Use this page to revoke a node’s access to an existing Wi-SUN network. Revoking a node removes it from the current network by removing it from the local allowlist, and prevents it from rejoining when the authorization policy is configured to deny that device.

Prerequisites

Before you begin, make sure:

Additionally, the EUI64 value of each joined device can be obtained with the [{XREF_show-wisun-verbose_t}] command.

Revoke a node from the network

Revoking a node from the network consists of three actions:

  1. Remove the node from the Border Router's local authorization allowlist (see CLI command).

  2. Revoke the node’s active security material.

  3. Force the node to cycle off the network.

The Border Router handles the key revocation and network removal steps automatically, within a day of initiating the node revocation. No additional user intervention is required for those steps.

As part of this process, the Border Router removes previously used security material for the node, including the Pairwise Master Key (PMK) and Group Temporal Keys (GTKs).

This method of revoking nodes should not be relied on as a primary way of setting up a network. GTK revocation happens automatically once per month; revoking a node in this manner triggers the process immediately, which increases traffic on your Wi-SUN network while it runs.

CLI command

The following CLI command accepts multiple EUI64 values separated by spaces when multiple nodes require revocation.

> wisun revoke [<EUI64> ...]

After you run the command, the CLI shows information about the nodes being removed from the allowlist.

Deleting allowlist entry <idx> (<Hardware Type>, <Serial Number>) which matches the identity of <EUI64>
<EUI64>         : Success
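The following script is an added example, not part of the Digi documentation: it validates the EUI64 arguments before they are handed to `wisun revoke`, builds the single command line for several nodes, and parses the CLI output shown above into per-node results so an operator can see which nodes had an allowlist entry deleted and which still need follow-up in an external authorization source. The accepted EUI64 spellings (16 hex digits, optionally octet-grouped by `:` or `-`), the exact whitespace of the status line, and the sample hardware type, serial number and addresses are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Accepted EUI64 spellings (assumption, not specified on the page): 16 hex digits,
# optionally grouped into 8 octets by ':' or '-'.
_EUI64_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){7}[0-9A-Fa-f]{2}$")

# Constructed CLI output in the shape the page documents; hardware type, serial
# number and addresses are sample values, not real devices.
SAMPLE_OUTPUT = """\
Deleting allowlist entry 3 (XBee 3, XBEE-TEST-0001) which matches the identity of 00:13:a2:00:41:12:34:56
00:13:a2:00:41:12:34:56         : Success
00:13:a2:00:41:aa:bb:cc         : Success
"""


def eui64_key(value: str) -> str:
    """Canonical comparison key: bare lowercase hex. Raises ValueError on bad input."""
    v = value.strip()
    if not _EUI64_RE.match(v):
        raise ValueError(f"not a valid EUI64: {value!r}")
    return re.sub(r"[:-]", "", v).lower()


def build_revoke_command(eui64s: List[str]) -> str:
    """Validate and de-duplicate the addresses, then build one 'wisun revoke' line.
    Values are passed through in the spelling the operator supplied."""
    seen, args = set(), []
    for e in eui64s:
        k = eui64_key(e)  # raises on malformed input before anything is sent
        if k not in seen:
            seen.add(k)
            args.append(e.strip())
    if not args:
        raise ValueError("at least one EUI64 is required")
    return "wisun revoke " + " ".join(args)


@dataclass
class RevokeResult:
    eui64: str                      # canonical key
    status: str                     # text after the colon, e.g. "Success"
    allowlist_entry: Optional[str]  # "<idx> (<Hardware Type>, <Serial Number>)" or None


_DELETE_RE = re.compile(
    r"^Deleting allowlist entry (?P<entry>.+) which matches the identity of (?P<eui>\S+)$"
)
_STATUS_RE = re.compile(r"^(?P<eui>\S+)\s*:\s*(?P<status>.+?)\s*$")


def parse_revoke_output(text: str) -> List[RevokeResult]:
    """Pair each per-node status line with its 'Deleting allowlist entry' line, if any."""
    deleted = {}
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DELETE_RE.match(line)
        if m:
            deleted[eui64_key(m.group("eui"))] = m.group("entry")
            continue
        m = _STATUS_RE.match(line)
        if m and _EUI64_RE.match(m.group("eui")):
            k = eui64_key(m.group("eui"))
            results.append(RevokeResult(k, m.group("status"), deleted.get(k)))
    return results


def nodes_needing_follow_up(results: List[RevokeResult]) -> List[str]:
    """Nodes that did not report Success, or whose allowlist was left unchanged
    (the Border Router did not know their identity); for these the external
    authorization source (RADIUS or Digi Remote Manager) must be checked."""
    return [r.eui64 for r in results if r.status != "Success" or r.allowlist_entry is None]


if __name__ == "__main__":
    print(build_revoke_command(["00:13:a2:00:41:12:34:56", "00:13:a2:00:41:aa:bb:cc"]))
    parsed = parse_revoke_output(SAMPLE_OUTPUT)
    for r in parsed:
        print(r)
    print("follow up:", nodes_needing_follow_up(parsed))
```

The second sample node reports Success but has no matching "Deleting allowlist entry" line, which is the situation the Additional steps section describes: the Border Router had no local identity for it, so the revocation must also be applied on the external authorization source.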

Result

After the revoke process completes, the node is forced off the current Wi-SUN network. Whether the node can join again depends on the authorization method and whether the external authorization source also blocks the node, as described in Additional steps.

Additional steps

Depending on the authorization method the Border Router is using, additional steps might be required to ensure that the node remains off the network.

If the Border Router does not know the identity of the node(s) you are revoking (either because an external authentication method was in use when the node joined, or because the node has already been removed from the allowlist), it does not change the allowlist when the wisun revoke command is run.

Regardless of which authentication mode is currently active, the Border Router attempts to remove the target node from the local allowlist if present.

Open authentication

With Open Authentication enabled, there is nothing restricting the node selected for revocation from rejoining the network.

RADIUS authentication

With external RADIUS Authentication enabled, access revocation must also be performed on that server. Remove or disable the credentials associated with the target node in the RADIUS system to prevent further authentication.

Digi Remote Manager authentication

With Digi Remote Manager Authentication enabled, you must also remove the node from the Digi Remote Manager allowlist.