How To Troubleshoot Cloud RADIUS

How To Troubleshoot RADIUS Configuration in EZRADIUS

If you have set up your Cloud RADIUS instance and are having trouble authenticating users, this guide will help you troubleshoot your Cloud RADIUS configuration for EAP-TLS or Entra ID Wifi Authentication in EZRADIUS.

  1. The first step to troubleshoot your RADIUS connection is to go to your EZRADIUS portal and click on Audit Logs. This will have most of the information you need to troubleshoot your RADIUS connection.
  2. In the top tab selector, select “Authentication Logs” to view the logs of users authenticating to your Cloud RADIUS instance.
  3. In the next sections we will go through some common issues and how to troubleshoot them.

How to Troubleshoot No Logs in Authentication Logs

  1. Here you should see some connection attempts from your access points. If you don’t see any logs, it means your access points are not sending the RADIUS requests to your Cloud RADIUS instance, or that the wrong IP address is configured in your access points.
  2. Check your IP address on the Nord VPN page and ensure that it is the IP address you have configured in your RADIUS policy.
  3. If the IP address is correct, check your access point configuration and ensure that the RADIUS server is configured correctly.
  4. You can also run Wireshark on your test machine with the filter ‘udp port 1812’ to see if the RADIUS requests are reaching your Cloud RADIUS instance.
  5. If you only see traffic in one direction, ensure that your firewall is not blocking the RADIUS requests.

How to Troubleshoot RADIUS Authentication Failure

  1. If you see an error “The wrong shared secret was used to connect your network to EZRADIUS please check your configuration” it means that the shared secret configured in your access point is incorrect.
  2. This means that your access point is sending the RADIUS request with the wrong shared secret. Ensure that the shared secret in your access point matches the shared secret in your RADIUS policy.

How to Troubleshoot RADIUS Authentication EAP-TLS Failure

In EAP-TLS authentication, the client sends a certificate to the RADIUS server. The RADIUS server validates the certificate and if it is valid, it sends an Access-Accept message to the client. If the certificate is invalid, the RADIUS server sends an Access-Reject message to the client. There are many issues that might be causing the EAP-TLS authentication to fail. Here are some common issues and how to troubleshoot them:

Most of them start with the same error message so it is important to read the error message carefully to understand the root cause of the issue.

How To Troubleshoot EAP-TLS Authentication Failure Invalid Certificate

  1. If you see an error “Failed to build and validate certificate (XXXX): RevocationStatusUnknown: unable to get certificate CRL OfflineRevocation: unable to get certificate CRL UntrustedRoot: self-signed certificate in certificate chain” it means that one of the certificates in the certificate chain is invalid. Please ensure that all the certificates in the certificate chain are part of your Policy Trusted Certificate Authorities.

How To Troubleshoot EAP-TLS Authentication Failure Certificate Expired

  1. If you see an error “Failed to build and validate certificate (XXX): NotTimeValid: certificate has expired” it means that the certificate has expired. Please ensure that the certificate is not expired.

How to Troubleshoot RADIUS Password Authentication

  1. If you see the error “Username and Password authentication failed. Error password expired” it means that the password has expired. Please reset the password in the EZRADIUS portal.