Big thanks to:
- @simonesestito - for the updated method.
- @Misaka13514 - for noting that NetworkManager offers a different method.
Assume you've diagnosed the problem with journalctl -xb
and come across something similar to:
Oct 18 09:51:58 florence wpa_supplicant[7999]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Oct 18 09:51:58 florence wpa_supplicant[7999]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Oct 18 09:51:58 florence wpa_supplicant[7999]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Oct 18 09:51:58 florence kernel: wlo1: deauthenticated from 68:3b:78:12:36:2c (Reason: 23=IEEE8021X_FAILED)
That may indicate that the network you're trying to connect to, requires some very old protocols.
nmcli con mod id <YOUR_SSID> 802-1x.phase1-auth-flags 32
Make sure to replace <YOUR_SSID>
with the actual SSID of the network which is affected by the previous error.
As an example, in the specific case of eduroam, the command will be:
nmcli con mod id eduroam 802-1x.phase1-auth-flags 32
Then restart both NetworkManager
and wpa_supplicant
:
sudo systemctl restart NetworkManager.service
sudo systemctl restart wpa_supplicant.service
Add the following line in /etc/NetworkManager/system-connections/YOUR_NETWORK_NAME.nmconnection
, under the [802-1x]
section:
phase1-auth-flags=32
Then be sure to restart both NetworkManager
and wpa_supplicant
:
sudo systemctl restart NetworkManager.service
sudo systemctl restart wpa_supplicant.service
wpa_supplicant
doesn't process /etc/ssl/openssl.conf
. So, create a new file at /etc/wpa_supplicant/wpa_supplicant.conf
with the following:
openssl_ciphers=DEFAULT@SECLEVEL=0
Then edit the wpa_supplicant.service
file via:
systemctl edit --full wpa_supplicant.service
and modify the ExecStart to look similar to (replace INTERFACE
with your wireless interface):
ExecStart=/usr/bin/wpa_supplicant -u -s -O /run/wpa_supplicant -i INTERFACE -c /etc/wpa_supplicant/wpa_supplicant.conf
Then restart the service:
systemctl restart wpa_supplicant.service
Then it should be able to connect.
If you have issues with connection after resume:
systemctl edit --full --force wpa_supplicant_r.service
With the contents:
[Unit]
Description=Restart wpa_supplicant after resume
After=suspend.target
[Service]
Type=simple
ExecStart=/usr/bin/systemctl --no-block restart wpa_supplicant.service
[Install]
WantedBy=suspend.target
Then restart wpa_supplicant.service
yourself to kick start into a working network
It works for me, thanks!
Btw if you are using NetworkManager, you can also try setting
phase1-auth-flags=32
in the/etc/NetworkManager/system-connections/eduroam.nmconnection
file. (then you don't need to fix wpa_supplicant)