802.1x Reauth with linux bridge not working - NetworkManager does not reply to get identity

We are trying to implement 802.1x on our Fedora Workstations (36, latest updates) for both the workstation itself and a
Windows KVM guest. Therefore we created a Linux bridge with the physical and virtual device as members. The virtual KVM
guest has been configured to use br0 within KVM. To make 802.1x link-local frames pass the bridge to the actual
interfaces we configured the group_fwd_mask.

Both the guest and the host system are able to authenticate themselves via 802.1x. Also the Windows guest is able to
reauthenticate (the switch forces a reauth every 2h), but not the Linux host. The Wireshark trace shows that the switch is
sending the Request Identity frame (Type identity(1)), but the host system is not responding to it. The packet can be seen on
bridge br0 and slave interface enp0s31f6, so the bridge is working. For me it seems that NetworkManager ignores
these packets. If I do a setup without a bridge, NetworkManager responds to the Request Identity frame and everything is
working.

When I re-up the connection, the 802.1x auth process starts with an EAPOL-Start and works as expected. Only the reauth is not
working.

Below you find my configurations – any help appreciated. 

-------------------------------------------------------------------------------------------------------------------------

br0 Connection:

[connection]
id=br0
type=bridge
# the bridge device itself is br0; the physical port enp0s31f6 belongs in the slave connection below
interface-name=br0

[bridge]
group-forward-mask=8
mac-address=<mac-of-the-physical-interface>
stp=false

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

slave Connection:

[connection]
id=bridge-slave-enp0s31f6
type=ethernet
interface-name=enp0s31f6
master=br0
slave-type=bridge

[802-1x]
ca-cert=<path-to-file>
client-cert=<path-to-file>
eap=tls;
identity=<identity>
optional=true
private-key=<path-to-file>
private-key-password=<password>
private-key-password-flags=4

[ethernet]

[bridge-port]

-------------------------------------------------------------------------------------------------------------------------
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
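As an added example (not part of the original post, and not NetworkManager code), the script below checks the two things the diagnosis above rests on: whether a bridge group_fwd_mask value actually forwards frames addressed to the 802.1X PAE group address 01:80:C2:00:00:03 (the reason for group-forward-mask=8), and what kind of EAPOL/EAP frame a captured Ethernet frame is, so a capture on br0 and enp0s31f6 can be compared. The MAC addresses and frame bytes are constructed samples.

```python
"""Classify 802.1X EAPOL frames and check a Linux bridge group_fwd_mask."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X Port Access Entity group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS"}


def group_fwd_mask_bit(group_addr: bytes) -> int:
    """Bit in /sys/class/net/<br>/bridge/group_fwd_mask that forwards 01:80:C2:00:00:0X.

    The bridge uses the last nibble X of the reserved address as the bit index,
    so the EAPOL address (X = 3) needs bit 3, i.e. the value 8 used in the post.
    """
    if group_addr[:5] != bytes.fromhex("0180c20000") or group_addr[5] > 15:
        raise ValueError("not an IEEE 802.1D reserved group address")
    return 1 << group_addr[5]


def mask_forwards_eapol(mask: int) -> bool:
    """True if a bridge with this group_fwd_mask passes EAPOL to its ports."""
    return bool(mask & group_fwd_mask_bit(PAE_GROUP_ADDR))


def classify_frame(frame: bytes) -> str:
    """Return a short description of an Ethernet frame if it is EAPOL/EAP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return "not-EAPOL"
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if ptype != 0:  # EAPOL-Start, Logoff, Key carry no EAP packet
        return EAPOL_TYPES.get(ptype, f"type-{ptype}")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    desc = f"EAP {EAP_CODES.get(code, code)} id={ident}"
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a method type
        desc += " " + EAP_TYPES.get(body[4], f"type-{body[4]}")
    return desc


# Constructed sample frames (switch MAC and host MAC are made up).
SWITCH_MAC, HOST_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
# Switch -> PAE group: EAPOL v2, EAP-Packet, EAP Request (code 1) id 42, type Identity.
REQUEST_IDENTITY = (PAE_GROUP_ADDR + SWITCH_MAC + b"\x88\x8e" + bytes([2, 0])
                    + struct.pack("!H", 5) + bytes([1, 42]) + struct.pack("!H", 5) + b"\x01")
# Host -> PAE group: EAPOL v2, EAPOL-Start with an empty body (what the host sends on re-up).
EAPOL_START = PAE_GROUP_ADDR + HOST_MAC + b"\x88\x8e" + bytes([2, 1]) + struct.pack("!H", 0)
```

In a real capture the frames to classify are the ones seen on enp0s31f6 and on br0; a Request Identity on both with no Response Identity from the host confirms the bridge forwards and the supplicant stays silent.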