This likely happens because your EAP server only supports old versions of SSL or TLS.
The blog post is a good starting point, except I’m unsure why you came to the conclusion that setting rh-allow-sha1-signatures explicitly was the correct answer.
Incidentally, switching the crypto-policy to LEGACY will also correctly add rh-allow-sha1-signatures to /etc/crypto-policies/back-ends/opensslcnf.config. Specifically, alg_section refers to the configuration value in the section named by openssl_conf that contains the name of the section that can contain rh-allow-sha1-signatures. That’s confusing, so here’s an example:
If this isn’t solved by switching to the LEGACY crypto policy, I either misidentified the root cause, or your EAP server requires SSLv3. In any case, you should ask your university’s IT department to support modern TLS on their EAP server.
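An added example, not part of the original post: a small Python reader that follows the indirection described above (openssl_conf names a section, that section's alg_section names another, and only there does rh-allow-sha1-signatures count). The sample config is constructed, the section names openssl_init and evp_properties are assumptions, and .include directives are not followed.

```python
import re

# Constructed sample showing the layout described above; not copied from a real system.
SAMPLE = """\
openssl_conf = openssl_init

[openssl_init]
alg_section = evp_properties

[evp_properties]
rh-allow-sha1-signatures = yes
"""

def parse_sections(text):
    """Minimal OpenSSL-config reader: [sections], key = value, '#' comments.
    Simplification: does not follow .include or expand $variables."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def sha1_signatures_setting(text):
    """Follow openssl_conf -> alg_section -> rh-allow-sha1-signatures.
    Returns the configured value, or None if any link in the chain is missing."""
    sections = parse_sections(text)
    init_name = sections["default"].get("openssl_conf")
    alg_name = sections.get(init_name, {}).get("alg_section")
    return sections.get(alg_name, {}).get("rh-allow-sha1-signatures")

if __name__ == "__main__":
    print(sha1_signatures_setting(SAMPLE))
```

A None result means the key is either absent, commented out, or sits in a section that the alg_section chain never reaches.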
Thanks @clang @ankursinha. Unfortunately, I’m a visitor at the University, and I will be back on location a few weeks from now. But I have other eduroam locations near me; I’ll check there this week. That way I can isolate whether it’s this one university, or if the issue is more common.
Sorry for getting back so late. I couldn’t get back on location until now. I tried setting the crypto policy to legacy:
# update-crypto-policies --show
LEGACY
# update-crypto-policies --check
The configured policy matches the generated policy
# update-crypto-policies --is-applied
The configured policy is applied
After setting the policy, I also restarted NetworkManager using systemctl. However, I still get the above issue. For now I have been connecting my Android phone to eduroam, and using USB tethering.
Sorry it took me a while. Updating the crypto policy actually fixed the problem for me; I just had to reboot. This also helped another colleague who was having the same problem! Thanks again.
Thanks for the feedback. You should talk to the IT department of the university and let them know they should upgrade their RADIUS server to support TLS 1.2 or newer.