diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c
index a4e5cc4d4c5e45f75c6083588213871ba2af84e4..3b67c86bd4135691309f89e7a8c227b5744b536e 100644
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@@ -1367,6 +1367,9 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
 g_string_append_printf(phase1, "%stls_disable_tlsv1_1=1", (phase1->len ? " " : ""));
 if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE))
 g_string_append_printf(phase1, "%stls_disable_tlsv1_2=1", (phase1->len ? " " : ""));
+ if (NM_FLAGS_HAS(phase1_auth_flags,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION))
+ g_string_append_printf(phase1, "%sallow_unsafe_renegotiation=1", (phase1->len ? " " : ""));
 
 if (phase1->len) {
 if (!add_string_val(self, phase1->str, "phase1", FALSE, NULL, error)) {
diff --git a/src/libnm-core-impl/nm-setting-8021x.c b/src/libnm-core-impl/nm-setting-8021x.c
index 41feae57a9785d673fc3b957a1eaa1a9a481149a..23a5d3e6996a4157290c15a12c608d462e0f13fa 100644
--- a/src/libnm-core-impl/nm-setting-8021x.c
+++ b/src/libnm-core-impl/nm-setting-8021x.c
@@ -3594,9 +3594,13 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
  *
  * Specifies authentication flags to use in "phase 1" outer
  * authentication using #NMSetting8021xAuthFlags options.
+ *
  * The individual TLS versions can be explicitly disabled. If a certain
  * TLS disable flag is not set, it is up to the supplicant to allow
  * or forbid it. The TLS options map to tls_disable_tlsv1_x settings.
+ * It also allows to set "tls-allow-unsafe-renegotiation" to workaround
+ * authentication servers that don't support RFC 5746 secure authentication.
+ *
  * See the wpa_supplicant documentation for more details.
  *
  * Since: 1.8
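Review bot: Appending `allow_unsafe_renegotiation=1` to phase1 deliberately re-enables pre-RFC 5746 TLS renegotiation for the outer EAP TLS handshake, yet nothing in the new `if` records that the connection is running with that protection off, so an operator reviewing a compromised network later has no trace of it. I'd emit a warning-level log line at the point the option is appended, something like `"802.1x: tls-allow-unsafe-renegotiation set, legacy TLS renegotiation enabled for this connection"`, using the logging helper this file already uses elsewhere, and add a one-line comment above the new `if` noting that this only affects the outer TLS handshake of TLS-based EAP methods (presumably only the supplicant's TLS backend consumes it — confirm against wpa_supplicant). It is also worth confirming that supplicants predating this phase1 parameter ignore the unknown key rather than rejecting the network block; if they reject it, the option should be gated on supplicant capability like other version-dependent settings. nm_supplicant_config_add_setting_8021x starts and ends outside the hunk.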
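Review bot: The added doc text misdescribes RFC 5746: that RFC specifies the TLS Renegotiation Indication Extension, i.e. secure renegotiation, not "secure authentication", and the paragraph gives no hint that setting the flag removes the mitigation for the TLS renegotiation man-in-the-middle attack, which is exactly what a user choosing this flag needs to know. I'd replace the two added sentences with ` * The "tls-allow-unsafe-renegotiation" flag permits legacy (pre-RFC 5746) TLS renegotiation as a workaround for authentication servers that do not implement secure renegotiation; it weakens the outer TLS handshake and should only be set for a specific legacy server.`, and also fix the ungrammatical "allows to set". The identical wording appears to be what the generated settings docs in this same commit carry, so correcting it here should correct those on regeneration. The enclosing nm_setting_802_1x_class_init starts and ends outside the hunk.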
diff --git a/src/libnm-core-public/nm-setting-8021x.h b/src/libnm-core-public/nm-setting-8021x.h
index 93c78fa374dd5a70518b92dc62bbd9976904e773..0ee344299ce4691ef77b137e95b64ac8f1946d51 100644
--- a/src/libnm-core-public/nm-setting-8021x.h
+++ b/src/libnm-core-public/nm-setting-8021x.h
@@ -65,6 +65,10 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
  * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
  * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
  * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION: Allow
+ * unsafe TLS renegotiation, if the authentication server does not support
+ * RFC 5746. This might open security vulnerabilities, but might
+ * be necessary to connect to legacy authentication servers. Since: 1.40.
  * @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
  *
  * #NMSetting8021xAuthFlags values indicate which authentication settings
@@ -76,12 +80,13 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
  * Since: 1.8
  */
 typedef enum /*< underscore_name=nm_setting_802_1x_auth_flags, flags >*/ {
- NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = 0x1,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = 0x2,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = 0x4,
+ NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = 0x1,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = 0x2,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = 0x4,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION = 0x8,
 
- NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x7,
+ NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0xF,
 } NMSetting8021xAuthFlags;
 
 #define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type())
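Review bot: The new doc for NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION says it "might open security vulnerabilities" without naming which, and the public header is where an integrator decides whether to expose this knob: permitting pre-RFC 5746 renegotiation re-enables the TLS renegotiation man-in-the-middle (plaintext prefix injection) attack that the extension was written to close. I'd tighten the added lines to ` * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION: Allow legacy TLS renegotiation with authentication servers that do not implement RFC 5746 (secure renegotiation). This disables the protection against the TLS renegotiation man-in-the-middle attack and should only be set for a specific legacy server. Since: 1.40.` so the trade-off is stated rather than implied. If the option is only honoured by a particular supplicant TLS backend, that belongs here too rather than behind "see the wpa_supplicant documentation".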
diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in
index 2a582ad7a2a5e5d70321fb092895e39b5e872825..69652113b2c12b3025491b1b2d35ae7a8c4fce33 100644
--- a/src/libnmc-setting/settings-docs.h.in
+++ b/src/libnmc-setting/settings-docs.h.in
@@ -62,7 +62,7 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_FLAGS N_("Flags indicating how to handle the \"password\" property.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_RAW N_("Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the \"password\" property and the \"password-raw\" property are specified, \"password\" is preferred.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_RAW_FLAGS N_("Flags indicating how to handle the \"password-raw\" property.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_AUTH_FLAGS N_("Specifies authentication flags to use in \"phase 1\" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_AUTH_FLAGS N_("Specifies authentication flags to use in \"phase 1\" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. It also allows to set \"tls-allow-unsafe-renegotiation\" to workaround authentication servers that don't support RFC 5746 secure authentication. See the wpa_supplicant documentation for more details.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING N_("Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the \"eap\" property. Recognized values are \"0\" (disabled), \"1\" (allow unauthenticated provisioning), \"2\" (allow authenticated provisioning), and \"3\" (allow both authenticated and unauthenticated provisioning). 
See the wpa_supplicant documentation for more details.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPLABEL N_("Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to \"1\" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPVER N_("Forces which PEAP version is used when PEAP is set as the EAP method in the \"eap\" property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to \"0\" or \"1\" to force that specific PEAP version.")
diff --git a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
index 525b36b634cbdc5816409d7a97996e723f2b188d..496fbc0304c5ca728adb9b63bec2a4448a93e7f8 100644
--- a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
+++ b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
@@ -143,7 +143,7 @@
+ description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. It also allows to set &quot;tls-allow-unsafe-renegotiation&quot; to workaround authentication servers that don't support RFC 5746 secure authentication. See the wpa_supplicant documentation for more details." />