Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

4 votes
1 answers
3758 views
Wifi with WPA2-EAP MS-CHAPv2 authentication (username and password) during Debian installation
I am currently attempting to install Debian on my laptop computer. During the network configuration stage, I am prompted to "enter a passphrase for WPA/WPA2 PSK authentication". Unfortunately, I am on my school's network which requires both a username and a password, with the [MS-CHAPv2](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#MS-CHAPv2) authentication protocol. What should I enter at the prompt?

I have an Ubuntu computer which can connect to this network. Here are the contents of /etc/NetworkManager/system-connections/NetworkName:

[ipv6]
method=auto

[connection]
id=NetworkName
uuid=3e728a68-a877-4681-bc0e-1e64b2ff6434
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-eap
auth-alg=open

[802-11-wireless]
ssid=NetworkName
mode=infrastructure
mac-address=84:A6:C8:A9:67:DA
security=802-11-wireless-security

[802-1x]
eap=ttls;
identity=username
phase2-auth=mschapv2
password-flags=1

[ipv4]
method=auto

Curiously enough, the password I enter to connect to NetworkName doesn't appear anywhere.

EDIT 2: Screenshot of network connection process (in a live-boot Ubuntu)
Alessandro Power (305 rep)
May 25, 2015, 06:34 PM • Last activity: Aug 3, 2025, 11:03 AM
1 votes
1 answers
12984 views
Ubuntu 18.04 netplan configuration for WPA-EAP
## Background

I'm using Ubuntu 18.04 server (on a laptop, for development) and am trying to get my wifi configured to work with a WPA-EAP network.

- To enable Wifi I followed the guide [Wifi on Ubuntu 18 server](https://gist.github.com/austinjp/9b968c75c3e54004be7cd7a134881d85)
- I looked at the [Netplan Examples](https://netplan.io/examples) (none with WPA-EAP)
- I've read the [Netplan Full Documentation](https://github.com/CanonicalLtd/netplan/blob/master/doc/netplan.md).

I've got netplan to work with an open network, even with a password protected network, but haven't been able to get it to work with WPA-EAP where both an identity and password are required.

## Attempted Configuration

I've tried this in my /etc/netplan/config.yaml file:

network:
  wifis:
    wlp1s0:
      dhcp4: yes
      access-points:
        "My-Enterprise-Network":
          auth:
            key-management: eap
            identity: johndoe1
            password: pass1234

But when I run netplan apply I get:

Error in network definition /etc/netplan/config.yaml: unknown key auth

## From the Documentation

From the [online netplan documentation](https://github.com/CanonicalLtd/netplan/blob/master/doc/netplan.md):

The `auth` block supports the following properties:

`key-management` (scalar)
: The supported key management modes are `none` (no key management); `psk` (WPA with pre-shared key, common for home wifi); `eap` (WPA with EAP, common for enterprise wifi); and `802.1x` (used primarily for wired Ethernet connections).

`password` (scalar)
: The password string for EAP, or the pre-shared key for WPA-PSK.

The following properties can be used if `key-management` is `eap` or `802.1x`:

`method` (scalar)
: The EAP method to use. The supported EAP methods are `tls` (TLS), `peap` (Protected EAP), and `ttls` (Tunneled TLS).

`identity` (scalar)
: The identity to use for EAP.

## From man netplan

access-points (mapping)
This provides pre-configured connections to NetworkManager. Note that users can of course select other access points/SSIDs. The keys of the mapping are the SSIDs, and the values are mappings with the following supported properties:

password (scalar)
Enable WPA2 authentication and set the passphrase for it. If not given, the network is assumed to be open. **Other authentication modes are not currently supported.**

Note the last line: Other authentication modes are not currently supported.

### Questions

1. What's the right way to use netplan with WPA-EAP?
2. Does Ubuntu 18.04 ship with an outdated version of netplan? (netplan --version is not supported) Hence perhaps why the online documentation has options that the man version does not?
3. If so, can I upgrade netplan to a more cutting edge release?
4. Or does netplan need to be used with something like a wpa_supplicant.conf to specify additional parameters?
cwd (46887 rep)
Dec 18, 2018, 07:23 PM • Last activity: Jul 15, 2025, 11:03 AM
4 votes
1 answers
3013 views
Troubleshooting "DEAUTH_LEAVING" error when connecting to WPA2-Enterprise network after Linux upgrade
I'm not able to solve this error
[  666.695694] wlan0: deauthenticating from xx:xx:xx:xx:xx:xx by local choice (Reason: 3=DEAUTH_LEAVING)
I obtain the error only when I'm trying to connect to a WPA2-Enterprise network (EAP-MSCHAP2). Other connections work well without any error. This error has been obtained after a Linux upgrade, currently I'm using
Linux root 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux
Lurking I've seen a possible cause to this problem: the TLSv1.2 support has been disabled. I've seen several solutions with wpa_supplicant, but I'm using NetworkManager. I've also tried to configure wpa_supplicant without any result. What can I do?
Rtmd (41 rep)
Dec 5, 2018, 09:35 AM • Last activity: Jun 13, 2025, 06:03 PM
0 votes
1 answers
3433 views
how to connect to wpa2/peap/mschapv2 w/no ca certificate without wpa_supplicant
i have followed posts on Network Manager looping to connect to enterprise networks and coming back again and again asking for logon/password. the answer seems to be to use wpa_supplicant. i did a log file extract to confirm the process and got ...supplicant interface state: disconnected -> interface_disabled...

there is a directory at /etc/wpa_supplicant, but there is no wpa_supplicant config file. the only files listed are

action_wpa.sh
functions.sh
ifupdown.sh

i guess that there are a few things i need to do?

some perspective here: i am just trying to learn python, using an excellent on-line course from 'degreed' at work and doing the exercises on an old 32bit laptop running mx-linux and a compatible 32bit version of PyCharm Community Edition. my knowledge of network stuff can't fill the bottom of a thimble. so feel free to assume i haven't found the beginning of the string on this issue with logging in. any suggestions at starting points would be appreciated.

