This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Troubleshooting DOT1x WLAN / EAP-TLS "Unknown CA" Error seen in RADIUS Access-Request in wireshark

Orlando_Elias
RUCKUS Team Member

‎06-30-2023 12:11 PM - last edited on ‎07-12-2023 07:08 AM by Community Manager

When working with RADIUS, Network Policy Server (NPS), and implementing DOT1x authentication using EAP-TLS, you might encounter an error message in the packet capture stating "Unknown CA." This error typically occurs when the certificate authority (CA) responsible for issuing the server's certificate is not recognized or trusted by the client.

Symptom:

  • Computer fails to connect to the dot1x wireless network.
    • Taking a packet capture on the interface of the NPS server, an "Unknown CA" error is seen in the RADIUS Access-Request packet sent to the server during the authentication process.

Orlando_Elias_0-1688152015724.png

Troubleshooting Steps:

  1. Test with a Different User Account:

    • Attempt to connect to the wireless network using a different user account on the same computer.
    • Determine if the "Unknown CA" error persists for the alternate user.

  2. Run the 'gpupdate' Command on Windows Computer:

    • Open Command Prompt as an administrator.
    • Execute the following command: gpupdate /force
    • Allow the Group Policy update to complete and restart the computer if necessary.
    • Retry connecting to the wireless network and observe if the error persists.

  3. Check Certificates on the Windows Machine:

    • Press Windows Key + R, type "certmgr.msc," and press Enter.
    • In the Certificate Manager window, expand the "Trusted Root Certification Authorities" folder.
    • Verify if the certificate authority (CA) responsible for issuing the server's certificate is present in the list.
    • If the CA is missing, you may need to import the CA's root certificate into the "Trusted Root Certification Authorities" store.
    • Restart the computer after importing the CA's root certificate if necessary.

  4. Additional Troubleshooting Steps:

    • Review the NPS server configuration and ensure the correct server certificate is being used.
    • Verify the validity and expiration of the server's certificate.
    • Check if the client's operating system is up to date with the latest security patches.
    • Reboot the NPS server or servers

Shut me a question for further guidance.

With regards,
--
Orlando Elias
Technical Support
0 REPLIES 0
Copyright © 2024 Khoros, LLC