Instantly share code, notes, and snippets.
Save cstanze/bb663ad02884932386d8c58c74c279bd to your computer and use it in GitHub Desktop.
Big thanks to:
- @simonesestito - for the updated method.
- @Misaka13514 - for noting that NetworkManager offers a different method.
Assume you've diagnosed the problem withjournalctl -xb and come across something similar to:
Oct 18 09:51:58 florence wpa_supplicant[7999]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol versionOct 18 09:51:58 florence wpa_supplicant[7999]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocolOct 18 09:51:58 florence wpa_supplicant[7999]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failedOct 18 09:51:58 florence kernel: wlo1: deauthenticated from 68:3b:78:12:36:2c (Reason: 23=IEEE8021X_FAILED)That may indicate that the network you're trying to connect to, requires some very old protocols.
nmcli con mod id<YOUR_SSID> 802-1x.phase1-auth-flags 32
Make sure to replace<YOUR_SSID> with the actual SSID of the network which is affected by the previous error.As an example, in the specific case ofeduroam, the command will be:
nmcli con mod id eduroam 802-1x.phase1-auth-flags 32
Then restart bothNetworkManager andwpa_supplicant:
sudo systemctl restart NetworkManager.servicesudo systemctl restart wpa_supplicant.service
Add the following line in/etc/NetworkManager/system-connections/YOUR_NETWORK_NAME.nmconnection, under the[802-1x] section:
phase1-auth-flags=32
Then be sure to restart bothNetworkManager andwpa_supplicant:
sudo systemctl restart NetworkManager.servicesudo systemctl restart wpa_supplicant.service
wpa_supplicant doesn't process/etc/ssl/openssl.conf. So, create a new file at/etc/wpa_supplicant/wpa_supplicant.conf with the following:
openssl_ciphers=DEFAULT@SECLEVEL=0Then edit thewpa_supplicant.service file via:
systemctl edit --full wpa_supplicant.serviceand modify the ExecStart to look similar to (replaceINTERFACE with your wireless interface):
ExecStart=/usr/bin/wpa_supplicant -u -s -O /run/wpa_supplicant -i INTERFACE -c /etc/wpa_supplicant/wpa_supplicant.confThen restart the service:
systemctl restart wpa_supplicant.serviceThen it should be able to connect.
If you have issues with connection after resume:
systemctl edit --full --force wpa_supplicant_r.serviceWith the contents:
[Unit]Description=Restart wpa_supplicant after resumeAfter=suspend.target[Service]Type=simpleExecStart=/usr/bin/systemctl --no-block restart wpa_supplicant.service[Install]WantedBy=suspend.targetThen restartwpa_supplicant.service yourself to kick start into a working network
Misaka13514 commentedMar 4, 2024
It works for me, thanks!
Btw if you are using NetworkManager, you can also try settingphase1-auth-flags=32 in the/etc/NetworkManager/system-connections/eduroam.nmconnection file. (then you don't need to fix wpa_supplicant)
cstanze commentedMar 27, 2024
Yep! I'll be adding that in since a recent install seemed to work with that method. It also applies only to that one connection which is much better than stripping down to lower security for all future connections. Thanks!
brintal commentedOct 9, 2024
You are a life saver. I couldn't connect to my company's enterprise WIFI.
Fixed the issue for me on OpenSUSE Tumbleweed.
THANK YOU!
lovely-necromancer commentedMar 2, 2025
Of all the solutions (things like uninstalling or downgrading pkcs11-provider), this was the only thing that worked for me.
THANK YOU 💯 ❤️
clickCA commentedAug 13, 2025
Real saver! Big thanks.