https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Troubleshooting-DOT1x-WLAN-EAP-TLS-quot-Unknown-CA-quot-Error/m-p/61966#M171 <P><SPAN>When working with RADIUS, Network Policy Server (NPS), and implementing DOT1x authentication using EAP-TLS, you might encounter an error message in the packet capture stating <STRONG>"Unknown CA."</STRONG> This error typically occurs when the certificate authority (CA) responsible for issuing the server's certificate is not recognized or trusted by the client.</SPAN></P> <P>Symptom:</P> <UL> <LI>Computer fails to connect to the dot1x wireless network. <UL> <LI>Taking a <STRONG>packet capture</STRONG> on the interface of the NPS server, an "Unknown CA" error is seen in the <STRONG>RADIUS Access-Request packet</STRONG> sent to the server during the authentication process.</LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Orlando_Elias_0-1688152015724.png" style="width: 651px;"><img src="https://community.ruckuswireless.com/t5/image/serverpage/image-id/7250iFE3E798FF5D63D94/image-dimensions/651x344/is-moderation-mode/true?v=v2" width="651" height="344" role="button" title="Orlando_Elias_0-1688152015724.png" alt="Orlando_Elias_0-1688152015724.png" /></span></P> <P>Troubleshooting Steps:</P> <OL> <LI> <P>Test with a Different User Account:</P> <UL> <LI>Attempt to connect to the wireless network using a different user account on the same computer.</LI> <LI>Determine if the "Unknown CA" error persists for the alternate user.</LI> </UL> </LI> <LI> <P>Run the 'gpupdate' Command on Windows Computer:</P> <UL> <LI>Open Command Prompt as an administrator.</LI> <LI>Execute the following command: gpupdate /force</LI> <LI>Allow the Group Policy update to complete and restart the computer if necessary.</LI> <LI>Retry connecting to the wireless network and observe if the error persists.</LI> </UL> </LI> <LI> <P>Check Certificates on the Windows Machine:</P> <UL> <LI>Press Windows Key + R, type "certmgr.msc," and press Enter.</LI> <LI>In the Certificate Manager window, expand the "Trusted Root Certification Authorities" folder.</LI> <LI>Verify if the certificate authority (CA) responsible for issuing the server's certificate is present in the list.</LI> <LI>If the CA is missing, you may need to import the CA's root certificate into the "Trusted Root Certification Authorities" store.</LI> <LI>Restart the computer after importing the CA's root certificate if necessary.</LI> </UL> </LI> <LI> <P>Additional Troubleshooting Steps:</P> <UL> <LI>Review the NPS server configuration and ensure the correct server certificate is being used.</LI> <LI>Verify the validity and expiration of the server's certificate.</LI> <LI>Check if the client's operating system is up to date with the latest security patches.</LI> <LI>Reboot the NPS server or servers</LI> </UL> </LI> </OL> <P><SPAN>Shut me a question for further guidance.</SPAN></P> Wed, 12 Jul 2023 14:08:54 GMT Orlando_Elias 2023-07-12T14:08:54Z https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Troubleshooting-DOT1x-WLAN-EAP-TLS-quot-Unknown-CA-quot-Error/m-p/61966#M171 <P><SPAN>When working with RADIUS, Network Policy Server (NPS), and implementing DOT1x authentication using EAP-TLS, you might encounter an error message in the packet capture stating <STRONG>"Unknown CA."</STRONG> This error typically occurs when the certificate authority (CA) responsible for issuing the server's certificate is not recognized or trusted by the client.</SPAN></P> <P>Symptom:</P> <UL> <LI>Computer fails to connect to the dot1x wireless network. <UL> <LI>Taking a <STRONG>packet capture</STRONG> on the interface of the NPS server, an "Unknown CA" error is seen in the <STRONG>RADIUS Access-Request packet</STRONG> sent to the server during the authentication process.</LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Orlando_Elias_0-1688152015724.png" style="width: 651px;"><img src="https://community.ruckuswireless.com/t5/image/serverpage/image-id/7250iFE3E798FF5D63D94/image-dimensions/651x344/is-moderation-mode/true?v=v2" width="651" height="344" role="button" title="Orlando_Elias_0-1688152015724.png" alt="Orlando_Elias_0-1688152015724.png" /></span></P> <P>Troubleshooting Steps:</P> <OL> <LI> <P>Test with a Different User Account:</P> <UL> <LI>Attempt to connect to the wireless network using a different user account on the same computer.</LI> <LI>Determine if the "Unknown CA" error persists for the alternate user.</LI> </UL> </LI> <LI> <P>Run the 'gpupdate' Command on Windows Computer:</P> <UL> <LI>Open Command Prompt as an administrator.</LI> <LI>Execute the following command: gpupdate /force</LI> <LI>Allow the Group Policy update to complete and restart the computer if necessary.</LI> <LI>Retry connecting to the wireless network and observe if the error persists.</LI> </UL> </LI> <LI> <P>Check Certificates on the Windows Machine:</P> <UL> <LI>Press Windows Key + R, type "certmgr.msc," and press Enter.</LI> <LI>In the Certificate Manager window, expand the "Trusted Root Certification Authorities" folder.</LI> <LI>Verify if the certificate authority (CA) responsible for issuing the server's certificate is present in the list.</LI> <LI>If the CA is missing, you may need to import the CA's root certificate into the "Trusted Root Certification Authorities" store.</LI> <LI>Restart the computer after importing the CA's root certificate if necessary.</LI> </UL> </LI> <LI> <P>Additional Troubleshooting Steps:</P> <UL> <LI>Review the NPS server configuration and ensure the correct server certificate is being used.</LI> <LI>Verify the validity and expiration of the server's certificate.</LI> <LI>Check if the client's operating system is up to date with the latest security patches.</LI> <LI>Reboot the NPS server or servers</LI> </UL> </LI> </OL> <P><SPAN>Shut me a question for further guidance.</SPAN></P> Wed, 12 Jul 2023 14:08:54 GMT https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Troubleshooting-DOT1x-WLAN-EAP-TLS-quot-Unknown-CA-quot-Error/m-p/61966#M171 Orlando_Elias 2023-07-12T14:08:54Z