What EAP Lower Layer does when EAP State machine reaches Failure state??

Jouni Malinen jkmaline
Sat Nov 18 15:07:34 PST 2006

On Wed, Nov 15, 2006 at 03:10:48PM +0530, Ravi Kishore wrote:

> After getting Code = EAP Fail, in eapReq, EAP State machine sets
> EAPOL_eapFail (boolean to indicate to EAPOL state machine, or EAP Lower
> Layer), sends no Response back to the Authenticator and remains in EAP
> Failure state. What should be the next step for EAP Lower Layer, what I
> think:

It depends on the lower layer..

> 1: Either it should restart authentication.
> 2: OR should disassociate with the AP after canceling registered
>     EAP_Authentication timers.

In case of IEEE 802.1X/EAPOL state machines, EAP-Failure is delivered by
EAP state machine setting eapFail = TRUE. This will trigger Supplicant
Backend state machine to transition to FAIL state and set suppFail =
TRUE. This in turn makes the Supplicant PAE state machine go to HELD
state and wait heldPeriod seconds. After this wait, the PAE state
machine will restart authentication.

In case of wpa_supplicant implementation, there is also a timeout for
the full authentication and that may trigger before the EAPOL state
machines try again. This timer causes disassociation and a search for a
new AP.

Jouni Malinen                                            PGP id EFC895FA
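
The sequence described in the reply, as an added example that is not part of the original message and is not wpa_supplicant code: a reduced model of the Supplicant Backend and PAE state machines after EAP-Failure, racing heldPeriod against an overall authentication timeout. The timer values passed in are constructed, and all names other than eapFail, suppFail and heldPeriod are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model. eapFail, suppFail and heldPeriod come from the message;
 * every other name, the flag clearing and the tick ordering are assumptions. */
enum be_state  { BE_RECEIVE, BE_FAIL };
enum pae_state { PAE_AUTHENTICATING, PAE_HELD, PAE_CONNECTING };
enum outcome   { PENDING, RESTART_AUTH, DISASSOCIATE };

struct supp {
    enum be_state be; enum pae_state pae;
    bool eapFail, suppFail;
    int heldPeriod, heldWhile; /* seconds */
    int authTimer;             /* seconds left on overall timeout, 0 = off */
};

/* Evaluate transitions in dependency order: Backend first, then PAE. */
static enum outcome sm_step(struct supp *s) {
    if (s->be == BE_RECEIVE && s->eapFail) {           /* Backend -> FAIL */
        s->be = BE_FAIL; s->suppFail = true; s->eapFail = false;
    }
    if (s->pae == PAE_AUTHENTICATING && s->suppFail) { /* PAE -> HELD */
        s->pae = PAE_HELD; s->heldWhile = s->heldPeriod; s->suppFail = false;
    }
    if (s->pae == PAE_HELD && s->heldWhile <= 0)       /* hold time over */
        s->pae = PAE_CONNECTING;
    return s->pae == PAE_CONNECTING ? RESTART_AUTH : PENDING;
}

/* One-second tick; the overall timeout is checked before heldWhile. */
static enum outcome sm_tick(struct supp *s) {
    if (s->authTimer > 0 && --s->authTimer == 0) return DISASSOCIATE;
    if (s->pae == PAE_HELD && s->heldWhile > 0) s->heldWhile--;
    return sm_step(s);
}

/* EAP-Failure arrives with auth_left seconds left on the overall timer. */
enum outcome after_eap_failure(int held_period, int auth_left) {
    struct supp s = { BE_RECEIVE, PAE_AUTHENTICATING, true, false,
                      held_period, 0, auth_left };
    enum outcome o = sm_step(&s);
    while (o == PENDING) o = sm_tick(&s);
    return o;
}

int main(void) {
    printf("%d %d\n", after_eap_failure(60, 10), after_eap_failure(5, 30));
    return 0;
}
```

Whichever timer expires first decides whether the supplicant retries on the same AP or disassociates, so a retry loop seen in logs points at heldPeriod elapsing before the overall timeout.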
