IIRC EAP doesn't authenticate the logoff communication's frame. You may know that already; if not, perhaps that might help the search.
Mike Schiffman from @Stake has a tool called Omerta that spoofs disconnects of an 802.11b client to the AP, which causes a DoS if the attacker has enough dB in his antenna. Maybe not relevant, but with the current 802.1X + EAP hype and his recent demo of the tool at Black Hat, maybe it is that of which you are thinking?
HTH,
Matt
--
PGP RSA Key ID: 0x1F6A4471
PGP DH/DSS Key ID: 0xAFF35DF2
aim: beyondzero123
icq: 120941588
yahoo msg: beyondzero123

I want peace on earth and good will toward men.
-Erwin "Whistler" Emory

We are the United States Government. We don't do that sort of thing.
-Bernard Abbott