Fedora 39 802.1x TLS authentication does not work


After upgrading to Fedora 39 I am no longer able to connect to my dorm network that uses 802.1x TLS authentication.
I tried recreating the connection profile with no success.
I’m certain that the certificates are valid - I generated new ones and they work on a Windows machine and on another laptop running Fedora 38.
I tested this with two laptops: Thinkpad T14s gen1 AMD and Thinkpad T14 gen3 AMD.
Network worked on both with Fedora 38 and stopped working after the upgrade.
Downgrading to Fedora 38 fixed the issue on both laptops, then upgrading to Fedora 39 broke things again.
One thing to note is that my dormitory apparently uses old crypto protocols, so I had to set crypto policies to DEFAULT:FEDORA32 to make it work back on Fedora 37 and 38. Now with Fedora 39 it won’t work at all regardless of crypto policies settings.

Here are logs from NetworkManager

Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5026] device (enp5s0f4u1u2): disconnecting for new activation request.
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5027] device (enp5s0f4u1u2): state change: activated -> deactivating (reason 'new-activation', sys-iface-state: 'managed')
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5028] manager: NetworkManager state is now CONNECTED_LOCAL
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5033] audit: op="connection-activate" uuid="5aeffe9e-3b2f-4ba9-84b0-f2dfa404e82c" name="TK" pid=3823 uid=1000 result="success"
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5327] device (enp5s0f4u1u2): state change: deactivating -> disconnected (reason 'new-activation', sys-iface-state: 'managed')
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5333] dhcp4 (enp5s0f4u1u2): canceled DHCP transaction
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5333] dhcp4 (enp5s0f4u1u2): activation: beginning transaction (timeout in 45 seconds)
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5333] dhcp4 (enp5s0f4u1u2): state changed no lease
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5720] device (enp5s0f4u1u2): Activation: starting connection 'TK' (5aeffe9e-3b2f-4ba9-84b0-f2dfa404e82c)
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5733] device (enp5s0f4u1u2): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5735] manager: NetworkManager state is now CONNECTING
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5736] device (enp5s0f4u1u2): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5741] device (enp5s0f4u1u2): Activation: (ethernet) connection 'TK' has security, but secrets are required.
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5741] device (enp5s0f4u1u2): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5742] device (enp5s0f4u1u2): Activation: (ethernet) asking for new secrets
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5758] device (enp5s0f4u1u2): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5759] device (enp5s0f4u1u2): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.5768] device (enp5s0f4u1u2): Activation: (ethernet) connection 'TK' requires no security. No secrets needed.
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6147] device (enp5s0f4u1u2): supplicant interface state: internal-starting -> disconnected
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6148] Config: added 'key_mgmt' value 'IEEE8021X'
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6148] Config: added 'eapol_flags' value '0'
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6148] Config: added 'eap' value 'TLS'
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6148] Config: added 'fragment_size' value '1266'
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6148] Config: added 'ca_cert' value '/home/roman/Documents/certs/root.pem'
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6148] Config: added 'private_key' value '/home/roman/Documents/certs/user-qqmarian.pem'
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6150] Config: added 'private_key_passwd' value '<hidden>'
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6150] Config: added 'client_cert' value '/home/roman/Documents/certs/user-qqmarian.pem'
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6150] Config: added 'identity' value 'qqmarian@mendelu.cz'
Nov 19 22:37:34 fedora-ics NetworkManager[1215]: <info>  [1700429854.6210] device (enp5s0f4u1u2): supplicant interface state: disconnected -> associated
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <warn>  [1700429879.5863] device (enp5s0f4u1u2): Activation: (ethernet) association took too long.
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.5864] device (enp5s0f4u1u2): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.5868] device (enp5s0f4u1u2): Activation: (ethernet) asking for new secrets
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.5884] device (enp5s0f4u1u2): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.5885] device (enp5s0f4u1u2): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.5893] device (enp5s0f4u1u2): Activation: (ethernet) connection 'TK' requires no security. No secrets needed.
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6463] device (enp5s0f4u1u2): supplicant interface state: internal-starting -> disconnected
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6463] Config: added 'key_mgmt' value 'IEEE8021X'
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6463] Config: added 'eapol_flags' value '0'
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6463] Config: added 'eap' value 'TLS'
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6463] Config: added 'fragment_size' value '1266'
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6463] Config: added 'ca_cert' value '/home/roman/Documents/certs/root.pem'
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6464] Config: added 'private_key' value '/home/roman/Documents/certs/user-qqmarian.pem'
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6464] Config: added 'private_key_passwd' value '<hidden>'
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6464] Config: added 'client_cert' value '/home/roman/Documents/certs/user-qqmarian.pem'
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6464] Config: added 'identity' value 'qqmarian@mendelu.cz'
Nov 19 22:37:59 fedora-ics NetworkManager[1215]: <info>  [1700429879.6522] device (enp5s0f4u1u2): supplicant interface state: disconnected -> associated
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <warn>  [1700429904.5840] device (enp5s0f4u1u2): Activation: (ethernet) association took too long.
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.5842] device (enp5s0f4u1u2): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.5845] device (enp5s0f4u1u2): Activation: (ethernet) asking for new secrets
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.5863] device (enp5s0f4u1u2): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.5865] device (enp5s0f4u1u2): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.5872] device (enp5s0f4u1u2): Activation: (ethernet) connection 'TK' requires no security. No secrets needed.
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6427] device (enp5s0f4u1u2): supplicant interface state: internal-starting -> disconnected
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6427] Config: added 'key_mgmt' value 'IEEE8021X'
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6427] Config: added 'eapol_flags' value '0'
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6427] Config: added 'eap' value 'TLS'
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6427] Config: added 'fragment_size' value '1266'
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6427] Config: added 'ca_cert' value '/home/roman/Documents/certs/root.pem'
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6428] Config: added 'private_key' value '/home/roman/Documents/certs/user-qqmarian.pem'
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6428] Config: added 'private_key_passwd' value '<hidden>'
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6428] Config: added 'client_cert' value '/home/roman/Documents/certs/user-qqmarian.pem'
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6428] Config: added 'identity' value 'qqmarian@mendelu.cz'
Nov 19 22:38:24 fedora-ics NetworkManager[1215]: <info>  [1700429904.6486] device (enp5s0f4u1u2): supplicant interface state: disconnected -> associated

And here are wpa_supplicant logs

Nov 19 23:01:08 fedora-ics wpa_supplicant[1317]: dbus: fill_dict_with_properties dbus_interface=fi.w1.wpa_supplicant1.Interface.P2PDevice dbus_property=P2PDeviceConfig getter failed
Nov 19 23:01:08 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: Associated with 01:80:c2:00:00:03
Nov 19 23:01:08 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Nov 19 23:01:10 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-STARTED EAP authentication started
Nov 19 23:01:11 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Nov 19 23:01:11 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Nov 19 23:01:11 fedora-ics wpa_supplicant[1317]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Nov 19 23:01:11 fedora-ics wpa_supplicant[1317]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Nov 19 23:01:12 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Nov 19 23:01:12 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-STARTED EAP authentication started
Nov 19 23:01:12 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Nov 19 23:01:12 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Nov 19 23:01:12 fedora-ics wpa_supplicant[1317]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Nov 19 23:01:12 fedora-ics wpa_supplicant[1317]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Nov 19 23:01:13 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Nov 19 23:01:13 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-STARTED EAP authentication started
Nov 19 23:01:13 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Nov 19 23:01:13 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Nov 19 23:01:13 fedora-ics wpa_supplicant[1317]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Nov 19 23:01:13 fedora-ics wpa_supplicant[1317]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Nov 19 23:01:14 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Nov 19 23:01:34 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
Nov 19 23:01:34 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 duration=10 reason=AUTH_FAILED
Nov 19 23:01:34 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-DSCP-POLICY clear_all
Nov 19 23:01:34 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-DSCP-POLICY clear_all
Nov 19 23:01:34 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-DSCP-POLICY clear_all
Nov 19 23:01:34 fedora-ics wpa_supplicant[1317]: dbus: fill_dict_with_properties dbus_interface=fi.w1.wpa_supplicant1.Interface.P2PDevice dbus_property=P2PDeviceConfig getter failed
Nov 19 23:01:34 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: Associated with 01:80:c2:00:00:03
Nov 19 23:01:34 fedora-ics wpa_supplicant[1317]: enp5s0f4u1u2: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0

There are some errors regarding unsupported protocol versions. I’m just not sure if there is something I can do to fix it, or if it’s an issue in our dorm network or if it’s expected to work and therefore it’s a bug in Fedora 39.

I don’t know the exact command – probably a reference to it is somewhere on this forum – but this seems like a TLS issue. Fedora has by default blocked use of TLS version 1 (ancient and insecure) and that must be re-enabled to allow connection to networks that use the older version of TLS.

I think it’s done with sudo update-crypto-policies --set DEFAULT:FEDORA32
Or at least this command made it work on Fedora 37 and Fedora 38.
Unfortunately it does not help on Fedora 39. Neither does enabling legacy crypto policies.
I tried DEFAULT, DEFAULT:FEDORA32 and LEGACY

sudo rm -f /etc/crypto-policies/back-ends/openssl.config 
sudo tee /etc/crypto-policies/back-ends/openssl.config << EOF > /dev/null
@SECLEVEL=0
EOF

Unfortunately I think the issue is with the old cryptography because I’m able to log into my company’s network perfectly well using Fedora Silverblue 39. Looking through the changeset I’m not seeing anything specifically which looks like it would break it. Try giving it a shot using nmcli if you were using the GUI, or if you were using nmcli try just using the GUI (that’s what I used).

I upgraded Fedora 38 to 39 last night. Existing Ethernet connection couldn’t succeed in 802.1x. I recreated the network connection and it worked fine.

I also had a problem connecting on a fresh install. This is what I did to get it to work:

sudo update-crypto-policies --set LEGACY
nmcli con mod id XXXXXX 802-1x.phase1-auth-flags 32

(replace XXXXXX with the SSID name)
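
Added example, not part of any post in this thread: a small triage script that pairs each EAP attempt in wpa_supplicant output with the OpenSSL error that preceded its failure, and decodes an `802-1x.phase1-auth-flags` value such as the `32` used above. The flag names and bit values are those of libnm's `NMSetting8021xAuthFlags`; the log lines are constructed to match the shape of the ones posted (host and interface names are placeholders), and the function names are hypothetical.

```python
import re
from collections import Counter

# NMSetting8021xAuthFlags bits (libnm); 32 == 0x20 is the value set in the thread.
AUTH_FLAGS = {
    0x1: "tls-1-0-disable", 0x2: "tls-1-1-disable", 0x4: "tls-1-2-disable",
    0x8: "tls-disable-time-checks", 0x10: "tls-1-3-disable",
    0x20: "tls-1-0-enable", 0x40: "tls-1-1-enable",
    0x80: "tls-1-2-enable", 0x100: "tls-1-3-enable",
}

# Constructed sample, shaped like the wpa_supplicant lines posted above.
SAMPLE_LOG = """\
Nov 19 23:01:10 host wpa_supplicant[1317]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
Nov 19 23:01:11 host wpa_supplicant[1317]: eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Nov 19 23:01:11 host wpa_supplicant[1317]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Nov 19 23:01:12 host wpa_supplicant[1317]: eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Nov 19 23:01:12 host wpa_supplicant[1317]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
Nov 19 23:01:12 host wpa_supplicant[1317]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Nov 19 23:01:13 host wpa_supplicant[1317]: eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

OPENSSL_ERR = re.compile(r"SSL_connect error:[0-9A-F]+:SSL routines::(.+)$")

def decode_auth_flags(value):
    """Return the flag names set in an 802-1x.phase1-auth-flags integer."""
    return [name for bit, name in sorted(AUTH_FLAGS.items()) if value & bit]

def triage(log_text, auth_flags=0):
    """Count EAP attempts and attribute each failure to the last OpenSSL error."""
    attempts, reasons, pending = 0, Counter(), None
    for line in log_text.splitlines():
        if "CTRL-EVENT-EAP-STARTED" in line:
            attempts, pending = attempts + 1, None
        elif (m := OPENSSL_ERR.search(line)):
            pending = m.group(1)
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            reasons[pending or "unknown"] += 1
            pending = None
    flags = decode_auth_flags(auth_flags)
    version_rejected = reasons["unsupported protocol"] > 0
    return {
        "attempts": attempts,
        "failure_reasons": dict(reasons),
        "flags": flags,
        # True when the client refused the TLS version and no legacy version is enabled.
        "version_rejected_without_legacy_flag": version_rejected
            and not {"tls-1-0-enable", "tls-1-1-enable"} & set(flags),
    }
```

Calling `triage(SAMPLE_LOG, auth_flags=32)` shows that `32` decodes to `tls-1-0-enable`, meaning the profile explicitly allows TLS 1.0 for that one connection.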