#1 2026-01-22 12:29:10

manitufunatu
Member
Registered: 2026-01-20
Posts: 8

Yet another iwd/eduroam issue

Hello,

I cannot connect to eduroam or 802-1x networks (WPA2 enterprise), but I can connect to psk personal WPA2 networks.

- Kernel arch 6.18.5.
- MAC address randomization disabled.
- tried nmtui.
- still prefer nmcli.
- can connect with same creds to eduroam w smartphone, GUI devices.
- 99.9% sure it's not a certificate issue.

My config is Network Manager with iwd as backend.

I have seen in other posts that iwd should automatically be started by NetworkManager. That is not the case for me here: if I stop it, then I cannot connect to any network.

[Security]
EAP-Method=PEAP
EAP-Identity=12345@domain.ac 
EAP-PEAP-CACert=/var/lib/iwd/unicert-ca.pem
EAP-PEAP-ServerDomainMask=radius.domain.ac
# I tried both including in this conf and prompting password
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=12345@domain.ac

I'm getting this error for journalctl -u iwd (yet I am very sure of the "Identity" email I must use there):

Jan 22 12:46:09 arc iwd[146075]: event: state, old: autoconnect_full, new: connecting
Jan 22 12:46:09 arc iwd[146075]: PEAP: Tunnel has disconnected with alert: close_notify
Jan 22 12:46:09 arc iwd[146075]: Received Deauthentication event, reason: 1, from_ap: true
Jan 22 12:46:09 arc iwd[146075]: EAP negotiation stopped after the Identity exchange, this can happen when the EAP-PEAP-Phase2-Identity value is not what the authenticator expects
Jan 22 12:46:09 arc iwd[146075]: event: disconnect-info, reason: 1
Jan 22 12:46:09 arc iwd[146075]: event: state, old: connecting, new: disconnected

These are my running services

  bluetooth.service      
  dbus-broker.service       
  greetd.service          
  iwd.service              
  NetworkManager.service  
  polkit.service        
  rtkit-daemon.service   
  systemd-journald.service 
  systemd-logind.service  
  systemd-resolved.service 
  systemd-timesyncd.service
  systemd-udevd.service  
  systemd-userdbd.service  
  udisks2.service          
  upower.service           
  user@1000.service         

I do not believe this has to do with SHA-1 being pulled out. If this is related to kernel crypto and I HAVE to switch to wpa_supplicant I will, but I would like to understand why.

Does anyone know how to dig further here?

Thanks a lot :)

Last edited by manitufunatu (2026-01-22 16:55:37)

Offline

#2 2026-01-22 14:41:14

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 72,938

Re: Yet another iwd/eduroam issue

My config is Network Manager with iwd as backend. … I have seen on other posts that iwd should automatically be started by NetworkManager

  iwd.service              
  NetworkManager.service
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

If you want to use iwd as NM backend see https://wiki.archlinux.org/title/Networ … Fi_backend - do not enable the iwd.service
Enabling both will absolutely not work.

Offline

#3 2026-01-22 15:59:29

manitufunatu
Member
Registered: 2026-01-20
Posts: 8

Re: Yet another iwd/eduroam issue

Fair enough (since it worked for WPA2-personal and open networks I thought it would do the trick for Enterprise).

I have now stopped NM and am relying solely on iwd (also tried alongside systemd-networkd). Here I can connect to WPA2 as previously.

cat /etc/iwd/main.conf
[General]
EnableNetworkConfiguration=true

Services:

bluetooth.service                        | bluetooth.target.wants
dbus-org.bluez.service                   | system
dbus-org.freedesktop.resolve1.service    | system
dbus-org.freedesktop.timesync1.service   | system
display-manager.service                  | system
getty@tty1.service                       | getty.target.wants
gnome-keyring-daemon.socket              | sockets.target.wants
iwd.service                              | multi-user.target.wants
p11-kit-server.socket                    | sockets.target.wants
pipewire-pulse.socket                    | sockets.target.wants
pipewire-session-manager.service         | user
pipewire.socket                          | sockets.target.wants
remote-fs.target                         | multi-user.target.wants
systemd-resolved-monitor.socket          | sockets.target.wants
systemd-resolved-varlink.socket          | sockets.target.wants
systemd-resolved.service                 | sysinit.target.wants
systemd-timesyncd.service                | sysinit.target.wants
systemd-userdbd.socket                   | sockets.target.wants
wireplumber.service                      | pipewire.service.wants

But not to eduroam:

[iwd]# station wlan0 connect eduroam
Operation failed

I am getting the same PEAP error in journalctl:

Jan 22 16:34:21 arc iwd[173267]: event: state, old: autoconnect_full, new: connecting (auto)
Jan 22 16:34:21 arc iwd[173267]: PEAP: Tunnel has disconnected with alert: close_notify
Jan 22 16:34:21 arc iwd[173267]: Received Deauthentication event, reason: 23, from_ap: true
Jan 22 16:34:21 arc iwd[173267]: EAP negotiation stopped after the Identity exchange, this can happen when the EAP-PEAP-Phase2-Identity value is not what the authenticator expects
Jan 22 16:34:21 arc iwd[173267]: event: disconnect-info, reason: 23
Jan 22 16:34:21 arc iwd[173267]: event: state, old: connecting (auto), new: disconnected
Jan 22 16:34:21 arc iwd[173267]: event: state, old: disconnected, new: autoconnect_full
Jan 22 16:34:24 arc iwd[173267]: event: connect-info, ssid: eduroam, bss: a8:3a:79:8b:ee:92, signal: -79, load: 50/255
Jan 22 16:34:24 arc iwd[173267]: event: state, old: autoconnect_full, new: connecting (auto)
Jan 22 16:34:25 arc iwd[173267]: PEAP: Tunnel has disconnected with alert: close_notify
Jan 22 16:34:25 arc iwd[173267]: Received Deauthentication event, reason: 23, from_ap: true
Jan 22 16:34:25 arc iwd[173267]: EAP negotiation stopped after the Identity exchange, this can happen when the EAP-PEAP-Phase2-Identity value is not what the authenticator expects
Jan 22 16:34:25 arc iwd[173267]: event: disconnect-info, reason: 23

Can unusual chars in the password (within the /var/lib/iwd/eduroam.8021x file) possibly break the config?

Last edited by manitufunatu (2026-01-22 16:10:18)

Offline

#4 2026-01-22 19:45:56

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 72,938

Re: Yet another iwd/eduroam issue

EAP-Identity=12345@domain.ac
EAP-PEAP-Phase2-Identity=12345@domain.ac

are probably neither the actual values and you might indeed have to escape characters in login and password.

https://man.archlinux.org/man/iwd.network.5 wrote:

String values, including file paths and hexstrings, are written as is except for five characters that may be backslash-escaped: space, \t, \r, \n and backslash itself. The latter three must be escaped. A space character must be escaped if it is the first character in the value string and is written as \s.

Are you sure it's PEAP and not TLS or TTLS?
Because of the subject, does NM+wpa_supplicant actually work (when configured w/ one of the main GUIs)?

Offline

#5 2026-01-22 20:31:43

manitufunatu
Member
Registered: 2026-01-20
Posts: 8

Re: Yet another iwd/eduroam issue

It is PEAP, indeed it works with Gnome NM or wpa_supplicant (on Ubuntu) https://admin.kuleuven.be/icts/english/ … fig-ubuntu .

I did not try wpa_supplicant as NM backend though (I would rather use iwd).


Regarding the values, they're not the actual ones but very close in terms of regex, and unfortunately for me, none of the unusual chars (in my password or email) are mentioned in the man page. Therefore it seems I do not have anything to escape.

Last edited by manitufunatu (2026-01-22 20:39:01)

Offline

#6 2026-01-22 21:41:48

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 72,938

Re: Yet another iwd/eduroam issue

I did not try wpa_supplicant as NM backend though (I would rather use iwd).

Setup iwd as NM backend following https://wiki.archlinux.org/title/Networ … Fi_backend and configure the connection through NM
If this works the autogenerated iwd config might highlight the critical difference and you can also just steal it to use iwd directly, if you want.

Offline

#7 2026-01-23 10:53:31

manitufunatu
Member
Registered: 2026-01-20
Posts: 8

Re: Yet another iwd/eduroam issue

seth wrote:

Setup iwd as NM backend following https://wiki.archlinux.org/title/Networ … Fi_backend and configure the connection through NM

When I do follow this (and stop/disable iwd service), my interface wlan0 disappears.

 ls /sys/class/net
lo

A firmware issue? If yes, that is surprising as I do not have any other WiFi problem (other than not connecting to WPA2 Enterprise) when I run iwd alone or iwd + NM (kernel driver iwlwifi loaded, firmware file exists, up to date, no error from dmesg).

Last edited by manitufunatu (2026-01-23 10:54:29)

Offline

#8 2026-01-23 14:18:05

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 72,938

Re: Yet another iwd/eduroam issue

Idk, but your journal will

sudo journalctl -b | curl -F 'file=@-' 0x0.st

Generally the userspace configuration would not affect the devices, but either the driver crashes or it's rfkill'd

Offline

#9 2026-01-23 19:19:18

manitufunatu
Member
Registered: 2026-01-20
Posts: 8

Re: Yet another iwd/eduroam issue

Here I started with iwd disabled and stopped, no wlan0 interface.

I restarted NM. Stopped NM (still no wlan0).

Started iwd (got wlan0 interface back and an IP on my WLAN).

Stopped iwd (lost both).

Started iwd and NM services (got back wlan0 and interface).

http://0x0.st/PP5p.txt

I am confused but probably missing something very obvious...

Offline

#10 2026-01-23 19:37:42

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 72,938

Re: Yet another iwd/eduroam issue

The journal - not random bits of it.
Nothing in that file explains devices missing, showing up or disappearing.

Offline

#11 2026-01-23 20:36:37

manitufunatu
Member
Registered: 2026-01-20
Posts: 8

Re: Yet another iwd/eduroam issue

The journal - not random bits of it.
Nothing in that file explains devices missing, showing up or disappearing.

It was the journal, corresponding to when the wlan0 interface was showing/disappearing though (I had it with the -f option to add space/comments, yet no cuts).

http://0x0.st/PPRt.txt


Anything else I could provide that would be helpful?

Last edited by manitufunatu (2026-01-23 20:40:10)

Offline

#12 2026-01-23 20:48:57

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 72,938

Re: Yet another iwd/eduroam issue

It was the journal, corresponding to…

That was the point.

The device shows up immediately, then you check/enable/start iwd (DON'T!), then you check and start NM,  then you stop iwd, then restart NM, stop NM, start iwd.

Stop flailing around.
1. What are the contents of /etc/NetworkManager/conf.d/iwd-unmanaged.conf ?

tail -n1000 /etc/NetworkManager/conf.d/{iwd-unmanaged.conf,wifi_backend.conf,wifi_rand_mac.conf} | curl -F 'file=@-' 0x0.st

2. Disable iwd.service, enable NM, make sure https://wiki.archlinux.org/title/Networ … Fi_backend is configured, reboot.
Dump the journal

sudo journalctl -b > /tmp/journal.txt

Then feel free to do whatever you want to get internet access and upload the journal.

cat /tmp/journal.txt | curl -F 'file=@-' 0x0.st

Offline

#13 2026-01-23 22:06:20

manitufunatu
Member
Registered: 2026-01-20
Posts: 8

Re: Yet another iwd/eduroam issue

My bad, got panicked for nothing over the interface, now iwd is properly running as NM's backend, fixed after reboot. cheers.

1. /etc/NetworkManager/conf.d/iwd-unmanaged.conf was a copy of wifi_backend I forgot to delete.
http://0x0.st/PP7h.txt
just did now.

2. Here is the journal's dump with iwd as NM's backend, just went to a uni building now to check eduroam but I'm still getting the PEAP error as previously.

http://0x0.st/PPho.txt

Offline

#14 2026-01-23 22:17:29

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 72,938

Re: Yet another iwd/eduroam issue

Jan 23 22:34:52 arc NetworkManager[677]: <info>  [1769204092.1598] IWD network config will send the same EAP Identity string in plaintext in phase 1 as in phase 2 (encrypted) to mimic legacy behavior, set [802-1x].anonymous-identity=anonymous to prevent exposing the value

Switching back to wpa_supplicant still works w/ the existing NM profile, though?

Offline
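
The escaping rule quoted in post #4 and the plaintext phase 1 identity flagged by the NetworkManager log line in post #14, as an added Python example that is not part of the thread or of iwd: it renders the [Security] section with an anonymous outer identity and escaped values. EAP-PEAP-Phase2-Password is the iwd.network(5) key for a stored password; defaulting the outer identity to anonymous@<realm> is an assumption of this example, and whether the home RADIUS server accepts it is site-specific.

```python
# Added example, not from the thread. Escaping follows the iwd.network(5)
# rule quoted in post #4; the anonymous outer identity follows the
# NetworkManager hint quoted in post #14.
_ESCAPES = {"\\": "\\\\", "\n": "\\n", "\r": "\\r", "\t": "\\t"}
_UNESCAPES = {"s": " ", "t": "\t", "r": "\r", "n": "\n", "\\": "\\"}


def iwd_escape(value):
    """Escape a string for an iwd settings file."""
    out = []
    for i, ch in enumerate(value):
        # A space only has to be escaped when it leads the value.
        out.append("\\s" if ch == " " and i == 0 else _ESCAPES.get(ch, ch))
    return "".join(out)


def iwd_unescape(text):
    """Reverse iwd_escape; unknown escapes are rejected (example's choice)."""
    out, chars = [], iter(text)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, None)
            if nxt not in _UNESCAPES:
                raise ValueError(f"bad escape sequence: \\{nxt}")
            ch = _UNESCAPES[nxt]
        out.append(ch)
    return "".join(out)


def peap_security_section(identity, password, ca_cert, domain_mask,
                          outer_identity=None):
    """Render [Security] for PEAP/MSCHAPv2 with a separate outer identity."""
    realm = identity.partition("@")[2]
    # Phase 1 travels in plaintext, so default it to anonymous@<realm>
    # (assumption of this example, keeps the realm for RADIUS routing).
    outer = outer_identity or (f"anonymous@{realm}" if realm else "anonymous")
    keys = [
        ("EAP-Method", "PEAP"),
        ("EAP-Identity", outer),
        ("EAP-PEAP-CACert", ca_cert),
        ("EAP-PEAP-ServerDomainMask", domain_mask),
        ("EAP-PEAP-Phase2-Method", "MSCHAPV2"),
        ("EAP-PEAP-Phase2-Identity", identity),
        ("EAP-PEAP-Phase2-Password", password),
    ]
    return "[Security]\n" + "".join(
        f"{k}={iwd_escape(v)}\n" for k, v in keys)
```

Passing outer_identity explicitly reproduces the thread's original profile, where both identities are the same string.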

#15 2026-01-24 10:51:50

manitufunatu
Member
Registered: 2026-01-20
Posts: 8

Re: Yet another iwd/eduroam issue

Yes, wpa_supplicant as NM's backend works, so maybe iwd is just not compatible with this eduroam configuration as it seems that the university refuses the "anonymous" identity.

Thank you for your help.

In short the quick answer would be: iwd is "privacy-aware" by default, if the eduroam configuration is bad then iwd won't work?

Can I mark it as solved? Or should I dig deeper in iwd source and the uni's IT service?

Last edited by manitufunatu (2026-01-24 10:52:24)

Offline

#16 2026-01-24 12:11:52

progandy
Member
Registered: 2012-05-17
Posts: 5,303

Re: Yet another iwd/eduroam issue

The CAT tool provided by eduroam is able to create an IWD profile, have you tried that? If you want to keep using NM, wpa_supplicant is probably more reliable, though.

python eduroam-linux-KLA-eduroam.py --iwd_conf --gui tty 
cat eduroam.8021x
cat campusroam.8021x 

Last edited by progandy (2026-01-24 12:27:17)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |

Offline
