Skip Links

Tips for troubleshooting 802.1X connections

By Eric Geier, Network World
September 24, 2012 07:06 AM ET

Network World - Implementing 802.1X authentication, which includes everything from setting up a RADIUS server to keeping end users connected, isn't easy.

Using 802.1X complicates the connection process, opening your network up to many more potential connectivity issues. For example, the extra exchange of packets for the 802.1X authentication increases the time it takes to connect and to roam across different wireless access points.

What is 802.1X?

6 secrets to a successful 802.1X rollout

If you're having connection issues, here are some troubleshooting techniques, features, and tools you can use.

1. Check the RADIUS Server Logs

Before performing troubleshooting steps on the client you should check the logs on the RADIUS server. If the authentication attempts are making it to the server, the logs can usually give you an idea of the underlying issue. But if the logs don't help or the authentication attempts aren't making it to the server you can continue troubleshooting via other methods.

2. Address Intermittent Connection Issues

If a client is having intermittent connection issues — disconnecting periodically, not reconnecting after resuming from sleep, or not roaming well between wireless access points — you may first want to eliminate general networking issues.

For wireless adapters that came with their own wireless configuration software, try uninstalling it so the adapter uses the native Windows interface and Microsoft 802.1X supplicant. Also consider reinstalling and even updating the driver for the client's network adapter.

If clients are still being intermittently disconnected (even if automatically reconnected), it may be because a Fast Roaming technique isn't being used. By default, the full 802.1X authentication process must take place the first time a client connects to the network, when roaming to another wireless access point, and after the 802.1X session interval expires. And this full authentication process can interrupt the client connection, especially for latency-sensitive traffic like VoIP or video streams.

When a Fast Roaming technique is supported by your network, however, it helps reduce the amount of full authentication processes a client must make on the network. The three most popular techniques are called WPA/WPA2 Fast Reconnect (or EAP Session Resumption), WPA2 PMK Caching, and Pre-authentication.

WPA/WPA2 Fast Reconnect (or EAP Session Resumption) caches the TLS session from the initial connection and uses it to simplify and shorten TLS handshake process for re-authentication attempts. This is usually enabled by default when a client connects to an 802.1X network the first time, but if you push network settings to domain clients you should make sure Fast Reconnect is enabled.

WPA2 Pairwise Master Key (PMK) Caching allows clients to perform a partial authentication process when roaming back to the access point the client had originally performed the full authentication on. This is typically enabled by default in Windows, with a default expiration time of 720 minutes (12 hours). In Windows 7 and later you can configure these settings via the advanced 802.1X settings for each network connection, however in Windows Vista and earlier they must be edited via registry entries or Group Policy.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News