Cannot connect to eduroam after NetworkManager update

On February 6th, I updated my Tumbleweed system which included an update of NetworkManager to 1.40-.12-1.1 and wpa_supplicant to 2.10-4.2. After that, I was not able to connect to he eduroam network both at my library and school. Booting into a snapshot prior to the upgrade worked flawlessly. Unfortunately, that snapshot as deleted since I kept updating the system.

I captured the following log related to the problem:

[   11.540295] Intel(R) Wireless WiFi driver for Linux
[   11.540564] iwlwifi 0000:02:00.0: can't disable ASPM; OS doesn't have ASPM control
[   11.575916] iwlwifi 0000:02:00.0: loaded firmware version 18.168.6.1 6000g2b-6.ucode op_mode iwldvm
[   11.891683] iwlwifi 0000:02:00.0 wlp2s0: renamed from wlan0
[   18.155163] iwlwifi 0000:02:00.0: Radio type=0x2-0x1-0x0
[   18.458785] iwlwifi 0000:02:00.0: Radio type=0x2-0x1-0x0
[   18.594006] iwlwifi 0000:02:00.0: Radio type=0x2-0x1-0x0
[   18.905098] iwlwifi 0000:02:00.0: Radio type=0x2-0x1-0x0
[   22.531238] iwlwifi 0000:02:00.0: Radio type=0x2-0x1-0x0
[   22.835375] iwlwifi 0000:02:00.0: Radio type=0x2-0x1-0x0
[   22.940674] wlp2s0: authenticate with xxxxxxxxxxxxxxx
[   22.944431] wlp2s0: send auth to xxxxxxxxxxxxxxx (try 1/3)
[   22.958287] wlp2s0: authenticated
[   22.958457] wlp2s0: waiting for beacon from xxxxxxxxxxxxxxx
[   23.062412] wlp2s0: associate with xxxxxxxxxxxxxxx (try 1/3)
[   23.065556] wlp2s0: RX AssocResp from xxxxxxxxxxxxxxx (capab=0x1111 status=0 aid=2)
[   23.067995] wlp2s0: associated
[   23.163515] wlp2s0: deauthenticated from xxxxxxxxxxxxxxx (Reason: 23=IEEE8021X_FAILED)
[   36.851151] wlp2s0: authenticate with xxxxxxxxxxxxxxx
[   36.854572] wlp2s0: send auth to xxxxxxxxxxxxxxx (try 1/3)
[   36.884660] wlp2s0: authenticated
[   36.884944] wlp2s0: waiting for beacon from xxxxxxxxxxxxxxx
[   36.988044] wlp2s0: associate with xxxxxxxxxxxxxxx (try 1/3)
[   36.991750] wlp2s0: RX AssocResp from xxxxxxxxxxxxxxx (capab=0x1111 status=0 aid=2)
[   36.995328] wlp2s0: associated
[   37.093102] wlp2s0: deauthenticated from xxxxxxxxxxxxxxx (Reason: 23=IEEE8021X_FAILED)
[   51.178857] wlp2s0: authenticate with xxxxxxxxxxxxxxx
[   51.181823] wlp2s0: send auth to xxxxxxxxxxxxxxx (try 1/3)
[   51.220530] wlp2s0: authenticated
[   51.220715] wlp2s0: waiting for beacon from xxxxxxxxxxxxxxx
[   51.323832] wlp2s0: associate with xxxxxxxxxxxxxxx (try 1/3)
[   51.326792] wlp2s0: RX AssocResp from xxxxxxxxxxxxxxx (capab=0x1111 status=0 aid=2)
[   51.329744] wlp2s0: associated
[   51.423147] wlp2s0: deauthenticated from xxxxxxxxxxxxxxx (Reason: 23=IEEE8021X_FAILED)
[   65.108953] wlp2s0: authenticate with xxxxxxxxxxxxxxx
[   65.111249] wlp2s0: send auth to xxxxxxxxxxxxxxx (try 1/3)
[   65.146827] wlp2s0: authenticated
[   65.146986] wlp2s0: waiting for beacon from xxxxxxxxxxxxxxx
[   65.251066] wlp2s0: associate with xxxxxxxxxxxxxxx (try 1/3)
[   65.254520] wlp2s0: RX AssocResp from xxxxxxxxxxxxxxx (capab=0x1111 status=0 aid=2)
[   65.257709] wlp2s0: associated
[   65.352726] wlp2s0: deauthenticated from xxxxxxxxxxxxxxx (Reason: 23=IEEE8021X_FAILED)
[   73.013367] wlp2s0: authenticate with xxxxxxxxxxxxxxx
[   73.016100] wlp2s0: send auth to xxxxxxxxxxxxxxx (try 1/3)
[   73.031482] wlp2s0: authenticated
[   73.031674] wlp2s0: waiting for beacon from xxxxxxxxxxxxxxx
[   73.135553] wlp2s0: associate with xxxxxxxxxxxxxxx (try 1/3)
[   73.138790] wlp2s0: RX AssocResp from xxxxxxxxxxxxxxx (capab=0x1111 status=0 aid=2)
[   73.142358] wlp2s0: associated
[   73.232600] wlp2s0: deauthenticated from xxxxxxxxxxxxxxx (Reason: 23=IEEE8021X_FAILED)
[   97.978070] wlp2s0: authenticate with xxxxxxxxxxxxxxx
[   97.981818] wlp2s0: send auth to xxxxxxxxxxxxxxx (try 1/3)
[   98.000036] wlp2s0: aborting authentication with xxxxxxxxxxxxxxx by local choice (Reason: 3=DEAUTH_LEAVING)
[   98.057181] iwlwifi 0000:02:00.0: Radio type=0x2-0x1-0x0
[   98.358338] iwlwifi 0000:02:00.0: Radio type=0x2-0x1-0x0

