diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2
index 8f140f6cb..cd35d6d1e 100644
--- a/data/templates/ethernet/wpa_supplicant.conf.j2
+++ b/data/templates/ethernet/wpa_supplicant.conf.j2
@@ -1,72 +1,77 @@
 ### Autogenerated by interfaces-ethernet.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
 
 # For UNIX domain sockets (default on Linux and BSD): This is a directory that
 # will be created for UNIX domain sockets for listening to requests from
 # external programs (CLI/GUI, etc.) for status information and configuration.
 # The socket file will be named based on the interface name, so multiple
 # wpa_supplicant processes can be run at the same time if more than one
 # interface is used.
 # /var/run/wpa_supplicant is the recommended directory for sockets and by
 # default, wpa_cli will use it when trying to connect with wpa_supplicant.
 ctrl_interface=/run/wpa_supplicant
 
 # IEEE 802.1X/EAPOL version
 # wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
 # EAPOL version 2. However, there are many APs that do not handle the new
 # version number correctly (they seem to drop the frames completely). In order
 # to make wpa_supplicant interoperate with these APs, the version number is set
 # to 1 by default. This configuration value can be used to set it to the new
 # version (2).
 # Note: When using MACsec, eapol_version shall be set to 3, which is
 # defined in IEEE Std 802.1X-2010.
 eapol_version=2
 
 # No need to scan for access points in EAPoL mode
 ap_scan=0
 
 # EAP fast re-authentication
 fast_reauth=1
 
 network={
 {% if eapol is vyos_defined %}
 {%     if eapol.ca_certificate is vyos_defined %}
     ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem"
 {%     endif %}
     client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem"
     private_key="/run/wpa_supplicant/{{ ifname }}_cert.key"
 {% endif %}
 
     # list of accepted authenticated key management protocols
     key_mgmt=IEEE8021X
     eap=TLS
 
 {% if mac is vyos_defined %}
     identity="{{ mac }}"
 {% else %}
     identity="{{ hw_id }}"
 {% endif %}
 
     # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
     # Dynamic WEP key required for non-WPA mode
     # bit0 (1): require dynamically generated unicast WEP key
     # bit1 (2): require dynamically generated broadcast WEP key
     #      (3) = require both keys; default)
     # Note: When using wired authentication (including MACsec drivers),
     # eapol_flags must be set to 0 for the authentication to be completed
     # successfully.
     eapol_flags=0
 
     # For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
     # used to configure a mode that allows EAP-Success (and EAP-Failure) without
     # going through authentication step. Some switches use such sequence when
     # forcing the port to be authorized/unauthorized or as a fallback option if
     # the authentication server is unreachable. By default, wpa_supplicant
     # discards such frames to protect against potential attacks by rogue
     # devices, but this option can be used to disable that protection for cases
     # where the server/authenticator does not need to be authenticated.
-    phase1="allow_canned_success=1"
+    #
+    # "tls_disable_tlsv1_0=0" is used to allow TLSv1 for compatibility with
+    # legacy networks. This follows the behavior of Debian's wpa_supplicant,
+    # which includes a custom patch for allowing TLSv1, but the patch currently
+    # does not work for VyOS' git builds of wpa_supplicant.
+    phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
 }
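Review bot: The new `phase1` line enables TLS 1.0 for every wired 802.1X interface with no opt-in, so sites whose authentication server already negotiates TLS 1.2 lose their protocol floor and will now accept a peer that offers only TLS 1.0. This matters more because `ca_cert` is written only when `eapol.ca_certificate` is defined and `allow_canned_success=1` is already set, so in the no-CA case the server side of the EAP-TLS exchange is not verified at all. Consider emitting `tls_disable_tlsv1_0=0` only under an explicit legacy-TLS setting, for example `{% if eapol.<legacy_tls_option> is vyos_defined %}` around the extended `phase1` value (the option name is a placeholder), and keeping `phase1="allow_canned_success=1"` as the default. The added comment should also state that TLS 1.0 is deprecated and that this is a compatibility downgrade, for example `# WARNING: re-enables deprecated TLSv1.0; prefer upgrading the RADIUS server`.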