Connecting to WPA2 Enterprise (MSCHAPv2) on Linux with NetworkManager


Short guide detailing how to connect to a MSCHAPv2 network on Linux with some troubleshooting tips.

Connecting to a WPA2-Enterprise network on Linux is sometimes not straightforward, especially when using more minimal Linux distros like Arch, Void or Manjaro. Often this is because of missing packages or because the necessary packages are too new.

This quick guide will show you how to set up a WPA2-Enterprise connection using “MS-CHAPv2” as the inner authentication protocol. In particular, it will showcase some troubleshooting steps you can take in order to get it working.

This guide deals only with a NetworkManager setup. I may add other network software to this guide eventually. Most links provided in this guide will be Arch Linux specific. If you are using another distro or package manager, you should be able to find the necessary packages under a similar name.

Initial Setup

If you have not set up your connection already, you can do so either via nmcli, nmtui or the nm-connection-editor. The latter two programs come with a graphical interface which is great for avoiding any mistakes in your setup. I recommend using those over a manual setup.

Inside the “Wi-Fi Security” section, add all the credentials given to you by your institution. The important fields are the domain, username, password and the CA certificate. Remember to tick the box “No CA certificate is required” in case your institution does not use one.

Provided you have set up everything correctly, your connection should work. You can check this by running:

nmcli con up [connection_name]

If you are receiving some errors or are repeatedly prompted for a password, then check the following section for troubleshooting.

Troubleshooting

Install Point-To-Point Tunneling packages (PPP, PPTP)

Some MSCHAPv2 networks require that you have installed software related to Microsoft’s Point-To-Point Tunneling Protocol. You will want to install ppp and the pptpclient.

Restart NetworkManager with systemctl restart NetworkManager and try connecting again.

Add phase1-auth flags for outdated networks

Because of security updates to OpenSSL, certain older / outdated networks require that different authentication flags are set. These flags cannot be set through the graphical tools; you have to edit the NetworkManager connection file by hand.

Open the following file as root: /etc/NetworkManager/system-connections/[connection-name].nmconnection. Find the section [802-1x] and add the following value:

# File: [connection-name].nmconnection
[802-1x]
...
phase1-auth-flags=32
...

Restart NetworkManager with systemctl restart NetworkManager and try connecting again.

Add auth-alg flag

Sometimes setting the authentication algorithm (auth-alg) to open can also resolve connection issues with MSCHAPv2. This flag is not set by default, so it has to be added to the connection file manually.

Open the following file as root: /etc/NetworkManager/system-connections/[connection-name].nmconnection. Find the section [wifi-security] and add the following value:

# File: [connection-name].nmconnection
[wifi-security]
...
auth-alg=open
...

Deactivate random MAC address

Some networks may have an issue with NetworkManager’s automatic MAC address randomization. You can disable it by adding the following to /etc/NetworkManager/NetworkManager.conf:

# File: NetworkManager.conf
[device]
wifi.scan-rand-mac-address=no

Check for incorrect configurations

You can open the config file of your connection under /etc/NetworkManager/system-connections/[connection-name].nmconnection. In case you have not set up your connection properly, you can double-check the values in your config files with the one provided here:

# File: [connection-name].nmconnection
# Example of (potentially) working nmconnection file for MSCHAPv2

[connection]
id=[YOUR_CONNECTION_NAME]
uuid=[UUID]
type=wifi

[wifi]
mode=infrastructure
ssid=[SSID_OF_NETWORK]

[wifi-security]
key-mgmt=wpa-eap
# This is a manual option you might need:
auth-alg=open

[802-1x]
domain-suffix-match=[YOUR_DOMAIN]
eap=peap;
identity=[YOUR_IDENTITY]
password=[YOUR_PASSWORD]
phase2-auth=mschapv2
# This is a manual option you might need:
phase1-auth-flags=32

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]
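As an added example (not part of the original guide), the following Python script parses a .nmconnection keyfile and compares it against the profile above: it checks key-mgmt, eap and phase2-auth, the required identity fields, whether a CA certificate and domain-suffix-match are set, and whether the file mode keeps the plaintext password private. It assumes the Python configparser is close enough to GLib's keyfile parser for these checks; SAMPLE_PROFILE is a constructed placeholder, not a real network.

```python
import configparser
import stat
# Expected values, taken from the example profile in this guide.
EXPECTED = {("wifi-security", "key-mgmt"): "wpa-eap",
            ("802-1x", "eap"): "peap",
            ("802-1x", "phase2-auth"): "mschapv2"}
REQUIRED = [("wifi", "ssid"), ("802-1x", "identity"), ("802-1x", "password")]
# Constructed sample profile with placeholder values (not a real network).
SAMPLE_PROFILE = """\
[wifi]
mode=infrastructure
ssid=ExampleNet
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
domain-suffix-match=example.org
eap=peap;
identity=user@example.org
password=placeholder-password
phase2-auth=mschapv2
"""

def parse_keyfile(text):
    # NM keyfiles are GLib key files ('#' comments, [group] headers, list values
    # ending in ';'); configparser is assumed close enough for these checks.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    return cp

def check_profile(text, mode=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    cp = parse_keyfile(text)
    findings = []
    for (group, key), want in EXPECTED.items():
        got = cp.get(group, key, fallback="").rstrip(";")
        if got != want:
            findings.append(f"{group}.{key} is '{got}', expected '{want}'")
    for group, key in REQUIRED:
        if not cp.get(group, key, fallback=""):
            findings.append(f"{group}.{key} is missing or empty")
    # Without a CA cert the supplicant cannot verify the RADIUS server before
    # sending the MSCHAPv2 credentials through the TLS tunnel.
    if not cp.get("802-1x", "ca-cert", fallback=""):
        findings.append("802-1x.ca-cert not set: server certificate is not verified")
    elif not cp.get("802-1x", "domain-suffix-match", fallback=""):
        findings.append("802-1x.domain-suffix-match not set: any cert from that CA is accepted")
    # The file holds a plaintext password, so it must not be group/world readable.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {oct(mode & 0o777)} is readable by others; use 0600")
    return findings
```

To check a real profile, read /etc/NetworkManager/system-connections/[connection-name].nmconnection as root and pass its contents plus os.stat(path).st_mode to check_profile.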

Sources

Most of the information compiled here has been provided by the Arch Community on the Arch Wiki and the Arch Forums. If none of the steps provided in this article helped you, you may wish to dig deeper into these sources: