Held State after a Authentication Fail. Help to understand this state.

Jouni Malinen j
Tue May 13 12:12:30 PDT 2008

On Mon, May 12, 2008 at 03:16:24PM -0300, Douglas Diniz wrote:

> I'm having some problems to understand this state. After I receive a
> Access-Reject, the state machine will stop in Held State.
> After that, any packet (related to the station that was rejected) will be
> ignored by hostap SM until quietWhile period goes to 0.
> When this happen, the SM goes to Restart state, sending a Request-Identity
> to the station previously rejected.
> My doubt is: Why the State machine goes to Restart State? In my vison, the
> SM should go to other state, and only go back to Restart State if the
> station re-send a Start, trying to authenticating again.

As far as hostapd behavior itself is concerned, that is because it
follows the IEEE Std 802.1X-2004 standard wherever no clear issue has
been identified.

As far as the standard is concerned, the HELD state is used to stop
processing for a period of time (quietPeriod) to discourage brute force
attacks. As long as the port remains in enabled state, it sounds
reasonable to try to authenticate the supplicant once quietPeriod has
passed. EAPOL-Start is not required to start authentication in the
802.1X design.

I don't think there is a suitable state defined for the behavior that
you described, so if you wanted to change hostapd to do something like
that, you would probably need to change the state machine by adding a
new state that would be used for waiting the supplicant to send an
EAPOL-Start. This would not comply with IEEE 802.1X-2004, but I don't
see this as something that would cause major problems.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list