Eliot Lear (elear) <el...@cisco.com> wrote:
    >> Owen, do we have a need to recognize that a device needs to perform
    >> onboarding again after a movement?
    >> i.e. device A enrolls on network 1, gets an LDevID usable on network
    >> 1, uses that with EAP-FOOBAR.
    >> device A then is moved to network 2, it tries to use same LDevID,
    >> receives an error and then recognizes that it needs to perform another
    >> enrollment.

    > I think that is up to the device manufacturer and relates to a number
    > of factors, such as whether the device is mobile, whether it has a
    > reset button, the nature of the device, privacy considerations, whether
    > there are federated capabilities on the device, etc.

I can see that some of these are important to the device.
The device may have reasons why it would like to enroll again, but I think
the question is more about when the network recognizes that it does not need
to enroll again.
An example would be a device which was originally enrolled with BRSKI-TEAP,
but is then provided with roaming credentials (EDU-ROAM).

How would it know it was on network 2?

    >> What is that error, and is it recognizeable?  Do we need a new error
    >> code to distinguish from "I reject you" from "I reject you but, you
    >> could try enrolling with BRSKI-TEAP"

    > I think that can already be detected in the draft based on the action
    > request frames.

To clear, it would be doing TEAP (or EAP-TLS) to connect to the network,
because it is already enrolled.   If there are BRSKI-specific responses
defined in TEAP, then I'm surprised.

Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

Attachment: signature.asc
Description: PGP signature

Emu mailing list

Reply via email to