Jan 25 12:01:27.582: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
Question. Since the debugs don't show the exact reason why the authentication fails, we can collect logs from the RADIUS server and screenshots of the supplicant's (client) configuration.
Answer. After checking the Windows RADIUS/NPS server, there are no events from the AP registered, so it looks like the request is not reaching the RADIUS server.
After making the configuration changes, the NPS server is showing the following error:
An Access-Request message was received from RADIUS client 1**** with a message authenticator attribute that is not valid.
Jan 29 16:50:50.333: dot11_mgr_sm_send_resp_to_authent: Started dot11 authenticator timeout 60 seconds
Jan 29 16:50:50.333: RADIUS/ENCODE(000001DE):Orig. component type = DOT11
Jan 29 16:50:50.333: RADIUS: AAA Unsupported Attr: ssid  4
Jan 29 16:50:50.333
APDWAP1#b: RADIUS: 54 45 [TE]
Jan 29 16:50:50.333: RADIUS: AAA Unsupported Attr: interface  3
Jan 29 16:50:50.334: RADIUS: 37 
Jan 29 16:50:50.334: RADIUS(000001DE): Config NAS IP: 0.0.0.0
Jan 29 16:50:50.334: RADIUS/ENCODE(000001DE): acct_session_id: 478
Jan 29 16:50:50.334: RADIUS(000001DE): sending
Jan 29 16:50:50.334: RADIUS/ENCODE: Best Local IP-Address 10.1.2.245 for Radius-Server 10.****
Windows 7 wireless profiles
Configuration modified: corrected the configuration for the SSID.
Under the SSID configuration add the command:
authentication key-management wpa version 2
Under the radio configuration add the command:
encryption vlan 3 mode ciphers aes-ccm
User had a $ in the RADIUS password; either the RADIUS server or the access point didn't like this. After changing the password everything started working fine.
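The NPS error quoted above and the shared-secret fix are two sides of the same check. An Access-Request that carries EAP-Message attributes must also carry a Message-Authenticator (RFC 2869/3579): an HMAC-MD5 over the whole packet, keyed with the shared secret, computed with the attribute's own value zeroed. NPS recomputes it with the secret it has stored for that RADIUS client, so any byte that differs between the two copies of the secret (for instance a `$` that one side stored or typed differently) produces a different HMAC and the "message authenticator attribute that is not valid" event. The Python below is an added example, not code from this thread, Cisco or Microsoft; the secret, user name and EAP payload are constructed placeholders, and only the NAS address 10.1.2.245 is taken from the debug output above.

```python
"""RADIUS Message-Authenticator (RFC 2869 section 5.14): build and verify.

Added example, not from the original thread. The packet below is constructed
for illustration; secret, user name and EAP payload are placeholders.
"""
import hashlib
import hmac
import os
import struct
from typing import Iterator, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def iter_avps(packet: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def build_access_request(identifier: int, secret: bytes,
                         attrs: List[Tuple[int, bytes]],
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request carrying a valid Message-Authenticator.

    The HMAC-MD5 is keyed with the shared secret and computed over the whole
    packet while the Message-Authenticator value is 16 zero bytes; the 16-byte
    result is then written into that attribute.
    """
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # fresh random value per Access-Request
    body = b"".join(encode_avp(t, v) for t, v in attrs)
    body += encode_avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # appended last
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # patch the zeroed value with the real HMAC


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC the way a RADIUS server does; constant-time compare."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for offset, attr_type, value in iter_avps(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # absent: an Access-Request with EAP-Message must carry it (RFC 3579)


# Constructed sample: the AP (NAS 10.1.2.245, as in the debug output) forwards an
# EAP-Response/Identity for user "alice" to NPS. Secret is a placeholder.
SHARED_SECRET = b"Sh@red$ecret"
EAP_RESPONSE_IDENTITY = bytes([2, 1, 0, 10]) + b"\x01alice"  # code 2, id 1, len 10, type 1

SAMPLE_REQUEST = build_access_request(
    identifier=0xDE,
    secret=SHARED_SECRET,
    attrs=[
        (ATTR_USER_NAME, b"alice"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 2, 245])),
        (ATTR_EAP_MESSAGE, EAP_RESPONSE_IDENTITY),
    ],
)

if __name__ == "__main__":
    print("correct secret:", verify_message_authenticator(SAMPLE_REQUEST, SHARED_SECRET))
    # One byte of difference in the stored secret (here the '$' is missing) yields a
    # different HMAC: this is the case NPS reports as "not valid" and discards.
    print("mangled secret:", verify_message_authenticator(SAMPLE_REQUEST, b"Sh@redecret"))
```

The same routine explains why the server logs nothing useful beyond the rejection: the request is discarded before user or policy evaluation, so the first thing to compare when NPS reports an invalid Message-Authenticator is the secret configured on the AP's radius-server line against the RADIUS client entry on the server.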
Question. Do we need WPA2 Key + Cert based auth?
Answer. You need to choose WPA2-Enterprise and use AES as encryption method.
I know 802.1x is misleading because actually WPA2-Enterprise uses 802.1x too. However, 802.1x mentioned here is used only with WEP encryption in order to negotiate WEP keys via the RADIUS server rather than static keys. WEP is obsolete and found to be very weak. So don't use it.
Now, you need to configure WPA2-Enterprise with AES. Then use the authentication method: Microsoft: Smart Card or other certificate.
In the Settings tab, configure things as highlighted below. In the Trusted Root Certification Authorities field, choose the authority that generated the server's certificate. (If it is not available, you have to add it by obtaining the server's root CA certificate and installing it on the machine.)
You need to have a certificate installed on the user machine. (You must obtain that and install it on the machine as a "personal certificate" that will be used to authenticate the machine to the server.)
Now, by default, the username used for the authentication is the name mentioned in the personal certificate.
If the username that is used is different, then you need to provide it at the time of authentication. In order to do that, you need to check the box "Use a different username for the connection" that is highlighted below.
On the server side, though, you need to add the AAA device (the access point in your case) to the server and configure the shared secret. You also need to configure the RADIUS server information on the AP with the same shared secret that is configured for the AP on the server. You also need to make sure the policies on the server are configured to allow EAP-TLS.
With all the above configured correctly and with having the client certificate (personal cert) trusted on the server and vice versa, things should work.
How EAP with TLS Works
As previously mentioned, EAP-TLS authentication is based on 802.1x/EAP architecture. Components involved in the 802.1x/EAP authentication process are: supplicant (the end entity, or end user's machine), the authenticator (the access point), and the authentication server (back-end RADIUS server). The supplicant and the RADIUS server must support EAP-TLS authentication. The access point has to support the 802.1x/EAP authentication process. (The access point is not aware of the EAP authentication protocol type.)
Figure illustrates the overall 802.1x/EAP authentication process with EAP-TLS as the authentication protocol. Note that LEAP and EAP MD5 also use the same 802.1x/EAP authentication process.
EAP-TLS Authentication Overview
Figure illustrates the details of EAP-TLS exchange. The figure shows that, as part of the EAP request, the RADIUS server provides its certificate to the client and requests the client's certificate. The client validates the server certificate and responds with an EAP response message containing its certificate and also starts the negotiation for cryptographic specifications (cipher and compression algorithms). After the client's certificate is validated, the server responds with cryptographic specifications for the session.
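The exchange described in the two sections above is carried in three nested layers: EAPOL frames between supplicant and access point, EAP packets inside them, and EAP-TLS type data (a flags byte, an optional total length, then TLS record bytes) inside those. Because the TLS certificate messages are larger than one EAP packet, RFC 5216 fragments them: the first fragment sets the L flag and announces the total length, every fragment but the last sets M, and the peer answers each non-final fragment with an empty EAP-TLS acknowledgement. The access point only relays EAP and never inspects the TLS payload, which is why it "is not aware of the EAP authentication protocol type". The Python below is an added example, not code from this page or any vendor; the TLS records are constructed placeholder bytes rather than a real handshake, and the trace it produces covers the Identity, TLS Start, ClientHello and fragmented server flight steps.

```python
"""EAPOL / EAP / EAP-TLS framing (IEEE 802.1X, RFC 3748, RFC 5216).

Added example, not from the original page. TLS payloads are constructed
placeholder bytes, not a real handshake.
"""
import struct
from typing import List, Tuple

EAPOL_VERSION = 2            # 802.1X-2004 frame version
EAPOL_EAP_PACKET = 0         # EAPOL packet type that carries an EAP packet
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
TLS_FLAG_L, TLS_FLAG_M, TLS_FLAG_S = 0x80, 0x40, 0x20  # length included, more, start


def eap_packet(code: int, identifier: int, payload: bytes = b"") -> bytes:
    """EAP header: Code, Identifier, Length (header included), then Type + data."""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def eapol_frame(eap: bytes, packet_type: int = EAPOL_EAP_PACKET) -> bytes:
    """802.1X framing used on the link before the client has any IP address."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(eap)) + eap


def parse_eapol(frame: bytes) -> Tuple[int, int, bytes]:
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    if 4 + length > len(frame):
        raise ValueError("EAPOL body truncated")
    return version, packet_type, frame[4:4 + length]


def parse_eap(eap: bytes) -> Tuple[int, int, int, bytes]:
    """Return (code, identifier, type, type_data); type is -1 for Success/Failure."""
    code, identifier, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP Length field disagrees with packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, -1, b""
    return code, identifier, eap[4], eap[5:]


def eap_tls_fragments(tls_message: bytes, max_fragment: int) -> List[bytes]:
    """Split one TLS message into EAP-TLS type-data fragments (RFC 5216 3.1)."""
    frags, pos, first = [], 0, True
    while first or pos < len(tls_message):
        chunk = tls_message[pos:pos + max_fragment]
        pos += len(chunk)
        flags = (TLS_FLAG_L if first else 0) | (TLS_FLAG_M if pos < len(tls_message) else 0)
        header = struct.pack("!B", flags)
        if first:
            header += struct.pack("!I", len(tls_message))  # total TLS length, first fragment only
        frags.append(header + chunk)
        first = False
    return frags


def eap_tls_reassemble(type_data_list: List[bytes]) -> bytes:
    """Inverse of eap_tls_fragments; rejects inconsistent M flags or lengths."""
    out, expected = b"", None
    for i, data in enumerate(type_data_list):
        flags, body = data[0], data[1:]
        if flags & TLS_FLAG_L:
            expected, body = struct.unpack("!I", body[:4])[0], body[4:]
        out += body
        if bool(flags & TLS_FLAG_M) == (i == len(type_data_list) - 1):
            raise ValueError("M flag inconsistent with fragment position")
    if expected is not None and expected != len(out):
        raise ValueError("reassembled %d bytes, announced %d" % (len(out), expected))
    return out


# Constructed placeholder records (TLS record header + dummy body), not real TLS.
CLIENT_HELLO = b"\x16\x03\x01\x00\x05CHELO"
SERVER_FLIGHT = b"\x16\x03\x03\x08\x00" + bytes(2048)  # Certificate + CertificateRequest


def eap_tls_exchange(identity: bytes, max_fragment: int = 1000) -> List[Tuple[str, int, int, int]]:
    """Trace the start of EAP-TLS: each entry is (direction, EAP code, EAP type,
    EAP-TLS flags or -1), obtained by parsing the EAPOL frame as the peer would."""
    trace: List[Tuple[str, int, int, int]] = []

    def send(direction: str, eap: bytes) -> None:
        code, _, etype, data = parse_eap(parse_eapol(eapol_frame(eap))[2])
        trace.append((direction, code, etype, data[0] if etype == EAP_TYPE_TLS and data else -1))

    send("AP->STA", eap_packet(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))
    send("STA->AP", eap_packet(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + identity))
    send("AP->STA", eap_packet(EAP_REQUEST, 2, bytes([EAP_TYPE_TLS, TLS_FLAG_S])))  # EAP-TLS Start
    send("STA->AP", eap_packet(EAP_RESPONSE, 2, bytes([EAP_TYPE_TLS]) + eap_tls_fragments(CLIENT_HELLO, max_fragment)[0]))
    ident = 3
    for frag in eap_tls_fragments(SERVER_FLIGHT, max_fragment):  # RADIUS server's flight, relayed by the AP
        send("AP->STA", eap_packet(EAP_REQUEST, ident, bytes([EAP_TYPE_TLS]) + frag))
        if frag[0] & TLS_FLAG_M:  # supplicant acknowledges a non-final fragment with empty EAP-TLS data
            send("STA->AP", eap_packet(EAP_RESPONSE, ident, bytes([EAP_TYPE_TLS, 0])))
        ident += 1
    return trace


if __name__ == "__main__":
    for step in eap_tls_exchange(b"alice"):
        print(step)
```

Reading the trace side by side with an AP debug is the practical use: the identifier of each EAP-Response must equal that of the request it answers, and a server flight that stops after a fragment carrying M, with no further request, points at the RADIUS leg (the AP never received the next fragment) rather than at the supplicant.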