[SOLVED] Proxmox guest 802.1x authenticator?

[membranex]

Hi,

I'm looking to experiment a bit with 802.1x wired authentication. I've setup a vm with hostapd and radius unfortunately I can't see any eap frames with tcpdump from the windows vm that is trying to authenticate - is it a limitation of Proxmox/linux? Any idea how could I emulate a working 802.1x network?

 

[membranex]

I managed to solve my issue. The problem was that vmbr adapter was not passing EAP frames. It appears that it's really easy to change that just by executing one of those lines (taken from here: http://thornton.info/tools/mibr.htm):

echo 8 > /sys/class/net/<vmbrX>/bridge/group_fwd_mask
or
echo 49144 > /sys/class/net/<vmbrX>/bridge/group_fwd_mask

 

[tipex]

Just in the process of trying to get Proxmox setup using 802.1X.

I've manage to get Proxmox to authenticate using 802.1X by editing /etc/network/interfaces and also creating /etc/wpa_supplicant.conf.

Cant seem to get guests to authenticate though. I tried both the lines above but neither have worked. I have my network switch setup for multiple authentication i.e. all devices connecting to a given port need to authenticate.

Has anyone else got this working? Wondering if the fix has changed since 2019?

 

[tipex]

Some additional info:

When I have Proxmox authenticating using 802.1x (using this guide https://help.ubuntu.com/community/Network802.1xAuthentication)
/sys/class/net/vmbr0/bridge/group_fwd_mask gets reset to 0 at boot. So setting it to 8 or 49144 then becomes pointless.

I set Proxmox back to not using 802.1X which meant it just ended up in the guest VLAN. /sys/class/net/vmbr0/bridge/group_fwd_mask is then not reset and retains 8 or 49144 but VMs still cant authenticate.

 

[tipex]

Actually it seems no matter what /sys/class/net/vmbr0/bridge/group_fwd_mask gets reset to 0 on reboot.

Found that adding the following to /etc/network/interfaces means the setting is put in right at the start and therefore the setting survives a reboot:

post-up echo 8 > /sys/class/net/vmbr0/bridge/group_fwd_mask

VMs still cant authenticate though

 

[tipex]

Whats the best practice with regards to this thread being marked as solved. The original poster managed to get it working but I cant. Should I create a new thread or is it best to continue adding to this one? I imagine most people will see this as being solved and therefore not jump in to help. Dont want to create a duplicate thread though.

 

[tipex]

This site explains things pretty well:
https://interestingtraffic.nl/2017/11/21/an-oddly-specific-post-about-group_fwd_mask/

From this I now understand why we need to set the forward mask to 8. It talks about a patched kernal but that should not be required as 802.1X is the 4th bit and its only the first 3 bits that require the patched kernal. Its quite frustrating because there is so little information online about getting Linux bridging to work with 802.1X (understandable because that not that many people want to do it). Everything I have found says the same thing about setting the forward mask to 8, like I have done.

Here is my network config incase anyone can spot any mistakes I've made.

 

[kenso]

Hi tipex,
the question is marked as SOLVED, but was there a solution?
Because I have the excact same problem.

 

[tipex]

The orginial poster membranex managed to solve it which is why its marked as solved. The solution they used did not work for me though so I'm still at the point of it not working. I am currently using mac authencation bypass as a wrok around until I can find a proper solution.

I also started a thread here as I dont think the problem is directly related to proxmox - its just general linux bridging with 802.1x:
https://serverfault.com/questions/1132393/virtual-machines-not-working-with-802-1x-linux-bridge

I think very few people are trying to do this which is why there is a lack of responses