2015-11-10 |
Nov 2015 Plenary |
The RATIONALE accompanying the request simplifies the PACP state machine to the point of misstating the case for revision.
It is not simply the case that "When retryMax will be reached - the state machine will go to UNAUTHENTICATED state, will clear auth.retryCount and will forever circulate like this as long as Supplicant doesn't respond."
The condition for transition from UNAUTHENTICATED to AUTHENTICATING is "auth.authenticate && !auth.failed && !auth.eapStop", so this transition will not be taken until the PAE's Logon Process clears auth.failed (see clause 8.4, allowing authentication to be retried after failing; auth.failed is set in UNAUTHENTICATED when auth.retryCount is greater than or equal to retryMax). The Logon Process is in charge of various aspects of policy (such as whether some connectivity, possibly via a restricted VLAN, will be provided if the Supplicant does not authenticate), so it is in a good position to decide whether or not (and with what frequency) PACP should poll for potential supplicants.
|
Rejected |
|
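The gating described in the response above, as an added sketch that is not text from the standard or the maintenance request. Only the transition condition and the setting of auth.failed come from this record; the tick-based timing, the timeout handling inside AUTHENTICATING, and the `logon_retry_interval` parameter are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Auth:
    # Variable names as used in the record above.
    authenticate: bool = True
    failed: bool = False
    eapStop: bool = False
    retryCount: int = 0


def simulate(retry_max, ticks, logon_retry_interval=None):
    """Simplified authenticator PACP with a Supplicant that never responds.

    logon_retry_interval (hypothetical): the Logon Process clears auth.failed
    every N ticks; None means it never does.
    Returns (final state, auth.failed, EAP attempts started).
    """
    auth = Auth()
    state, attempts = "UNAUTHENTICATED", 0
    for tick in range(1, ticks + 1):
        # Policy decision owned by the Logon Process, not by PACP itself.
        if logon_retry_interval and tick % logon_retry_interval == 0:
            auth.failed = False
        if state == "UNAUTHENTICATED":
            # Transition condition quoted in the response.
            if auth.authenticate and not auth.failed and not auth.eapStop:
                state = "AUTHENTICATING"
                attempts += 1
        else:
            # Assumption: every tick spent in AUTHENTICATING is one timeout.
            auth.retryCount += 1
            if auth.retryCount >= retry_max:
                state = "UNAUTHENTICATED"
                auth.failed = True   # set in UNAUTHENTICATED at retryMax
                auth.retryCount = 0  # cleared, as the request describes
            else:
                attempts += 1        # retry within AUTHENTICATING
    return state, auth.failed, attempts


if __name__ == "__main__":
    print(simulate(retry_max=2, ticks=20))                           # parked
    print(simulate(retry_max=2, ticks=20, logon_retry_interval=10))  # polled
```

With no Logon Process intervention the model parks in UNAUTHENTICATED after retryMax attempts; polling resumes only at the interval the policy chooses.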