@cstanze
Last active October 22, 2024 08:29
eduroam / Legacy WPA2 Enterprise fix for NetworkManager on Linux.

Big thanks to:

Assume you've diagnosed the problem with journalctl -xb and come across something similar to:

Oct 18 09:51:58 florence wpa_supplicant[7999]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Oct 18 09:51:58 florence wpa_supplicant[7999]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Oct 18 09:51:58 florence wpa_supplicant[7999]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Oct 18 09:51:58 florence kernel: wlo1: deauthenticated from 68:3b:78:12:36:2c (Reason: 23=IEEE8021X_FAILED)

That may indicate that the network you're trying to connect to requires some very old protocols.

New Method

Automatic (recommended)

nmcli con mod id <YOUR_SSID> 802-1x.phase1-auth-flags 32

Make sure to replace <YOUR_SSID> with the actual SSID of the network which is affected by the previous error. As an example, in the specific case of eduroam, the command will be:

nmcli con mod id eduroam 802-1x.phase1-auth-flags 32

Then restart both NetworkManager and wpa_supplicant:

sudo systemctl restart NetworkManager.service
sudo systemctl restart wpa_supplicant.service

Manual

Add the following line in /etc/NetworkManager/system-connections/YOUR_NETWORK_NAME.nmconnection, under the [802-1x] section:

phase1-auth-flags=32

Then be sure to restart both NetworkManager and wpa_supplicant:

sudo systemctl restart NetworkManager.service
sudo systemctl restart wpa_supplicant.service
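
To see what the value 32 switches on and which saved profiles carry it, here is an added example (not part of the original gist) that decodes phase1-auth-flags using the bit names from NetworkManager's documented NMSetting8021xAuthFlags, where 32 (0x20) is tls-1-0-enable, and reads the value from the [802-1x] section of a keyfile. The function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the gist. Bit names follow NetworkManager's
# documented NMSetting8021xAuthFlags values.

# decode_phase1_flags N -> names of the bits set in decimal N ("none" for 0)
decode_phase1_flags() {
    case $1 in ''|*[!0-9]*|0?*) return 2 ;; esac   # plain decimal only
    out=""
    for pair in 1:tls-1-0-disable 2:tls-1-1-disable 4:tls-1-2-disable \
                8:tls-disable-time-checks 16:tls-1-3-disable \
                32:tls-1-0-enable 64:tls-1-1-enable \
                128:tls-1-2-enable 256:tls-1-3-enable; do
        if [ $(( $1 & ${pair%%:*} )) -ne 0 ]; then
            out="${out:+$out }${pair#*:}"
        fi
    done
    echo "${out:-none}"
}

# keyfile_phase1_flags FILE -> phase1-auth-flags value in [802-1x], if set
keyfile_phase1_flags() {
    awk -F'[ \t]*=[ \t]*' '
        /^\[/ { in_sec = ($0 == "[802-1x]"); next }
        in_sec && $1 == "phase1-auth-flags" { print $2; exit }
    ' "$1"
}

# audit_keyfile FILE -> prints the decoded flags; returns 1 when TLS 1.0 or
# 1.1 is explicitly enabled, 2 when the file or value cannot be read
audit_keyfile() {
    raw=$(keyfile_phase1_flags "$1") || return 2
    names=$(decode_phase1_flags "${raw:-0}") || return 2
    echo "$1: phase1-auth-flags=${raw:-0} ($names)"
    case " $names " in
        *" tls-1-0-enable "*|*" tls-1-1-enable "*) return 1 ;;
    esac
}

# Constructed sample profile mirroring the Manual step above.
write_sample_keyfile() {
    printf '%s\n' '[connection]' 'id=eduroam' '' '[802-1x]' 'eap=peap;' \
        'phase1-auth-flags=32' 'phase2-auth=mschapv2' > "$1"
}

sample=$(mktemp)
write_sample_keyfile "$sample"
audit_keyfile "$sample" || echo "-> legacy TLS explicitly enabled"
rm -f "$sample"
```

Running audit_keyfile as root over each file in /etc/NetworkManager/system-connections/ lists which profiles carry the relaxed setting, so it can be kept to the one network that needs it.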

Old Method

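wpa_supplicant doesn't process /etc/ssl/openssl.cnf. So, create a new file at /etc/wpa_supplicant/wpa_supplicant.conf with the following (unlike the new method, this lowers the security level for every connection wpa_supplicant handles, not just the affected network):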

openssl_ciphers=DEFAULT@SECLEVEL=0

Then edit the wpa_supplicant.service file via:

systemctl edit --full wpa_supplicant.service

and modify the ExecStart to look similar to (replace INTERFACE with your wireless interface):

ExecStart=/usr/bin/wpa_supplicant -u -s -O /run/wpa_supplicant -i INTERFACE -c /etc/wpa_supplicant/wpa_supplicant.conf

Then restart the service:

systemctl restart wpa_supplicant.service

Then it should be able to connect.

If you have issues with connection after resume:

systemctl edit --full --force wpa_supplicant_r.service

With the contents:

[Unit]
Description=Restart wpa_supplicant after resume
After=suspend.target

[Service]
Type=simple
ExecStart=/usr/bin/systemctl --no-block restart wpa_supplicant.service

[Install]
WantedBy=suspend.target

Then restart wpa_supplicant.service yourself to kick-start a working network connection.

@cstanze
Author

cstanze commented Mar 27, 2024

Yep! I'll be adding that in since a recent install seemed to work with that method. It also applies only to that one connection which is much better than stripping down to lower security for all future connections. Thanks!

@brintal

brintal commented Oct 9, 2024

You are a life saver. I couldn't connect to my company's enterprise WIFI.
Fixed the issue for me on OpenSUSE Tumbleweed.
THANK YOU!
