Held State after a Authentication Fail. Help to understand this state.

Douglas Diniz dgdiniz at gmail.com
Tue May 13 16:20:06 EDT 2008


ok, thanks.

But if when hostap receive the first response identity, send it to radius
server and wait for server response before receive the second response
identity? This second response identity will also be sent to radius server?
Sorry for this questions, I should search this myself on the state machine.

In fact, i don't have any EAPOL-Start. I have a wimax setup where wpa
supplicant runs in background in the subscriber station, so when a SS try to
connect to a BS, the BS send a request identity, starting the process.

On Tue, May 13, 2008 at 5:01 PM, Jouni Malinen <j at w1.fi> wrote:

> On Tue, May 13, 2008 at 04:27:42PM -0300, Douglas Diniz wrote:
>
> > I'm asking because i have a setup where hostap receive a Start several
> times
> > while in Held State, so i'm afraid that when the quietPeriod goes to 0
> the
> > following scenario  occur:
> >
> > 1-) Hostap goes from held state to restart state, sending a request
> identity
> > 2-) Just after that hostap receive a Start, re-sending a Request
> Identity
> > 3-) In this meanwhile wpa supplicant receive the first request identity
> and
> > send a response identity.
> > 4-) The second Request Identity is received by wpa supplicant, which
> abort
> > the authentication.
> >
> > This could occur?
>
> The steps 1 to 3 can happen and they do indeed happen quite frequently
> with many supplicant implementations and if you follow the EAPOL state
> machine definitions in 802.1X, both supplicant and authenticator are
> trying to initialize authentication at the same time whenever the port
> becomes enabled. wpa_supplicant is actually delaying the initial
> EAPOL-Start to avoid the extra frames since in case of wireless networks
> the AP/Authenticator will always know when a new supplicant appears and
> can start new authentication immediately without any need for
> EAPOL-Start.
>
> However, step 4 does not result in supplicant aborting the
> authentication. wpa_supplicant will reply to both identity requests and
> authenticator will use the second reply since that is for the last
> pending request. Authentication continues normally after that so the
> only "problem" is the two unnecessary frames due to the duplicated
> identity request.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20080513/97a36f11/attachment-0001.htm 


More information about the HostAP mailing list