Tips for troubleshooting 802.1X connections

By , Network World |  Networking, 802.1x

To further troubleshoot the server validation, verify/change some settings before re-enabling it and connecting:

" Ensure the computer or device has been using the correct Certificate Authority certificate for the server validation and consider reinstalling the certificate anyways.

" For Windows and other devices that allow you to specify the RADIUS server's IP or FQDN, verify they're correct and consider temporarily removing them to see if that might be your issue.

" For Windows and other devices that allow you to set the client to not prompt users for trusting new servers or Certificate Authorities, consider disabling that option in case you've made a change to your RADIUS server recently.

" Verify the system time of the client is correct because an incorrect time or date can cause issues if it doesn't fall inside the validity period of Certificate Authority certificate.

If the client still can't connect after verifying the server validation settings and disabling the validation altogether, next check other client settings that can be misconfigured:

" Verify the correct authentication mode (machine or user) is being used. In Windows 7 and later, click the advanced button on the network's properties dialog and verify the selected authentication mode. For Windows Vista and later, refer to Microsoft's support site.

" If using EAP-TLS, verify the system time of the client is correct because an incorrect time or date can cause issues if it doesn't fall inside the validity period of the user certificate.

If problems still persist, lastly consider reinstalling the network adapter driver on the client and verifying user attributes (VLAN ID, log-time, etc) on the RADIUS server.

4. Solve connectivity issues with a switch or access point

If multiple clients can't connect to your 802.1X network via a single switch or access point, first check if it's a general network issue, like the Ethernet/network connection and also consider power cycling the switch or access point. And then if problems persist, verify the RADIUS server settings in the switch or access point:

" Make sure the Shared Secret is the same as defined by the RADIUS server for that particular access point's IP address.

" Ensure the RADIUS IP address is set to the IP of the server.

" Ensure the defined RADIUS ports are those that your server is using, keeping in mind servers may use two different port pairs: 1812/1813 or 1645/1646.

Keep in mind; you want the RADIUS server and all switches and access points to have static IP addresses because if they change it will cause issues.

5. Turn to troubleshooting tools

For further troubleshooting, you might try using client-based tools and utilities. In Windows Vista or later, for instance, you can perform wireless tracing with the netsh wlan commands. Plus there are also third-party applications you might consider:

Radius Test is a Windows-based RADIUS testing tool featuring a GUI and command-line access. You can send simulated authentication and accounting requests to the RADIUS server and see the replies. It supports a wide range of EAP types.

Radlogin is a freeware RADIUS test client, available for Windows, FreeBSD, Sparc Solaris and Linux platforms. You can use to simulate, debug and monitor your RADIUS server. Its monitoring capabilities give you the ability to keep stats on RADIUS servers and supports email alerts.

In addition to troubleshooting tools, you might consider solutions to help distribute the 802.1X and other network settings to your clients, which can help reduce misconfigurations. If you deploy a domain network with a Windows Server, consider using Group Policy to distribute the settings. And for clients that aren't joined to the domain, consider using a solution such as XpressConnect, QuickConnect, or SU1x.

Eric Geier is a freelance tech writer keep up with his writings on his Facebook Fan Page. He's also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site computer services company.

Read more about wide area network in Network World's Wide Area Network section.

  Sign me up for ITworld's FREE daily newsletter!
Email: 
 


Originally published on Network World |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness