Re: [Issue] Corner case in 802.1X/EAP State Machines
From: Jari Arkko (jari.arkkopiuha.net)
Date: Sat, 8 May 2004 19:42:01 -0400 (EDT)
Bhawani Sapkota wrote:
Hi Bernard,

I think there is only one positive action in this case. Since the client has already
abandoned the on-going eap conversation, and most likely has already reset its eap

Yes.


state machine, by retransmitting original eap request (id=2 in your original email)
does not fix any problem. The correct action must therefore be the second option.

You may have a point there.


There appear to be a few cases where the retransmission would
work:

- We are still in the EAP identity request phase at the time
  the EAPOL-Start arrives.

- We are sending the first message in a method, the peer
  is OK with skipping the identity request phase, and the
  EAP server is the right one for the peer.

But in general, it doesn't work. A lengthy timeout will
result.

The question about what the server is supposed to do when it receives
Access-Request/EAP-Response/Identity, since it is an EAP-Response/Identity, the
server can unambiguously determine that this is not a continuation of the existing
session. However, if the state attribute is included, based on server's
implementation, it can further utilize that information to gain additional
information about the client's previous state.

Maybe. Too bad RFC 3579 doesn't say anything about this matter.


--Jari
