
Troubleshooting AOS-W Environments 605
Chapter 27
• Perform a wireless packet capture. If 802.1x authentication is observed to
begin, and then abruptly stops, a certificate error may be the cause. The
802.1x supplicant should not proceed with authentication if it detects an
invalid server certificate.
Client Certificate is not accepted (EAP-TLS only)
When using EAP-TLS as an 802.1x authentication method, a client certificate
must be validated by the RADIUS server in order for authentication to
succeed. If the client certificate cannot be validated, authentication will fail.
• Examine the RADIUS server log files. In most cases, the RADIUS server
will provide necessary clues to troubleshoot the problem.
• A common problem for client certificates is an incorrect Common Name
(CN). If the CN is not recognized by the RADIUS server, the RADIUS server
cannot locate the user in the database. Check the RADIUS server
documentation for the correct format. For example, Microsoft IAS expects the
certificate CN to be in the form “user@domain” in order to locate the user
correctly in Active Directory.
• Verify that the client certificate has not expired by examining the certificate
“Valid to” date.
• Verify that the client certificate has not been revoked. The certification
authority Certificate Revocation List (CRL) contains all revoked certificates.
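The three client-certificate checks above (CN format, “Valid to” date, CRL membership) as a Go helper, added here as an example; it is not code from AOS-W or from any RADIUS product. It assumes a set of revoked serial numbers standing in for the CA's CRL, the user@domain CN form Microsoft IAS expects, and builds a self-signed certificate as constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"regexp"
	"time"
)

// userAtDomain is the CN form Microsoft IAS expects ("user@domain").
var userAtDomain = regexp.MustCompile(`^[^@\s]+@[^@\s]+$`)

// CheckClientCert applies the CN-format, "Valid to" and revocation checks
// from the list above; revokedSerials stands in for the serials on the CA's CRL.
func CheckClientCert(cert *x509.Certificate, revokedSerials map[string]bool, now time.Time) []string {
	var problems []string
	if !userAtDomain.MatchString(cert.Subject.CommonName) {
		problems = append(problems, "CN '"+cert.Subject.CommonName+"' is not in user@domain form")
	}
	if now.After(cert.NotAfter) {
		problems = append(problems, "certificate expired on "+cert.NotAfter.Format(time.RFC3339))
	}
	if revokedSerials[cert.SerialNumber.String()] {
		problems = append(problems, "serial "+cert.SerialNumber.String()+" is listed on the CRL")
	}
	return problems // empty means all checks passed
}

// newTestCert builds a self-signed client certificate as constructed test data.
func newTestCert(cn string, serial int64, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate with CN "alice", an expired "Valid to" date and a serial present in the revoked set yields three problems; a well-formed, current, unrevoked one yields none.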
Client is using the wrong form of PEAP
PEAP (Protected Extensible Authentication Protocol) is a widely deployed
authentication method for 802.1x. There are two different forms of PEAP in
use – Microsoft PEAP and Cisco PEAP. Both client and server must be using
the same form of PEAP. If the RADIUS server is Microsoft IAS and the client is
Microsoft Windows using the built-in Wireless Zero Configuration utility, for
example, it is likely that both sides are using Microsoft PEAP. However, in a
mixed environment, mismatches may occur.
• The client may not provide useful information on which type of PEAP is in
use. However, the PEAP “inner” authentication protocol may provide a
clue. Microsoft PEAP allows MS-CHAP v2 and a smart card/certificate as
the inner authentication protocol. Cisco PEAP also supports
one-time passwords or token cards as the inner authentication protocol. If
a one-time password or secure token is available in the client’s PEAP
configuration, Cisco PEAP is most likely being used.
• Current versions of Cisco’s ACS RADIUS server support both MS-PEAP
and Cisco PEAP. However, older versions of ACS do not support
MS-PEAP. Ensure that an updated version of ACS is being run if
MS-PEAP is used by clients.