Any ideas?

FWIW, the network settings for eduroam:
Security: WPA/WPA2 enterprise
Authentication: PEAP
No certificate
PEAP version: automatic
Inner authentication: MSCHAPV2
And, of course, username and password.

The secrets need to access WLAN (WiFi) networks are usually kept on a per-User basis and not, as System secrets.

Which Desktop are you using – KDE Plasma or, GNOME or, something else?

Both KDE Plasma and GNOME use encrypted User Wallets to manage the passwords needed to access WLAN Access Points.

  • Please indicate if, you’re aware of these methods to access WLAN Access Points.

I’m using XFCE; not aware of what you’re describing and certainly not aware of the relevancy to my problem. Please enlighten me.

AFAICS, you should be able to use “Network Manager” with an XFCE Desktop.


Looking at the XFCE documentation, I can’t see anything related to Network Management – possibly because the Network Manager applet should be used to manage network connections …

For specific openSUSE support for the XFCE Desktop you’ll possibly need to use the XFCE Portal: <https://en.opensuse.org/Portal:Xfce>

Thank you, sir. I do have the feeling that there is some miscommunication going on. The core of my problem is that eduroam worked perfectly for a long time, but stopped working after a Tumbleweed update in early February.

Edit: To confirm, yes, I am using NetworkManager.

Yes, but the only information provided so far just says that authentication failed. You may try to enable trace level logging in NetworkManager, it may give some more information why it fails.

Have you included the user directories in the system snapshot?

  • If so, then, the changes to your user files were also deleted when the snapshot was deleted.

Please be aware that, the snapshot mechanism is mainly useful for rolling back system files to a previous (working) state.

  • For the case of user directories and files, snapshots are really only useful for recovering files and directories which were accidentally deleted.
    Meaning, for the case of user directories and files, a regular Backup is, and remains, the prime choice.

Fair enough. I’ll try this out to capture some more information: Chapter 43. Introduction to NetworkManager Debugging Red Hat Enterprise Linux 8 | Red Hat Customer Portal.

I gathered some more information.

  • Connecting to eduroam under Windows 10 on the same laptop also does not work
  • Connecting to eduroam on my phone works
  • Network adapter: Intel(R) Centrino(R) Advanced-N 6235 AGN

