How to handle EAP failure in custom EAP method

[Jouni Malinen]

On Mon, May 19, 2014 at 11:26:30AM +0300, khali singh wrote:
> I am implementing a custom EAP method. I am wondering how can a register a
> function on the peer/supplicant side that gets called when there is EAP
> Failure received from the Radius server. This is necessary to allow the
> user to take necessary actions.

Why would the EAP method implement that? Could you provide some more
details on the use case where this would be needed?

> I didn't find any other EAP methods that seem to do this.
> for example:
> eap->init = eap_sake_init;
> eap->deinit = eap_sake_deinit;
> eap->process = eap_sake_process;
> eap->isKeyAvailable = eap_sake_isKeyAvailable;
> eap->getKey = eap_sake_getKey;
> eap->get_emsk = eap_sake_get_emsk;
> 
> 
> Can there be a function eap->failure=eap_sake_failure.

The EAP method API does not provide such capability. In addition, it is
a bit difficult to understand why the EAP method would need to do
anything when EAP-Failure is received. At that point in time, the EAP
method is not really active anymore and there is no operation that the
method implementation could really trigger for the EAP state machine.

> If not, where I can add code to do some necessary stuff to handle EAP
> failure on the supplicant side.

Authentication failure notified to multiple places, so I would need to
understand what kind of operations you are trying to perform at this
point in time to be able to suggest a good location for it.

-- 
Jouni Malinen                                            PGP id EFC895FA