wpa_supplicant 后端无法连接 802.1x WiFi

记录 Linux 下无法连接 WPA2-EAP WiFi 的问题排查过程。

症状

添加好 WiFi 配置后点击连接，KDE 的 NetworkManager 会在“正在配置端口”后小概率获取 IP，随后又弹出重新输入密码的窗口。反复尝试后仍然连接失败。

排查

查看 NetworkManager 的 journal 并未发现有用信息：

journalctl -xeu NetworkManager

2026/3/5 16:45	NetworkManager	<info>  [1772700308.8622] Config: added 'ssid' value 'S'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8622] Config: added 'scan_ssid' value '1'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8622] Config: added 'bgscan' value 'simple:30:-65:300'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8622] Config: added 'key_mgmt' value 'WPA-EAP FT-EAP FT-EAP-SHA384 WPA-EAP-SHA256'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8622] Config: added 'auth_alg' value 'OPEN'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8623] Config: added 'password' value '<hidden>'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8623] Config: added 'eap' value 'PEAP'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8623] Config: added 'fragment_size' value '1266'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8623] Config: added 'phase2' value 'auth=MSCHAPV2'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8623] Config: added 'identity' value '28'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.8623] Config: added 'proactive_key_caching' value '1'
2026/3/5 16:45	NetworkManager	<info>  [1772700308.9515] device (wlp9s0): supplicant interface state: disconnected -> scanning
2026/3/5 16:45	NetworkManager	<info>  [1772700308.9515] device (p2p-dev-wlp9s0): supplicant management interface state: disconnected -> scanning
2026/3/5 16:45	NetworkManager	<info>  [1772700312.8392] device (wlp9s0): supplicant interface state: scanning -> authenticating
2026/3/5 16:45	NetworkManager	<info>  [1772700312.8392] device (p2p-dev-wlp9s0): supplicant management interface state: scanning -> authenticating
2026/3/5 16:45	NetworkManager	<info>  [1772700312.8454] device (wlp9s0): supplicant interface state: authenticating -> associating
2026/3/5 16:45	NetworkManager	<info>  [1772700312.8454] device (p2p-dev-wlp9s0): supplicant management interface state: authenticating -> associating
2026/3/5 16:45	NetworkManager	<info>  [1772700312.9626] device (wlp9s0): supplicant interface state: associating -> associated
2026/3/5 16:45	NetworkManager	<info>  [1772700312.9627] device (p2p-dev-wlp9s0): supplicant management interface state: associating -> associated
2026/3/5 16:45	NetworkManager	<info>  [1772700314.0445] device (wlp9s0): supplicant interface state: associated -> disconnected
2026/3/5 16:45	NetworkManager	<info>  [1772700314.0445] device (p2p-dev-wlp9s0): supplicant management interface state: associated -> disconnected
2026/3/5 16:45	NetworkManager	<info>  [1772700314.2286] device (wlp9s0): supplicant interface state: disconnected -> scanning
2026/3/5 16:45	NetworkManager	<info>  [1772700314.2286] device (p2p-dev-wlp9s0): supplicant management interface state: disconnected -> scanning
2026/3/5 16:45	NetworkManager	<info>  [1772700328.7202] device (wlp9s0): supplicant interface state: scanning -> authenticating
2026/3/5 16:45	NetworkManager	<info>  [1772700328.7203] device (p2p-dev-wlp9s0): supplicant management interface state: scanning -> authenticating
2026/3/5 16:45	NetworkManager	<info>  [1772700328.7253] device (wlp9s0): supplicant interface state: authenticating -> associating
2026/3/5 16:45	NetworkManager	<info>  [1772700328.7253] device (p2p-dev-wlp9s0): supplicant management interface state: authenticating -> associating
2026/3/5 16:45	NetworkManager	<info>  [1772700328.8425] device (wlp9s0): supplicant interface state: associating -> associated
2026/3/5 16:45	NetworkManager	<info>  [1772700328.8426] device (p2p-dev-wlp9s0): supplicant management interface state: associating -> associated
2026/3/5 16:45	NetworkManager	<info>  [1772700329.9175] device (wlp9s0): supplicant interface state: associated -> disconnected
2026/3/5 16:45	NetworkManager	<info>  [1772700329.9176] device (p2p-dev-wlp9s0): supplicant management interface state: associated -> disconnected
2026/3/5 16:45	NetworkManager	<info>  [1772700330.1012] device (wlp9s0): supplicant interface state: disconnected -> scanning
2026/3/5 16:45	NetworkManager	<info>  [1772700330.1012] device (p2p-dev-wlp9s0): supplicant management interface state: disconnected -> scanning
2026/3/5 16:45	NetworkManager	<warn>  [1772700333.9965] device (wlp9s0): Activation: (wifi) association took too long
2026/3/5 16:45	NetworkManager	<info>  [1772700333.9965] device (wlp9s0): state change: config -> need-auth (reason 'none', managed-type: 'full')
2026/3/5 16:45	NetworkManager	<warn>  [1772700333.9970] device (wlp9s0): Activation: (wifi) asking for new secrets
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9915] device (wlp9s0): state change: need-auth -> prepare (reason 'none', managed-type: 'full')
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9918] device (wlp9s0): state change: prepare -> config (reason 'none', managed-type: 'full')
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9920] device (wlp9s0): Activation: (wifi) connection '1X' has security, and secrets exist.  No new secrets needed.
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9920] Config: added 'ssid' value 'X'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9920] Config: added 'scan_ssid' value '1'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9920] Config: added 'bgscan' value 'simple:30:-65:300'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9920] Config: added 'key_mgmt' value 'WPA-EAP FT-EAP FT-EAP-SHA384 WPA-EAP-SHA256'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9920] Config: added 'auth_alg' value 'OPEN'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9920] Config: added 'password' value '<hidden>'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9920] Config: added 'eap' value 'PEAP'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9920] Config: added 'fragment_size' value '1266'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9921] Config: added 'phase2' value 'auth=MSCHAPV2'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9921] Config: added 'identity' value '8'
2026/3/5 16:45	NetworkManager	<info>  [1772700343.9921] Config: added 'proactive_key_caching' value '1'
2026/3/5 16:45	NetworkManager	<info>  [1772700347.9052] device (wlp9s0): supplicant interface state: scanning -> authenticating
