[Networkmanager] 802.1x Reauth with linux bridge not working - NetworkManager does not reply to get identity

STEINLECHNER Paul paul.steinlechner at tirol.gv.at
Fri Jan 27 08:12:00 UTC 2023


Hi,

I already wrote a message to users at lists.freedesktop.org some time ago, but so far no response. Maybe somebody is able to give a hint how to fix the problems we are currently facing with our setup:

We are trying to implement 802.1x on our Fedora workstations (36, latest updates) for both the workstation itself and a Windows KVM guest. Therefore, we created a linux bridge with the physical and virtual device as members. The virtual KVM guest has been configured to use the br0 within KVM. To make 802.1x link-local frames pass the bridge to the actual interfaces, we configured the group_fwd_mask.

Both the guest and the host system are able to authenticate themselves via 802.1x. Also, the Windows guest is able to reauthenticate (the switch forces a reauth every 2h), but not the linux host. The Wireshark trace shows that the switch is sending the request identity frame (Type identity(1)), but the host system is not responding to it. The packet can be seen on bridge br0 and slave interface enp0s31f6, so the bridge is working. For me it seems that the network manager ignores these packets. If I do a setup without a bridge, the network manager responds to the request identity frame and everything is working.

When I re-up the connection, the 802.1x auth process starts with an EAPOL start and works as expected. Only the reauth is not working. Below you find my configurations – any help appreciated.

  *   br0 Connection:


[connection]
id=br0
type=bridge
interface-name=enp0s31f6

[bridge]
group-forward-mask=8
mac-address=<mac-of-the-physical-interface>
stp=false

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]


  *   slave Connection:


[connection]
id=bridge-slave-enp0s31f6
type=ethernet
interface-name=enp0s31f6
master=br0
slave-type=bridge

[802-1x]
ca-cert=<path-to-file>
client-cert=<path-to-file>
eap=tls;
identity=<identity>
optional=true
private-key=<path-to-file>
private-key-password=<password>
private-key-password-flag=4

[ethernet]

[bridge-port]
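
As an added illustration that is not part of the original post: Python code that checks whether a bridge group-forward-mask (8 in the configuration above) covers the 802.1X PAE group address 01:80:C2:00:00:03, and scans a list of frames for EAP-Request/Identity packets that never received a Response/Identity, which is the symptom described above. The frames, MAC addresses and function names are constructed for the example.

```python
import struct

PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
ETH_P_PAE = 0x888E                         # EAPOL EtherType
RESTRICTED = 0x0007  # bits 0-2 (STP, pause, LACP) cannot be enabled in the mask

def mask_forwards(dst: bytes, mask: int) -> bool:
    """True if group-forward-mask lets the bridge forward reserved address dst."""
    if dst[:5] != PAE_GROUP[:5] or dst[5] > 0x0F:
        return False  # not in 01:80:C2:00:00:00-0F, the mask does not apply
    return bool(mask & ~RESTRICTED & (1 << dst[5]))

def parse_eap(frame: bytes):
    """Return (code, identifier, eap_type) for an EAPOL EAP-Packet, else None."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return None
    _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
    if ptype != 0:  # 0 = EAP-Packet; 1 = EAPOL-Start, 2 = Logoff, 3 = Key
        return None
    code, ident, eap_len = struct.unpack("!BBH", frame[18:22])
    eap_type = frame[22] if eap_len >= 5 and len(frame) > 22 else None
    return code, ident, eap_type

def unanswered_identity_requests(frames):
    """Identifiers of Request/Identity frames with no later Response/Identity."""
    pending = []
    for frame in frames:
        eap = parse_eap(frame)
        if eap is None or eap[2] != 1:            # EAP type 1 = Identity
            continue
        code, ident, _ = eap
        if code == 1 and ident not in pending:    # code 1 = Request
            pending.append(ident)
        elif code == 2 and ident in pending:      # code 2 = Response
            pending.remove(ident)
    return pending

def eapol(dst, src, code, ident, payload=b""):
    """Build a constructed EAPOL EAP-Packet carrying an Identity message."""
    eap = struct.pack("!BBH", code, ident, 5 + len(payload)) + b"\x01" + payload
    return dst + src + struct.pack("!HBBH", ETH_P_PAE, 2, 0, len(eap)) + eap

SWITCH = bytes.fromhex("020000000001")  # constructed, locally administered MACs
HOST = bytes.fromhex("020000000002")
CAPTURE = [  # constructed sample: first auth answered, reauth request ignored
    eapol(PAE_GROUP, SWITCH, 1, 0x10),
    eapol(PAE_GROUP, HOST, 2, 0x10, b"host"),
    eapol(PAE_GROUP, SWITCH, 1, 0x2A),
]
```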
