Cannot connect to WPA2-Enterprise University wifi (Eduroam) on Fedora 36+

Hi all,

On fedora36 and rawhide, connecting to University wifi (WPA2-Enterprise) silently fails authentication. Specifically, I am trying to connect to eduroam. I can reproduce this issue on both workstation and silverblue.

Running journalctl -f gives me the following output:

Journal Output
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2438] Config: added 'ssid' value 'eduroam'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2440] Config: added 'scan_ssid' value '1'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2442] Config: added 'bgscan' value 'simple:30:-65:300'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2444] Config: added 'key_mgmt' value 'WPA-EAP FT-EAP FT-EAP-SHA384 WPA-EAP-SHA256'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2446] Config: added 'auth_alg' value 'OPEN'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2447] Config: added 'password' value '<hidden>'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2449] Config: added 'eap' value 'TTLS'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2450] Config: added 'fragment_size' value '1266'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2453] Config: added 'phase2' value 'auth=MSCHAPV2'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2455] Config: added 'identity' value '<username removed>'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2456] Config: added 'anonymous_identity' value '<username removed>'
Feb 22 12:12:00 matthew-s NetworkManager[863]: <info>  [1645485120.2458] Config: added 'proactive_key_caching' value '1'
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: wlp1s0: SME: Trying to authenticate with dc:a5:f4:1a:73:6f (SSID='eduroam' freq=5240 MHz)
Feb 22 12:12:01 matthew-s kernel: wlp1s0: authenticate with dc:a5:f4:1a:73:6f
Feb 22 12:12:01 matthew-s kernel: wlp1s0: bad VHT capabilities, disabling VHT
Feb 22 12:12:01 matthew-s kernel: wlp1s0: send auth to dc:a5:f4:1a:73:6f (try 1/3)
Feb 22 12:12:01 matthew-s kernel: wlp1s0: authenticated
Feb 22 12:12:01 matthew-s kernel: wlp1s0: VHT capa missing/short, disabling VHT/HE
Feb 22 12:12:01 matthew-s kernel: wlp1s0: associate with dc:a5:f4:1a:73:6f (try 1/3)
Feb 22 12:12:01 matthew-s kernel: wlp1s0: RX AssocResp from dc:a5:f4:1a:73:6f (capab=0x1111 status=0 aid=3)
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: wlp1s0: Trying to associate with dc:a5:f4:1a:73:6f (SSID='eduroam' freq=5240 MHz)
Feb 22 12:12:01 matthew-s kernel: wlp1s0: associated
Feb 22 12:12:01 matthew-s kernel: wlp1s0: Limiting TX power to 17 (17 - 0) dBm as advertised by dc:a5:f4:1a:73:6f
Feb 22 12:12:01 matthew-s NetworkManager[863]: <info>  [1645485121.3329] device (wlp1s0): supplicant interface state: scanning -> authenticating
Feb 22 12:12:01 matthew-s NetworkManager[863]: <info>  [1645485121.3333] device (p2p-dev-wlp1s0): supplicant management interface state: scanning -> authenticating
Feb 22 12:12:01 matthew-s NetworkManager[863]: <info>  [1645485121.3338] device (wlp1s0): supplicant interface state: authenticating -> associating
Feb 22 12:12:01 matthew-s NetworkManager[863]: <info>  [1645485121.3340] device (p2p-dev-wlp1s0): supplicant management interface state: authenticating -> associating
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: wlp1s0: Associated with dc:a5:f4:1a:73:6f
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Feb 22 12:12:01 matthew-s NetworkManager[863]: <info>  [1645485121.3786] device (wlp1s0): supplicant interface state: associating -> associated
Feb 22 12:12:01 matthew-s NetworkManager[863]: <info>  [1645485121.3789] device (p2p-dev-wlp1s0): supplicant management interface state: associating -> associated
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 -> NAK
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled
Feb 22 12:12:01 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Feb 22 12:12:02 matthew-s systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Feb 22 12:12:02 matthew-s audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 22 12:12:02 matthew-s audit: BPF prog-id=0 op=UNLOAD
Feb 22 12:12:02 matthew-s audit: BPF prog-id=0 op=UNLOAD
Feb 22 12:12:03 matthew-s wpa_supplicant[932]: wlp1s0: Authentication with dc:a5:f4:1a:73:6f timed out.
Feb 22 12:12:03 matthew-s kernel: wlp1s0: deauthenticating from dc:a5:f4:1a:73:6f by local choice (Reason: 3=DEAUTH_LEAVING)
Feb 22 12:12:03 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-DISCONNECTED bssid=dc:a5:f4:1a:73:6f reason=3 locally_generated=1
Feb 22 12:12:03 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1 duration=10 reason=AUTH_FAILED
Feb 22 12:12:03 matthew-s wpa_supplicant[932]: BSSID dc:a5:f4:1a:73:6f ignore list count incremented to 2, ignoring for 10 seconds
Feb 22 12:12:03 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-DSCP-POLICY clear_all
Feb 22 12:12:03 matthew-s NetworkManager[863]: <info>  [1645485123.5749] device (wlp1s0): supplicant interface state: associated -> disconnected
Feb 22 12:12:03 matthew-s NetworkManager[863]: <info>  [1645485123.5754] device (p2p-dev-wlp1s0): supplicant management interface state: associated -> disconnected
Feb 22 12:12:03 matthew-s NetworkManager[863]: <info>  [1645485123.6733] device (wlp1s0): supplicant interface state: disconnected -> scanning
Feb 22 12:12:03 matthew-s NetworkManager[863]: <info>  [1645485123.6736] device (p2p-dev-wlp1s0): supplicant management interface state: disconnected -> scanning
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-SSID-REENABLED id=0 ssid="eduroam"
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: SME: Trying to authenticate with dc:a5:f4:1a:73:6f (SSID='eduroam' freq=5240 MHz)
Feb 22 12:12:15 matthew-s kernel: wlp1s0: authenticate with dc:a5:f4:1a:73:6f
Feb 22 12:12:15 matthew-s kernel: wlp1s0: bad VHT capabilities, disabling VHT
Feb 22 12:12:15 matthew-s kernel: wlp1s0: send auth to dc:a5:f4:1a:73:6f (try 1/3)
Feb 22 12:12:15 matthew-s kernel: wlp1s0: authenticated
Feb 22 12:12:15 matthew-s kernel: wlp1s0: VHT capa missing/short, disabling VHT/HE
Feb 22 12:12:15 matthew-s kernel: wlp1s0: associate with dc:a5:f4:1a:73:6f (try 1/3)
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: Trying to associate with dc:a5:f4:1a:73:6f (SSID='eduroam' freq=5240 MHz)
Feb 22 12:12:15 matthew-s kernel: wlp1s0: RX AssocResp from dc:a5:f4:1a:73:6f (capab=0x1111 status=0 aid=3)
Feb 22 12:12:15 matthew-s NetworkManager[863]: <info>  [1645485135.5614] device (wlp1s0): supplicant interface state: scanning -> authenticating
Feb 22 12:12:15 matthew-s kernel: wlp1s0: associated
Feb 22 12:12:15 matthew-s NetworkManager[863]: <info>  [1645485135.5619] device (p2p-dev-wlp1s0): supplicant management interface state: scanning -> authenticating
Feb 22 12:12:15 matthew-s NetworkManager[863]: <info>  [1645485135.5649] device (wlp1s0): supplicant interface state: authenticating -> associating
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: Associated with dc:a5:f4:1a:73:6f
Feb 22 12:12:15 matthew-s NetworkManager[863]: <info>  [1645485135.5653] device (p2p-dev-wlp1s0): supplicant management interface state: authenticating -> associating
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Feb 22 12:12:15 matthew-s NetworkManager[863]: <info>  [1645485135.5946] device (wlp1s0): supplicant interface state: associating -> associated
Feb 22 12:12:15 matthew-s kernel: wlp1s0: Limiting TX power to 17 (17 - 0) dBm as advertised by dc:a5:f4:1a:73:6f
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Feb 22 12:12:15 matthew-s NetworkManager[863]: <info>  [1645485135.5949] device (p2p-dev-wlp1s0): supplicant management interface state: associating -> associated
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 -> NAK
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Feb 22 12:12:17 matthew-s wpa_supplicant[932]: wlp1s0: Authentication with dc:a5:f4:1a:73:6f timed out.
Feb 22 12:12:17 matthew-s kernel: wlp1s0: deauthenticating from dc:a5:f4:1a:73:6f by local choice (Reason: 3=DEAUTH_LEAVING)
Feb 22 12:12:17 matthew-s wpa_supplicant[932]: BSSID dc:a5:f4:1a:73:6f ignore list count incremented to 3, ignoring for 60 seconds
Feb 22 12:12:17 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-DISCONNECTED bssid=dc:a5:f4:1a:73:6f reason=3 locally_generated=1
Feb 22 12:12:17 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2 duration=30 reason=AUTH_FAILED
Feb 22 12:12:17 matthew-s wpa_supplicant[932]: BSSID dc:a5:f4:1a:73:6f ignore list count incremented to 4, ignoring for 120 seconds
Feb 22 12:12:17 matthew-s wpa_supplicant[932]: wlp1s0: CTRL-EVENT-DSCP-POLICY clear_all
Feb 22 12:12:17 matthew-s NetworkManager[863]: <info>  [1645485137.7492] device (wlp1s0): supplicant interface state: associated -> disconnected
Feb 22 12:12:17 matthew-s NetworkManager[863]: <info>  [1645485137.7496] device (p2p-dev-wlp1s0): supplicant management interface state: associated -> disconnected
Feb 22 12:12:17 matthew-s NetworkManager[863]: <info>  [1645485137.8476] device (wlp1s0): supplicant interface state: disconnected -> scanning
Feb 22 12:12:17 matthew-s NetworkManager[863]: <info>  [1645485137.8478] device (p2p-dev-wlp1s0): supplicant management interface state: disconnected -> scanning
Feb 22 12:12:25 matthew-s NetworkManager[863]: <warn>  [1645485145.2240] device (wlp1s0): Activation: (wifi) association took too long
Feb 22 12:12:25 matthew-s NetworkManager[863]: <info>  [1645485145.2245] device (wlp1s0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
Feb 22 12:12:25 matthew-s NetworkManager[863]: <warn>  [1645485145.2271] device (wlp1s0): Activation: (wifi) asking for new secrets
Feb 22 12:12:25 matthew-s NetworkManager[863]: <info>  [1645485145.2349] device (wlp1s0): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
Feb 22 12:12:25 matthew-s NetworkManager[863]: <info>  [1645485145.2382] device (wlp1s0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Feb 22 12:12:25 matthew-s NetworkManager[863]: <info>  [1645485145.2403] device (wlp1s0): Activation: (wifi) connection 'eduroam' has security, and secrets exist.  No new secrets needed.

In particular, these lines seem suspect:

Feb 22 12:12:15 matthew-s wpa_supplicant[932]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
Feb 22 12:12:15 matthew-s wpa_supplicant[932]: OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled

I did not encounter this problem on fedora35 or any other distribution. Would appreciate any help on how to resolve this.

2 Likes
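Added example, not part of the original post: a small Python triage of wpa_supplicant journal lines that pairs each EAP failure with the EAP method selected and any OpenSSL error logged in the same exchange. It separates a failure in the outer TLS handshake, like the one above, from a failure with no TLS error logged, even though NetworkManager responds by asking for new secrets. The sample lines are constructed in the format quoted above (the second, error-free attempt is invented for contrast), and the function and field names are this example's own.

```python
import re

# Constructed sample in the journal format quoted above; host name is a placeholder.
SAMPLE = """\
Feb 22 12:12:01 host wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Feb 22 12:12:01 host wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
Feb 22 12:12:01 host wpa_supplicant[932]: OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled
Feb 22 12:12:01 host wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Feb 22 12:12:03 host wpa_supplicant[932]: wlp1s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1 duration=10 reason=AUTH_FAILED
Feb 22 12:13:01 host wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Feb 22 12:13:01 host wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Feb 22 12:13:02 host wpa_supplicant[932]: wlp1s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ wpa_supplicant\[\d+\]: (.*)$")
METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method (\d+) \((\S+)\) selected")
TLS_ERR = re.compile(r"SSL_connect error:([0-9A-F]{8}):[^:]*::(.+)$")
DISABLED = re.compile(r'CTRL-EVENT-SSID-TEMP-DISABLED .*ssid="([^"]*)"')


def triage(journal_text):
    """Return one record per failed EAP attempt, separating TLS failures from the rest."""
    failures, attempt = [], None
    for raw in journal_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # kernel, NetworkManager and audit lines are ignored
        ts, msg = line.groups()
        if "CTRL-EVENT-EAP-STARTED" in msg:
            attempt = {"time": ts, "method": None, "tls_error": None, "ssid": None}
        elif attempt is None:
            continue  # event seen outside an EAP exchange
        elif (m := METHOD.search(msg)):
            attempt["method"] = m.group(2)
        elif (m := TLS_ERR.search(msg)):
            attempt["tls_error"] = (m.group(1), m.group(2))
        elif "CTRL-EVENT-EAP-FAILURE" in msg:
            # A logged OpenSSL error means the outer TLS tunnel never came up,
            # so the inner credentials (e.g. MSCHAPv2) were never exchanged.
            attempt["stage"] = "tls-handshake" if attempt["tls_error"] else "after-tls-or-unknown"
            failures.append(attempt)
        elif (m := DISABLED.search(msg)) and failures and failures[-1] is attempt:
            attempt["ssid"] = m.group(1)
    return failures


if __name__ == "__main__":
    for failure in triage(SAMPLE):
        print(failure)
```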

Note that fedora 36 is still in development so you are not likely to receive much assistance here. This forum actively supports the released versions.

I don’t know the links to the developers, but possibly @ankursinha or someone else who has those links can point you to the correct site.

3 Likes

+1

It is most likely related to the OpenSSL change, maybe the eduroam server is using an older insecure renegotiation method that is no longer part of the OpenSSL3 defaults:

https://fedoraproject.org/wiki/Changes/OpenSSL3.0

but I couldn’t find any more information or bugs about this. There’s one here for Ubuntu that looks similar but was closed without an answer:

https://askubuntu.com/questions/1394104/802-1x-connection-handshake-failure-ssl3-error-in-jammy-jellyfish

The OpenSSL3.0 docs suggest that these legacy providers are disabled by default, and you can enable them using the snippet provided here:

https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers

So maybe trying that would be a good first option. The configuration file on Fedora is here:

/etc/pki/tls/openssl.cnf

This is also worth reporting to the university IT folks so they can upgrade their server infrastructure, since more and more OSes will move to OpenSSL3 in the future.


As @computersavvy noted, please do not use rawhide for your daily machines. It is meant only for development and users are expected to be able to spend time troubleshooting and reporting issues and trying out fixes.

I’d report this to the test and devel mailing list to see what devs who know more about OpenSSL than us here suggest.

4 Likes

Thanks for your help!

I wasn’t sure where to report issues for in-development versions, will be sure to use the mailing list/bugzilla in future.

I tried out the configuration file change but unfortunately no luck just yet. I will go ahead and report it to University IT and on the mailing list and see if I can come to a solution. There is a similar issue on Ubuntu’s issue tracker, by the same user as that stack overflow I presume.

Re: Using rawhide - this is running on a spare machine, as I need some GNOME 42 components installed for testing. So I’m not worried about issues/breakages :)

2 Likes

I ran into the same issue after upgrading to Fedora 36 and investigated what may be causing it, and how we could fix it.

At my campus, the logs would say this when I’d try to connect to Eduroam:

Mar 17 15:12:05 raam wpa_supplicant[1100]: wlp5s0: SME: Trying to authenticate with dc:a5:f4:f2:e1:0e (SSID='eduroam' freq=5180 MHz)
Mar 17 15:12:05 raam wpa_supplicant[1100]: wlp5s0: Trying to associate with dc:a5:f4:f2:e1:0e (SSID='eduroam' freq=5180 MHz)
Mar 17 15:12:05 raam wpa_supplicant[1100]: wlp5s0: Associated with dc:a5:f4:f2:e1:0e
Mar 17 15:12:05 raam wpa_supplicant[1100]: wlp5s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Mar 17 15:12:05 raam wpa_supplicant[1100]: wlp5s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Mar 17 15:12:05 raam wpa_supplicant[1100]: wlp5s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Mar 17 15:12:05 raam wpa_supplicant[1100]: wlp5s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Mar 17 15:12:05 raam wpa_supplicant[1100]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
Mar 17 15:12:05 raam wpa_supplicant[1100]: OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled
Mar 17 15:12:06 raam wpa_supplicant[1100]: wlp5s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Mar 17 15:12:08 raam wpa_supplicant[1100]: wlp5s0: Authentication with dc:a5:f4:f2:e1:0e timed out.
Mar 17 15:12:08 raam wpa_supplicant[1100]: wlp5s0: CTRL-EVENT-DISCONNECTED bssid=dc:a5:f4:f2:e1:0e reason=3 locally_generated=1
Mar 17 15:12:08 raam wpa_supplicant[1100]: wlp5s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1 duration=10 reason=AUTH_FAILED

So I went looking for this error:

OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled

and ran into this ticket:

It links to docs and stuff but it wasn’t clear to me what I had to do to re-enable this legacy renegotiation. Some more searching took me to this mailing list thread (in Polish):

https://www.mail-archive.com/pld-users-pl@lists.pld-linux.org/msg29188.html

Once I had the option, I searched the OpenSSL repo for it and found this page:

After some tinkering, it turned out that on Fedora, we only need to add a line to the openssl config file to re-enable this. So, in /etc/pki/tls/openssl.cnf, in the [crypto_policy] section, add this line:

Options = UnsafeLegacyRenegotiation

so that it looks like this:

[ crypto_policy ]

Options = UnsafeLegacyRenegotiation
.include = /etc/..

So it isn’t quite related to the providers. More information in the migration guide:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html

I’ve informed university IT here of all of this. I hope this works for others too.

6 Likes
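Added example, not part of the post above and not code from Fedora or OpenSSL: the edit described there is made in the system-wide OpenSSL configuration file rather than in wpa_supplicant's own settings, so hosts carrying it are worth tracking until the RADIUS server is fixed. This Python check reports whether a given section of an openssl.cnf-style text enables an option that relaxes the secure-renegotiation requirement, and lists `.include` targets that would need the same check. The sample text, the placeholder include path and the function name are assumptions of this example.

```python
import re

# Constructed excerpt modelled on the snippet in the post; the include path is a placeholder.
SAMPLE_CNF = """\
[ crypto_policy ]

Options = UnsafeLegacyRenegotiation
.include = /placeholder/policy.config

[ other_section ]
Options = -UnsafeLegacyRenegotiation
"""

# Options values that relax the RFC 5746 secure-renegotiation requirement.
# UnsafeLegacyServerConnect is a real SSL_CONF option not mentioned in the thread.
WEAKENING = {"unsafelegacyrenegotiation", "unsafelegacyserverconnect"}

SECTION = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")
ASSIGN = re.compile(r"^([A-Za-z_.][\w.]*)\s*=\s*(.*)$")


def audit_options(cnf_text, section="crypto_policy"):
    """Return (enabled_weakening_flags, include_targets) for one config section."""
    current, enabled, includes = None, [], []
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if (m := SECTION.match(line)):
            current = m.group(1)
            continue
        if current != section or not (m := ASSIGN.match(line)):
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == ".include":
            includes.append(value)  # not followed here; check that file as well
        elif key.lower() == "options":
            for flag in (f.strip() for f in value.split(",")):
                name = flag.lstrip("+-").lower()  # compared case-insensitively
                if name in WEAKENING:
                    if flag.startswith("-"):  # "-Flag" switches the flag off
                        enabled = [e for e in enabled if e.lower() != name]
                    elif name not in (e.lower() for e in enabled):
                        enabled.append(flag.lstrip("+"))
    return enabled, includes


if __name__ == "__main__":
    print(audit_options(SAMPLE_CNF))
```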

Hi, I just wanted to say thank you for your answer. I was able to reconnect to my university’s network after adding the UnsafeLegacyRenegotiation line to openssl.conf.

4 Likes

Welcome to the forum @majore-biscuit

That’s great news. I expect a lot of us at universities will hit this issue. I’ll try and document it nicely in a post somewhere so it gets more visibility too.

2 Likes

Indeed. Definitely bookmarking this. Many thanks!

This might be a good candidate for Common Issues. I’ve definitely seen this come up in other communication channels (as I work in Higher Ed).

1 Like

This didn’t work for me. What did is:

sudo update-crypto-policies --set DEFAULT:FEDORA32

Ref: wpa supplicant - Since updating to fedora 33 I can't connect to eduroam (wpa_supplicant) - Unix & Linux Stack Exchange

2 Likes

I don’t know if you managed to get on the UU network, and I don’t know if it’s even relevant, but I’ve got the solution. I found myself in the same position.

sudo update-crypto-policies --set LEGACY

During login you can fill in different things. Do the following:

Check the box saying no CA required.

Authentication is Protected EAP (PEAP)
Inner Authentication is MSCHAPv2

  • Cerveza