[Networkmanager] 802.1x Reauth with linux bridge not working - NetworkManager does not reply to get identiy

Thomas Haller thaller at redhat.com
Fri Jan 27 12:51:50 UTC 2023


On Fri, 2023-01-27 at 08:12 +0000, STEINLECHNER Paul wrote:
> Hi,
> i already wrote a message to users at lists.freedesktop.org some time

I don't know that list. It doesn't seem the right place for such a

> ago, but so far no response. Maybe somebody is able to give a hint
> how to fix the problems we are currently facing with our setup:
> We are trying to implement 802.1x on our Fedora-Workstations (36,
> latest updates) for both, the workstation itself and a Windows KVM
> Guest. Therefor we created a linux bridge with the physical and
> virtual device as members. The virtual kvm guest has been configured
> to use the br0 within kvm. To make 802.1x Link Local frames passing
> the bridge to the actual interfaces we configured the group_fw_mask.
> Both, the guest and the host system are able to authenticate them via
> 802.1x. Also the Windows Guest is able to reauthenticate (the switch
> forces a reauth every 2h), but not the linux host. The wireshark
> trace shows, that the switch is sending the request identiy frame
> (Type identity(1)), but the host system is not responding to it.
> Packet can be seen on bridge br0 and slave interface enp0s31f6, so
> the bridge is working. For me it seems that the network manager does
> ignore these packets. If I do a setup without a bridge the network
> manager response to the request identiy frame and everything is
> working.
> When i reup the connection, the 802.1x auth process starts with an
> eapol start and works as expected. Only the reauth is not working.
> Below you find my configurations – any help appreciated.
>  * br0 Connection:
> [connection] id=br0 type=bridge interface-name=enp0s31f6 [bridge]
> group-forward-mask=8 mac-address=<mac-of-the-physical-interface>
> stp=false [ipv4] method=auto [ipv6] addr-gen-mode=stable-privacy
> method=auto [proxy]
> slave Connection:
> [connection] id=bridge-slave-enp0s31f6 type=ethernet interface-
> name=enp0s31f6 master=br0 slave-type=bridge [802-1x] ca-cert=<path-
> to-file> client-cert=<path-to-file> eap=tls; identity=<identity>
> optional=true private-key=<path-to-file> private-key-
> password=<password> private-key-password-flag=4 [ethernet] [bridge-
> port]

I don't know the solution.

NetworkManager uses wpa_supplicant for 802-1x. 

The way to debug an issue is by looking at debug logs.

For NetworkManager, configure `level=TRACE`. See "DEBUGGING" in `man

As the issue is possibly with supplicant, also get supplicant debug
logs. You do that by passing "-ddd` on the commandline. I think, in
Fedora you can edit /etc/sysconfig/wpa_supplicant and pass it to
OTHER_ARGS. Then `systemctl restart wpa_supplicant`.

good luck,

More information about the Networkmanager mailing list