eduroam / Legacy WPA2 Enterprise fix for NetworkManager on Linux.

README.md

Big thanks to:

• @simonesestito - for the updated method.
• @Misaka13514 - for noting that NetworkManager offers a different method.

Assume you've diagnosed the problem with journalctl -xb and come across something similar to:

Oct 18 09:51:58 florence wpa_supplicant[7999]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Oct 18 09:51:58 florence wpa_supplicant[7999]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Oct 18 09:51:58 florence wpa_supplicant[7999]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Oct 18 09:51:58 florence kernel: wlo1: deauthenticated from 68:3b:78:12:36:2c (Reason: 23=IEEE8021X_FAILED)

That may indicate that the network you're trying to connect to, requires some very old protocols.

New Method

Automatic (recommended)

nmcli con mod id <YOUR_SSID> 802-1x.phase1-auth-flags 32

Make sure to replace <YOUR_SSID> with the actual SSID of the network which is affected by the previous error. As an example, in the specific case of eduroam, the command will be:

nmcli con mod id eduroam 802-1x.phase1-auth-flags 32

Then restart both NetworkManager and wpa_supplicant:

sudo systemctl restart NetworkManager.service
sudo systemctl restart wpa_supplicant.service

Manual

Add the following line in /etc/NetworkManager/system-connections/YOUR_NETWORK_NAME.nmconnection, under the [802-1x] section:

phase1-auth-flags=32

Then be sure to restart both NetworkManager and wpa_supplicant:

sudo systemctl restart NetworkManager.service
sudo systemctl restart wpa_supplicant.service

Old Method

wpa_supplicant doesn't process /etc/ssl/openssl.conf. So, create a new file at /etc/wpa_supplicant/wpa_supplicant.conf with the following:

openssl_ciphers=DEFAULT@SECLEVEL=0

Then edit the wpa_supplicant.service file via:

systemctl edit --full wpa_supplicant.service

and modify the ExecStart to look similar to (replace INTERFACE with your wireless interface):

ExecStart=/usr/bin/wpa_supplicant -u -s -O /run/wpa_supplicant -i INTERFACE -c /etc/wpa_supplicant/wpa_supplicant.conf

Then restart the service:

systemctl restart wpa_supplicant.service

Then it should be able to connect.

If you have issues with connection after resume:

systemctl edit --full --force wpa_supplicant_r.service

With the contents:

[Unit]
Description=Restart wpa_supplicant after resume
After=suspend.target

[Service]
Type=simple
ExecStart=/usr/bin/systemctl --no-block restart wpa_supplicant.service

[Install]
WantedBy=suspend.target

Then restart wpa_supplicant.service yourself to kick start into a working network

It works for me, thanks!

Btw if you are using NetworkManager, you can also try setting phase1-auth-flags=32 in the /etc/NetworkManager/system-connections/eduroam.nmconnection file. (then you don't need to fix wpa_supplicant)

Yep! I'll be adding that in since a recent install seemed to work with that method. It also applies only to that one connection which is much better than stripping down to lower security for all future connections. Thanks!

You are a life saver. I couldn't connect to my company's enterprise WIFI.
Fixed the issue for me on OpenSUSE Tumbleweed.
THANK YOU!

Of all the solutions (things like uninstalling or downgrading pkcs11-provider), this was the only thing that worked for me.
THANK YOU 💯 ❤️

Real saver! Big thanks.