06-30-2023 12:11 PM - last edited on 07-12-2023 07:08 AM by dave_feasey
When working with RADIUS, Network Policy Server (NPS), and 802.1X (dot1x) authentication using EAP-TLS, you might see an "Unknown CA" error in a packet capture. This is a TLS alert raised during the EAP-TLS handshake, and it typically occurs when the certificate authority (CA) that issued the NPS server's certificate is not recognized or trusted by the client, so the client cannot build a chain from the server certificate to a trusted root.
Symptoms:
The computer fails to connect to the dot1x wireless network.
In a packet capture taken on the NPS server's interface, an "Unknown CA" error is seen in the RADIUS Access-Request packet sent to the server during the authentication process.
Test with a Different User Account:
Attempt to connect to the wireless network using a different user account on the same computer.
Determine if the "Unknown CA" error persists for the alternate user.
Run the 'gpupdate' Command on Windows Computer:
Open Command Prompt as an administrator.
Execute the following command: gpupdate /force
Allow the Group Policy update to complete and restart the computer if necessary.
Retry connecting to the wireless network and observe if the error persists.
Check Certificates on the Windows Machine:
Press Windows Key + R, type "certmgr.msc", and press Enter.
In the Certificate Manager window, expand the "Trusted Root Certification Authorities" folder.
Verify that the certificate authority (CA) that issued the server's certificate is present in the list.
If the CA is missing, you may need to import the CA's root certificate into the "Trusted Root Certification Authorities" store.
Restart the computer after importing the CA's root certificate if necessary.
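The following PowerShell script is an added example for the certificate check above; it is not part of the original article. It assumes the NPS server's certificate (as presented to clients) has been exported to a .cer file at a placeholder path, builds the chain the same way the Windows supplicant does, reports the chain status that corresponds to "Unknown CA" (UntrustedRoot or PartialChain), and then looks for the chain's root in both the Local Computer and Current User "Trusted Root Certification Authorities" stores. Note that certmgr.msc shows the Current User store; for computer (machine) authentication the Local Computer store (certlm.msc, or Cert:\LocalMachine\Root here) is the one that matters.

```powershell
# Added example, not from the original article.
# Checks whether the NPS server certificate chains to a root this client trusts.
param(
    # Placeholder paths; replace with the exported NPS server certificate and,
    # optionally, the CA root certificate you want to import if it is missing.
    [string]$ServerCertPath = 'C:\temp\nps-server.cer',
    [string]$RootCertPath   = ''
)

$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCertPath)
Write-Host "Server certificate subject : $($serverCert.Subject)"
Write-Host "Server certificate issuer  : $($serverCert.Issuer)"
Write-Host "Server certificate expires : $($serverCert.NotAfter)"

# Build the chain against the machine's trusted roots, as the EAP-TLS supplicant does.
# Revocation checking is disabled here so that an unreachable CRL does not mask the
# trust problem we are looking for.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($serverCert)

if ($chainOk) {
    Write-Host "Chain builds to a trusted root."
} else {
    # UntrustedRoot: the root was found but is not in a trusted root store.
    # PartialChain: an issuer in the chain could not be found at all.
    # Both show up on the wire as the TLS "unknown CA" alert.
    foreach ($status in $chain.ChainStatus) {
        Write-Host "Chain status: $($status.Status) - $($status.StatusInformation.Trim())"
    }
}

# The last chain element is the highest certificate the client could find;
# when the chain is complete this is the root CA.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Top of chain: $($top.Subject) (thumbprint $($top.Thumbprint))"

foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $present = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    if ($present) {
        Write-Host "Found in $store"
    } else {
        Write-Host "NOT found in $store"
    }
}

# Import the CA root into the Local Computer trusted root store if it is missing.
# Requires an elevated PowerShell session.
if (-not $chainOk -and $RootCertPath -ne '') {
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    Write-Host "Imported $RootCertPath into Cert:\LocalMachine\Root; re-run this script to confirm the chain now builds."
}
```

Run it in an elevated PowerShell prompt on the affected client. If the chain builds and the root is present in Cert:\LocalMachine\Root but the error persists, also confirm that the wireless profile's "Validate server certificate" settings select that same root CA, since the supplicant only accepts roots ticked in the profile.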
Additional Troubleshooting Steps:
Review the NPS server configuration and ensure the correct server certificate is being used.
Verify that the server's certificate is valid and has not expired.
Check if the client's operating system is up to date with the latest security patches.
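The following PowerShell snippet is an added example for the server-side checks above, not code from the original article. Run on the NPS server, it lists the certificates in the Local Computer personal store that NPS can offer for EAP-TLS (Server Authentication EKU with a private key present) and flags any that are expired or about to expire, so you can compare the thumbprint against the certificate selected in the network policy's EAP settings.

```powershell
# Added example, not from the original article.
# Lists NPS-usable server certificates and their expiry state.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date
$warnDays = 30                          # constructed threshold for the EXPIRING state

Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
} | ForEach-Object {
    $daysLeft = [int]($_.NotAfter - $now).TotalDays
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        Thumbprint = $_.Thumbprint
        NotBefore  = $_.NotBefore
        NotAfter   = $_.NotAfter
        DaysLeft   = $daysLeft
        State      = if ($daysLeft -lt 0) { 'EXPIRED' }
                     elseif ($daysLeft -lt $warnDays) { 'EXPIRING' }
                     else { 'OK' }
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

If no certificate is listed, NPS has nothing it can present for EAP-TLS; if the one configured in the network policy shows EXPIRED, clients will reject it regardless of which CA they trust.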