2026/3/5 16:45	NetworkManager	<info>  [1772700347.9053] device (p2p-dev-wlp9s0): supplicant management interface state: scanning -> authenticating
2026/3/5 16:45	NetworkManager	<info>  [1772700347.9128] device (wlp9s0): supplicant interface state: authenticating -> associating
2026/3/5 16:45	NetworkManager	<info>  [1772700347.9129] device (p2p-dev-wlp9s0): supplicant management interface state: authenticating -> associating
2026/3/5 16:45	NetworkManager	<info>  [1772700348.0264] device (wlp9s0): supplicant interface state: associating -> associated
2026/3/5 16:45	NetworkManager	<info>  [1772700348.0265] device (p2p-dev-wlp9s0): supplicant management interface state: associating -> associated
2026/3/5 16:45	NetworkManager	<info>  [1772700349.1053] device (wlp9s0): supplicant interface state: associated -> disconnected
2026/3/5 16:45	NetworkManager	<info>  [1772700349.1054] device (p2p-dev-wlp9s0): supplicant management interface state: associated -> disconnected
2026/3/5 16:45	NetworkManager	<info>  [1772700349.2907] device (wlp9s0): supplicant interface state: disconnected -> scanning
2026/3/5 16:45	NetworkManager	<info>  [1772700349.2908] device (p2p-dev-wlp9s0): supplicant management interface state: disconnected -> scanning
2026/3/5 16:46	NetworkManager	<info>  [1772700363.7809] device (wlp9s0): supplicant interface state: scanning -> authenticating
2026/3/5 16:46	NetworkManager	<info>  [1772700363.7810] device (p2p-dev-wlp9s0): supplicant management interface state: scanning -> authenticating
2026/3/5 16:46	NetworkManager	<info>  [1772700363.7891] device (wlp9s0): supplicant interface state: authenticating -> associating
2026/3/5 16:46	NetworkManager	<info>  [1772700363.7891] device (p2p-dev-wlp9s0): supplicant management interface state: authenticating -> associating
2026/3/5 16:46	NetworkManager	<info>  [1772700363.8986] device (wlp9s0): supplicant interface state: associating -> associated
2026/3/5 16:46	NetworkManager	<info>  [1772700363.8987] device (p2p-dev-wlp9s0): supplicant management interface state: associating -> associated
2026/3/5 16:46	NetworkManager	<info>  [1772700364.9656] device (wlp9s0): supplicant interface state: associated -> disconnected
2026/3/5 16:46	NetworkManager	<info>  [1772700364.9657] device (p2p-dev-wlp9s0): supplicant management interface state: associated -> disconnected
2026/3/5 16:46	NetworkManager	<info>  [1772700365.1507] device (wlp9s0): supplicant interface state: disconnected -> scanning
2026/3/5 16:46	NetworkManager	<info>  [1772700365.1508] device (p2p-dev-wlp9s0): supplicant management interface state: disconnected -> scanning
2026/3/5 16:46	NetworkManager	<warn>  [1772700368.9965] device (wlp9s0): Activation: (wifi) association took too long
2026/3/5 16:46	NetworkManager	<info>  [1772700368.9965] device (wlp9s0): state change: config -> need-auth (reason 'none', managed-type: 'full')
2026/3/5 16:46	NetworkManager	<warn>  [1772700368.9970] device (wlp9s0): Activation: (wifi) asking for new secrets
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8897] device (wlp9s0): state change: need-auth -> prepare (reason 'none', managed-type: 'full')
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8903] device (wlp9s0): state change: prepare -> config (reason 'none', managed-type: 'full')
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8907] device (wlp9s0): Activation: (wifi) connection '1X' has security, and secrets exist.  No new secrets needed.
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8908] Config: added 'ssid' value ''
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8908] Config: added 'scan_ssid' value '1'
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8908] Config: added 'bgscan' value 'simple:30:-65:300'
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8908] Config: added 'key_mgmt' value 'WPA-EAP FT-EAP FT-EAP-SHA384 WPA-EAP-SHA256'
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8908] Config: added 'auth_alg' value 'OPEN'
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8909] Config: added 'password' value '<hidden>'
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8909] Config: added 'eap' value 'PEAP'
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8909] Config: added 'fragment_size' value '1266'
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8909] Config: added 'phase2' value 'auth=MSCHAPV2'
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8909] Config: added 'identity' value '208'
2026/3/5 16:46	NetworkManager	<info>  [1772700372.8910] Config: added 'proactive_key_caching' value '1'
2026/3/5 16:46	NetworkManager	<info>  [1772700376.8107] device (wlp9s0): supplicant interface state: scanning -> authenticating
2026/3/5 16:46	NetworkManager	<info>  [1772700376.8108] device (p2p-dev-wlp9s0): supplicant management interface state: scanning -> authenticating
2026/3/5 16:46	NetworkManager	<info>  [1772700376.8185] device (wlp9s0): supplicant interface state: authenticating -> associating
2026/3/5 16:46	NetworkManager	<info>  [1772700376.8186] device (p2p-dev-wlp9s0): supplicant management interface state: authenticating -> associating
2026/3/5 16:46	NetworkManager	<info>  [1772700376.9304] device (wlp9s0): supplicant interface state: associating -> associated
2026/3/5 16:46	NetworkManager	<info>  [1772700376.9304] device (p2p-dev-wlp9s0): supplicant management interface state: associating -> associated
2026/3/5 16:46	NetworkManager	<info>  [1772700378.0091] device (wlp9s0): supplicant interface state: associated -> disconnected
2026/3/5 16:46	NetworkManager	<info>  [1772700378.0091] device (p2p-dev-wlp9s0): supplicant management interface state: associated -> disconnected
2026/3/5 16:46	NetworkManager	<info>  [1772700378.1930] device (wlp9s0): supplicant interface state: disconnected -> scanning
2026/3/5 16:46	NetworkManager	<info>  [1772700378.1930] device (p2p-dev-wlp9s0): supplicant management interface state: disconnected -> scanning
2026/3/5 16:46	NetworkManager	<warn>  [1772700397.9964] device (wlp9s0): Activation: (wifi) association took too long
2026/3/5 16:46	NetworkManager	<info>  [1772700397.9965] device (wlp9s0): state change: config -> failed (reason 'no-secrets', managed-type: 'full')
2026/3/5 16:46	NetworkManager	<info>  [1772700397.9969] manager: NetworkManager state is now CONNECTED_LOCAL
2026/3/5 16:46	NetworkManager	<info>  [1772700398.0133] device (wlp9s0): set-hw-addr: set MAC address to AAAA (scanning)
2026/3/5 16:46	NetworkManager	<warn>  [1772700398.0976] device (wlp9s0): Activation: failed for connection 'X'

