Cannot Connect to the Wireless Network When Using 802.1x (WPA-EAP) for Authentication

Description

When using WPA-EAP, WPA2-EAP or WPA-AUTO-EAP for authentication, a SonicWall wireless appliance or SonicPoint must be configured with a RADIUS server to authenticate Wi-Fi clients. Issues can arise during this configuration. This article shows how to troubleshoot when you cannot connect to the wireless network using 802.1x.

NOTE: In this scenario, 192.168.136.168 has been added as a RADIUS client on the RADIUS server 192.168.136.66.

 

Resolution

1. Check Radius Server Settings

Normally, the RADIUS server is configured on the Wireless or SonicPoint page.

 

How to configure the RADIUS server on a SonicPoint:

Click SonicPoint | SonicPoints | Click the Edit button in the SonicPointNs area | Click Radio Basic | Select WPA-EAP, WPA2-EAP or WPA-AUTO-EAP | Click the Configure button in the Radius Server Settings area.

However, when troubleshooting, navigate to the Users | Settings page, where you can use the RADIUS testing tool.

1) Click the Configure Radius button | Click the Settings tab | Enter the IP Address, Shared Secret and Port Number of your RADIUS server.

2) Click the Test tab | Enter the User name, Password and Authentication type | Click the Test button.

Issue A: Server Response Server Timeout.
Resolution A: On the SonicWall, double-check the IP Address and Port Number of your RADIUS server. On the RADIUS server (Windows 2008 NPS), check that the Radius Client settings are correct and ensure the RADIUS server is available.

Issue B: Server Response RADIUS communication error.
Resolution B: Check the Shared Secret setting.

Issue C: Server Response Radius Client Authentication Failed.
Resolution C: The user name or password is incorrect, or the authentication method is not enabled in the Network Policy on your RADIUS server.
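The three test results above fail at different points of the RADIUS exchange defined in RFC 2865. The following is an added example, not SonicWall's code: it builds a PAP Access-Request and classifies replies by checking the Response Authenticator against the shared secret. The mapping of outcomes to Issues A, B and C, and all function names, secrets and credentials, are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 sec. 5.2: XOR the padded password with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_request(ident: int, user: bytes, password: bytes, secret: bytes, req_auth=None):
    """Access-Request with User-Name (type 1) and hidden User-Password (type 2)."""
    req_auth = req_auth or os.urandom(16)
    hidden = hide_password(password, secret, req_auth)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def classify(reply, ident: int, req_auth: bytes, secret: bytes) -> str:
    """Client side: map a reply (None = nothing received) to Issue A, B or C (assumed mapping)."""
    if reply is None:
        return "A: timeout - check server IP, port and RADIUS client entry"
    if len(reply) < 20:
        return "B: communication error - truncated reply"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if rid != ident or length != len(reply) or not hmac.compare_digest(expected, reply[4:20]):
        return "B: communication error - check shared secret"
    if code == ACCESS_ACCEPT:
        return "accept"
    return "C: reject - check credentials and Network Policy"

if __name__ == "__main__":
    # Constructed sample data: the secrets, user name and password are made up.
    req, ra = build_request(1, b"alice", b"Passw0rd!", b"firewall-secret")
    for label, reply in [
        ("no reply", None),
        ("server has a different secret", build_response(ACCESS_ACCEPT, 1, ra, b"nps-secret")),
        ("secret matches, policy rejects", build_response(ACCESS_REJECT, 1, ra, b"firewall-secret")),
        ("secret matches, accepted", build_response(ACCESS_ACCEPT, 1, ra, b"firewall-secret")),
    ]:
        print(f"{label:32} -> {classify(reply, 1, ra, b'firewall-secret')}")
```

A server holding a different secret also recovers a garbled PAP password from the request, so a mismatch is visible on both sides of the exchange.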


2. Check NAT Policy or Access Rule configuration on the SonicWall

When the test from DMZ interface 192.168.236.168 to the RADIUS server succeeds but you still cannot connect to the wireless network, check whether a NAT policy or Access Rule needs to be added.

1) If you added DMZ 192.168.136.168 as the RADIUS client on the RADIUS server, but the RADIUS server is reached through WLAN interface 10.10.10.1, go to Network | NAT Policies and add a NAT policy on the firewall as follows.

Image

If there is no NAT policy, you may receive an error on the NPS server, as in the picture below. When you capture the RADIUS packet, the source IP is 10.10.10.1.

Image

Image

2) If you added WLAN IP 10.10.10.1 as the RADIUS client on the RADIUS server, you must add an Access Rule on the firewall, because a RADIUS server in the LAN zone is inaccessible from the wireless zone by default. Go to Firewall | Access Rules and add an Access Rule as follows.

Image
Image

3. Check Wifi client Settings
On the RADIUS server, check the EAP Type. If only a password is used for authentication, uncheck the option Validate server certificate on your Wi-Fi client. With this option unchecked, the client does not verify the identity of the RADIUS server it sends its credentials to.

How to test:

When everything above is configured correctly, your Wi-Fi client can connect to the network successfully using 802.1x.