thanks, ron

ron@9-LPTOP:~ $ sudo journalctl -fu NetworkManager
[sudo] password for ron:
-- Journal begins at Tue 2023-01-24 14:43:06 EST. --
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.0956] device (wlan0): supplicant interface state: disconnected -> interface_disabled
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.0957] modem-manager: ModemManager no longer available
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.1027] device (wlan0): supplicant interface state: interface_disabled -> disconnected
Jan 24 14:55:54 9-LPTOP systemd: Stopping Network Manager...
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.5312] caught SIGTERM, shutting down normally.
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.5338] device (wlan0): state change: disconnected -> unmanaged (reason 'unmanaged', sys-iface-state: 'managed')
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.5468] device (wlan0): set-hw-addr: reset MAC address to 00:19:D2:05:A7:9D (unmanage)
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.6549] exiting (success)
Jan 24 14:55:54 9-LPTOP systemd: NetworkManager.service: Succeeded.
Jan 24 14:55:54 9-LPTOP systemd: Stopped Network Manager.
rny1so (1 rep)
Aug 18, 2023, 07:29 PM • Last activity: May 28, 2025, 10:09 AM
2 votes
1 answers
110 views
wpa_supplicant fails to connect to a eduroam-like network due to OpenSSL invalid digest
After a reinstall of Fedora Linux Asahi Remix 41, I am unable to connect to my school network (essentially EDUROAM but with a different username format, and it only supports TLS v1.0). wpa_supplicant says:
OpenSSL: Certificate Policy 2.16.840.1.114413.1.7.23.1
OpenSSL: Certificate Policy 2.23.140.1.2.1
wlp1s0f0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=*.ykpaoschool.cn' hash=50cf9ba1cb6ecb72b702a01c4a4cb44118d552c12c50fd973214e75404eec0ec
wlp1s0f0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:*.ykpaoschool.cn
wlp1s0f0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:ykpaoschool.cn
TLS: tls_verify_cb - preverify_ok=1 err=20 (unable to get local issuer certificate) ca_cert_verify=0 depth=0 buf='/CN=*.ykpaoschool.cn'
EAP: Status notification: remote certificate verification (param=success)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server certificate
OpenSSL: RX ver=0x301 content_type=22 (handshake/server key exchange)
OpenSSL: TX ver=0x301 content_type=256 (TLS header info/)
OpenSSL: TX ver=0x301 content_type=21 (alert/)
SSL: (where=0x4008 ret=0x250)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
EAP: Status notification: local TLS alert (param=internal error)
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in error
OpenSSL: openssl_handshake - SSL_connect error:03000098:digital envelope routines::invalid digest
OpenSSL: pending error: error:0A080006:SSL routines::EVP lib
SSL: 7 bytes pending from ssl_out
SSL: Using TLS version TLSv1
SSL: Failed - tls_out available to report error (len=7)
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP-PEAP: TLS processing failed
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL eapRespData=0xaaab3fef3eb0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=94:9b:2c:f1:34:b1
EAPOL: SUPP_BE entering state RECEIVE
l2_packet_receive: src=94:9b:2c:f1:34:b1 len=8
wlp1s0f0: RX EAPOL from 94:9b:2c:f1:34:b1 (encrypted=-1)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
wlp1s0f0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: Supplicant port status: Unauthorized
nl80211: Set supplicant port unauthorized for 94:9b:2c:f1:34:b1
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed - result=FAILURE
wlp1s0f0: Setting authentication timeout: 2 sec 0 usec
nl80211: Drv Event 48 (NL80211_CMD_DISCONNECT) received for wlp1s0f0
nl80211: Disconnect event
wlp1s0f0: Event DEAUTH (11) received
wlp1s0f0: Deauthentication notification
wlp1s0f0:  * reason 23 (IEEE_802_1X_AUTH_FAILED)
Deauthentication frame IE(s) - hexdump(len=0): [NULL]
wlp1s0f0: CTRL-EVENT-DISCONNECTED bssid=94:9b:2c:f1:34:b1 reason=23
wlp1s0f0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="STUWIRELESS" auth_failures=1 duration=10 reason=AUTH_FAILED
wlp1s0f0: Auto connect enabled: try to reconnect (wps=0/0 wpa_state=6)
dmesg:
[ 1533.442699] net_ratelimit: 125 callbacks suppressed
[ 1533.442708] ieee80211 phy0: brcmf_p2p_set_firmware: failed to update device address ret -52
[ 1533.443311] ieee80211 phy0: brcmf_p2p_create_p2pdev: set p2p_disc error
[ 1533.443316] ieee80211 phy0: brcmf_cfg80211_add_iface: add iface p2p-dev-wlp1s0f type 10 failed: err=-52
[ 1533.538847] brcmfmac: brcmf_msgbuf_delete_flowring: timed out waiting for txstatus
[ 1534.525047] ieee80211 phy0: brcmf_set_key_mgmt: get okc_enable failed (-52)
[ 1543.347249] brcmfmac: brcmf_msgbuf_delete_flowring: timed out waiting for txstatus
[ 1543.445268] brcmfmac: brcmf_msgbuf_delete_flowring: timed out waiting for txstatus
[ 1547.071226] ieee80211 phy0: brcmf_fweh_call_event_handler: no interface object
[ 1547.074547] ieee80211 phy0: brcmf_p2p_set_firmware: failed to update device address ret -52
[ 1547.074832] ieee80211 phy0: brcmf_p2p_create_p2pdev: set p2p_disc error
[ 1547.074835] ieee80211 phy0: brcmf_cfg80211_add_iface: add iface p2p-dev-wlp1s0f type 10 failed: err=-52
[ 1548.111938] ieee80211 phy0: brcmf_set_key_mgmt: get okc_enable failed (-52)
[ 1548.411429] brcmfmac: brcmf_msgbuf_delete_flowring: timed out waiting for txstatus
[ 1559.760149] ieee80211 phy0: brcmf_set_key_mgmt: get okc_enable failed (-52)
[ 1596.969459] ieee80211 phy0: brcmf_set_key_mgmt: get okc_enable failed (-52)
wpa_supplicant config:
ap_scan=1
mac_addr=0
# means use permanent mac address, as my school requires us to not use random mac addresses

network={
        ssid="STUWIRELESS"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=PEAP
        anonymous_identity="s22537"
        identity="s22537"
        password="redacted"
        phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=1"
        # because they only support tls v1.0
        phase2="auth=MSCHAPV2"
        priority=10
}
Runxi Yu (143 rep)
Feb 25, 2025, 12:58 PM • Last activity: Feb 25, 2025, 01:17 PM
0 votes
1 answers
155 views
Network Manager requires a bunch of manual configuration to connect to WPA Enterprise wifi networks. Why?
Connecting to WPA enterprise networks on Windows is straightforward:

1. Select the network
2. Enter your username and password
3. Confirm that, yes, the network is expected to be available at this location

...and you're good to go. Network Manager, on the other hand, requires a ton of manual configuration steps whose defaults often don't work, at least on Ubuntu flavors. It doesn't even default to using the system CA certificates and forces you to select one. Eduroam is a good example - it's so complex that Eduroam has to provide an app to connect to the network on new devices.

