Troubleshooting Checklist for 802.1X on Your WLAN - Page 2
Check RADIUS Server
If you've verified the client settings and are still having problems you might want to check the RADIUS server, whether you're running IAS or NPS on a Windows Server, FreeRADIUS, or another authentication server. Verify it's up and check the logs to see if there are any clues. Also verify that the user database and any other required databases are running.
If all or many clients are having issues, the problem likely is with the authentication server. If you have a smaller network it may take awhile to see issues with more clients, as they will at least remain connected to the wireless LAN until they try to authenticate with the server again.
Check Access Point or Switch
You may want to check the wireless access point (AP) or switch that the problem client is connecting through. If the problem seems to be through a particular AP or switch, double check the IP address to what you have setup in the RADIUS server. Remember you must assign static IPs to the APs and switches since that is how the RADIUS server identifies them. Also verify the corresponding Shared Secret and other authentication settings on the AP or switch.
General Network Issues
If it's an older adapter, you can try to download and install an updated driver that might give you better interoperability and/or WPA/WPA2 support.
You may also find that the operating system is lacking WPA or WPA2 support. For Windows XP without any Service Pack installed, an update is available for adding WPA support. For Windows XP or Windows XP Service Pack 2, an update is available for adding WPA2 support. Windows XP Service Pack 3 contains both of these updates already.
Review User Settings and Attributes on RADIUS Server
If you've already verified the client settings and think this is an isolated issue, you might want to review the settings and attributes assigned to that specific user on the RADIUS server.
If you've assigned any custom attributes, you may want to disable them to see if they might be causing an issue. For example, you may have limited access to specific access points or switches with the NAS-Identifier or Called-Station-Identifier, or limited access from specific network adapters with the Calling-Station-Identifier. Most RADIUS servers also let you set login-times and an expiration date/time, which might cause an issue. If using VLANs, you might see if there are any problems there.
Perform Tracing and Review Client Logs
If the client is running Windows, you can use the tracing features of the Netsh command-line tool to help identify the underlying issue. For tracing of various networking components in Windows XP or later, you can use the netsh ras commands. In Windows Vista or later, you can perform wireless tracing with the netsh wlan commands.
If you're using a third-party 802.1X supplicant, you might check any available logs.
We discussed the key methods of troubleshooting 802.1X client issues. If you're now questioning 802.1X, keep in mind these 15 reasons to use 802.1X. You might also want to check out another piece that discusses overcoming the common 802.1x deployment issues including simplifying client configuration.
Eric Geier founded NoWiresSecurity, which helps businesses quickly and easily protect their Wi-Fi with enterprise-level security. He's also a freelance tech writer and author of many networking and computing books, for brands like For Dummies and Cisco Press.