Troubleshooting Checklist for 802.1X on Your WLAN
If you're having problems with 802.1X authentication on your WLAN, our troubleshooting guide might save you some hair-pulling.
WPA/WPA2-Enterprise with 802.1X authentication provides secure and robust Wi-Fi security for businesses. Though 802.1X isn't the easiest protocol to implement, it should be a must for all organizations with more than a couple of employees using the wireless network. In this tutorial, we'll discuss how to troubleshoot 802.1X client issues.
Verify Client Settings
The 802.1X settings on the client is a frequent trouble spot and is likely the cause if the problem is isolated to a single client. You should verify all encryption and authentication settings are correctly configured.
If the client is using Windows with a third-party wireless connection manager and/or 802.1X supplicant, you might want to disable or uninstall them and revert to using Windows. If the client is another OS or mobile device, you should verify settings similar to those discussed here.
In Windows, bring up the network profile or properties window (figure 1 shows an example) and start by verifying you have selected the right authentication and encryption settings. For instance, WPA with TKIP or WPA2 with AES, depending upon which is supported by your access points (APs).
In Windows 7, you'll also find an Advanced button on the Security tab of the Wireless Network Properties window. Click it and verify those settings, such as seen in figure 2. One key setting is the authentication mode. If you're unsure about it, select User or computer authentication.
Next verify the right authentication method: Protected EAP (PEAP) or Smart Card or other certificate for EAP-TLS. If you're using a third-party supplicant instead of the one built into Windows, make sure it's selected.
Next, open the Protected EAP (PEAP) or Smart Card or other certificate settings by clicking the Settings button in Windows Vista and 7 or clicking the Properties button in Windows XP. Figure 3 shows an example of the Protected EAP (PEAP) settings and figure 4 of the Smart Card or other certificate settings.
For either authentication method, verify the selected server certificate. Double-click on it to verify it's the right one and not expired. If you have a server specified in the Connect to these servers field, consider disabling that option for now to see if that might be the issue. Furthermore, you might uncheck the Validate server certificate option temporally to see if the problem might be related to the server certificate. Just remember to re-enable it later for security reasons.
If using Protected EAP (PEAP), ensure the Secured password (EAP-MSCHAP v2) option is selected on the Properties dialog. Then click the Configure button to verify the setting (see figure 5), which should only be selected if the user credentials on the RADIUS server match the Windows account credentials.
If using EAP-TLS with a Smart Card or certificate, verify the settings on the Properties dialog. If using certificates, make sure it's properly installed on the computer via the Microsoft Management Console (MMC).
After you've verified the settings, you might try connecting again. If using PEAP, be sure to use the correct username and password, and domain if required.
One last client setting you might want to check is the system date and time in Windows. An incorrect date or time can be a problem since the server and user certificates are time-sensitive.