Alexander Clouter <[email protected]> wrote:
> During discovery I can see there being two sets of clients, those with
> and without an identity.
Yes, that's true.
> For those with an identity there may be an opportunity to identify
> which onboarding network to settle upon faster.
Assuming that there is more than one such network :-)
There are many incentives not to have more than one, and one of the major
pushbacks that occurred back in 2018 around SSIDs only for onboarding, is that
networks have limited space for WiFi SSIDs. Each one costs a beacon
broadcast at lowest bit-rate, high-power.
> The identity could be placed in the SNI of the ClientHello[1] as it
> need not be DNS related and may be treated as opaque data instead.
As you said below, it seems wrong.
> Upon seeing this the client would then know to move on to another
> network transparently cycling them till it struck gold.
The problem of finding the right WiFi network on which to onboard is a problem.
And this is acute in dense areas, like multi-tenant residential buildings.
I'm told that signal reflects off the glass on the adjacent windows...
> This would remove the need for a device to wait for L3 to light up and
> execute any discovery there to determine eligibility for enrolment.
Yes, but it's more complicated.
> [1] SNI is only being used here to aid me describing my thinking, a
> ClientHello extension could be used if preferred
+1
> [2] This could simultaneously be used for routing allowing the server
> to drop the device into a different VLAN or apply different networking
> filter rules
The APs already have to be able to divert individual stations into a/the
quarantine "VLAN" without the device getting new credentials and restarting
EAP/etc.
That is because when devices go "bad", they can't be expected to cooperate.
("bad" might not mean infected for sure, it might mean, needs more recent
patches).
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
_______________________________________________
Emu mailing list -- [email protected]
To unsubscribe send an email to [email protected]
