It is possible to do wired 802.1X authentication with devices that have a Broadcom switch.
Here is what you need to know.
First off, some devices have a WAN port that is internally separated from the switch. If you happen to have such a device, it is preferable to use this WAN port for authentication. No special action is needed, and the ordinary wired driver of wpa_supplicant should suffice.
If authentication through a RoboSwitch (the family name of Broadcom switch chipsets) is desired, you need a version of wpa_supplicant with the roboswitch driver included. Note that Kamikaze 8.09 does not have such a version by default.
You can build wpa_supplicant from the trunk sources. If you selected Broadcom/2.4 as your target, the roboswitch driver is included by default. For other targets (i.e. Broadcom/2.6) you need to modify package/wpa_supplicant/config to contain "CONFIG_DRIVER_ROBOSWITCH=y".
Early versions of the roboswitch driver are only able to receive packets sent to the PAE group address. If you need authentication on an "own MAC address" basis there are two things you can do.
ONE: When the internal switch port is untagged in the vlan used for authentication, wpa_supplicant will receive all EAPOL frames on the vlan. This has the disadvantage that frames directed at other clients are treated as if they are part of the local authentication. This is no problem when the router is the only device authenticating to an authenticator on the chosen vlan, but it violates IEEE 802.1X.
Example: suppose you wish to authenticate on port 0 (internal numbering) in vlan 1 and the authenticator sends its packets to your MAC address. You can make the internal port untag frames in vlan 1 by giving the following command:
# echo 0 5u > /proc/switch/eth0/vlan/1/ports
Next you run wpa_supplicant on interface eth0.1, with driver roboswitch.
TWO: Use a recent (still unreleased on April 16, 2009) version of the roboswitch driver. New versions are able to receive and filter EAPOL frames in an 802.1X-conformant way.
When using a new (post 0.6.9) version of wpa_supplicant and the roboswitch driver you should use the multicast_only parameter whenever possible:
# wpa_supplicant -i <interface>.<vlan> -D roboswitch -p multicast_only=1 [etc.]
This is because the new EAPOL filter is a little CPU-intensive and can drop frames.
So: if authentication takes place on the PAE group address, just use the parameter. If all EAPOL frames are relevant for authentication, use the parameter, combined with method ONE (above). Else: live with the CPU strain.
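The three receive behaviours described on this page, as an added example (not code from wpa_supplicant or the roboswitch driver): a simplified C model of which EAPOL frames the supplicant ends up processing, showing why method ONE picks up frames meant for other clients. The mode names, helper functions and MAC addresses are made up for illustration; the EAPOL EtherType 0x888E and the PAE group address 01:80:C2:00:00:03 are the IEEE 802.1X values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define ETHERTYPE_EAPOL 0x888E /* IEEE 802.1X EAPOL EtherType */
static const uint8_t PAE_GROUP[6] = {0x01, 0x80, 0xC2, 0x00, 0x00, 0x03};
/* Constructed sample addresses (locally administered), not real devices. */
static const uint8_t OWN_MAC[6]   = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t OTHER_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};

enum rx_mode { /* hypothetical names for the behaviours on this page */
    RX_UNFILTERED,     /* method ONE: every EAPOL frame on the vlan */
    RX_MULTICAST_ONLY, /* only frames sent to the PAE group address */
    RX_CONFORMANT      /* PAE group address or our own MAC address */
};

/* Returns 1 if the supplicant would treat the frame as its own, else 0. */
int eapol_accept(const uint8_t *frame, size_t len,
                 const uint8_t own_mac[6], enum rx_mode mode)
{
    if (frame == NULL || len < ETH_HLEN)
        return 0; /* truncated Ethernet header */
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_EAPOL)
        return 0; /* not EAPOL at all */
    int to_group = memcmp(frame, PAE_GROUP, 6) == 0;
    int to_us = memcmp(frame, own_mac, 6) == 0;
    if (mode == RX_UNFILTERED) return 1;
    if (mode == RX_MULTICAST_ONLY) return to_group;
    return to_group || to_us;
}

/* Build a minimal EAPOL frame addressed to dst; returns its length. */
size_t make_eapol(uint8_t *buf, const uint8_t dst[6])
{
    memset(buf, 0, 18);
    memcpy(buf, dst, 6);             /* destination MAC */
    buf[12] = 0x88; buf[13] = 0x8E;  /* EtherType */
    buf[14] = 0x01;                  /* EAPOL version 1, type EAP-Packet */
    return 18;
}

int main(void)
{
    uint8_t f[18];
    size_t n = make_eapol(f, OTHER_MAC); /* frame for another client */
    printf("unfiltered=%d conformant=%d\n", eapol_accept(f, n, OWN_MAC, RX_UNFILTERED), eapol_accept(f, n, OWN_MAC, RX_CONFORMANT));
    return 0;
}
```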