The user's device fails 802.1X EAP-TLS authentication, but the client-side certificate is known to be valid. The question asks for two likely causes.
EAP-TLS Process: Involves mutual certificate validation and a TLS handshake between the client supplicant and the RADIUS server; the NAD (switch) relays the exchange, carrying EAPoL on the client side and RADIUS on the server side.
Causes (Client Cert OK):
Server Certificate Issues: The client does not trust the server certificate (untrusted CA, name mismatch, expired).
EAP Type Mismatch: The client supplicant is configured for a different EAP type than the RADIUS server policy expects.
RADIUS Server Issues: Policy misconfiguration, user not found, internal errors.
NAD <-> RADIUS Communication Failure: The switch cannot reach the RADIUS server (IP connectivity, firewall, routing), or the shared secret is incorrect.
Client Supplicant Misconfiguration: Incorrect identity or other settings unrelated to the certificate itself.
Network Packet Loss: EAP or RADIUS packets dropped in transit.
Analysis of Options (Select Two):
A: A wrong gateway affects Layer 3 connectivity after authentication, not the EAP-TLS exchange itself.
B: An ACL blocking EAPoL or RADIUS is possible, but less common than configuration errors.
C: EAP-type mismatch: a very common configuration error that leads to authentication failure.
D: A wrong MAC address is irrelevant to the EAP-TLS failure itself.
E: NAD not able to communicate with DNS servers: DNS is not directly involved in EAP-TLS. However, if interpreted more broadly as the NAD not being able to communicate with the RADIUS server (due to IP routing, a firewall, or an incorrect server address), this is a very common cause of failure.
Conclusion: An EAP-type mismatch (C) is a prime suspect when basic certificate validity is assumed. Failure of the Network Access Device (NAD, the switch) to communicate with the RADIUS server (E, interpreted broadly as RADIUS reachability) is another major category of failure causes.
[References: EAP-TLS (RFC 5216), 802.1X Troubleshooting Guides, ClearPass Documentation. This relates to "Troubleshooting" (10%), "Security" (10%), and "Authentication/Authorization" (9%).]