Why is this the case? Is Windows just trying a bunch of things until they work, or is it privy to some additional autoconfiguration protocol that Linux doesn't/can't use?
Ethan T (161 rep)
Nov 14, 2024, 05:44 PM • Last activity: Nov 14, 2024, 06:58 PM
12 votes
2 answers
7879 views
How to view the WPA2 PEAP certificate offered by an AP?
I have to connect to a WPA2 Enterprise network which only works if I don't verify the certificate. I would prefer not to do this, because this way anyone can see the MSCHAPv2 messages. The first step to fixing this would be looking at the certificate offered by the AP, then configuring wpa_supplicant to only trust that one. But I don't know how to get the certificate. The wpa_cli "status" command doesn't show it and it's not in any logs. I'm also curious about which SSL/TLS cipher suites are used. Is it possible to connect manually, maybe with openssl s_client?
stribika (5564 rep)
Dec 30, 2016, 02:14 AM • Last activity: Feb 21, 2024, 12:29 AM
0 votes
0 answers
933 views
Unable to connect to university WPA2 enterprise wifi
I am using NetworkManager on arch to connect to my university WiFi. I used nm-connection-editor to create the connection. Here is the config:
[connection]
id=ESSID
uuid=b18a2b1c-02f6-48cd-a49d-a91e95cb80ed
type=wifi
interface-name=wlan0
timestamp=1694114242

[wifi]
bssid=80:8D:B7:57:E4:81
cloned-mac-address=random
mac-address=MAC_ADDRESS
mode=infrastructure
ssid=SSID

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
anonymous-identity=anon@SCHOOL.edu
domain-suffix-match=SCHOOL.edu
eap=peap;
identity=SCHOOL_EMAIL
password=PASSWORD
phase2-auth=mschapv2

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto
When I use iwctl to connect to the network, I get Error: Failed to add/activate new connection: Failed to determine AP security information. I selected no CA certificate required, and I know I don't because my phone worked without one either. What am I doing wrong? Let me know what other information to put here if needed.
Jacob (1 rep)
Sep 7, 2023, 08:24 PM • Last activity: Sep 12, 2023, 03:29 PM
5 votes
2 answers
3108 views
Can't connect to eduroam via `wpa_supplicant`:
I'm on my new Debian Stretch system and I'd like to connect to my university eduroam network. I'm not using GNOME or any DM, so I manage my connections via nmcli. However, from what I gather, it seems that nmcli doesn't support this kind of connections. Too bad.

Then I decided to try with just wpa_supplicant and I found this configuration file which supposedly should work out of the box in most cases. But not for me. After editing the relevant parts, I tried with

sudo wpa_supplicant -i wlp5s0 -c eduroam.conf

And the output is something along these lines:

Successfully initialized wpa_supplicant
wlp5s0: SME: Trying to authenticate with 64:f6:9d:6a:bd:00 (SSID='eduroam' freq=2412 MHz)
wlp5s0: Trying to associate with 64:f6:9d:6a:bd:00 (SSID='eduroam' freq=2412 MHz)
wlp5s0: Associated with 64:f6:9d:6a:bd:00
wlp5s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp5s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=ES
wlp5s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 -> NAK
wlp5s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp5s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp5s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA' hash=3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c
wlp5s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3' hash=beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
wlp5s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=ES/ST=Granada/L=Granada/O=Universidad de Granada/OU=CSIRC/CN=radius.ugr.es' hash=828fbec918c62256ea67a9737ac44b578a6bfb39ff2ef1d6f7cdb3eeea4db8b5
wlp5s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.ugr.es
EAP-TLV: TLV Result - Failure
wlp5s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp5s0: Authentication with 64:f6:9d:6a:bd:00 timed out.
wlp5s0: CTRL-EVENT-DISCONNECTED bssid=64:f6:9d:6a:bd:00 reason=3 locally_generated=1
wlp5s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1 duration=10 reason=AUTH_FAILED

and then it goes all over again. I don't really know what the EAP-TLV: TLV Result - Failure message means. I've tried to Google for some troubleshooting to no avail.

As per the common advices:

* I'm disabling NetworkManager before testing the connection
* I'm making sure there is only one wpa_supplicant instance running
cronos2 (203 rep)
Nov 22, 2017, 07:49 PM • Last activity: Feb 8, 2023, 09:22 PM
2 votes
1 answers
3485 views
Extracting a CA Certificate from an Enterprise WiFi (EAP) Network
I have a work network which is an EAP enterprise WiFi network using PEAP and MSCHAPv2. I unfortunately don't have the CA certificate for the network, which presumably makes it trivial to harvest my credentials by spoofing the network. Is there a way for me to fetch the CA presented by the WiFi network so I can set it as the CA certificate to prevent spoofing?

---

**EDIT**: According to [Wikipedia on PEAP](https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol), the WiFi server uses a CA for signing its server-side certificate for trust:

> A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of MS-CHAPv2 handshakes.

I need to get this CA certificate somehow from the server, as I'm sure it issues a certificate chain with the server public key certificate and the CA public key certificate.

