We are trying to implement 802.1x on our Fedora workstations (36, latest updates) for both the workstation itself and a Windows KVM guest. Therefore we created a Linux bridge with the physical and virtual device as members. The virtual KVM guest has been configured to use the br0 within KVM. To make 802.1x link-local frames pass the bridge to the actual interfaces, we configured the group_fw_mask.

Both the guest and the host system are able to authenticate themselves via 802.1x. The Windows guest is also able to reauthenticate (the switch forces a reauth every 2h), but the Linux host is not. The Wireshark trace shows that the switch is sending the request identity frame (Type identity(1)), but the host system is not responding to it. The packet can be seen on bridge br0 and slave interface enp0s31f6, so the bridge is working. To me it seems that NetworkManager ignores these packets. If I do a setup without a bridge, NetworkManager responds to the request identity frame and everything is working.

When I re-up the connection, the 802.1x auth process starts with an EAPOL start and works as expected. Only the reauth is not working.

Below you find my configurations – any help appreciated.
-------------------------------------------------------------------------------------------------------------------------
br0 Connection:
[connection]
id=br0
type=bridge
interface-name=enp0s31f6
[bridge]
group-forward-mask=8
mac-address=<mac-of-the-physical-interface>
stp=false
[ipv4]
method=auto
[ipv6]
addr-gen-mode=stable-privacy
method=auto
[proxy]
slave Connection:
[connection]
id=bridge-slave-enp0s31f6
type=ethernet
interface-name=enp0s31f6
master=br0
slave-type=bridge
[802-1x]
ca-cert=<path-to-file>
client-cert=<path-to-file>
eap=tls;
identity=<identity>
optional=true
private-key=<path-to-file>
private-key-password=<password>
private-key-password-flag=4
[ethernet]
[bridge-port]
-------------------------------------------------------------------------------------------------------------------------
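
An added example, not part of the original post: when reading a capture like the one described above, this decodes an EAPOL frame, identifies an EAP Request/Identity, and reports which bridge group-forward-mask bit governs its destination address (on a Linux bridge, bit N of the mask corresponds to 01:80:C2:00:00:0N). The sample frame, the source MAC and the function name are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
RESERVED_PREFIX = bytes.fromhex("0180c20000")  # 01:80:C2:00:00:0X group addresses
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Constructed sample: EAP Request/Identity from a switch to the PAE group address.
SAMPLE_FRAME = bytes.fromhex(
    "0180c2000003"  # destination 01:80:C2:00:00:03
    "020000000001"  # source (constructed, locally administered)
    "888e"          # EtherType EAPOL
    "01000005"      # EAPOL version 1, type 0 (EAP-Packet), body length 5
    "0107000501"    # EAP code 1 (Request), id 7, length 5, type 1 (Identity)
)


def classify_eapol(frame: bytes, group_fwd_mask: int) -> dict:
    """Decode one EAPOL frame and report how the given mask treats its destination."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    reserved = dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F
    bit = (1 << dst[5]) if reserved else None
    info = {
        "dst": dst.hex(":"),
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, ptype),
        "mask_bit": bit,  # mask value needed for this destination
        "forwarded_by_mask": bool(reserved and group_fwd_mask & bit),
    }
    body = frame[18:18 + length]
    if ptype == 0 and len(body) >= 4:  # EAP packet carried inside EAPOL
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, code)
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5 and len(body) >= 5:
            info["eap_type"] = body[4]  # 1 = Identity
    return info


if __name__ == "__main__":
    print(classify_eapol(SAMPLE_FRAME, group_fwd_mask=8))
```

The mask only describes forwarding between bridge ports; whether a supplicant on the host answers the request is a separate question that this check does not settle.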