Minutes for 0165: Authenticator PACP state machine

Standard: 802.1X-2010
Clause: 8
Draft with fix:
Submitted: 2015-06-16
Date: 2015-07-14
Meeting: Jul 2015 Plenary
Text: Refer to Security TG
Status: Technical experts review

Date: 2015-11-10
Meeting: Nov 2015 Plenary
Text: The RATIONALE accompanying the request simplifies the PACP state machine to the point of misstating the case for revision. It is not simply the case that "When retryMax will be reached - the state machine will go to UNAUTHENTICATED state, will clear auth.retryCount and will forever circulate like this as long as Supplicant doesn't respond." The condition for transition from UNAUTHENTICATED to AUTHENTICATING is "auth.authenticate && !auth.failed && !auth.eapStop", so this transition will not be taken until the PAE's Logon Process clears auth.failed (see clause 8.4, allowing authentication to be retried after failing - auth.failed is set in UNAUTHENTICATED when auth.retryCount is greater than or equal to retryMax). The Logon Process is in charge of various aspects of policy (such as whether some connectivity, possibly via a restricted VLAN, will be provided if the Supplicant does not authenticate) so is in a good position to decide whether or not (and with what frequency) PACP should poll for potential supplicants.
Status: Rejected
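
An added example, not part of the minutes or of the standard: a simplified Python model of the behaviour the response describes, limited to the two states and the variables named above with a Supplicant that never answers. The RETRY_MAX value, the tick-based timing and the clear_failed_every policy are assumptions made for illustration.

```python
from dataclasses import dataclass

RETRY_MAX = 2  # constructed value for retryMax


@dataclass
class Auth:
    authenticate: bool = True  # set by the Logon Process
    failed: bool = False
    eapStop: bool = False
    retryCount: int = 0


def enter_unauthenticated(auth):
    # Per the minutes: auth.failed is set here once retryCount >= retryMax;
    # per the request text, retryCount is then cleared.
    if auth.retryCount >= RETRY_MAX:
        auth.failed = True
    auth.retryCount = 0
    return "UNAUTHENTICATED"


def step(state, auth):
    """One tick with a silent Supplicant; returns the next state."""
    if state == "UNAUTHENTICATED":
        ready = auth.authenticate and not auth.failed and not auth.eapStop
        return "AUTHENTICATING" if ready else state
    auth.retryCount += 1  # AUTHENTICATING: an attempt went unanswered
    if auth.retryCount >= RETRY_MAX:
        return enter_unauthenticated(auth)
    return state


def run(ticks, clear_failed_every=None):
    """Return (final state, entries to AUTHENTICATING, auth.failed).

    clear_failed_every models a hypothetical Logon Process policy that
    clears auth.failed every N ticks; None means it never does."""
    auth, state, attempts = Auth(), "UNAUTHENTICATED", 0
    for tick in range(1, ticks + 1):
        if clear_failed_every and tick % clear_failed_every == 0:
            auth.failed = False
        nxt = step(state, auth)
        attempts += nxt == "AUTHENTICATING" and state != "AUTHENTICATING"
        state = nxt
    return state, attempts, auth.failed
```

With no Logon Process intervention the model makes one attempt and then stays in UNAUTHENTICATED; the polling frequency is set entirely by how often auth.failed is cleared.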