Presently it is configured without a CA certificate, allowing arbitrary spoofing.
Naftuli Kay (41346 rep)
Feb 8, 2019, 06:44 PM • Last activity: Oct 12, 2022, 06:59 PM
0 votes
2 answers
4226 views
Manually set wpa_supplicant driver?
I'm using a RaspberryPi 4 (4GB) and I was able to set up /etc/wpa_supplicant/wpa_supplicant.conf with all needed certificates properly, to authenticate at our company's wifi:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US
fast_reauth=1

network={
        ssid="WIFI-Com"
        scan_ssid=1
        key_mgmt=WPA-EAP IEEE8021X
        pairwise=CCMP
        group=CCMP
        eap=TLS
        identity="user@domain.com"
        ca_cert="/etc/cert/ca.pem"
        client_cert="/etc/cert/client.pem"
        private_key="/etc/cert/clientkey.pem"
}

Using wpa_supplicant -i wlan0 -D wext -c /etc/wpa_supplicant/wpa_supplicant.conf for testing, it's authenticating perfectly and obtaining a valid IP:

Successfully initialized wpa_supplicant
ioctl[SIOCSIWENCODEEXT]: Invalid argument
ioctl[SIOCSIWENCODEEXT]: Invalid argument
wlan0: Trying to associate with 00:5d:71:c9:4d:ef (SSID='WIFI-Com' freq=5320 MHz)
FT: Invalid group cipher (0)
Failed to add supported operating classes IE
wlan0: Associated with 00:5d:71:c9:4d:ef
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
tls_connection_set_params: Clearing pending SSL error: error:14187180:SSL routines:ssl_do_config:bad value
tls_connection_set_params: Clearing pending SSL error: error:14187180:SSL routines:ssl_do_config:bad value
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/DC=com/DC=company/CN=Company Certification Authority' hash=53e1f7164f972fccfa24dc5dee64e362bed56ea014995fd990c760dd873760a7
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=COM/L=NewYork/O=Company/CN=eap.comp.com' hash=d586970276d8076bd01cdbd4258452ea291d72af282fefa80fd8f8ef55e0c471
wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlan0: PMKSA-CACHE-ADDED 00:5d:71:c9:4d:ef 0
wlan0: WPA: Key negotiation completed with 00:5d:71:c9:4d:ef [PTK=CCMP GTK=CCMP]
wlan0: CTRL-EVENT-CONNECTED - Connection to 00:5d:71:c9:4d:ef completed [id=0 id_str=]

$ ifconfig
wlan0: flags=4163 mtu 1500
        inet 10.128.131.109 netmask 255.255.255.0 broadcast 10.188.139.255
        inet6 fe80::4665:3320:1509:a176 prefixlen 64 scopeid 0x20
        ether dc:a6:32:2d:3e:e2 txqueuelen 1000 (Ethernet)
        RX packets 4329 bytes 1559945 (1.4 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 5734 bytes 2019622 (1.9 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

If I reboot the Pi and run ps auxwww | grep wpa it's supposed to connect to my wifi, as it is using the command given above. But it's not, instead it used driver nl80211. From what I experienced, it's only authenticating properly using exclusively -D wext. Where can I edit the -D parameters, that are used while booting?

root 334 .. 0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
root 440 .. 0:00 wpa_supplicant -B -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0 -Dnl80211,wext
pi 721 .. 0:00 grep --color=auto wpa
Tomblarom (2237 rep)
Dec 19, 2019, 04:18 PM • Last activity: May 20, 2021, 01:59 PM
0 votes
0 answers
2489 views
How to connect kali linux to a wifi using WPA2 Enterprise, using PEAP method?
I am using Kali Linux 2019.4, kernel version 5.3.0-kali2-amd64 and I have trouble connecting to my school wifi, which uses WPA2 Enterprise and uses PEAP (Protected Extensible Authentication Protocol). I tried to connect with correct credentials but it showed that Linux can't scan the access point and I cannot connect to the wifi. The IT department in my school told me to use Ubuntu instead but I do not want to do that unless it is the only way.
Anonymous_user (1 rep)
Jan 6, 2020, 04:27 PM • Last activity: Jan 6, 2020, 05:04 PM
3 votes
1 answers
15383 views
network manager can't connect to WPA2 Enterprise EAP
I am trying to connect to this WPA2 Enterprise network but it is not working. I am able to connect with my android (on my mobile I put certificate as Do not validate) phone but not with the computer, using same credentials. I am using Debian 9 with Network Manager 1.4.2. My Android phone recognizes the network as [WPA-EAP-CCMP][WPA2-EAP-CCMP+TKIP][ESS].

This is the configuration I am using on my debian laptop:

[connection]
id=myid
uuid=uid generated by the system
type=wifi
permissions=
secondaries=

[wifi]
mac-address-blacklist=
mac-address-randomization=0
mode=infrastructure
seen-bssids=
ssid=network-ssd

[wifi-security]
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=
anonymous-identity=username (same that is working on android)
eap=peap;
identity=username
password=password (same that is working on android)
phase2-altsubject-matches=
phase2-auth=mschapv2

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

This is the error I get in syslog:

Nov 2 17:51:56 debian wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Nov 2 17:51:56 debian NetworkManager: [1478105516.3576] device (wlan0): supplicant interface state: associating -> associated
Nov 2 17:51:56 debian wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Nov 2 17:51:56 debian wpa_supplicant: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Nov 2 17:51:56 debian wpa_supplicant: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

cat /usr/share/dbus-1/system-service/fi.epitest.hostap.WPASupplicant.service output:

[D-BUS Service]
Name=fi.epitest.hostap.WPASupplicant
Exec=/sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
User=root
SystemdService=wpa_supplicant.service

UPDATE: I have tried also TTLS instead of PEAP but nothing, in this case the only meaningful log I get is

Nov 3 11:04:47 debian wpa_supplicant: wlan0: SME: Trying to authenticate with 6c:XX:XX:XX:XX:XX (SSID='my-ssid' freq=2437 MHz)
Nov 3 11:04:47 debian kernel: [ 5587.074393] wlan0: authenticate with 6c:XX:XX:XX:XX:XX
Nov 3 11:04:47 debian kernel: [ 5587.090537] wlan0: send auth to 6c:XX:XX:XX:XX:XX (try 1/3)
Nov 3 11:04:47 debian kernel: [ 5587.093252] wlan0: authenticated
Nov 3 11:04:47 debian NetworkManager: [1478167487.1252] device (wlan0): supplicant interface state: scanning -> authenticating
Nov 3 11:04:52 debian kernel: [ 5592.093412] wlan0: aborting authentication with 6c:XX:XX:XX:XX:XX by local choice (Reason: 3=DEAUTH_LEAVING)
Nov 3 11:04:52 debian NetworkManager: [1478167492.1457] device (wlan0): supplicant interface state: authenticating -> disconnected

UPDATE 2: since Network Manager is installed, there is no wpa_supplicant.conf file configuration. Any ideas?
Giorgio (31 rep)
Nov 2, 2016, 04:58 PM • Last activity: Oct 6, 2019, 09:18 PM
5 votes
1 answers
4557 views
How to connect to ieee8021x Network using connman
Connect to my private WPA2 Wifi with connman works like a charm (followed these instructions). But when I try to connect to ieee8021x Network, i always get this error:

