Held State after an Authentication Fail. Help to understand this state.

Douglas Diniz dgdiniz at gmail.com
Tue May 13 15:27:42 EDT 2008


Thanks for the answer.
I'm asking because I have a setup where hostap receives a Start several times
while in Held State, so I'm afraid that when the quietPeriod goes to 0 the
following scenario occurs:

1-) Hostap goes from held state to restart state, sending a request identity
2-) Just after that hostap receives a Start, re-sending a Request Identity
3-) In the meantime wpa supplicant receives the first request identity and
sends a response identity.
4-) The second Request Identity is received by wpa supplicant, which aborts
the authentication.

Could this occur?

On Tue, May 13, 2008 at 4:12 PM, Jouni Malinen <j at w1.fi> wrote:

> On Mon, May 12, 2008 at 03:16:24PM -0300, Douglas Diniz wrote:
>
> > I'm having some problems understanding this state. After I receive an
> > Access-Reject, the state machine will stop in Held State.
> > After that, any packet (related to the station that was rejected) will be
> > ignored by hostap SM until quietWhile period goes to 0.
> > When this happens, the SM goes to Restart state, sending a Request-Identity
> > to the station previously rejected.
> > My doubt is: Why does the State machine go to Restart State? In my vision, the
> > SM should go to another state, and only go back to Restart State if the
> > station re-sends a Start, trying to authenticate again.
>
> As far as hostapd behavior itself is concerned, that is because it
> follows the IEEE Std 802.1X-2004 standard wherever no clear issue has
> been identified.
>
> As far as the standard is concerned, the HELD state is used to stop
> processing for a period of time (quietPeriod) to discourage brute force
> attacks. As long as the port remains in enabled state, it sounds
> reasonable to try to authenticate the supplicant once quietPeriod has
> passed. EAPOL-Start is not required to start authentication in the
> 802.1X design.
>
> I don't think there is a suitable state defined for the behavior that
> you described, so if you wanted to change hostapd to do something like
> that, you would probably need to change the state machine by adding a
> new state that would be used for waiting for the supplicant to send an
> EAPOL-Start. This would not comply with IEEE 802.1X-2004, but I don't
> see this as something that would cause major problems.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
>
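
The HELD behaviour described in the reply above, as an added example that is not part of the original thread and is not hostapd code: a C model limited to the AUTHENTICATING, HELD and RESTART states, in which HELD is left only when quietWhile reaches 0 and an EAPOL-Start causes no transition. The state, event and field names are assumptions of this example, and the event trace is constructed.

```c
#include <stdio.h>

/* Model of part of the IEEE 802.1X-2004 Authenticator PAE; names are this example's own. */
enum pae_state { AUTHENTICATING, HELD, RESTART };
enum pae_event { EV_TICK, EV_AUTH_FAIL, EV_EAPOL_START };

struct pae {
    enum pae_state state;
    unsigned quiet_period;   /* quietPeriod, in timer ticks */
    unsigned quiet_while;    /* quietWhile countdown */
    unsigned starts_in_held; /* EAPOL-Starts seen in HELD (no transition) */
};

static void pae_step(struct pae *p, enum pae_event ev)
{
    switch (p->state) {
    case AUTHENTICATING:
        if (ev == EV_AUTH_FAIL) {        /* e.g. after an Access-Reject */
            p->state = HELD;
            p->quiet_while = p->quiet_period;
        }
        break;
    case HELD:
        if (ev == EV_EAPOL_START)
            p->starts_in_held++;         /* HELD has no exit on EAPOL-Start */
        else if (ev == EV_TICK && p->quiet_while > 0)
            p->quiet_while--;
        if (p->quiet_while == 0)
            p->state = RESTART;          /* restart without any EAPOL-Start */
        break;
    default:
        break;                           /* RESTART: Request-Identity follows; not modeled */
    }
}

static struct pae pae_run(unsigned quiet_period, const enum pae_event *ev, size_t n)
{
    struct pae p = { AUTHENTICATING, quiet_period, 0, 0 };
    for (size_t i = 0; i < n; i++)
        pae_step(&p, ev[i]);
    return p;
}

int main(void)
{
    /* Constructed trace: reject, then two EAPOL-Starts during a 3-tick quietPeriod. */
    const enum pae_event trace[] = { EV_AUTH_FAIL, EV_EAPOL_START, EV_TICK, EV_EAPOL_START, EV_TICK, EV_TICK };
    struct pae p = pae_run(3, trace, sizeof trace / sizeof trace[0]);
    printf("state=%d starts_in_held=%u\n", p.state, p.starts_in_held);
    return 0;
}
```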