Disconnect the STA if EAP timeout is reached

There is not really much else the Authenticator can do if it does not
receive valid EAP response from the Supplicant/EAP peer. EAP-Failure
would need to be sent before trying to start again with
EAP-Request/Identity, but that is not allowed before the EAP peer
actually replies. Anyway, forcing a new association is likely to clean
up peer state, too, so it can help fixing some issues that could have
caused the peer not to be able to reply in the first place.

diff --git a/hostapd/ieee802_1x.c b/hostapd/ieee802_1x.c
index 17c743f..eddc82f 100644 (file)
--- a/hostapd/ieee802_1x.c
+++ b/hostapd/ieee802_1x.c
@@ -1361,6 +1361,22 @@ void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta)
                os_free(sm->last_recv_radius);
                sm->last_recv_radius = NULL;
        }
+
+       if (sm->eap_if->eapTimeout) {
+               /*
+                * Disconnect the STA since it did not reply to the last EAP
+                * request and we cannot continue EAP processing (EAP-Failure
+                * could only be sent if the EAP peer actually replied).
+                */
+               sm->eap_if->portEnabled = FALSE;
+               hostapd_sta_deauth(hapd, sta->addr,
+                                  WLAN_REASON_PREV_AUTH_NOT_VALID);
+               sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
+                               WLAN_STA_AUTHORIZED);
+               eloop_cancel_timeout(ap_handle_timer, hapd, sta);
+               eloop_register_timeout(0, 0, ap_handle_timer, hapd, sta);
+               sta->timeout_next = STA_REMOVE;
+       }
 }