> Error /net/connman/service/wifi_801f024ae577_556e6974796d65646961205769666953706f74_managed_ieee8021x: Invalid arguments

I suppose something is wrong with my config file placed in /var/lib/connman :

[global]
Name = UnityMedia

[service_umWifiSpot]
Type = wifi
SSID = 556e6974796d65646961205769666953706f74
EAP = peap
Phase2 = MSCHAPV2
Iddentit=unitymedia/myUsername
#AnonymousIdentity=anonymous@foo.edu
Passphrase=myPassword

This is how i try to connect:

connmanctl> agent on
Agent registered
connmanctl> scan wifi
connmanctl> services
*AO Wired ethernet_b827eb8920a9_cable
*AR ¯\_(ツ)_/¯ wifi_801f024ae577_c2af5c5f28e38384295f2fc2af_managed_psk
furb wifi_801f024ae577_66757262_managed_psk
Unitymedia WifiSpot wifi_801f024ae577_556e6974796d65646961205769666953706f74_managed_ieee8021x
:o) wifi_801f024ae577_3a6f29_managed_psk
ʕ•ᴥ•ʔ wifi_801f024ae577_ca95e280a2e1b4a5e280a2ca94_managed_psk
DIRECT-eE-Sonja's Fire TV wifi_801f024ae577_4449524543542d65452d536f6e6a6127732046697265205456_managed_psk
DIRECT-B9-HP ENVY 4520 series wifi_801f024ae577_4449524543542d42392d485020454e5659203435323020736572696573_managed_psk
SoHigh-WG wifi_801f024ae577_536f486967682d5747_managed_psk
o2-WLAN42 wifi_801f024ae577_6f322d574c414e3432_managed_psk
wifi_801f024ae577_hidden_managed_psk
UPC1989729 wifi_801f024ae577_55504331393839373239_managed_psk
wildline wifi_801f024ae577_77696c646c696e65_managed_psk
Internet wifi_801f024ae577_496e7465726e6574_managed_psk
UPC317EB59 wifi_801f024ae577_55504333313745423539_managed_psk
HP-Print-BE-Officejet Pro 8610 wifi_801f024ae577_48502d5072696e742d42452d4f66666963656a65742050726f2038363130_managed_none
UPC1BD68AB wifi_801f024ae577_55504331424436384142_managed_psk
Scan completed for wifi
connmanctl> connect wifi_801f024ae577_556e6974796d65646961205769666953706f74_managed_ieee8021x
Error /net/connman/service/wifi_801f024ae577_556e6974796d65646961205769666953706f74_managed_ieee8021x: Invalid arguments

Connections via this wpa_supplicant.conf works:

network={
        ssid="Unitymedia WifiSpot"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="unitymedia/myUsername"
        password="myPassword"
}

Hope someone have an idea what i'm doing wrong?
mty (53 rep)
Mar 27, 2019, 02:17 PM • Last activity: May 17, 2019, 04:13 AM
6 votes
1 answers
24559 views
Setting up connection to WPA2 Enterprise (PEAP/MSCHAPv2) with two-level certificate
For a long time, I have been able to use NetworkManager + wpa_supplicant as configured in Debian 7 to connect to a secure wireless at work (which is WPA2 Enterprise, with PEAP + MSCHAPv2 authentication). Recently I wanted to increase the security of the connection by incorporating the server's certificate into my Network Manager connection setting. I received two PEM keys from the network administrator:

- radius1.pem -- the RADIUS certificate
- globalsign_intermediary.pem -- the intermediary certificate

The RADIUS cert depends on the intermediary cert for its authenticity; and the intermediary cert depends on the ultimate root CA from GlobalSign.

**Here's my goal**: I want to have my laptop check the authenticity of the wifi access point whenever I connect to the wifi network. How do I put these certs in the connection setting (/etc/NetworkManager/system-connections/THE-AP-NAME file) so that I can accomplish this goal? To be specific: which file should be listed where (e.g., what config file), and what additional steps are needed to get the server certificate(s) verified?

I am asking this here since all that I found elsewhere are 1-step certificate checks, in which the certificate probably depends on a well-established root CA rather than an intermediary CA like in my case.

Currently this is the content of my connection setting file (XXXX and YYYY denote obscured info):

    [ipv6]
    method=ignore

    [connection]
    id=XXXXXXXXX
    uuid=XXXXXXXXX
    type=802-11-wireless
    timestamp=1436377448

    [802-11-wireless-security]
    key-mgmt=wpa-eap

    [802-11-wireless]
    ssid=XXXXXXXXX
    mode=infrastructure
    seen-bssids=XXXXXXXXX
    security=802-11-wireless-security

    [802-1x]
    eap=peap;
    identity=XXXXXXXXX
    password=YYYYYYYYY
    ca-cert=/etc/NetworkManager/certs/work/globalsign_intermediary.pem
    phase2-auth=mschapv2

    [ipv4]
    method=auto

As you see, I was using the intermediary cert file. But this was not right. Neither was it right to use only the RADIUS cert file. In either case, I got the following error in syslog:

    Jul 8 12:02:37 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
    Jul 8 12:02:37 wirawan1 kernel: [3880972.051159] wlan0: Limiting TX power to 20 (20 - 0) dBm as advertised by xx:xx:xx:xx:xx
    Jul 8 12:02:37 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
    Jul 8 12:02:37 wirawan1 wpa_supplicant: OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
    Jul 8 12:02:37 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
    Jul 8 12:02:37 wirawan1 wpa_supplicant: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2'
    Jul 8 12:02:37 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2' err='unable to get local issuer certificate'
    Jul 8 12:02:37 wirawan1 wpa_supplicant: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
    Jul 8 12:02:37 wirawan1 wpa_supplicant: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Jul 8 12:02:38 wirawan1 wpa_supplicant: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
    Jul 8 12:02:40 wirawan1 wpa_supplicant: wlan0: Authentication with xx:xx:xx:xx:xx timed out.

Apparently the trust chain cannot be established.

The hardware is (lspci):

    03:00.0 Network controller: Intel Corporation PRO/Wireless 5100 AGN [Shiloh] Network Connection

It uses the iwlwifi+iwldvm driver. Kernel version 3.12.9-1~bpo70+1 (2014-02-07), from the Debian backport package linux-image-3.12-0.bpo.1-amd64.

