adds the Digi Wi-SUN CA certificate to the trusted set.

  • CA certificates: One or more additional trusted CA certificates in PEM format.

See Wi-SUN device authorization for certificate requirements and format details.

Identity

The Border Router uses an identity certificate and private key when authorization is Allowlist or Open. You can use the factory identity (initial) or configure a local identity.

See Wi-SUN Border Router identity for identity options and certificate requirements.

Configure Wi-SUN authorization settings

Use the Web UI or the Admin CLI to configure authorization settings. The exact labels can vary by firmware, but the settings are grouped under the Wi-SUN Border Router authorization area.

Use the command line to configure Wi-SUN authorization settings.

See Change settings for how to access the command line.

Example: configure the authorization method
> config
(config)> wisun auth
(config wisun auth)> method open
(config wisun auth)> save
>
Example: add a device to the Allowlist

Use this example when the authorization method is set to Allowlist.

Replace:

  • <oid> with the device Hardware Type OID (example: 1.3.6.1.4.1.332.11.20.1.1).

  • <hex> with the device Serial Number in hex (example: CB580CED07D190857FC42C52).

See Security on how to get the Hardware Type and Serial Number for the XBee for Wi-SUN.

> config
(config)> wisun auth
(config wisun auth)> method allowlist
(config wisun auth)> allowlist
(config wisun auth allowlist)> add 0
(config wisun auth allowlist 0)> hardware_type <oid>
(config wisun auth allowlist 0)> serial_number <hex>
(config wisun auth allowlist 0)> save
>
Example: add a CA certificate to the trust store

Use this example when the authorization method is set to Allowlist or Open.

Replace:

  • <pem-certificate> with the CA certificate content in PEM format.

> config
(config)> wisun auth trust_store ca_certs
(config wisun auth trust_store ca_certs)> add 0
(config wisun auth trust_store ca_certs 0)> content "<pem-certificate>"
(config wisun auth trust_store ca_certs 0)> save
>
Example: set the Border Router to use local identity

Use this example when the authorization method is set to Allowlist or Open.

Replace:

  • <pem-certificate> with the identity certificate content in PEM format.

  • <pem-key> with the identity private key content in PEM format.

> config
(config)> wisun auth identity
(config wisun auth identity)> type local
(config wisun auth identity)> local
(config wisun auth identity local)> certificate "<pem-certificate>"
(config wisun auth identity local)> private_key "<pem-key>"
(config wisun auth identity local)> save
>
Example: configure RADIUS settings

Replace:

  • <host-address> with the RADIUS server host address.

  • <secret> with the RADIUS shared secret.

> config
(config)> wisun auth
(config wisun auth)> method radius
(config wisun auth)> radius
(config wisun auth radius)> host <host-address>
(config wisun auth radius)> secret <secret>
(config wisun auth radius)> save
>

Configure Wi-SUN authorization settings using the Web UI.

See Change settings for how to access the Web UI.

Navigate to: Wi-SUN Border Router > Authorization

Select an authorization method

  1. In Method, select Allow-list only, Open, or RADIUS.

  2. Click Apply to save changes.

Add a device to the Allowlist (Allow-list only)

If Allow-list only is selected, add devices so they can join the Border Router.

  1. In Allowlist, click Add device.

  2. Enter the Hardware Type and Serial Number.

  3. Click Apply to save changes.

See Security on how to get the Hardware Type and Serial Number for the XBee for Wi-SUN.

Add or update trusted CA certificates (Allow-list only or Open)

The Trusted CA certificates section is visible when Allow-list only or Open is selected.

  1. Set Include Digi CA to true or false.

  2. Under CA certificates, enter a name in Add and click Add.

  3. Paste the PEM certificate in Certificate content.

  4. Click Apply to save changes.

Configure Border Router identity (Allow-list only or Open)

The Identity section is visible when Allow-list only or Open is selected.

  1. In Identity type, select Initial identity or Local identity.

  2. If Local identity is selected, paste the Certificate and Private key.

  3. Click Apply to save changes.

Configure RADIUS authorization

If RADIUS is selected, enter the RADIUS server details.

  1. In RADIUS, enter Host and Secret.

  2. Click Apply to save changes.