Some additional info from dmesg:

wlp2s0: authenticate with wlp2s0: authenticate with xxxxxxxxxxxxxxx
[   63.237186] wlp2s0: send auth to xxxxxxxxxxxxxxx (try 1/3)
[   63.248771] wlp2s0: authenticated
[   63.251214] wlp2s0: associate with xxxxxxxxxxxxxxx (try 1/3)
[   63.254049] wlp2s0: RX AssocResp from xxxxxxxxxxxxxxx (capab=0x1111 status=0 aid=1)
[   63.256493] wlp2s0: associated
[   64.349336] wlp2s0: deauthenticated from xxxxxxxxxxxxxxx (Reason: 6=CLASS2_FRAME_FROM_NONAUTH_STA)
[   78.064763] wlp2s0: authenticate with xxxxxxxxxxxxxxx
[   78.067425] wlp2s0: send auth to xxxxxxxxxxxxxxx (try 1/3)
[   78.095464] wlp2s0: authenticated
[   78.095641] wlp2s0: waiting for beacon from xxxxxxxxxxxxxxx
[   78.199158] wlp2s0: associate with xxxxxxxxxxxxxxx (try 1/3)

I also capture the journalctl log, but there does not seem to be anything interesting there. Retrieval of secrets seems to go smooth (except for some lines with user cancelled secret requests).

It could be that, the network you’re trying to connect to has enabled an additional security level –

  • Only clients with know MAC addresses are allowed to connect – even if, they have correct credentials for connecting to the WLAN/WiFi.
    The rejection reason supplied by the WLAN Access Point means:

Client attempted to transfer data before it was authenticated.

Alternatively, the reason could be the way you’re using the IEEE Standard 802.11 –


Are you sure that, you’re using the correct Security Algorithm to access the WLAN?

  • Could it be that, you’ve enabled the WEP algorithm?
    ( Rather than WPA/WPA2 … )

BTW, I just love (not really) the abbreviations used by IEEE 802.11 discussions: :face_with_spiral_eyes:

  1. STA – there are at least 128 meanings for this abbreviation – “Special Temporary Authority”; “Surface to Air”; “Students Take Action” …
    But, I suspect that it means “STATION” …

  2. AP – there are at least 264 meanings for this abbreviation – “Air Pollution”; “Atmospheric Pressure”; “Applied Physics” …
    But, I suspect that, it means “Access Point” …

Thanks for the reply. I’ll have a look at school tomorrow if I can connect to the eduroam network there.

I’m using the settings as described in the OP; configuration has not changed after updating wpa_supplicant, etc.

At school, I was able to connect to eduroam via Windows 10. TW is still giving me problems. Therefore, it must be a bug or a config file that has changed when updating wpa_supplicant, NetworkManager, etc at the beginning of February. Any suggestions for gathering more information to debug/troubleshoot?

Searching for CLASS2_FRAME_FROM_NONAUTH_STA I see at least two things to try:

  1. Run something like ‘iwconfig wlp3s0 power off’, see 1904798 – iwlwifi 8265 Frequent Wifi disconnections
  2. Run with ‘swcrypto=1’, see [SOLVED] Can't connect to protected wifi - connection timed out / Networking, Server, and Protection / Arch Linux Forums

I’ll try that out when I get the chance…

None of the above suggestions work… I’m now getting Reason: 23=IEEE8021X_FAILED again, just as I originally did. I’m still convinced that something went wrong with the NetworkManager/wpa_supplicant update in early February (be it a bug, or configuration change), since before that everything worked fine. For now, I’m using USB tethering via my phone as a workaround (am able to connect via Android).

I don’t know what to do now besides filing a bug.

There already appears to be a bug: Bug 1207913 – wpa_supplicant 2.10-4.2 does not authenticate WPA PEAP MSCHAPv2 connections with no certificate

Fine, yes, but –

  • Can you connect to the offending WLAN with either an Android or Apple Pocket Telephone?

Further explanation is here: <https://security.stackexchange.com/questions/193450/your-connection-will-not-be-private-wi-fi-ca-certificate-warning-message-on-an>

Not sure what you’re getting at, but I can connect via my Android phone no matter if I set the CA-certificate to ‘Do not validate’ or ‘Use system certificates’

In other words, there is a certificate but, the WPA Supplicant isn’t recognising it –

  • Is the systemd wpa_supplicant.service enabled?

Please check ‘/usr/share/doc/packages/wpa_supplicant/examples/*’ for examples which may be relevant for your situation.

Stupid question: is the “wpa_supplicant” package correctly installed?

 # rpm --verify wpa_supplicant
 # zypper verify

What do you mean? I’m not specifying using any certificates to connect to eduroam on TW.

The wpa_supplicant service is running and installed correctly.