I am not new to Linux, but really don't know how to deal with x509 and/or SSL/TLS security in Linux, so please answer with step-by-step instructions. Googling around to find the answer to this problem has left me frustrated. The WPA supplicant documentation is very terse in discussing the use of certificates in conjunction with WPA2 Enterprise. And NetworkManager has even poorer documentation.
Wirawan Purwanto (293 rep)
Jul 8, 2015, 07:10 PM • Last activity: Apr 6, 2019, 01:22 AM
1 votes
1 answers
1426 views
Change default EAP type in hostapd
I'm trying to change the default EAP type in hostapd but I am not able to understand how to do that. Here's what I've found reading the `hostapd.conf` file:

    # NAI Realm information
    # One or more realm can be advertised. Each nai_realm line adds a new realm to
    # the set. These parameters provide information for stations using Interworking
    # network selection to allow automatic connection to a network based on
    # credentials.
    # format: ,[,][,][,...]
    # encoding:
    #     0 = Realm formatted in accordance with IETF RFC 4282
    #     1 = UTF-8 formatted character string that is not formatted in
    #         accordance with IETF RFC 4282
    # NAI Realm(s): Semi-colon delimited NAI Realm(s)
    # EAP Method: [:][][...]
    # EAP Method types, see:
    # http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4
    # AuthParam (Table 8-188 in IEEE Std 802.11-2012):
    # ID 2 = Non-EAP Inner Authentication Type
    #     1 = PAP, 2 = CHAP, 3 = MSCHAP, 4 = MSCHAPV2
    # ID 3 = Inner authentication EAP Method Type
    # ID 5 = Credential Type
    #     1 = SIM, 2 = USIM, 3 = NFC Secure Element, 4 = Hardware Token,
    #     5 = Softoken, 6 = Certificate, 7 = username/password, 9 = Anonymous,
    #     10 = Vendor Specific
    #nai_realm=0,example.com;example.net
    # EAP methods EAP-TLS with certificate and EAP-TTLS/MSCHAPv2 with
    # username/password
    #nai_realm=0,example.org,13[5:6],21[2:4][5:7]
JohnLocke (33 rep)
Apr 7, 2017, 05:10 PM • Last activity: Jan 22, 2019, 02:27 PM
1 votes
0 answers
1441 views
PEAP authentication failure using wpa_supplicant
I have an embedded Linux system, kernel 4.1.18, running wpa_supplicant v2.5, trying to connect to a PEAP network. My PC can connect fine but the Linux system cannot and I'm stuck figuring out what I'm missing.

My wpa_supplicant.conf file:

    network={
        ssid="prod"
        scan_ssid=1
        mode=0
        key_mgmt=WPA-EAP
        eap=PEAP
        password="blah"
        identity="blah"
    }

Some log output:

    > scan
    OK
    CTRL-EVENT-SCAN-STARTED
    CTRL-EVENT-SCAN-RESULTS
    SME: Trying to authenticate with 64:a0:e7:da:f1:a5 (SSID='prod' freq=2412 MHz)
    Trying to associate with 64:a0:e7:da:f1:a5 (SSID='prod' freq=2412 MHz)
    Associated with 64:a0:e7:da:f1:a5
    CTRL-EVENT-EAP-STARTED EAP authentication started
    CTRL-EVENT-EAP-STATUS status='started' parameter=''
    CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
    CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='PEAP'
    CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
    CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
    CTRL-EVENT-EAP-FAILURE EAP authentication failed
    Authentication with 64:a0:e7:da:f1:a5 timed out.
    CTRL-EVENT-DISCONNECTED bssid=64:a0:e7:da:f1:a5 reason=3 locally_generated=1
    CTRL-EVENT-SSID-TEMP-DISABLED id=7 ssid="prod" auth_failures=1 duration=10 reason=AUTH_FAILED

scan_results output:

    64:a0:e7:da:f1:a5 2412 -55 [WPA2-EAP-CCMP][ESS] prod

Looking at a verbose output from wpa_supplicant it looks like I'm timing out during authentication. Any way to increase the timeout?

    21973.688487: nl80211: Association request send successfully
    21974.032784: nl80211: Event message available
    21974.033152: nl80211: Drv Event 20 (NL80211_CMD_DEL_STATION) received for wlan0
    21974.033240: nl80211: Delete station 64:a0:e7:da:f1:a5
    21974.062289: nl80211: Event message available
    21974.062594: nl80211: Drv Event 38 (NL80211_CMD_ASSOCIATE) received for wlan0
    21974.062683: nl80211: MLME event 38; timeout with 64:a0:e7:da:f1:a5
    21974.062776: wlan0: Event ASSOC_TIMED_OUT (15) received
    21974.062845: wlan0: SME: Association timed out
    21974.062927: wlan0: Radio work 'sme-connect'@0xb8960 done in 0.438536 seconds
    21974.062984: Added BSSID 64:a0:e7:da:f1:a5 into blacklist
    21974.063102: wlan0: Another BSS in this ESS has been seen; try it next
    21974.063159: BSSID 64:a0:e7:da:f1:a5 blacklist count incremented to 2
    21974.063223: wlan0: Blacklist count 1 --> request scan in 100 ms
    21974.063284: wlan0: Setting scan request: 0.100000 sec
    21974.063353: wlan0: State: ASSOCIATING -> DISCONNECTED
    21974.063404: nl80211: Set wlan0 operstate 0->0 (DORMANT)
dangeroushobo (707 rep)
Dec 12, 2018, 02:33 PM • Last activity: Dec 12, 2018, 03:21 PM
1 votes
1 answers
2272 views
Can't connect to WiFi with WPA-EAP
I'm trying to connect to a WiFi with WPA-EAP, but it always fails with the error:

    failure to add network: invalid message format

Full log from journalctl:

