diff --git a/config/automatrop/roles/system/templates/wpa_supplicant.conf.j2 b/config/automatrop/roles/system/templates/wpa_supplicant.conf.j2
index 1ba78c3..b380481 100644
--- a/config/automatrop/roles/system/templates/wpa_supplicant.conf.j2
+++ b/config/automatrop/roles/system/templates/wpa_supplicant.conf.j2
@@ -20,7 +20,11 @@ so we're using a `ssid` attribute, which default to the names for SSIDs without
 {% set suffixes = lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=suffixes') or [''] %}
 {% set ssid = lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=ssid') or name %}
 {% set type = lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=type') or 'wpa' %}
+{% if type in ('wpa', 'wep', 'wpa-eap') %}
 {% set pass = lookup('community.general.passwordstore', 'wifi/' + name) %}
+{% else %}
+{% set pass = 'Error, no pass for type ' + type %}
+{% endif %}
 # {{ name }}
 {% for suffix in suffixes %}
 network={
@@ -30,6 +34,14 @@ network={
 {% elif type == 'wep' %}
     key_mgmt=NONE
     wep_key0={{ pass }}
+{% elif type == 'wpa-eap' %}
+    key_mgmt=WPA-EAP
+    eap={{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=eap') }}
+    identity="{{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=identity') }}"
+    password="{{ pass }}"
+    ca_cert="{{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=ca_cert') }}"
+    altsubject_match="{{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=altsubject_match') }}"
+    phase2="{{ lookup('community.general.passwordstore', 'wifi/' + name + ' subkey=phase2') }}"
 {% elif type == 'open' %}
     key_mgmt=NONE
 {% else %}