You plugged in and the network is dead
You connect your laptop to the office wall jack or the campus Wi-Fi, and the status icon spins forever. NetworkManager reports "Supplicant state change: 4-way handshake failed" or simply refuses to bring up the link. Your IT department sent you a certificate file and a username, but Fedora does not have a wizard that matches the Windows Network Connections dialog. You need to configure 802.1X authentication manually so the switch or access point grants you access.
How 802.1X actually works
802.1X is port-based network access control. Think of the network switch as a door with a bouncer. Your machine (the supplicant) is the patron trying to enter. The switch or access point (the authenticator) is the bouncer, and the RADIUS server is the ID database the bouncer phones. Before your machine gets an IP address, the switch blocks all traffic on the port except EAPOL, the Ethernet frames that carry EAP authentication.
NetworkManager orchestrates the process. It hands the 802.1X settings from the connection profile to wpa_supplicant, which runs the EAP exchange. The switch relays EAP between your supplicant and the RADIUS server; your machine never talks to RADIUS directly. If the server approves, the switch authorizes the port, normal traffic flows and DHCP proceeds. If the server denies access, the port stays blocked and you get no IP address. One consequence matters for everything below: during EAP the supplicant is speaking TLS to a server it cannot see, so the only thing that stops a rogue switch or access point from impersonating the network is the supplicant's check of the RADIUS server's certificate.
When NetworkManager is in charge, wpa_supplicant does not read /etc/wpa_supplicant/wpa_supplicant.conf. NetworkManager drives the supplicant over D-Bus and passes the settings at activation time, so editing that file by hand has no effect on NetworkManager-managed interfaces and the two configurations silently drift apart. Use nmcli to manage the profiles. nmcli writes each profile as a keyfile under /etc/NetworkManager/system-connections/ (mode 0600, readable only by root), and the settings persist across reboots.
Keep the profile in NetworkManager. Manual supplicant files drift; nmcli stays consistent.
Configure the connection
Install the backend tools if they are missing. Fedora Workstation ships both already; a minimal or Server install may not. The wpa_supplicant package provides the 802.1X logic for wired and wireless interfaces alike.
sudo dnf install NetworkManager-wifi wpa_supplicant -y
# -y skips the confirmation prompt for speed
# NetworkManager-wifi adds Wi-Fi support if you are on a laptop
# wpa_supplicant handles the 802.1X handshake logic
Create a directory for your certificates if you are using EAP-TLS. Storing certificates under /etc/pki/ follows Fedora conventions, keeps the private key out of user home directories, and gives the files the SELinux label wpa_supplicant is allowed to read. Copy the files in with cp rather than mv so they inherit that label instead of carrying the home-directory label with them.
sudo mkdir -p /etc/pki/client
# Creates the directory for custom certificates if it does not exist
sudo chmod 700 /etc/pki/client
# Restricts access to root only for security
EAP-TLS with certificates
Use EAP-TLS when your organization issues client certificates. This method requires the CA certificate that signed the RADIUS server's certificate, a client certificate, and its private key. Create the connection profile for a wired interface (replace eth0 with the name ip link shows for your interface).
sudo nmcli connection add type ethernet con-name corp-8021x ifname eth0 \
802-1x.eap tls \
802-1x.identity "user@company.com" \
802-1x.ca-cert "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" \
802-1x.client-cert "/etc/pki/client/user-cert.pem" \
802-1x.private-key "/etc/pki/client/user-key.pem" \
802-1x.private-key-password "" \
ipv4.method auto
# type ethernet sets the connection for a wired interface
# 802-1x.eap tls selects certificate-based authentication. There is no inner (phase 2) method, so leave 802-1x.phase2-auth unset; nmcli rejects "none", the only accepted values are pap, chap, mschap, mschapv2, gtc, otp, md5 and tls
# 802-1x.identity is the outer identity, sent in the cleartext EAP-Identity exchange; usually the username in the certificate
# 802-1x.ca-cert is the CA that signed the RADIUS server's certificate. The system bundle shown here works but trusts every public CA; prefer the CA file your IT department sent, copied into /etc/pki/client/, and add 802-1x.domain-suffix-match with the RADIUS server's hostname so only that server's certificate is accepted
# 802-1x.client-cert is your machine's certificate presented to the network
# 802-1x.private-key is the secret key matching the client certificate
# 802-1x.private-key-password is empty for an unencrypted PEM key; give the passphrase for an encrypted key or a .p12 bundle (NetworkManager accepts a PKCS#12 file here, with 802-1x.client-cert pointing at the same file)
# ipv4.method auto requests an IP address via DHCP after authentication succeeds
Activate the profile to start the handshake.
sudo nmcli connection up corp-8021x
# Activates the profile and triggers the 802.1X handshake
EAP-PEAP with password
Use EAP-PEAP when you authenticate with a username and password. This is common for university networks or organizations using MS-CHAPv2. Modify the existing profile to switch methods; the ca-cert you set for EAP-TLS stays in place, and it is what protects the password.
sudo nmcli connection modify corp-8021x \
802-1x.eap peap \
802-1x.phase2-auth mschapv2 \
802-1x.anonymous-identity "anonymous@company.com" \
802-1x.password "your_secure_password"
# 802-1x.eap peap switches to Protected EAP: a TLS tunnel to the RADIUS server with the real authentication inside it
# 802-1x.phase2-auth mschapv2 sets the inner authentication method
# 802-1x.anonymous-identity is the outer identity, sent in cleartext before the tunnel exists; keep the realm so the request is routed and drop the username (ask IT which realm they expect)
# 802-1x.identity, still set from the previous step, is the username sent inside the tunnel; there is no phase2-identity property, nmcli rejects it
# 802-1x.password given on the command line lands in your shell history; the --ask variant below avoids that
Keep 802-1x.ca-cert set when you use PEAP. Without it wpa_supplicant accepts any server certificate, and a rogue access point announcing the same SSID can collect your MS-CHAPv2 response, which is crackable offline. 802-1x.domain-suffix-match narrows the trust further to the real RADIUS server's hostname.
By default (802-1x.password-flags 0) NetworkManager stores the password in the profile's keyfile under /etc/NetworkManager/system-connections/, readable only by root, and the connection autoconnects on boot without prompting. If you prefer to enter the password each time, set 802-1x.password-flags 2 (not saved) instead of a password, then activate with nmcli --ask connection up corp-8021x, which prompts for the missing secret.
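The exposures described above (no CA, the system bundle, no domain match, the real username in the outer identity, the password on disk) can be audited from the profile itself. The following shell script is an added example, not part of the original page or of NetworkManager: it reads the 802-1x section of a profile in the one-property-per-line form that nmcli -t -f 802-1x connection show <name> prints (assumed here, including that unset values show as "--" or empty and flags as "N (label)") and prints one finding per exposure. The sample input is constructed to mirror the corp-8021x profile after the PEAP step if ca-cert had never been set.

```sh
#!/bin/sh
# Added example: audit a NetworkManager profile's 802-1x settings for the
# mistakes that hand credentials to a rogue access point or RADIUS server.
# Not part of the original page or of NetworkManager.
#
# Input: one "802-1x.<property>:<value>" line per property on stdin, the
# form `nmcli -t -f 802-1x connection show <name>` prints (assumption:
# unset values appear as "--" or empty, flag values as "N (label)").

audit_8021x_profile() {
    eap=""; ca_cert=""; system_ca=""; suffix=""; domain=""
    pwflags=""; anon=""; identity=""
    while IFS= read -r line; do
        key=${line%%:*}
        value=${line#*:}
        [ "$value" = "--" ] && value=""
        case "$key" in
            802-1x.eap)                 eap=$value ;;
            802-1x.ca-cert)             ca_cert=$value ;;
            802-1x.system-ca-certs)     system_ca=$value ;;
            802-1x.domain-suffix-match) suffix=$value ;;
            802-1x.domain-match)        domain=$value ;;
            802-1x.password-flags)      pwflags=${value%% *} ;;   # "0 (none)" -> 0
            802-1x.anonymous-identity)  anon=$value ;;
            802-1x.identity)            identity=$value ;;
        esac
    done

    tunnelled=0                       # password travels inside a TLS tunnel
    case "$eap" in peap|ttls|fast) tunnelled=1 ;; esac

    # No CA at all: the supplicant will complete TLS with anyone.
    if [ -z "$ca_cert" ] && [ "$system_ca" != "yes" ]; then
        msg="FAIL no ca-cert: the RADIUS server certificate is not verified, so a rogue access point can impersonate the network"
        [ "$tunnelled" = 1 ] && msg="$msg and collect the inner password or MSCHAPv2 response"
        echo "$msg"
    fi
    # The public bundle: any CA in it can issue a certificate the supplicant accepts.
    case "$ca_cert" in
        */ca-trust/*|*/ca-bundle*|*/ca-certificates*)
            echo "WARN ca-cert is the system trust bundle: any public CA can issue a certificate the supplicant accepts; pin the organisation's RADIUS CA" ;;
    esac
    # A CA but no name check: every certificate that CA ever issued is accepted.
    if { [ -n "$ca_cert" ] || [ "$system_ca" = "yes" ]; } && [ -z "$suffix" ] && [ -z "$domain" ]; then
        echo "WARN no domain-suffix-match/domain-match: every certificate from the trusted CA is accepted, not just the RADIUS server's"
    fi
    if [ "$tunnelled" = 1 ]; then
        [ -z "$anon" ] && echo "WARN anonymous-identity unset: '$identity' is sent in the cleartext outer EAP-Identity; set e.g. anonymous@realm"
        [ "$pwflags" = "0" ] && echo "INFO password-flags 0: password is stored in the root-only keyfile under /etc/NetworkManager/system-connections/; use flags 2 with nmcli --ask to keep it off disk"
    fi
    return 0
}

# Constructed sample: the page's corp-8021x profile after the PEAP modify
# step, as it would look if ca-cert had never been set.
sample_peap_profile() {
    printf '%s\n' \
        '802-1x.eap:peap' \
        '802-1x.identity:user@company.com' \
        '802-1x.anonymous-identity:--' \
        '802-1x.ca-cert:--' \
        '802-1x.system-ca-certs:no' \
        '802-1x.domain-suffix-match:--' \
        '802-1x.domain-match:--' \
        '802-1x.phase2-auth:mschapv2' \
        '802-1x.password-flags:0 (none)'
}

sample_peap_profile | audit_8021x_profile
```

On a real machine, pipe nmcli -t -f 802-1x connection show corp-8021x into audit_8021x_profile instead of the sample. A profile that pins the organisation's CA, sets domain-suffix-match, uses an anonymous outer identity and keeps the password off disk produces no output.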
Verify the handshake
Check the connection status and confirm the IP address was assigned.
nmcli connection show corp-8021x
# Displays the full configuration and current state of the profile
nmcli device status
# Shows each interface's state; "connected" means 802.1X succeeded and DHCP completed. nmcli device show <ifname> lists the assigned address (IP4.ADDRESS)
Inspect the logs if the connection fails. The EAP exchange itself is logged by wpa_supplicant under its own unit, so read both units together.
journalctl -b -u NetworkManager -u wpa_supplicant | grep -iE "802.1x|eap|supplicant"
# -b restricts the output to the current boot
# -u NetworkManager -u wpa_supplicant merges both units in time order
# grep isolates the authentication-related messages; drop it to see the surrounding context
Read the journal before you reboot or re-plug. wpa_supplicant logs exactly why the handshake failed: CTRL-EVENT-EAP-TLS-CERT-ERROR names the certificate that was rejected, "Failed to load private key" means it could not read or decrypt the key, and CTRL-EVENT-EAP-SUCCESS or CTRL-EVENT-EAP-FAILURE gives the final verdict. Add -x if you want the catalog explanations attached to each line; -e only matters when you read in the pager rather than piping to grep.
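The mapping from log line to setting, as an added shell example that is not part of the original page or of wpa_supplicant: it reads journal lines on stdin and turns wpa_supplicant's CTRL-EVENT-* messages and OpenSSL error text into a verdict naming the profile property to look at. The sample lines are constructed to resemble a PEAP attempt that fails on the server certificate; the PIDs, interface name and hostname are made up.

```sh
#!/bin/sh
# Added example: turn the journal lines from `journalctl -b -u NetworkManager
# -u wpa_supplicant` into a verdict and the nmcli setting to check. Not part
# of the original page or of wpa_supplicant/NetworkManager. Patterns are
# wpa_supplicant's CTRL-EVENT-* messages and its OpenSSL error text; the
# sample lines below are constructed, not captured.

# triage_8021x_log: journal lines on stdin, one verdict line on stdout.
# A later conclusive event overrides an earlier one, so feeding a whole
# boot's log reports the state of the last attempt.
triage_8021x_log() {
    verdict=""
    while IFS= read -r line; do
        case "$line" in
            *CTRL-EVENT-EAP-TLS-CERT-ERROR*|*"certificate verify failed"*|*"unknown CA"*)
                verdict="server-cert: RADIUS server certificate rejected; check 802-1x.ca-cert (is it the CA that signed the server cert?) and 802-1x.domain-suffix-match" ;;
            *"Failed to load private key"*|*"Failed to read private key"*)
                verdict="client-key: wpa_supplicant cannot use the private key; check PEM format, 802-1x.private-key-password and the SELinux label (ls -Z)" ;;
            *CTRL-EVENT-EAP-FAILURE*)
                # only meaningful when nothing more specific already explained it
                case "$verdict" in
                    ""|ok*) verdict="credentials: server rejected the exchange; check 802-1x.identity/password, or that the client cert is issued by a CA the server trusts" ;;
                esac ;;
            *"EAPOL: Supplicant port status: Authorized"*|*CTRL-EVENT-EAP-SUCCESS*)
                verdict="ok: EAP succeeded; a missing address is now a DHCP or VLAN problem, not authentication" ;;
            *"No suitable device found"*)
                verdict="ifname: profile is bound to an interface that does not exist; check ip link and connection.interface-name" ;;
        esac
    done
    echo "${verdict:-inconclusive: no EAP events at all; the switch port may not run 802.1X, or the profile never activated}"
}

# Constructed sample: a PEAP attempt against a server whose certificate was
# issued by a CA the profile does not trust.
sample_failed_log() {
    printf '%s\n' \
        'wpa_supplicant[812]: enp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started' \
        'wpa_supplicant[812]: enp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25' \
        'wpa_supplicant[812]: enp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected' \
        'wpa_supplicant[812]: enp3s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject=/CN=radius.company.com' \
        'wpa_supplicant[812]: enp3s0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject=/CN=radius.company.com err=unable to get local issuer certificate' \
        'wpa_supplicant[812]: enp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed' \
        'NetworkManager[701]: <warn> device (enp3s0): Activation: (ethernet) 802.1X authentication failed'
}

sample_failed_log | triage_8021x_log
```

On a real machine, pipe the journalctl command above (without the grep) into triage_8021x_log. Note the ordering: the CERT-ERROR is reported even though an EAP-FAILURE follows it, because the failure is the consequence and the certificate rejection is the cause.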
Common pitfalls and error messages
SELinux blocks certificate access
Fedora runs SELinux in enforcing mode, and wpa_supplicant runs in its own confined domain. It may read files labeled cert_t, the label the policy assigns to everything under /etc/pki, but not files that still carry a home-directory label. That happens when you mv the files into place instead of cp: mv keeps the original label. If authentication fails immediately after the files were put in place, check the labels.
ls -Z /etc/pki/client/
# Lists files with their SELinux security contexts
If the files show user_home_t instead of cert_t, wpa_supplicant is blocked. Reset the labels to what the policy defines for the path.
sudo restorecon -Rv /etc/pki/client
# Relabels the directory and both files to cert_t from the policy's file contexts; -v prints each change
Prefer restorecon over chcon: a chcon change survives only until the next relabel, while restorecon applies the label the policy already knows for /etc/pki.
SELinux denials show up in journalctl -t setroubleshoot with a one-line summary, or in ausearch -m AVC -ts recent if setroubleshoot-server is not installed. Read those before reaching for setenforce 0. Disabling SELinux is never the right fix for a label issue.
Certificate format mismatch
Windows exports a certificate on its own as a DER-encoded .cer file, and a certificate together with its private key as a PKCS#12 .pfx bundle. NetworkManager accepts PEM and DER certificates, and it can take the .pfx directly in 802-1x.private-key (with 802-1x.client-cert pointing at the same file and the export password in 802-1x.private-key-password), but PEM is the one format every tool reads, so convert once and stop guessing. If you see Failed to read private key, Failed to load private key or Certificate verification failed, the file is probably not what the setting expects. Convert the files; a .pfx must first be split into certificate and key with openssl pkcs12.
sudo openssl x509 -inform der -in user-cert.der -out /etc/pki/client/user-cert.pem
# Converts a DER (.cer) certificate to the PEM format used in the profile
sudo openssl pkey -inform der -in user-key.der -out /etc/pki/client/user-key.pem
# Converts a DER private key to PEM; pkey handles RSA and EC keys, openssl rsa only RSA
Convert to PEM before you cry, then check that the key matches the certificate: the public key printed by openssl x509 -noout -pubkey -in user-cert.pem must be identical to the one from openssl pkey -pubout -in user-key.pem.
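The conversion and the key-matches-certificate check above, as an added shell example that is not part of the original page: it accepts DER, PEM or a Windows .pfx, writes the PEM files the corp-8021x profile expects, and refuses to proceed when the key does not belong to the certificate, the CA did not issue it, or it is about to expire. It needs only openssl. The certificates it runs on are a throwaway CA and client certificate generated inside the script (constructed test material, not real credentials); the .pfx password, file names and the 30-day expiry threshold are assumptions.

```sh
#!/bin/sh
# Added example: normalise whatever IT sent (DER .cer, .pfx bundle, PEM) into
# the PEM files the corp-8021x profile expects, then prove they belong
# together before NetworkManager ever sees them. Not part of the original
# page; needs only openssl. Sample material is generated below.

# to_pem_cert IN OUT: accept a PEM or DER certificate, write PEM
to_pem_cert() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM -out "$2"
    else
        openssl x509 -in "$1" -inform DER -out "$2"
    fi
}

# to_pem_key IN OUT: accept a PEM or DER private key (RSA or EC), write PEM
to_pem_key() {
    if openssl pkey -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl pkey -in "$1" -inform PEM -out "$2"
    else
        openssl pkey -in "$1" -inform DER -out "$2"
    fi
}

# split_pkcs12 IN.pfx PASSWORD OUTDIR: a Windows export carries the client
# certificate, its key and usually the CA in one file; unpack all three.
# (Exports from old Windows versions may need -legacy on OpenSSL 3.)
split_pkcs12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/user-cert.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/user-key.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/ca.pem" 2>/dev/null
}

# cert_matches_key CERT KEY: the public key inside the certificate must be
# the one derived from the private key, or the TLS handshake fails
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_chains_to CERT CA: the CA file must really have issued the cert. Run
# against the RADIUS server's certificate, this is what 802-1x.ca-cert checks.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS: true if the cert is still valid DAYS from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# preflight CERT KEY CA: run every check, print one line each, fail if any fails
preflight() {
    rc=0
    if cert_matches_key "$1" "$2"; then echo "ok   private key matches certificate"
    else echo "FAIL private key does not match certificate"; rc=1; fi
    if cert_chains_to "$1" "$3"; then echo "ok   certificate issued by $3"
    else echo "FAIL certificate is not issued by $3"; rc=1; fi
    if cert_valid_for_days "$1" 30; then echo "ok   certificate valid for at least 30 days"
    else echo "FAIL certificate expired or expires within 30 days"; rc=1; fi
    return $rc
}

# make_sample_material DIR: constructed test material only (throwaway CA,
# client cert signed by it, DER and .pfx copies, plus an unrelated key)
make_sample_material() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example RADIUS CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user@company.com" \
        -keyout "$d/user-key.pem" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 90 -out "$d/user-cert.pem" 2>/dev/null
    openssl x509 -in "$d/user-cert.pem" -outform DER -out "$d/user-cert.der"
    openssl pkey -in "$d/user-key.pem" -outform DER -out "$d/user-key.der"
    openssl pkcs12 -export -in "$d/user-cert.pem" -inkey "$d/user-key.pem" \
        -certfile "$d/ca.pem" -passout pass:changeit -out "$d/user.pfx"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other-key.pem" 2>/dev/null
}

work=$(mktemp -d)
make_sample_material "$work"
to_pem_cert "$work/user-cert.der" "$work/cert-from-der.pem"
to_pem_key  "$work/user-key.der"  "$work/key-from-der.pem"
preflight "$work/cert-from-der.pem" "$work/key-from-der.pem" "$work/ca.pem"
```

With real files, run preflight against the PEM outputs and the CA file IT sent before copying anything into /etc/pki/client/: a FAIL on the key check means the .pfx or .cer you were given does not belong to that key, and no amount of nmcli work will fix it.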
Interface name mismatch
Fedora uses predictable network interface names like enp3s0 instead of eth0. If you created the profile with ifname eth0 but your interface is enp3s0, activation fails with "No suitable device found for this connection".
ip link
# Lists all network interfaces and their current names
Check ifname against ip link and fix the profile with nmcli connection modify corp-8021x connection.interface-name enp3s0, or leave ifname out when you create the profile so it matches any wired interface. Predictable names break scripts that assume eth0.
Firewall confusion
802.1X runs at the link layer: EAPOL frames are not IP packets, so firewalld never sees them and cannot block the handshake. If authentication succeeds (nmcli device status shows the device connected, or the journal shows CTRL-EVENT-EAP-SUCCESS) and you still get no address, look at DHCP and the VLAN the switch assigned, not at your firewall. The zone is still worth a glance on a host where someone has tightened it.
sudo firewall-cmd --list-all
# Displays the active zone and allowed services
Remember how firewalld persists changes: a rule added without --permanent is live immediately but lost on reload or reboot, and one added with --permanent is not live until firewall-cmd --reload. Once a runtime configuration works, firewall-cmd --runtime-to-permanent saves it.
Choose the right authentication method
Use EAP-TLS when your IT department provides a client certificate and private key, and the network requires mutual authentication.
Use EAP-PEAP when you log in with a username and password, and the network uses a standard RADIUS server with MS-CHAPv2.
Use EAP-TTLS when your organization supports flexible inner authentication methods, such as PAP or CHAP, inside a TLS tunnel. With PAP the password itself travels inside the tunnel, so the CA and domain checks on the server certificate are the only thing protecting it.
Use nmcli when you need to script the configuration or manage connections on a headless server.
Use the NetworkManager GUI when you prefer visual feedback and are configuring a desktop workstation.
Use wpa_supplicant directly only when NetworkManager is unavailable or you are debugging a low-level driver issue.