    NetworkManager: device (wlp5s0): Activation: starting connection 'eduroam' (1ed02f15-9f55-452c-9b1c-4b2670bb2eac)
    NetworkManager: audit: op="connection-activate" uuid="1ed02f15-9f55-452c-9b1c-4b2670bb2eac" name="eduroam" pid=3216 uid=1000 result="success"
    NetworkManager: device (wlp5s0): state change: disconnected -> prepare (reason 'none') [30 40 0]
    NetworkManager: manager: NetworkManager state is now CONNECTING
    NetworkManager: device (wlp5s0): set-hw-addr: reset MAC address to 80:86:F2:1D:79:41 (preserve)
    NetworkManager: device (wlp5s0): state change: prepare -> config (reason 'none') [40 50 0]
    NetworkManager: device (wlp5s0): Activation: (wifi) access point 'eduroam' has security, but secrets are required.
    NetworkManager: device (wlp5s0): state change: config -> need-auth (reason 'none') [50 60 0]
    kernel: IPv6: ADDRCONF(NETDEV_UP): wlp5s0: link is not ready
    NetworkManager: device (wlp5s0): state change: need-auth -> prepare (reason 'none') [60 40 0]
    NetworkManager: device (wlp5s0): state change: prepare -> config (reason 'none') [40 50 0]
    NetworkManager: device (wlp5s0): Activation: (wifi) connection 'eduroam' has security, and secrets exist. No new secrets needed.
    NetworkManager: Config: added 'ssid' value 'eduroam'
    NetworkManager: Config: added 'scan_ssid' value '1'
    NetworkManager: Config: added 'key_mgmt' value 'WPA-EAP'
    NetworkManager: Config: added 'proto' value 'RSN'
    NetworkManager: Config: added 'pairwise' value 'CCMP'
    NetworkManager: Config: added 'group' value 'CCMP TKIP'
    NetworkManager: Config: added 'password' value ''
    NetworkManager: Config: added 'eap' value 'PEAP'
    NetworkManager: Config: added 'fragment_size' value '1266'
    NetworkManager: Config: added 'phase2' value 'auth=MSCHAPV2'
    NetworkManager: Config: added 'ca_cert' value '/ca.pem'
    NetworkManager: Config: added 'altsubject_match' value 'DNS:'
    NetworkManager: Config: added 'identity' value ''
    NetworkManager: Config: added 'anonymous_identity' value ''
    NetworkManager: Config: added 'bgscan' value 'simple:30:-65:300'
    NetworkManager: Config: added 'proactive_key_caching' value '1'
    NetworkManager: sup-iface[0x5609a63bf980,wlp5s0]: assoc[0x5609a63c8f40]: failure to add network: invalid message format
    NetworkManager: device (wlp5s0): state change: config -> failed (reason 'supplicant-failed') [50 120 10]
    NetworkManager: manager: NetworkManager state is now DISCONNECTED
    NetworkManager: device (wlp5s0): Activation: failed for connection 'eduroam'
    NetworkManager: device (wlp5s0): state change: failed -> disconnected (reason 'none') [120 30 0]
    kernel: IPv6: ADDRCONF(NETDEV_UP): wlp5s0: link is not ready
    NetworkManager: device (wlp5s0): set-hw-addr: set MAC address to 16:09:73:46:D9:3E (scanning)
    kernel: IPv6: ADDRCONF(NETDEV_UP): wlp5s0: link is not ready

What am I doing wrong?
Martin Heralecký (850 rep)
Oct 12, 2018, 02:29 PM • Last activity: Nov 27, 2018, 10:19 PM
4 votes
1 answers
5126 views
wpa_supplicant says network is disabled
When trying to connect to a network (specifically a WPA2 enterprise network for a university) with `wpa_supplicant` on Gentoo Linux, the network is shown as disabled when the flag is not set.

My `wpa_supplicant.conf`:

    ctrl_interface=/var/run/wpa_supplicant

    network={
        ssid="TheNetwork"
        eap=PEAP
        identity="redacted"
        password="redacted"
        ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem"
        ca_path="/etc/ssl/certs/"
        phase1="peapver=0"
        phase2="auth=MSCHAPV2"
    }

    network={
        ssid="Another network that works"
        key_mgmt=NONE
        disabled=1 # This is obviously not normally disabled
    }

    network={
        ssid="Yet another working network"
        psk="redacted"
        disabled=1 # Likewise
    }

Output of `sudo wpa_supplicant -iwlp3s0 -c/etc/wpa_supplicant/wpa_supplicant.conf -d`, with repetitive lines removed:

    wpa_supplicant v2.6
    random: Trying to read entropy from /dev/random
    Successfully initialized wpa_supplicant
    Initializing interface 'wlp3s0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'default' ctrl_interface 'N/A' bridge 'N/A'
    Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf'
    Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
    ctrl_interface='/var/run/wpa_supplicant'
    Priority group 0
       id=0 ssid='TheNetwork'
       id=1 ssid='Another network that works'
       id=2 ssid='Yet another working network'
    nl80211: Supported cipher 00-0f-ac:1
    ...
    nl80211: Supported cipher 00-0f-ac:9
    nl80211: Using driver-based off-channel TX
    nl80211: Driver-advertised extended capabilities (default) - hexdump(len=8): 00 00 00 00 00 00 00 40
    nl80211: Driver-advertised extended capabilities mask (default) - hexdump(len=8): 00 00 00 00 00 00 00 40
    nl80211: interface wlp3s0 in phy phy0
    nl80211: Set mode ifindex 4 iftype 2 (STATION)
    nl80211: Subscribe to mgmt frames with non-AP handle 0x55701974e5f0
    nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55701974e5f0 match=0104
    nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55701974e5f0 match=040a
    nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x55701974e5f0 match=040b
    ...
    rfkill: initial event: idx=1 type=1 op=0 soft=0 hard=0
    netlink: Operstate: ifindex=4 linkmode=1 (userspace-control), operstate=5 (IF_OPER_DORMANT)
    Add interface wlp3s0 to a new radio phy0
    nl80211: Regulatory information - country=US (DFS-FCC)
    nl80211: 2402-2472 @ 40 MHz 30 mBm
    nl80211: 5170-5250 @ 80 MHz 23 mBm
    nl80211: 5250-5330 @ 80 MHz 23 mBm (DFS)
    nl80211: 5490-5730 @ 160 MHz 23 mBm (DFS)
    nl80211: 5735-5835 @ 80 MHz 30 mBm
    nl80211: 57240-63720 @ 2160 MHz 40 mBm
    nl80211: Added 802.11b mode based on 802.11g information
    wlp3s0: Own MAC address: [redacted]
    wpa_driver_nl80211_set_key: ifindex=4 (wlp3s0) alg=0 addr=(nil) key_idx=0 set_tx=0 seq_len=0 key_len=0
    ...
    wpa_driver_nl80211_set_key: ifindex=4 (wlp3s0) alg=0 addr=(nil) key_idx=5 set_tx=0 seq_len=0 key_len=0
    wlp3s0: RSN: flushing PMKID list in the driver
    nl80211: Flush PMKIDs
    wlp3s0: No enabled networks (3 disabled networks)
    wlp3s0: State: DISCONNECTED -> INACTIVE
    ENGINE: Loading dynamic engine
    ENGINE: Loading dynamic engine
    EAPOL: SUPP_PAE entering state DISCONNECTED
    EAPOL: Supplicant port status: Unauthorized
    nl80211: Skip set_supp_port(unauthorized) while not associated
    EAPOL: KEY_RX entering state NO_KEY_RECEIVE
    EAPOL: SUPP_BE entering state INITIALIZE
    EAP: EAP entering state DISABLED
    Using existing control interface directory.
    ctrl_iface bind(PF_UNIX) failed: Address already in use
    ctrl_iface exists, but does not allow connections - assuming it was leftover from forced program termination
    Successfully replaced leftover ctrl_iface socket '/var/run/wpa_supplicant/wlp3s0'
    wlp3s0: Added interface wlp3s0
    wlp3s0: State: INACTIVE -> DISCONNECTED
    nl80211: Set wlp3s0 operstate 0->0 (DORMANT)
    netlink: Operstate: ifindex=4 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
    random: Got 20/20 bytes from /dev/random
    EAPOL: disable timer tick

