Eliot Lear (elear) <el...@cisco.com> wrote: >> Owen, do we have a need to recognize that a device needs to perform >> onboarding again after a movement? >> >> i.e. device A enrolls on network 1, gets an LDevID usable on network >> 1, uses that with EAP-FOOBAR. >> >> device A then is moved to network 2, it tries to use same LDevID, >> receives an error and then recognizes that it needs to perform another >> enrollment.
> I think that is up to the device manufacturer and relates to a number > of factors, such as whether the device is mobile, whether it has a > reset button, the nature of the device, privacy considerations, whether > there are federated capabilities on the device, etc. I can see that some of these are important to the device. The device may have reasons why it would like to enroll again, but I think the question is more about when the network recognizes that it does not need to enroll again. An example would be a device which was originally enrolled with BRSKI-TEAP, but is then provided with roaming credentials (EDU-ROAM). How would it know it was on network 2? >> What is that error, and is it recognizeable? Do we need a new error >> code to distinguish from "I reject you" from "I reject you but, you >> could try enrolling with BRSKI-TEAP" > I think that can already be detected in the draft based on the action > request frames. To clear, it would be doing TEAP (or EAP-TLS) to connect to the network, because it is already enrolled. If there are BRSKI-specific responses defined in TEAP, then I'm surprised. -- Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
Description: PGP signature
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu