On Fri, Feb 11, 2022 at 10:11, Florian Fainelli [off-list ref] wrote:

It makes sense that we are using the bridge layer to support 802.1x but
this leaves behind the case of standalone ports which people might want
to use. Once we cover the standalone ports there is also a question of
what to do in the case of a regular Ethernet NIC, and whether it can
actually support 802.1x properly given their MAC filtering capabilities
(my guess is that most cannot without breaking communication with other
stations connecting through the same port).

The only interface I can think of that would be generic enough to
support all cases is TC offloading. I.e. you could program a matchall
rule drop rule, and then later insert exceptions for authenticated
clients before the drop rule.

It feels awfully cumbersome for drivers to have to figure this out
though.

Looking at what Broadcom Roboswitch support, the model you propose
should be working, it makes me wonder if we need to go a bit beyond what
can be configurable besides blocked/not-blocked and have different
levels of strictness. These switches do the following on a per-port
basis you can:

- set the EAP destination MAC address if different than 01:80:C2:00:00:03

- enable EAP frame with destination MAC address specified

- set the EAP block mode:
	0 - disabled
	1 - only the frames with the EAP reserved multicast address will be
forwarded, otherwise frames will be dropped
	3 - only the frames with the EAP reserved multicast address will be
forwarded. Forwarding verifies that each egress port is enabled for EAP
+ BLK_MODE
- set the EAP mode:
	0 - disabled
	2 - extended mode: check MAC SA, port, drop if unknown
	3 - simplified mode: check SA, port, trap to management if SA is unknown

We have a number of vectors that can be used to accept specific MAC SA
addresses.

Then we have a global register that allows us to configure whether we
want to allow ARP, DHCP, BPDU, RMC, RARP or the frames with the
specified destination IP address/masks being specified. I would assume
that the two registers allowing us to specify a destination IP/subnet
might be used to park unauthenticated stations to a "guest" VLAN maybe?

So with that said, it looks like we may not need a method beyond just
setting the port state. In your case, it sounds like you would program
the mv88e6xxx switch's ATU with the MAC addresses learned from the
bridge via the standard FDB learning notification?

The idea is that hostapd (or whatever authenticator daemon you're
running) would do the equivalent of:

    bridge fdb add <sa-of-station> [vid X] dev <port> permanent

(Vladimir can correct the flags that I have undoubtedly gotten wrong,
but you get the idea :))

Would this approach not work on a Roboswitch?

In the future, we also want to support things like MAB (mac
authentication bypass), i.e. allowing for some vetting of legacy
devices. This is a bit more complicated, because it requires a
notification from the HW about which exact address that was seen.

Our idea is to add a flag to FDB entries ("locked"), that would indicate
that a dynamic entry has been learned on a locked port. The entry must
therefore never be used to forward traffic. Its addition to the FDB will
trigger an event though, which can be noticed by a daemon that can
perform the necessary verifications. If the station is allowed, the
deamon will clear the locked flag on the FDB entry, allowing forwarding.

In a software setting, this entry will be added by the bridge when a new
SA is detected on a locked port. For switchdevs, the drivers could use
the existing way of notifying the bridge of new entries that it has
learned, except that the locked flag would be set on the entry.

So on Roboswitch, for example, I imagine you could:

- Use EAP mode 3 to trap the frames to the CPU
- Add a hardware FDB entry with a null-destination to block any further
  traps for that SA.
- Generate a locked FDB entry notification to the bridge (and by
  extension to userspace).

This will let you enforce policies like "only allow stations with OUI
02:de:ad on swp3".

In the case of Broadcom switches, I suppose the same should be done,
however instead of programming the main FDB, we would have to program
the multi-port vector when the port is in blocked state. This becomes a
switch driver detail.

I would like other maintainers of switch drivers to chime in to know
whether microchip, Qualcomm/Atheros and Mediatek have similar features
or not.

Does that make sense?

Time to dust off my freeradius settings to test this out, it's been
nearly 15 years since I last did this, time to see if EAP-TTLS or
EAP-PEAP are more streamlined on the client side :)