How to Connect to Wi-Fi Using EAP-PEAP on Linux

EAP-PEAP (Protected Extensible Authentication Protocol) is a secure and common method for enterprise Wi-Fi authentication. It uses a TLS tunnel and then authenticates using a username and password (typically with MSCHAPv2).

Option 1: GUI Using NetworkManager

1. Click the network icon and select your Wi-Fi network.
2. Under “Security,” choose WPA & WPA2 Enterprise.
3. Set the following:

• Authentication: Protected EAP (PEAP)
• Anonymous identity: Optional (e.g., anonymous@example.com)
• CA certificate: Recommended — e.g., /etc/ssl/certs/ca-cert.pem
• PEAP version: Automatic or 0
• Inner authentication: MSCHAPv2
• Username (identity): Your network login (e.g., user@example.com)
• Password: Your Wi-Fi or directory service password

Click Connect.

Option 2: CLI Using wpa_supplicant

1. Create Config File

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

2. Add This Configuration:

network={
    ssid="YourNetworkSSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="your-username@example.com"
    anonymous_identity="anonymous@example.com"
    password="your-password"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-cert.pem"
}

3. Start the Connection:

sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

Then get a DHCP address:

sudo dhclient wlan0

Troubleshooting

• Use dmesg or journalctl -u NetworkManager for logs.
• Ensure ca_cert is correct and readable.
• Check that the RADIUS server presents a certificate trusted by your system.

Security Tip

Always validate the RADIUS server’s certificate using ca_cert. This protects you from man-in-the-middle attacks. Avoid using ca_cert="/etc/ssl/certs/ca-cert.pem" blindly — verify the correct CA with your administrator.