Solved

XP wireless client not receiving DHCP settings

Posted on 2010-11-24
Last Modified: 2012-08-13
I have many wireless XP clients that connect to the network via wireless access points using WPA2, AES, and 802.1x authentication using PEAP-MSCHAP V2. The clients are set to validate server certificates and are configured to trust the local root CA. All of the wireless configuration settings and certificate deployment are done through Group Policy.

Most of the XP clients connect to the wireless network as expected, however we have had many occasions when a client will authenticate but fails to obtain DHCP settings. I have observed the flow of traffic between the client and the DHCP server using Wireshark and it appears that this only happens when there is a poor quality wireless signal - the client struggles to authenticate, with many packets exchanged, eventually succeeds but then DHCP requests are sent to the DHCP server, which the server also receives, but the responses are not received by the client. I suspect it is the signal quality because as soon as the client is placed close to an access point the authentication process is completed quickly, and the DHCP process is also completed successfully.

Has anyone else had the same issues? Is there any way of improving the clients' chances of success of obtaining DHCP settings as we don't want to use static network settings?
Question by:x3man
13 Comments
 

Expert Comment

by:Erk333
If the hardware of the clients is fairly standardized (as far as WLAN NICs), I would confirm that all are using the same protocol (A, B, G, N), or the best one that is supplied by your access points.

That, and you might match the link speed (10, 100, half, full, etc.) of the NICs to that of your switch(es) instead of 'auto'.

Author Comment

by:x3man
Hi Erk333

All clients are using 11g

All switches are set to auto negotiate as are the clients.

Assisted Solution

by:Erk333
Erk333 earned 166 total points
Hmm... well, if the goal is to improve addressing (or communication in general), I would take switches and nodes off auto (hard setting is really best practice), but that can be a lot of work.

Other than that, the only thing I can think of is changing the DHCP server to unicast response. See link:
http://www.pc1news.com/how-to-configure-dhcp-server-for-unicast-1187.html

And I assume you've updated the affected laptops' NIC drivers and such.

Expert Comment

by:Fred Marshall
It sure sounds like the pool of addresses has been used up.
The IP address assignments are via "leases".  So, a computer need not be present or turned on to be using up an address via the lease it received.  This can cause a degree of confusion when one "knows" that there are only so many computers connected at any one time.

How many addresses are in the DHCP pool?
What is the lease time?  (For a more or less static situation, I'd use 8 hours.  For more dynamic situations, I'd use less - maybe 2 hours).  I believe the computers will refresh their individual leases in half that time.  So, if the leases are short and aren't refreshed, they will run out and make those addresses available for assignment.
How many computers are "involved"?  i.e. there all the time, coming in and out, etc.?

Author Comment

by:x3man
Thanks for input guys.

NIC drivers have been updated. Changing auto negotiate settings is not an option I'm afraid. Too much work and too many other devices using it.

Not convinced that changing the DHCP server to unicast will improve things. Like I said originally it appears that the issue relates to signal quality - I can see the client struggle to authenticate, and fail to receive the DHCP response. Yet when I try in an area with good coverage the authentication and DHCP process completes without any problems. It looks like changing the default time out value for the DHCP process is not possible, otherwise that could improve things by giving the client a chance to receive responses from DHCP.

It's definitely not related to lack of available IP addresses in the current address pool - there are more than enough spare, and like I said, the issue is resolved when the wireless signal improves. Unfortunately upgrading the wireless infrastructure is not an option.

Some of the laptops suffer from this issue more than others e.g. the Atheros NICs seem to fare much better. Again suggests signal quality issues?

Expert Comment

by:Bing CISM / CISSP
Does a reboot or restart help??

BTW, I don't mean this is a solution. This is for troubleshooting only. :)

Author Comment

by:x3man
No, rebooting doesn't make any difference.

Expert Comment

by:Fred Marshall
One can imagine that signal quality could be an issue for DHCP depending on the amount of handshaking required, etc.  But then, this just means that there's a signal quality issue overall - so that's the place to look.  It seems a little odd that you've been able to pinpoint it down to DHCP but then that would be the *first* opportunity for failure wouldn't it?

Is the network secured?  Often one gets a "connection" but only at the "radio" level and then DHCP fails because the security settings are wrong.  Often the software doesn't tell you this and looks like the computers are "connected".  I've often had to try multiple times to get the security right and end up with an IP address all while the radios were "connected" just fine.  If the interfaces are from different manufacturers then the software may well be different and setup for security different - one needing more detailed information than another, etc.  Don't discount this possibility.  

I don't expect one computer to act the same as another on a wireless network.  You seem to be saying the same thing.  

Wireless networks are a bit frustrating because of signal strength being so variable.  You might try using NetStumbler on a laptop so you can better see SNR, etc. and get an idea of how signal levels vary.  If the SNR isn't 20dB or better then it will or can be marginal.  I wouldn't recommend trying to live at 15dB and less than that is surely going to be unsatisfactory.

Solutions include: more robust access points (i.e. power level)  and better antennas at both ends.
Antenna solutions are generally better than increases in power as increases in power don't yield all that many dB.  6dB is a 4X change in power level.

Author Comment

by:x3man
Thanks fmarshall

DHCP is usually the point of failure for the laptops - however we have also had a few laptops that fail to authenticate and so are refused access. Again this is variable and the same laptop has connected when relocated to a strong signal area.

I agree it is frustrating! The network was originally using WPA-PSK, and while it certainly wasn't perfect, we did have more success with connectivity. I would not be happy if we had to move back to this level of security due to connectivity issues.

I have used NetStumbler to get a picture of the signal quality across the network. I can't remember the exact SNR but it was less than satisfactory. The SNR was low in some areas and high in others, and different during different times of day (people going home etc.). Many hours have already been spent trying to optimise AP location, power levels, channels etc without any real improvements to reliability.

I am interested to know what settings you are referring to when you say "had to try multiple times to get the security right and end up with an IP address all while the radios were "connected" just fine.  If the interfaces are from different manufacturers then the software may well be different and setup for security different - one needing more detailed information than another". All the laptops are using XP SP3 and the Windows XP Wireless Zero Configuration service so aren't the security settings all the same? Are you referring to using the NIC manufacturers management software? Or are you referring to the advanced properties of the device itself?

Accepted Solution

by:Fred Marshall
Fred Marshall earned 167 total points
If you don't have 20dB SNR then you will surely see problems and at 15-20dB quite a bit of variation.  So, if you're operating a computer with 17dB SNR then it may work some of the time and lead to a lot of frustration.  Best to avoid that with acceptable SNR.  Numbers may vary but I'm sure you get the idea.  This is *not* an exact thing but close enough for discussion purposes.  In your situation it's essential to know what the numbers are I should think.

In my reference to settings there's nothing magic here so you won't be surprised with this:

I would not suggest one security type over another in this regard.  I don't have any statistics that would lead to a conclusion.  You should use the highest level that your human and computer environment will tolerate.

The settings I mentioned were:

Type of security: WEP, WPA-PSK, WPA2-PSK, WPA-Personal, etc. etc.  it seems that every interface mfr. has their own idea of what this list should be.  Some newer interfaces appear to be able to figure it out all by themselves and all you have to do is say "yes".  With older interfaces you may have to try a few things to get the AP and the computer interface to agree as the terms do vary for their respective settings.

Also, which interface software are you using?  There will/could be the interface mfr's software (i.e. Intel, Atheros, Broadcom, etc.), the computer mfr's software (Dell, HP, Lenovo, etc.), and MS Windows.
The tradeoff seems to be that the interface mfr GUI will be nicer than Windows but that Windows is almost surely to work.  In some cases I've had to disable Dell software in order to get things to work.  How I wish for a standardized interface without the seemingly endless variation in what each company comes up with!!

Type of encryption: TKIP, AES?

The passphrase.  They should be complicated to avoid hacking.  If you use a typical approach then you do this but either remember them or write them down and then type them in manually.  It's the typos that get you here and it's sometimes really hard to convince yourself that you've made a mistake.   What I have taken to doing is use random 63-character passphrases and enter them using copy and paste.  Hardest to hack and no typos.  

I've had situations where I've had to try 1/2 dozen times before I got it right when I was typing in the passphrases.  That puzzled and frustrated me but that's my experience.  Sometimes you have to delete the profile and just start over as often the profiles can't be edited completely or renamed or ......

But this seems to not be your issue in this case...  maybe in some of them??

Obviously, if a laptop connects completely in one place and not another, it is a signal issue.  Don't forget that SNR varies with "N" as well as "S".  So it can be that one location is noisier even though the signal level is still what would be OK in a quieter location.  Electromechanical machines generating electromagnetic noise fields, microwave ovens, portable telephones are all possibilities.

Assisted Solution

by:RikeR
RikeR earned 167 total points
Hi,

DHCP is a broadcast message and is usually transmitted at a lower data rate. Since distance from the AP degrades the data rate, DHCP will fade out earlier than unicast traffic. If the system allows, you can increase the broad/multicast Tx rate. Not sure if this will work. Alternatively, perform a site survey using free tools like Ekahau's HeatMapper (use Google to find the link).

In general: DHCP issues are known at the edges of a wireless network.
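An added example, not part of any post in this thread: when reading a capture like the one described in the question, the BOOTP flags field and the ciaddr/giaddr fields of the client's message show how RFC 2131 (section 4.1) tells the server to address its reply, broadcast or unicast. The function names are hypothetical and the sample DISCOVER (MAC address, transaction ID) is constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
BROADCAST_FLAG = 0x8000              # top bit of the 16-bit BOOTP flags field

def parse_dhcp(payload: bytes) -> dict:
    """Decode the fields of a DHCP message (UDP payload) that decide reply addressing."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("short payload or missing DHCP magic cookie")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr = ipaddress.IPv4Address(payload[12:16])
    giaddr = ipaddress.IPv4Address(payload[24:28])
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:     # option 255 ends the list
        if payload[i] == 0:                           # option 0 is padding, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated DHCP option")
        if payload[i] == 53 and payload[i + 1] == 1:  # option 53 = DHCP message type
            msg_type = payload[i + 2]
        i += 2 + payload[i + 1]
    return {"op": op, "xid": xid, "broadcast": bool(flags & BROADCAST_FLAG),
            "ciaddr": ciaddr, "giaddr": giaddr, "msg_type": msg_type,
            "chaddr": payload[28:28 + min(hlen, 16)].hex(":")}

def reply_delivery(msg: dict) -> str:
    """How RFC 2131 section 4.1 tells a server to address its OFFER/ACK."""
    if int(msg["giaddr"]):
        return "unicast to relay agent (giaddr)"
    if int(msg["ciaddr"]):
        return "unicast to ciaddr"
    if msg["broadcast"]:
        return "broadcast to 255.255.255.255"
    return "unicast to yiaddr at the client's hardware address"

def sample_discover(flags: int) -> bytes:
    """Constructed DHCPDISCOVER for illustration; MAC and xid are made up."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, flags)
    addrs = bytes(16)                                 # ciaddr, yiaddr, siaddr, giaddr = 0
    chaddr = bytes.fromhex("020000aabbcc").ljust(16, b"\x00")
    options = bytes([53, 1, 1, 255])                  # message type = DISCOVER, end
    return header + addrs + chaddr + bytes(192) + MAGIC_COOKIE + options

if __name__ == "__main__":
    for flags in (0x8000, 0x0000):
        print(hex(flags), "->", reply_delivery(parse_dhcp(sample_discover(flags))))
```

Feed it the UDP payload of a client DISCOVER or REQUEST exported from the capture to see which delivery path the server's reply should take.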
 

Author Closing Comment

by:x3man
Thanks everyone

There are some interesting points to consider. Particularly concerning data rates, broadcast and unicast etc. I'll have a look at setting the DHCP server to respond with unicast responses - see what effect, if any, that has.

It looks likely that the most successful way of improving connectivity would be to upgrade and improve the wireless AP infrastructure. However like I said before, that is unlikely to happen, hence the reason I asked if there is any other option to improve connectivity.

Thanks again to all who replied.

Author Comment

by:x3man
Just for info. I tried setting the DHCP server to respond with unicast responses as described in the links, and this slowed down the DHCP process for the XP clients even more - wired and wireless. As soon as I removed the setting DHCP started working again. Although the wireless clients often still have problems as mentioned above...