Eliot Lear (elear) <el...@cisco.com> wrote:
>> Owen, do we have a need to recognize that a device needs to perform
>> onboarding again after a movement?
>>
>> i.e. device A enrolls on network 1, gets an LDevID usable on network
>> 1, uses that with EAP-FOOBAR.
>>
>> device A then is moved to network 2, it tries to use same LDevID,
>> receives an error and then recognizes that it needs to perform another
>> enrollment.
> I think that is up to the device manufacturer and relates to a number
> of factors, such as whether the device is mobile, whether it has a
> reset button, the nature of the device, privacy considerations, whether
> there are federated capabilities on the device, etc.
I can see that some of these are important to the device.
The device may have reasons why it would like to enroll again, but I think
the question is more about when the network recognizes that it does not need
to enroll again.
An example would be a device which was originally enrolled with BRSKI-TEAP,
but is then provided with roaming credentials (EDU-ROAM).
How would it know it was on network 2?
>> What is that error, and is it recognizeable? Do we need a new error
>> code to distinguish from "I reject you" from "I reject you but, you
>> could try enrolling with BRSKI-TEAP"
> I think that can already be detected in the draft based on the action
> request frames.
To clear, it would be doing TEAP (or EAP-TLS) to connect to the network,
because it is already enrolled. If there are BRSKI-specific responses
defined in TEAP, then I'm surprised.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
