Back to All Scenarios
PASSEDinfrastructure / dot1x_radius_cert_mismatch
802.1X RADIUS Certificate Mismatch — Enterprise WiFi Auth Failure
The RADIUS server certificate used for EAP-TLS authentication expires, causing all 802.1X wireless clients to fail authentication. Supplicants reject the expired certificate, and no clients can connect to the enterprise SSID. Guest network remains functional.
Pattern
CERTIFICATE_EXPIRY
Severity
CRITICAL
Confidence
95%
Remediation
Remote Hands
Test Results
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | CERTIFICATE_EXPIRY | CERTIFICATE_EXPIRY | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 21 linked | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Remote Hands — Corax contacts on-site support via call, email, or API |
Scenario Conditions
NPS RADIUS with EAP-TLS. Server certificate expired 2 hours ago. 400 enterprise WiFi clients affected. Certificate auto-renewal failed (CA offline). Guest SSID on open auth unaffected.
Injected Error Messages (2)
RADIUS EAP-TLS authentication failing — NPS server certificate expired 2 hours ago, certificate expired on 2026-03-29T00:00:00Z, all EAP-TLS handshakes failing at ServerHello, 400 clients receiving Access-Reject, certificate auto-renewal failed: CA server unreachable
Enterprise SSID authentication rate dropped to zero — all 802.1X supplicants rejecting certificate expired server cert, EAP-TLS tunnel setup failing, Windows clients showing 'The server certificate has expired', macOS clients auto-disconnecting
Neural Engine Root Cause Analysis
The RADIUS server (NPS-01) is failing because its SSL/TLS certificate expired 2 hours ago on 2026-03-29T00:00:00Z. This expired certificate is causing all EAP-TLS authentication handshakes to fail at the ServerHello stage, resulting in Access-Reject responses to 400 clients. The automatic certificate renewal process failed due to the Certificate Authority (CA) server being unreachable, preventing the system from self-healing.
Remediation Plan
1. Verify CA server connectivity and restore if needed. 2. Generate new certificate request from NPS-01 server. 3. Submit certificate request to CA for signing. 4. Install new certificate on NPS-01 server. 5. Restart RADIUS/NPS service to load new certificate. 6. Test EAP-TLS authentication with sample client. 7. Monitor authentication success rates. 8. Fix automatic renewal process to prevent recurrence.
Tested: 2026-03-30Monitors: 2 | Incidents: 2Test ID: cmncjqb3e03pkobqebres0w7y