Wifi WPA2 Enterprise "WiFi-UB.x" and "eduroam" got deauthenticated

My Device Properties

System:
  Kernel: 6.1.44-1-MANJARO arch: x86_64 bits: 64 compiler: gcc v: 13.2.1
    clocksource: tsc available: hpet,acpi_pm
    parameters: BOOT_IMAGE=/vmlinuz-6.1-x86_64
    root=UUID=aa9cc6f8-1276-4378-ba63-b37524bc0e66 quiet splash
    udev.log_priority=3 kernel.sysrq=1
    rootflags=defaults,discard=async,ssd,subvol=timeshift-btrfs/snapshots/2023-08-19_09-09-43/@
  Desktop: KDE Plasma v: 5.27.7 tk: Qt v: 5.15.10 wm: kwin_x11 vt: 2
    dm: SDDM Distro: Manjaro Linux base: Arch Linux
Machine:
  Type: Portable System: Dell product: Inspiron N4050 v: N/A
    serial: <superuser required> Chassis: type: 8 serial: <superuser required>
  Mobo: Dell model: 0J6GG1 v: A08 serial: <superuser required> BIOS: Dell
    v: A08 date: 08/03/2012
Battery:
  ID-1: BAT0 charge: 7.9 Wh (100.0%) condition: 7.9/48.8 Wh (16.2%)
    volts: 12.5 min: 11.1 model: SMP DELL 8NH5525 type: Li-ion serial: <filter>
    status: full
CPU:
  Info: model: Intel Celeron B815 bits: 64 type: MCP arch: Sandy Bridge
    level: v2 built: 2010-12 process: Intel 32nm family: 6 model-id: 0x2A (42)
    stepping: 7 microcode: 0x2F
  Topology: cpus: 1x cores: 2 smt: <unsupported> cache: L1: 128 KiB
    desc: d-2x32 KiB; i-2x32 KiB L2: 512 KiB desc: 2x256 KiB L3: 2 MiB
    desc: 1x2 MiB
  Speed (MHz): avg: 1596 min/max: 800/1600 scaling: driver: intel_cpufreq
    governor: schedutil cores: 1: 1596 2: 1596 bogomips: 6387
  Flags: ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities:
  Type: gather_data_sampling status: Not affected
  Type: itlb_multihit status: KVM: VMX disabled
  Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT
    disabled
  Type: mds mitigation: Clear CPU buffers; SMT disabled
  Type: meltdown mitigation: PTI
  Type: mmio_stale_data status: Unknown: No mitigations
  Type: retbleed status: Not affected
  Type: spec_rstack_overflow status: Not affected
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Retpolines, IBPB: conditional, IBRS_FW,
    STIBP: disabled, RSB filling, PBRSB-eIBRS: Not affected
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: Intel 2nd Generation Core Processor Family Integrated Graphics
    vendor: Dell driver: i915 v: kernel arch: Gen-6 code: Sandybridge
    process: Intel 32nm built: 2011 ports: active: LVDS-1
    empty: DP-1,HDMI-A-1,VGA-1 bus-ID: 00:02.0 chip-ID: 8086:0106
    class-ID: 0300
  Device-2: Microdia Laptop_Integrated_Webcam_1.3M driver: uvcvideo
    type: USB rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-1.5:4
    chip-ID: 0c45:643e class-ID: 0e02
  Display: x11 server: X.Org v: 21.1.8 compositor: kwin_x11 driver: X:
    loaded: modesetting alternate: fbdev,vesa dri: crocus gpu: i915
    display-ID: :0 screens: 1
  Screen-1: 0 s-res: 1366x768 s-dpi: 96 s-size: 361x203mm (14.21x7.99")
    s-diag: 414mm (16.31")
  Monitor-1: LVDS-1 model: LG Display 0x02e9 built: 2010 res: 1366x768
    hz: 60 dpi: 112 gamma: 1.2 size: 309x174mm (12.17x6.85") diag: 355mm (14")
    ratio: 16:9 modes: 1366x768
  API: OpenGL v: 3.3 Mesa 23.1.5 renderer: Mesa Intel HD Graphics 2000 (SNB
    GT1) direct-render: Yes
Audio:
  Device-1: Intel 6 Series/C200 Series Family High Definition Audio
    vendor: Dell 6 driver: snd_hda_intel v: kernel bus-ID: 00:1b.0
    chip-ID: 8086:1c20 class-ID: 0403
  API: ALSA v: k6.1.44-1-MANJARO status: kernel-api with: aoss
    type: oss-emulator tools: alsactl,alsamixer,amixer
  Server-1: JACK v: 1.9.22 status: off tools: N/A
  Server-2: PipeWire v: 0.3.77 status: active with: 1: pipewire-pulse
    status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
    tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Realtek RTL810xE PCI Express Fast Ethernet vendor: Dell
    driver: r8169 v: kernel pcie: gen: 1 speed: 2.5 GT/s lanes: 1 port: e000
    bus-ID: 05:00.0 chip-ID: 10ec:8136 class-ID: 0200
  IF: enp5s0 state: down mac: <filter>
  Device-2: Qualcomm Atheros AR9287 Wireless Network Adapter
    vendor: Quanta Microsystems driver: ath9k v: kernel pcie: gen: 1
    speed: 2.5 GT/s lanes: 1 bus-ID: 09:00.0 chip-ID: 168c:002e class-ID: 0280
  IF: wlp9s0 state: up mac: <filter>
  IF-ID-1: docker0 state: down mac: <filter>
Drives:
  Local Storage: total: 536.57 GiB used: 121.63 GiB (22.7%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/sda maj-min: 8:0 model: VENTUZ SATA SSD 256GB size: 238.47 GiB
    block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s tech: SSD
    serial: <filter> fw-rev: 9B0 scheme: GPT
  ID-2: /dev/sdb maj-min: 8:16 vendor: Seagate model: ST320LT020-9YG142
    size: 298.09 GiB block-size: physical: 4096 B logical: 512 B speed: 3.0 Gb/s
    tech: HDD rpm: 5400 serial: <filter> fw-rev: DEM1 scheme: GPT
Partition:
  ID-1: / raw-size: 52.43 GiB size: 52.43 GiB (100.00%)
    used: 35.86 GiB (68.4%) fs: btrfs dev: /dev/sda4 maj-min: 8:4
  ID-2: /boot raw-size: 4.19 GiB size: 4.19 GiB (100.00%)
    used: 156 MiB (3.6%) fs: btrfs dev: /dev/sda3 maj-min: 8:3
  ID-3: /home raw-size: 104.86 GiB size: 102.65 GiB (97.90%)
    used: 85.62 GiB (83.4%) fs: ext4 dev: /dev/sda5 maj-min: 8:5
  ID-4: /var/log raw-size: 52.43 GiB size: 52.43 GiB (100.00%)
    used: 35.86 GiB (68.4%) fs: btrfs dev: /dev/sda4 maj-min: 8:4
Swap:
  Kernel: swappiness: 60 (default) cache-pressure: 100 (default) zswap: yes
    compressor: zstd max-pool: 20%
  ID-1: swap-1 type: zram size: 3.83 GiB used: 0 KiB (0.0%) priority: 100
    comp: zstd avail: lzo,lzo-rle,lz4,lz4hc,842 max-streams: 2 dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 76.0 C mobo: N/A
  Fan Speeds (rpm): cpu: 3988
Info:
  Processes: 214 Uptime: 47m wakeups: 1 Memory: total: 8 GiB
  available: 7.67 GiB used: 3.4 GiB (44.3%) Init: systemd v: 253
  default: graphical tool: systemctl Compilers: gcc: 13.2.1 clang: 15.0.7
  Packages: pm: pacman pkgs: 1433 libs: 374 tools: pamac,yay pm: flatpak
  pkgs: 0 Shell: fish v: 3.6.1 default: Bash v: 5.1.16 running-in: konsole
  inxi: 3.3.29

Hello, my name is Nauval. I'm new to Manjaro OS.

I can't connect to my university WiFi; it uses WPA2 Enterprise. My phone, running Android 13, has TOFU (Trust On First Use), which retrieves the CA from the WiFi server first, so my phone can connect to it.

But on Manjaro or other Arch-based Linux, I can't connect to my university WiFi. Even when using a WiFi dongle, it always wants me to enter the password every time.

Configuration using PEAP-MSCHAPv2, No Certs.
Username and Password Only

Dmesg log using device wifi:

[ 3488.001192] wlp9s0: RX AssocResp from a0:3d:6f:89:1f:41 (capab=0x1431 status=0 aid=109)
[ 3488.001401] wlp9s0: associated
[ 3488.001523] ath: EEPROM regdomain: 0x8168
[ 3488.001527] ath: EEPROM indicates we should expect a country code
[ 3488.001528] ath: doing EEPROM country->regdmn map search
[ 3488.001530] ath: country maps to regdmn code: 0x3
[ 3488.001531] ath: Country alpha2 being used: ID
[ 3488.001533] ath: Regpair used: 0x3
[ 3488.001535] ath: regdomain 0x8168 dynamically updated by country element
[ 3488.057240] wlp9s0: Limiting TX power to 20 (20 - 0) dBm as advertised by a0:3d:6f:89:1f:41
[ 3491.124022] wlp9s0: deauthenticating from a0:3d:6f:89:1f:41 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 3507.077805] wlp9s0: authenticate with a0:3d:6f:89:1f:41
[ 3507.077830] wlp9s0: 80 MHz not supported, disabling VHT
[ 3507.105152] wlp9s0: send auth to a0:3d:6f:89:1f:41 (try 1/3)
[ 3507.107179] wlp9s0: authenticated
[ 3507.109799] wlp9s0: associate with a0:3d:6f:89:1f:41 (try 1/3)
[ 3507.133527] wlp9s0: RX AssocResp from a0:3d:6f:89:1f:41 (capab=0x1431 status=0 aid=109)
[ 3507.133703] wlp9s0: associated
[ 3507.133832] ath: EEPROM regdomain: 0x8168
[ 3507.133836] ath: EEPROM indicates we should expect a country code
[ 3507.133838] ath: doing EEPROM country->regdmn map search
[ 3507.133839] ath: country maps to regdmn code: 0x3
[ 3507.133841] ath: Country alpha2 being used: ID
[ 3507.133842] ath: Regpair used: 0x3
[ 3507.133844] ath: regdomain 0x8168 dynamically updated by country element
[ 3507.201538] wlp9s0: Limiting TX power to 20 (20 - 0) dBm as advertised by a0:3d:6f:89:1f:41
[ 3510.236015] wlp9s0: deauthenticating from a0:3d:6f:89:1f:41 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 3521.344236] wlp9s0: authenticate with a0:3d:6f:89:1f:41
[ 3521.344262] wlp9s0: 80 MHz not supported, disabling VHT
[ 3521.370546] wlp9s0: send auth to a0:3d:6f:89:1f:41 (try 1/3)
[ 3521.386156] wlp9s0: authenticated
[ 3521.389808] wlp9s0: associate with a0:3d:6f:89:1f:41 (try 1/3)
[ 3521.493139] wlp9s0: associate with a0:3d:6f:89:1f:41 (try 2/3)
[ 3521.606767] wlp9s0: associate with a0:3d:6f:89:1f:41 (try 3/3)
[ 3521.713135] wlp9s0: association with a0:3d:6f:89:1f:41 timed out

Using dongle:

[ 3748.877435] wlan0: authenticated
[ 3748.883066] wlan0: associate with a0:3d:6f:89:1f:42 (try 1/3)
[ 3748.886535] wlan0: RX AssocResp from a0:3d:6f:89:1f:42 (capab=0x1431 status=0 aid=137)
[ 3748.894633] wlan0: associated
[ 3748.894809] ath: EEPROM regdomain: 0x8168
[ 3748.894813] ath: EEPROM indicates we should expect a country code
[ 3748.894815] ath: doing EEPROM country->regdmn map search
[ 3748.894816] ath: country maps to regdmn code: 0x3
[ 3748.894818] ath: Country alpha2 being used: ID
[ 3748.894820] ath: Regpair used: 0x3
[ 3748.894822] ath: regdomain 0x8168 dynamically updated by country element
[ 3748.974467] wlan0: Limiting TX power to 20 (20 - 0) dBm as advertised by a0:3d:6f:89:1f:42
[ 3751.903106] wlan0: deauthenticating from a0:3d:6f:89:1f:42 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 3767.342044] wlan0: authenticate with a0:3d:6f:89:1f:42
[ 3767.375202] wlan0: send auth to a0:3d:6f:89:1f:42 (try 1/3)
[ 3767.378423] wlan0: authenticated
[ 3767.396416] wlan0: associate with a0:3d:6f:89:1f:42 (try 1/3)
[ 3767.402539] wlan0: RX AssocResp from a0:3d:6f:89:1f:42 (capab=0x1431 status=0 aid=137)
[ 3767.409512] wlan0: associated
[ 3767.409585] wlan0: Limiting TX power to 20 (20 - 0) dBm as advertised by a0:3d:6f:89:1f:42
[ 3767.409686] ath: EEPROM regdomain: 0x8168
[ 3767.409690] ath: EEPROM indicates we should expect a country code
[ 3767.409691] ath: doing EEPROM country->regdmn map search
[ 3767.409693] ath: country maps to regdmn code: 0x3
[ 3767.409694] ath: Country alpha2 being used: ID
[ 3767.409696] ath: Regpair used: 0x3
[ 3767.409698] ath: regdomain 0x8168 dynamically updated by country element
[ 3770.439994] wlan0: deauthenticating from a0:3d:6f:89:1f:42 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 3782.218623] wlan0: authenticate with a0:3d:6f:89:1f:42
[ 3782.251854] wlan0: send auth to a0:3d:6f:89:1f:42 (try 1/3)
[ 3782.253723] wlan0: authenticated
[ 3782.256414] wlan0: associate with a0:3d:6f:89:1f:42 (try 1/3)
[ 3782.359759] wlan0: associate with a0:3d:6f:89:1f:42 (try 2/3)
[ 3782.463382] wlan0: associate with a0:3d:6f:89:1f:42 (try 3/3)
[ 3782.569734] wlan0: association with a0:3d:6f:89:1f:42 timed out
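
A way to read the two logs above, as an added example that is not part of the original post: this Python sketch measures how long each association lasted before a locally initiated deauth and counts association timeouts. The `SAMPLE` text is an excerpt of the posted lines; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the dmesg lines posted above (built-in card, then the dongle).
SAMPLE = """\
[ 3507.133703] wlp9s0: associated
[ 3507.133832] ath: EEPROM regdomain: 0x8168
[ 3510.236015] wlp9s0: deauthenticating from a0:3d:6f:89:1f:41 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 3521.386156] wlp9s0: authenticated
[ 3521.713135] wlp9s0: association with a0:3d:6f:89:1f:41 timed out
[ 3748.894633] wlan0: associated
[ 3751.903106] wlan0: deauthenticating from a0:3d:6f:89:1f:42 by local choice (Reason: 3=DEAUTH_LEAVING)
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(\S+?):\s+(.*)$")


def triage(dmesg_text):
    """Count, per interface, how each association ended."""
    stats = defaultdict(lambda: {"local_deauth_delays": [],
                                 "ap_deauths": 0, "assoc_timeouts": 0})
    associated_at = {}
    for raw in dmesg_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, iface, msg = float(m.group(1)), m.group(2), m.group(3)
        if msg == "associated":
            associated_at[iface] = ts
        elif msg.startswith("deauthenticating from") and "by local choice" in msg:
            # mac80211 logs this when the station itself (on request from
            # the supplicant) tears the link down.
            start = associated_at.pop(iface, None)
            if start is not None:
                stats[iface]["local_deauth_delays"].append(round(ts - start, 3))
        elif msg.startswith("deauthenticated from"):
            # Deauth frame received from the access point.
            associated_at.pop(iface, None)
            stats[iface]["ap_deauths"] += 1
        elif msg.startswith("association with") and msg.endswith("timed out"):
            stats[iface]["assoc_timeouts"] += 1
    return dict(stats)


def summarize(stats):
    notes = []
    for iface, s in sorted(stats.items()):
        if s["local_deauth_delays"] and not s["ap_deauths"]:
            notes.append(f"{iface}: association succeeded, the local side gave "
                         f"up after {s['local_deauth_delays']} s; look for the "
                         "802.1X/EAP error in the supplicant's journal")
        if s["assoc_timeouts"]:
            notes.append(f"{iface}: {s['assoc_timeouts']} association timeout(s) "
                         "after repeated retries")
    return notes


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE))))
```

Both adapters show the same pattern, an association that the local side drops about three seconds later, which points away from the radio hardware and towards the authentication step that runs after association.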

There is a difference between no certs and accepting all certs.

Do you use NetworkManager or something else?
Maybe your university IT can give you help? Sometimes, you could derive the needed information from the Apple instructions.

Also, my university blocks my account for a few minutes after too many failed attempts. If your laptop constantly tries to login and fails, you should turn off your WiFi, make sure you set it up correctly, wait a few minutes, and then try again.

:point_up:
Usually your university IT gives advice on how to get access.

Also from experience, if you say you use Linux, they look at you as if you suggested something weird with their mother.
But some might give you actual support.
As said before, the Apple instructions usually match relatively closely to the NM options.

Arch networking has a small entry on the wiki:
https://wiki.archlinux.org/title/Network_configuration/Wireless#eduroam

It links to
https://cat.eduroam.org/

I’ve gone no further, maybe this helps.

My eduroam isn't included in it; I can't connect anyway.
Still searching for a fix, by asking the helpdesk of my university.

However, Android 13 has TOFU, but Android 10 or 9 defaults to using No Certs to access eduroam or WiFi-UB.x at my university. I don't have an Apple product, but I will look at the tutorials to see if they work.

Btw, using iwd requires creating manual configs. I have created a config by imitating the Arch wiki, without certs pwd, because the WiFi has no certs to retrieve by hand.
As a result, I still can't connect using iwctl > station wlan0 connect WiFi-UB.x, or maybe I'm missing some configs? idk

Does your university actually use a custom certificate or do they have a trusted certificate?

This way, you can add the chain /etc/ssl/cert.pem as a certificate.

An example IWD config:

[Security]
EAP-Method=PEAP
EAP-PEAP-CACert=/etc/ssl/cert.pem
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=your-email@your.uni
EAP-PEAP-Phase2-Password=your-password

I can’t get the cert, it should be automatically gathered when connected.

Today I could connect, but using Ubuntu 22.04 LTS, easily with GNOME NM.

[  112.144951] rfkill: input handler disabled
[  156.822000] wlp9s0: authenticate with a0:3d:6f:8b:0f:21
[  156.822029] wlp9s0: 80 MHz not supported, disabling VHT
[  156.845320] wlp9s0: send auth to a0:3d:6f:8b:0f:21 (try 1/3)
[  156.851719] wlp9s0: authenticated
[  156.856147] wlp9s0: associate with a0:3d:6f:8b:0f:21 (try 1/3)
[  156.882816] wlp9s0: RX AssocResp from a0:3d:6f:8b:0f:21 (capab=0x1431 status=0 aid=180)
[  156.883003] wlp9s0: associated
[  156.883226] ath: EEPROM regdomain: 0x8168
[  156.883231] ath: EEPROM indicates we should expect a country code
[  156.883233] ath: doing EEPROM country->regdmn map search
[  156.883235] ath: country maps to regdmn code: 0x3
[  156.883236] ath: Country alpha2 being used: ID
[  156.883238] ath: Regpair used: 0x3
[  156.883240] ath: regdomain 0x8168 dynamically updated by country element
[  156.966180] wlp9s0: Limiting TX power to 20 (20 - 0) dBm as advertised by a0:3d:6f:8b:0f:21
[  157.252023] IPv6: ADDRCONF(NETDEV_CHANGE): wlp9s0: link becomes ready
[  259.938936] EXT4-fs (sda5): mounted filesystem fe061892-e6ef-4b41-8602-a53dacff7378 with ordered data mode. Quota mode: none.

Then copy the same config.

After searching for 3-5 days, it says that it was an OpenSSL failure. I have checked it, and Ubuntu has some other config provided. I will see the next day whether it can be solved or not.

On the left is the Ubuntu cnf and on the right is the Manjaro cnf: www diffchecker com/17SfFCwU/

Sorry, it says I can't push links here.

I think you’re on the wrong track here.

Revert all your changes you did to this file. If NetworkManager works, then I recommend dropping iwd and use NM instead.

Using the same config as Ubuntu for the openssl changes, hopefully got associated after authenticated. But still got DEAUTH.

Btw, I have tried to use iwd, but no hope, so I reverted to NM, using the changed config from Ubuntu.

[  544.602711] ath: country maps to regdmn code: 0x3
[  544.602713] ath: Country alpha2 being used: ID
[  544.602715] ath: Regpair used: 0x3
[  544.602716] ath: regdomain 0x8168 dynamically updated by country element
[  544.643252] wlan0: Limiting TX power to 14 dBm as advertised by 04:62:73:13:86:b0
[  570.002519] wlan0: deauthenticating from 04:62:73:13:86:b0 by local choice (Reason: 3=DEAUTH_LEAVING)
[  579.991372] wlan0: authenticate with 04:62:73:13:86:b0
[  579.991398] wlan0: 80 MHz not supported, disabling VHT
[  580.016190] wlan0: send auth to 04:62:73:13:86:b0 (try 1/3)
[  580.017110] wlan0: authenticated
[  580.020425] wlan0: associate with 04:62:73:13:86:b0 (try 1/3)
[  580.022937] wlan0: RX AssocResp from 04:62:73:13:86:b0 (capab=0x1431 status=0 aid=13)
[  580.023105] wlan0: associated
[  580.023205] ath: EEPROM regdomain: 0x8168
[  580.023209] ath: EEPROM indicates we should expect a country code
[  580.023210] ath: doing EEPROM country->regdmn map search
[  580.023212] ath: country maps to regdmn code: 0x3
[  580.023213] ath: Country alpha2 being used: ID
[  580.023215] ath: Regpair used: 0x3
[  580.023217] ath: regdomain 0x8168 dynamically updated by country element
[  580.155199] wlan0: Limiting TX power to 14 dBm as advertised by 04:62:73:13:86:b0
[  604.007014] wlan0: deauthenticating from 04:62:73:13:86:b0 by local choice (Reason: 3=DEAUTH_LEAVING)

Your last log indicates possible trouble with the country settings of your WiFi. What's the output of

 iw reg get

https://wiki.archlinux.org/title/Network_configuration/Wireless#Respecting_the_regulatory_domain

Second:
Are you really sure that you have to use WPA2 Enterprise, or do you have to use WPA2 Personal instead? I doubt that WPA2 Enterprise is the right one. Never heard that Android takes care of security and uses extended security features provided with WPA2 Enterprise.

Eduroam is usually WPA enterprise, that part should be correct.

iw reg get got this output.

global
country 00: DFS-UNSET
	(2402 - 2472 @ 40), (6, 20), (N/A)
	(2457 - 2482 @ 20), (6, 20), (N/A), AUTO-BW, PASSIVE-SCAN
	(2474 - 2494 @ 20), (6, 20), (N/A), NO-OFDM, PASSIVE-SCAN
	(5170 - 5250 @ 80), (6, 20), (N/A), AUTO-BW, PASSIVE-SCAN
	(5250 - 5330 @ 80), (6, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
	(5490 - 5730 @ 160), (6, 20), (0 ms), DFS, PASSIVE-SCAN
	(5735 - 5835 @ 80), (6, 20), (N/A), PASSIVE-SCAN
	(57240 - 63720 @ 2160), (N/A, 0), (N/A)

phy#0
country 99: DFS-UNSET
	(2402 - 2472 @ 40), (N/A, 20), (N/A)
	(2457 - 2482 @ 40), (N/A, 20), (N/A), PASSIVE-SCAN
	(5140 - 5360 @ 80), (N/A, 30), (N/A), PASSIVE-SCAN
	(5715 - 5860 @ 80), (N/A, 30), (N/A), PASSIVE-SCAN

Second: I'm sure it uses WPA2 Enterprise, and my phone uses Android 13 with TOFU support (https:// source android com/docs/core/connect/wifi-tofu), which can connect and trust the CA before connecting.

NM configuration:

[connection]
id=WiFi-UB.x
uuid=52ffea27-3119-4e55-904d-5491940ab577
type=wifi
interface-name=wlan0

[wifi]
mode=infrastructure
ssid=WiFi-UB.x

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=*my identityt*
password=*my password*
phase2-auth=mschapv2

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]
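
The distinction drawn earlier in the thread between "no certs" and validating the server can be checked mechanically. The following is an added example, not code from any poster: a Python audit of a NetworkManager keyfile shaped like the one above. The identity, password and RADIUS server name are placeholders, and the finding codes are hypothetical names.

```python
import configparser

# Constructed keyfile modelled on the profile posted above; identity and
# password are placeholders.
POSTED = """\
[connection]
id=WiFi-UB.x
type=wifi

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=user@example.edu
password=placeholder
phase2-auth=mschapv2
"""

# Assumed values: the CA bundle path suggested in the thread and a
# hypothetical RADIUS server name (ask the helpdesk for the real one).
WITH_CA = POSTED + "ca-cert=/etc/ssl/cert.pem\n"
PINNED = WITH_CA + "domain-suffix-match=radius.example.edu\n"

NAME_KEYS = ("domain-suffix-match", "domain-match",
             "altsubject-matches", "subject-match")


def audit(keyfile_text):
    """Return finding codes for an 802.1X Wi-Fi profile."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(keyfile_text)
    if cfg.get("wifi-security", "key-mgmt", fallback="") != "wpa-eap":
        return []
    x = cfg["802-1x"] if cfg.has_section("802-1x") else {}
    methods = {m for m in x.get("eap", "").split(";") if m}
    if not methods & {"peap", "ttls"}:
        return []  # only tunnelled password methods are checked here
    has_ca = bool(x.get("ca-cert") or x.get("ca-path")) or \
        x.get("system-ca-certs", "false").lower() == "true"
    findings = []
    if not has_ca:
        # No trust anchor: the outer TLS tunnel is accepted from any server.
        findings.append("no-ca")
        if x.get("phase2-auth", "") == "mschapv2":
            # The inner MSCHAPv2 exchange then reaches whoever runs the AP.
            findings.append("mschapv2-unprotected")
    elif not any(x.get(k) for k in NAME_KEYS):
        # A public CA bundle without a name check trusts every certificate
        # any of those CAs has issued.
        findings.append("no-server-name")
    return findings
```

The posted profile yields `no-ca` and `mschapv2-unprotected`; adding only the system bundle still leaves `no-server-name`, and the profile comes back clean once a server name match is set as well.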

It's a wpa_supplicant issue afaik.
Here's the reference: bbs [dot] archlinux [dot] org/viewtopic.php?id=286417

Here's my version of the fix if anyone is interested.

echo "openssl_ciphers=DEFAULT@SECLEVEL=5" | sudo tee -a /etc/wpa_supplicant/wpa_supplicant.conf
sudo sed -i 's/ExecStart=\/usr\/bin\/wpa_supplicant -u -s -O \/run\/wpa_supplicant/ExecStart=\/usr\/bin\/wpa_supplicant -u -s -O \/run\/wpa_supplicant -c \/etc\/wpa_supplicant\/wpa_supplicant.conf/' /etc/systemd/system/wpa_supplicant.service
sudo systemctl daemon-reload
sudo systemctl restart wpa_supplicant

It should work normally after reboot.

Update: it should work with security level 5.

Please understand what you’re changing here. You disable any security that TLS usually provides.
If this is really necessary, you should leave your uni because they don’t understand security.

Also, you should use a drop-in file rather than changing the service file directly.

Lowering the TLS security doesn't work, but I found an interesting article from Fedora.
Here: https :// discussion fedoraproject org/t/cannot-connect-to-eduroam-on-f36-due-to-openssl-error/70534/4

Have you tried doing it this way?

https://wiki.archlinux.org/title/NetworkManager#WPA_Enterprise_connections_fail_to_authenticate_with_OpenSSL_"unsupported_protocol"_error

EDIT: That method worked for this person who was having a similar problem with eduroam.