What sticks out to me is the line `wlp3s0: No enabled networks (3 disabled networks)`. This appears despite the fact that there are clearly only two disabled networks. Further evidence that the first network is being disabled despite the lack of a `disabled=1` flag is that when running the `wpa_supplicant` command with the other two networks *enabled*, a scan is performed and output, but all relevant APs are skipped as "disabled", "SSID mismatch", and "SSID mismatch", even though the SSIDs clearly do match.

When running `wpa_supplicant` with the other two networks removed, the line `wlp3s0: No enabled networks (1 disabled networks)` appears.

What in the configuration is causing this to occur?
igneous_flock (143 rep)
Aug 21, 2018, 12:05 AM • Last activity: Aug 22, 2018, 09:10 PM
1 votes
0 answers
1946 views
Cannot connect to my work's WPA2 Enterprise on Linux but Android works fine
I'm looking for help trying to connect to my work's wifi. I'm currently on Kubuntu 18.04 and cannot connect to my work's WPA2 enterprise wifi on my laptop, but my Android phone works just fine. The Android settings are EAP method PEAP, Phase 2 authentication none, no CA certificate. I don't think the issue is specific to Kubuntu though.

Here's what I've done so far. I've disabled network-manager and have been using wpa_supplicant as root for testing various configurations in the /etc/wpa_supplicant.conf file. I can connect to my home wifi just fine using this method, so the card and driver work. When I scan my work's wifi using:

    ip link set wlp3s0 up
    iw wlp3s0 scan

I get the following output:

    ERP:
    RSN:
        *Version: 1
        *Group cipher: TKIP
        *Pairwise ciphers: CCMP
        *Authentication suites: IEEE 802.1X
        *Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
    WPA:
        *Version 1
        *Group cipher: TKIP
        *Pairwise ciphers: TKIP
        *Authentication suites: IEEE 802.1X

So I've tried a number of different configuration parameters to try to get it to work. Here is my /etc/wpa_supplicant.conf file:

    ctrl_interface=/run/wpa_supplicant
    ctrl_interface_group=root
    update_config=1

    network={
        ssid="MYWORK"
        scan_ssid=1
        proto=RSN #Have also tried WPA here, as well as leaving blank
        key_mgmt=WPA-EAP #Have also tried IEEE8021X here as well as leaving blank
        pairwise=CCMP #when trying proto=WPA, changed this to TKIP, have also left blank before
        group=TKIP #have tried leaving blank
        eap=PEAP #have tried leaving blank
        phase1="peaplabel=auto tls_disable_tlsv1_2=1" #tried this after reading another article on this site where some people's work's wifis were not tls 1.2. Neither blank nor disabled works.
        phase2="autheap=MSCHAPV2" #have tried leaving this out
        identity="MYID"
        password="MYPASSWORD"
    }

I've tried a number of combinations of the above to no avail. Here is the output from `wpa_supplicant -Dnl80211 -i wlp3s0 -c /etc/wpa_supplicant.conf` when I tried first with key_mgmt=WPA-EAP:

    Successfully initialized wpa_supplicant
    wlp3s0: SME: Trying to authenticate with XX:XX:XX:XX:XX:XX (SSID='MYWORK' freq=2462 MHz)
    wlp3s0: Trying to associate with XX:XX:XX:XX:XX:XX (SSID='MYWORK' freq=2462 MHz)
    wlp3s0: Associated with XX:XX:XX:XX:XX:XX
    wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
    wlp3s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
    wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
    wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
    wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
    wlp3s0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:0a:b8:c1 reason=3
    wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="MWORK" auth_failures=1 duration=10 reason=AUTH_FAILED
    nl80211: deinit ifname=p2p-dev-wlp3s0 disabled_11b_rates=0
    p2p-dev-wlp3s0: CTRL-EVENT-TERMINATING
    nl80211: deinit ifname=wlp3s0 disabled_11b_rates=0
    wlp3s0: CTRL-EVENT-TERMINATING

When trying with key-mgmt=IEEE8021X the output is a little different:

    Successfully initialized wpa_supplicant
    wlp3s0: SME: Trying to authenticate with XX:XX:XX:XX:XX:XX (SSID='MYWORK' freq=2462 MHz)
    wlp3s0: Trying to associate with XX:XX:XX:XX:XX:XX (SSID='MWORK' freq=2462 MHz)
    wlp3s0: CTRL-EVENT-ASSOC-REJECT bssid=XX:XX:XX:XX:XX:XX status_code=10
    wlp3s0: SME: Deauth request to the driver failed

I have also tried using the -Dwext driver but it didn't work either. Any ideas what I'm missing or things I should try? Is there a compatibility mode that both Windows and Android are using that Linux isn't by default? I was not given any certificates, nor do I need to specify them on either Windows or Android for it to connect. I appreciate any help!
FrostedCookies (111 rep)
Jul 11, 2018, 05:22 PM