@cstanze
Last active March 2, 2025 07:39
eduroam / Legacy WPA2 Enterprise fix for NetworkManager on Linux.

Big thanks to:

Assume you've diagnosed the problem with journalctl -xb and come across something similar to:

Oct 18 09:51:58 florence wpa_supplicant[7999]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Oct 18 09:51:58 florence wpa_supplicant[7999]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Oct 18 09:51:58 florence wpa_supplicant[7999]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Oct 18 09:51:58 florence kernel: wlo1: deauthenticated from 68:3b:78:12:36:2c (Reason: 23=IEEE8021X_FAILED)

That may indicate that the network you're trying to connect to requires some very old TLS protocol versions.

New Method

Automatic (recommended)

nmcli con mod id <YOUR_SSID> 802-1x.phase1-auth-flags 32

Make sure to replace <YOUR_SSID> with the actual SSID of the network affected by the previous error (strictly, nmcli matches the connection profile name here, which defaults to the SSID). For example, in the specific case of eduroam, the command is:

nmcli con mod id eduroam 802-1x.phase1-auth-flags 32

Then restart both NetworkManager and wpa_supplicant:

sudo systemctl restart NetworkManager.service
sudo systemctl restart wpa_supplicant.service

Manual

Add the following line in /etc/NetworkManager/system-connections/YOUR_NETWORK_NAME.nmconnection, under the [802-1x] section:

phase1-auth-flags=32

Then be sure to restart both NetworkManager and wpa_supplicant:

sudo systemctl restart NetworkManager.service
sudo systemctl restart wpa_supplicant.service

Old Method

wpa_supplicant doesn't process /etc/ssl/openssl.cnf, so create a new file at /etc/wpa_supplicant/wpa_supplicant.conf with the following:

openssl_ciphers=DEFAULT@SECLEVEL=0

Then edit the wpa_supplicant.service file via:

systemctl edit --full wpa_supplicant.service

and modify the ExecStart to look similar to (replace INTERFACE with your wireless interface):

ExecStart=/usr/bin/wpa_supplicant -u -s -O /run/wpa_supplicant -i INTERFACE -c /etc/wpa_supplicant/wpa_supplicant.conf

Then restart the service:

systemctl restart wpa_supplicant.service

Then it should be able to connect.

If you have issues with the connection after resume, create a new unit:

systemctl edit --full --force wpa_supplicant_r.service

With the contents:

[Unit]
Description=Restart wpa_supplicant after resume
After=suspend.target

[Service]
Type=simple
ExecStart=/usr/bin/systemctl --no-block restart wpa_supplicant.service

[Install]
WantedBy=suspend.target

Then restart wpa_supplicant.service yourself to kick-start it into a working network.
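
To check which saved profiles carry the phase1-auth-flags override from the New Method, the following added example (not part of the original gist) reads each .nmconnection keyfile, extracts phase1-auth-flags from its [802-1x] section and decodes the bitmask with NetworkManager's flag values, where 32 (0x20) is tls-1-0-enable. The function names are hypothetical and the profile directory is passed as an argument.

```shell
#!/bin/sh
# Added example: list NetworkManager profiles that re-enable TLS 1.0/1.1.
# Bit values follow NetworkManager's 802-1x.phase1-auth-flags definition.
# Function names are hypothetical. Usage (keyfiles are root-readable only):
#   sudo sh audit.sh /etc/NetworkManager/system-connections

# decode_flags N -> names of the flags set in N, space-separated
decode_flags() {
    out=""
    for pair in 1:tls-1-0-disable 2:tls-1-1-disable 4:tls-1-2-disable \
                8:tls-disable-time-checks 16:tls-1-3-disable \
                32:tls-1-0-enable 64:tls-1-1-enable \
                128:tls-1-2-enable 256:tls-1-3-enable; do
        bit=${pair%%:*}
        if [ $(( $1 & $bit )) -ne 0 ]; then out="$out ${pair#*:}"; fi
    done
    echo "${out# }"
}

# phase1_flags FILE -> phase1-auth-flags from the [802-1x] section (0 if unset)
phase1_flags() {
    awk -F= '
        /^\[/ { in8021x = ($0 == "[802-1x]"); next }
        in8021x && $1 == "phase1-auth-flags" { v = $2 }
        END { print (v == "" ? 0 : v) }
    ' "$1"
}

# audit_profiles DIR -> one line per profile with a legacy TLS enable bit set
audit_profiles() {
    for f in "$1"/*.nmconnection; do
        [ -f "$f" ] || continue
        flags=$(phase1_flags "$f")
        case $flags in ''|*[!0-9]*) continue ;; esac   # skip non-numeric values
        # 96 = 32 | 64: tls-1-0-enable or tls-1-1-enable
        if [ $(( $flags & 96 )) -ne 0 ]; then
            echo "$(basename "$f"): phase1-auth-flags=$flags ($(decode_flags "$flags"))"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    audit_profiles "$1"
fi
```

Profiles it lists accept the legacy protocol version only for that connection; other profiles keep the defaults.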

@brintal
brintal commented Oct 9, 2024

You are a life saver. I couldn't connect to my company's enterprise WIFI.
Fixed the issue for me on OpenSUSE Tumbleweed.
THANK YOU!

@lovely-necromancer
Of all the solutions (things like uninstalling or downgrading pkcs11-provider), this was the only thing that worked for me.
THANK YOU 💯 ❤️
