Troubleshooting
Diagnostic Commands
Check Service Status
# Wired AutoConfig must be running
Get-Service dot3svc
# If not running
Start-Service dot3svc
Set-Service dot3svc -StartupType AutomaticVerify Certificates
Check Client Certificate
# List certificates in Personal store
Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, NotAfter, Thumbprint
# Check specific cert details
Get-ChildItem Cert:\LocalMachine\My | Where-Object {{ $_.Subject -like "*inside.domusdigitalis.dev*" }} | Format-List *
# Verify certificate has private key
Get-ChildItem Cert:\LocalMachine\My | Where-Object {{ $_.HasPrivateKey }}
# Check EKU includes Client Authentication
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {{
$_.EnhancedKeyUsageList | Where-Object {{ $_.FriendlyName -eq "Client Authentication" }}
}}Common Issues
Issue: 802.1X Not Enabled
Symptom: 802.1x enabled: No in netsh output
Solution:
# Enable via GUI - open Authentication tab in adapter properties
# Or enable via registry
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\dot3svc\Interfaces\{GUID}" -Name "Enable802.1x" -Value 1
Restart-Service dot3svcIssue: Certificate Not Found
Symptom: Authentication fails, no certificate presented
Check:
# Verify cert exists
Get-ChildItem Cert:\LocalMachine\My
# Must have private key
Get-ChildItem Cert:\LocalMachine\My | Where-Object {{ $_.HasPrivateKey }}
# Check EKU includes Client Authentication
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {{
$_.EnhancedKeyUsageList | Where-Object {{ $_.FriendlyName -eq "Client Authentication" }}
}}Issue: Certificate Chain Incomplete
Symptom: ISE rejects with "Certificate chain validation failed"
Solution:
# Import intermediate CA
Import-Certificate -FilePath "DOMUS-ISSUING-CA.crt" -CertStoreLocation Cert:\LocalMachine\CA
# Import root CA
Import-Certificate -FilePath "DOMUS-ROOT-CA.crt" -CertStoreLocation Cert:\LocalMachine\Root
# Verify chain
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {{ $_.Subject -like "*inside.domusdigitalis.dev*" }}
Test-Certificate $cert -Policy SSLIssue: Wrong Certificate Selected
Symptom: Authentication uses wrong certificate
Solution: Configure certificate selection criteria in 802.1X settings to match on: - Issuer: DOMUS-ISSUING-CA - Subject contains: inside.domusdigitalis.dev
Issue: Service Not Starting
Symptom: Wired AutoConfig fails to start
# Check dependencies
Get-Service dot3svc | Select-Object -ExpandProperty DependentServices
# Check event log
Get-WinEvent -LogName System -FilterXPath "*[System[Provider[@Name='Service Control Manager'] and (EventID=7000 or EventID=7024)]]" -MaxEvents 10Event Logs
Wired AutoConfig Event IDs
| Event ID | Description | Action |
|---|---|---|
15500 |
Authentication started |
Normal - authentication in progress |
15501 |
Authentication succeeded |
Normal - verify network access |
15502 |
Authentication failed |
Check certificate, ISE logs |
View Events
# View recent 802.1X events
Get-WinEvent -LogName "Microsoft-Windows-Wired-AutoConfig/Operational" -MaxEvents 50 |
Format-Table TimeCreated, Id, Message -WrapISE-Side Verification
Check ISE for authentication attempts:
-- Via DataConnect
SELECT TIMESTAMP_TIMEZONE, USERNAME, PASSED, AUTHENTICATION_PROTOCOL,
AUTHORIZATION_RULE, CALLING_STATION_ID
FROM RADIUS_AUTHENTICATIONS
WHERE USERNAME LIKE '%windows-hostname%'
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 10 ROWS ONLY;Or via ISE GUI: Operations → RADIUS → Live Logs
Network Capture
# Start packet capture
netsh trace start capture=yes tracefile=C:\temp\8021x.etl
# Reproduce the issue (disconnect/reconnect)
# Stop capture
netsh trace stop
# Convert to pcapng (requires Message Analyzer or etl2pcapng)