802.1X Auth in proxmox (linux networking)


Renowned Member
Mar 10, 2014
Kingsclere, United Kingdom
Hi all,

I have been trying to implement 802.1X auth on my Proxmox host via wpa_supplicant with EAP-TLS using certificates issued by this particular sites network team.

However.... No matter what I try, or how many times I get a new set of certs, I am failing on auth due to an 'openssl wrong version' or decrypt error.

I have followed just about every generic guide to configuring .1x on Debian via the wpa_supplicant but am having no luck.

Exceprt of a typical error below:

root@DB-PROX21MF:/# wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i vmbr0 Successfully initialized wpa_supplicant vmbr0: Associated with 01:80:c2:00:00:03 vmbr0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0 vmbr0: CTRL-EVENT-EAP-STARTED EAP authentication started vmbr0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 vmbr0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected vmbr0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/DC=com/DC=21mbmn/Cxxxx' hash=xxxxxxx vmbr0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='xxxx' hash=xxxx vmbr0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:xxxxx SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version OpenSSL: openssl_handshake - SSL_connect error:0A00010B:SSL routines::wrong version number vmbr0: CTRL-EVENT-EAP-FAILURE EAP authentication failed ^Cvmbr0: CTRL-EVENT-DISCONNECTED bssid=xxxxx3 reason=3 locally_generated=1 vmbr0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 duration=10 reason=AUTH_FAILED vmbr0: CTRL-EVENT-DSCP-POLICY clear_all vmbr0: CTRL-EVENT-DSCP-POLICY clear_all vmbr0: CTRL-EVENT-TERMINATING

Has anyone done this successfully and could share their conf/experiences? I am using standard linux networking, 1 ethernet adapter into 1 bridge. Plugged into an access port.

Are you using Microsoft NPS as RADIUS server?
If yes, check the event log for rejected authentications with reason code 16 and follow https://support.microsoft.com/en-us...trollers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 .

Ran into the same problem yesterday and ended up setting "altSecurityIdentities" for all AD computer accounts, which need to be mapped to manually issued computer certificates.

The error message from OpenSSL is completely misleading here. Looks like the reply from NPS doesn't contain a TLS version number at a payload offset, where OpenSSL expects one.
clsa wrote on Jan 17, 2024
Are you using Microsoft NPS as RADIUS server?

Hello there! I am having a very similar (the same?) issue, and yes, with MS NPS as Radius server... no success so far with clsa's suggestion, but that does not mean very much: I am (still) not a Windows guy. All the more, I'd be glad to hear, if this is a promising pile to dig through, or rather not...!
Last edited:


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!