Troubleshooting WPA Enterprise
Check that your client has a certificate to authenticate and that you are using the correct WiFi configuration profile or XML.
Check that you've done the following:
- Told your RADIUS Server which certificates are allowed to connect.
- Imported the active RADIUS Server certificate as trusted root on your client.
Also check your reports (IronWiFi console -> Reports -> Authentication Requests). There is a detailed description of the error.
If your Clients need to verify on connecting the first time, and you're seeing this dialog:
Make sure that you have referenced the Server certificate in your WiFi Profile:
If you see something like this in your logs:
Mon Jul 12 12:38:09 2021 : ERROR: (14872) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
Mon Jul 12 12:38:09 2021 : ERROR: (14872) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
Mon Jul 12 12:38:09 2021 : Error: tls: TLS_accept: Error in error
Mon Jul 12 12:38:09 2021 : Auth: (14872) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/8dc38402-20fb-41db-a8f3-4e4e95637173/<via Auth-Type = eap>] (from client contoso port 1 cli 18-9K-EA-0H-7F-C5)
It can be one of these options:
- Your RADIUS server doesn't know the issuer of the certificate which was used for authentication. Add your CA.
- Your Client doesn't know the Server certificate and rejects the connection. Check that you've added your Server certificate.
- You've changed/added a new Server certificate and your XML profile on the client is using the old one. In that case, please double-check that you've either updated your WiFi/Wired profile or re-generated your XML after adding the certificates and pushed that to your clients.
If you can see something like this in your logs:
Wed Apr 7 08:14:39 2021 : Auth: (312) Login incorrect (eap_tls: TLS Alert write:fatal:decrypt error): [host/00128t09-cbna-469c-9768-2783d28eikl9/<via Auth-Type = eap>] (from client contoso port 1 cli 84-FD-D1-8C-0E-33)
Wed Apr 7 08:14:41 2021 : ERROR: (320) eap_tls: ERROR: TLS Alert write:fatal:decrypt error
Wed Apr 7 08:14:41 2021 : Error: tls: TLS_accept: Error in error
... then it is probably a bug in the TPM software on your Windows machines.
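As an added example (not IronWiFi code), the following Python script sorts RADIUS log lines in the format shown above into the two failure classes this article describes, grouped by the request number in parentheses. The category names, the field names and the triage function are assumptions made for illustration; the sample input is the log lines quoted above.

```python
import re
from collections import defaultdict

# Substrings from the log excerpts above, mapped to category names (assumed labels).
SIGNATURES = {
    "unable to get local issuer certificate": "trust-chain",
    "unknown CA": "trust-chain",
    "decrypt error": "tpm-decrypt",
}
ADVICE = {  # wording follows the causes listed in the article
    "trust-chain": "Check the CA added to the RADIUS server, the server certificate "
                   "trusted on the client, and that the pushed XML profile is current.",
    "tpm-decrypt": "Probably a bug in the TPM software on the Windows machine.",
}
REQ_RE = re.compile(r" : \w+: \((\d+)\) ")        # request number, e.g. (14872)
CLI_RE = re.compile(r"\bcli ([^\s)]+)\)")         # value after "cli" in Auth lines
IDENT_RE = re.compile(r"\[(.+?)/<via Auth-Type")  # identity in Auth lines

def triage(lines):
    """Return {request: {"causes": [...], "client": ..., "identity": ...}}."""
    found = defaultdict(lambda: {"causes": set(), "client": None, "identity": None})
    for line in lines:
        req = REQ_RE.search(line)
        causes = {cat for sig, cat in SIGNATURES.items() if sig in line}
        if not req or not causes:
            continue  # e.g. "TLS_accept: Error in error" carries no request number
        entry = found[req.group(1)]
        entry["causes"] |= causes
        cli, ident = CLI_RE.search(line), IDENT_RE.search(line)
        if cli:
            entry["client"] = cli.group(1)
        if ident:
            entry["identity"] = ident.group(1)
    return {rid: {**e, "causes": sorted(e["causes"])} for rid, e in found.items()}

# Sample input: log lines quoted in the article above.
SAMPLE = [
    "Mon Jul 12 12:38:09 2021 : ERROR: (14872) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate",
    "Mon Jul 12 12:38:09 2021 : ERROR: (14872) eap_tls: ERROR: TLS Alert write:fatal:unknown CA",
    "Mon Jul 12 12:38:09 2021 : Error: tls: TLS_accept: Error in error",
    "Mon Jul 12 12:38:09 2021 : Auth: (14872) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/8dc38402-20fb-41db-a8f3-4e4e95637173/<via Auth-Type = eap>] (from client contoso port 1 cli 18-9K-EA-0H-7F-C5)",
    "Wed Apr 7 08:14:39 2021 : Auth: (312) Login incorrect (eap_tls: TLS Alert write:fatal:decrypt error): [host/00128t09-cbna-469c-9768-2783d28eikl9/<via Auth-Type = eap>] (from client contoso port 1 cli 84-FD-D1-8C-0E-33)",
    "Wed Apr 7 08:14:41 2021 : ERROR: (320) eap_tls: ERROR: TLS Alert write:fatal:decrypt error",
]

if __name__ == "__main__":
    for rid, e in triage(SAMPLE).items():
        for cause in e["causes"]:
            print(f"request {rid} client={e['client']} identity={e['identity']}: {ADVICE[cause]}")
```

Grouping by request number matters because the client and identity appear only on the "Login incorrect" line, while the ERROR lines for the same request carry the cause.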