Troubleshooting Tip: Identify EAP-TLS certificate validation issues on the Windows client side
| Description | This article describes how to identify and resolve certificate validation problems when the client does not respond to the Server Hello challenge sent by the FortiNAC RADIUS server. |
| Scope | FortiNAC, Windows Clients. |
| Solution | When the 802.1X EAP-TLS method is used for authentication, both the Windows client and the RADIUS server authenticate each other through certificates. On some occasions, clients have certificate validation issues related to root CA trust or certificate chain validity. The FortiNAC RADIUS logs then show that an Access-Challenge containing the 'Server Hello' message is sent during the TLS handshake, and no response (Access-Request) is returned from the Network Access Server.
Example FortiNAC RADIUS log entry:
12 2026-02-12 10:33:22.504586 10.10.10.6 10.10.10.1 RADIUS 976 Access-Challenge id=203
A packet capture analyzed with Wireshark shows the server certificate details when TLS 1.2 is used. This is the step at which the supplicant (the Windows client) validates the server certificate against its trusted root store and then proceeds to generate the session key in order to complete the TLS handshake. To investigate certificate issues on the Windows client, use the CAPI2 event log in Windows Event Viewer. This is a Windows diagnostic log that is useful for finding errors related to the public key infrastructure (PKI) on the system.
The CAPI2 event log first needs to be enabled by right-clicking the 'Operational' log under Event Viewer\Applications and Services Logs\Microsoft\Windows\CAPI2 and enabling it. Then note the time of the authentication attempt at which the Access-Challenge is returned by FortiNAC.
Figure 1. Validating Certificate errors in CAPI2 Event logs.
On the right, in the 'Actions' pane, it is possible to filter by Level and Event ID.
Figure 2. Filter for specific Event IDs and Event level
The most common errors related to EAP-TLS on the client side are as follows:
|
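The same procedure (enable the CAPI2 Operational log, then look at error-level events around the time of the Access-Challenge) can be scripted on the client. This is an added example, not part of the Fortinet article; the log name is the real CAPI2 channel, while the timestamp, the time window and the `Result` element lookup in the event XML are assumptions to adapt.

```powershell
# Added example (not from the Fortinet article): enable the CAPI2 Operational
# log and list the error-level events around the time FortiNAC sent the
# Access-Challenge. Run in an elevated PowerShell on the Windows client.
param(
    # Time of the Access-Challenge in the FortiNAC RADIUS log (constructed value)
    [datetime]$ChallengeTime = '2026-02-12 10:33:22',
    # Slack either side of that time, for clock skew and handshake duration (assumed)
    [int]$WindowSeconds = 30
)

$logName = 'Microsoft-Windows-CAPI2/Operational'

# 1. Enable the Operational log (equivalent to right-click > enable in Event Viewer).
wevtutil.exe set-log $logName /e:true

# 2. After reproducing the 802.1X authentication attempt, query the time window.
$filter = @{
    LogName   = $logName
    Level     = 2           # 2 = Error
    StartTime = $ChallengeTime.AddSeconds(-$WindowSeconds)
    EndTime   = $ChallengeTime.AddSeconds($WindowSeconds)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Assumption: CAPI2 stores the chain/policy outcome as <Result value="..."> in the
    # event XML; the value is a Win32/HRESULT code (e.g. 800B0109 = CERT_E_UNTRUSTEDROOT).
    $xml    = [xml]$e.ToXml()
    $codes  = $xml.SelectNodes("//*[local-name()='Result']") |
              ForEach-Object { $_.GetAttribute('value') }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Task    = $e.TaskDisplayName   # e.g. Build Chain, Verify Chain Policy
        Result  = ($codes -join ',')
    }
}
```

Match the `Time` column against the Access-Challenge timestamp in the FortiNAC log; a result code such as CERT_E_UNTRUSTEDROOT in that window points at the root CA trust problem described above.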