日志与前述症状一致，依然没有关键线索。
继续排查 NetworkManager 的无线后端 wpa_supplicant 的日志 journalctl -xeu wpa_supplicant：

2026/3/11 08:00	wpa_supplicant	nl80211: send_event_marker failed: Source based routing not supported
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-DISCONNECTED bssid=AAAA reason=3 locally_generated=1
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-DSCP-POLICY clear_all
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
2026/3/11 08:00	NetworkManager	<info>  [1773187200.7302] Config: added 'key_mgmt' value 'WPA-EAP FT-EAP FT-EAP-SHA384 WPA-EAP-SHA256'
2026/3/11 08:00	wpa_supplicant	wlp9s0: SME: Trying to authenticate with AAAA (SSID='X' freq=5745 MHz)
2026/3/11 08:00	wpa_supplicant	wlp9s0: Trying to associate with AAAA (SSID='X' freq=5745 MHz)
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-REGDOM-CHANGE init=BEACON_HINT type=UNKNOWN
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-REGDOM-BEACON-HINT before freq=5745 max_tx_power=2000 no_ir=1
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-REGDOM-BEACON-HINT after freq=5745 max_tx_power=2000
2026/3/11 08:00	wpa_supplicant	wlp9s0: Associated with AAAA
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-EAP-STARTED EAP authentication started
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
2026/3/11 08:00	wpa_supplicant	SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
2026/3/11 08:00	wpa_supplicant	OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
2026/3/11 08:00	wpa_supplicant	wlp9s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

最后发现 OpenSSL 的加密策略过于严格，而我要连的 WiFi 设备较旧，用的还是较旧的加密方式，导致认证失败。

解决

既然问题在 OpenSSL，且为了不修改全局配置，可以单独为 wpa_supplicant 指定配置文件，编辑 /etc/wpa_supplicant/openssl.cnf：

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=1

编辑 wpa_supplicant 的 service 文件：

### Editing /etc/systemd/system/wpa_supplicant.service.d/override.conf
### Anything between here and the comment below will become the contents of the drop-in file

+Environment="OPENSSL_CONF=/etc/wpa_supplicant/openssl.cnf"

### Edits below this comment will be discarded

重启 wpa_supplicant 即可。