Enable 802.1X forwarding for KVM guests

If you run a virtual machine under libvirt (KVM) with bridged networking on the host, the default configuration for 802.1D MAC bridging does not forward the EAPOL traffic used for 802.1X authentication, so running wpa_supplicant on the VM guest will fail. The following assumes you have already configured bridged networking on the VM host and that the bridge is named br0.

All commands should be run on the virtual machine host, not the guest.

Disable STP on your bridge interface. For Debian-based Linux:

$ sed -i "/^iface\ br0.*/ a \\\tbridge_stp off" /etc/network/interfaces

And for RHEL-based Linux:

$ sed -i '$ a STP=off' /etc/sysconfig/network-scripts/ifcfg-br0

Create the following shell script in /usr/local/sbin/8021Xforward.sh and make it executable with chmod a+rx /usr/local/sbin/8021Xforward.sh:

#!/bin/bash
# Set bit 3 of the mask so br0 forwards frames addressed to 01:80:C2:00:00:03 (EAPOL).
/bin/echo 8 > /sys/class/net/br0/bridge/group_fwd_mask

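Create the following systemd unit file in /etc/systemd/system/8021Xforward.service:

[Unit]
Description=802.1X Forwarder

[Service]
# The script runs once and exits.
Type=oneshot
User=root
# The root group exists on both Debian- and RHEL-based hosts; wheel does not exist on Debian by default.
Group=root
# Delay startup so br0 is up before the script writes to its sysfs entry.
ExecStartPre=/bin/sleep 60
ExecStart=/usr/local/sbin/8021Xforward.sh

[Install]
WantedBy=default.target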

Enable and start 8021Xforward.service:

$ systemctl enable 8021Xforward.service; systemctl start 8021Xforward.service

Verify that this has taken effect. The following command should return 0x8.

$ cat /sys/class/net/br0/bridge/group_fwd_mask
0x8

Restart the network or reboot your VM host.

For RHEL-based Linux:

$ systemctl restart network

or for Debian-based Linux:

$ systemctl restart networking
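
To confirm both settings after the restart, the following added example (not part of the original page) reads the bridge's sysfs entries and reports whether group_fwd_mask is exactly the 0x8 expected above and STP is off. It goes slightly beyond the page by decoding any extra mask bits into the 01:80:C2:00:00:0X group addresses they would also forward; SYSFS_ROOT and the script file name are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit the bridge settings changed on this page.
# SYSFS_ROOT is a hypothetical override so the check can run against a test tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"
EAPOL_MASK=$((1 << 3))  # bit 3 = 01:80:C2:00:00:03, the 802.1X PAE group address

# Print each 01:80:C2:00:00:0X group address that mask $1 tells the bridge to forward.
decode_fwd_mask() {
    _bit=0
    while [ "$_bit" -le 15 ]; do
        if [ $(( $1 & (1 << _bit) )) -ne 0 ]; then
            printf '01:80:C2:00:00:%02X\n' "$_bit"
        fi
        _bit=$((_bit + 1))
    done
}

# Return 0 only if bridge $1 has STP off and forwards EAPOL and nothing else.
# Returns 1 on a wrong setting, 2 if $1 is not a bridge.
check_bridge() {
    _dir="$SYSFS_ROOT/$1/bridge"
    [ -r "$_dir/group_fwd_mask" ] || { echo "$1: not a bridge"; return 2; }
    _mask=$(cat "$_dir/group_fwd_mask")   # kernel reports hex, e.g. 0x8
    _stp=$(cat "$_dir/stp_state")         # 0 = STP off
    if [ $(( $_mask & EAPOL_MASK )) -eq 0 ]; then
        echo "$1: EAPOL is not forwarded (group_fwd_mask=$_mask)"
        return 1
    fi
    if [ $(( $_mask & ~EAPOL_MASK )) -ne 0 ]; then
        echo "$1: group_fwd_mask=$_mask forwards more than EAPOL:"
        decode_fwd_mask "$_mask"
        return 1
    fi
    if [ "$_stp" != 0 ]; then
        echo "$1: STP is still enabled (stp_state=$_stp)"
        return 1
    fi
    echo "$1: OK (group_fwd_mask=$_mask, STP off)"
}

# Usage (hypothetical file name): sh check-8021x-bridge.sh br0
if [ $# -gt 0 ]; then check_bridge "$1"; fi
```
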