ASD_IT asked:
Wireless authentication issues

We are running into problems with laptops authenticating to our network. We are getting a variety of behavior, none of which is very consistent. We keep getting a "Domain is not available message" when users attempt to log in. We've seen it work for one user and then not the next user.

In all cases, the access point has been up and functioning. We have several carts of 15 laptops. Each cart has a dedicated access point. We have configured each machine to point to a specific SSID.
Access points are configured for WPA authentication.
Our access points authenticate to a single Cisco ACS server. We are seeing errors like below in the failed authentication logs on the ACS server.
03/08/2011 11:13:58 Authen failed host/RIV340-67199.asd.auburn.wednet.edu Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188

We have also seen errors like below on the actual access points:
Station f0b4.79dd.8427 Authentication failed
Interface Dot11Radio0, Deauthenticating Station 8c7b.9d47.3be8 Reason: Previous authentication no longer valid
Interface Dot11Radio0, Station RIV801AP1 0022.fad0.213c Associated KEY_MGMT[WPA]

I've seen other posts that these errors could be pointing to interference issues. I checked the APs and they all seem to be using a different channel. We have all of the Radios set to use the least congested frequency.

What we've experienced is if we plug the laptop into the network via an ethernet cable, something seems to refresh/update. Upon doing that, any user can log into the laptop using the access point. The laptop you plugged into the network will function using the wireless for a couple weeks, then start having the same issues.

We'll get an entire cart stabilized, it moves to a different room and it starts malfunctioning again. We have configured the APs to live on the same VLAN/ip subnet so we don't believe it's an issue with DHCP leasing.

Thanks in advance for any assistance!
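The ACS failed-attempts line quoted in the question carries the clue that the later replies rely on: the identity that failed is `host/<fqdn>`, i.e. the laptop's computer account, not a user. The following is an added example (not part of the original thread or of Cisco ACS) that parses lines in the pasted space-separated shape and separates machine-account failures from user failures, so an admin can see at a glance which laptops keep failing. The field layout is inferred from the one line shown; the three additional log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample log. The first line is the failed-attempt entry quoted in
# the question; the other three are made up in the same shape (a second laptop,
# a user account seen from the first laptop's MAC, and a repeat of the first laptop).
SAMPLE_LOG = """\
03/08/2011 11:13:58 Authen failed host/RIV340-67199.asd.auburn.wednet.edu Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188
03/08/2011 11:14:02 Authen failed host/RIV340-67202.asd.auburn.wednet.edu Default Group 001a.7353.9c10 (Default) External DB user invalid or bad password .. .. 6188
03/08/2011 11:14:20 Authen failed jdoe Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188
03/08/2011 11:15:07 Authen failed host/RIV340-67199.asd.auburn.wednet.edu Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188
"""

# Field layout assumed from the pasted line: date, time, "Authen failed",
# identity, group name, client MAC (Cisco dotted form), a parenthesised field,
# the failure text, and an optional ".. .. <number>" tail.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Authen failed (?P<identity>\S+) (?P<group>.+?) "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) \((?P<nas>[^)]*)\) "
    r"(?P<reason>.+?)(?: \.\. \.\. (?P<code>\d+))?$"
)


def parse_line(line):
    """Return the fields of one failed-attempt line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_machine_account(identity):
    """EAP machine authentication presents the identity as host/<fqdn>."""
    return identity.startswith("host/")


def short_hostname(identity):
    """host/RIV340-67199.asd.auburn.wednet.edu -> RIV340-67199"""
    return identity[len("host/"):].split(".", 1)[0]


def summarize(log_text):
    """Separate machine-account from user-account failures and count repeats."""
    report = {
        "machine_failures": 0,
        "user_failures": 0,
        "unparsed": 0,
        "by_mac": Counter(),
        "by_host": Counter(),
        "reasons": Counter(),
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["by_mac"][rec["mac"]] += 1
        report["reasons"][rec["reason"]] += 1
        if is_machine_account(rec["identity"]):
            report["machine_failures"] += 1
            report["by_host"][short_hostname(rec["identity"])] += 1
        else:
            report["user_failures"] += 1
    # Laptops whose computer account failed more than once are the ones whose
    # AD computer account / ACS group mapping should be checked first.
    report["repeat_hosts"] = sorted(h for h, n in report["by_host"].items() if n > 1)
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print(f"machine-account failures: {r['machine_failures']}, user failures: {r['user_failures']}")
    print("laptops failing repeatedly:", r["repeat_hosts"])
    print("failure reasons:", dict(r["reasons"]))
```

Run against a real ACS failed-attempts export, the `repeat_hosts` list is the set of laptops to compare against the directory (does the computer account exist, and is it in the group the ACS policy allows?) before touching APs or channels.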
Dave Baldwin:

There are only three channels you can use together that don't overlap and interfere with each other and they are channels 1, 6, and 11.  http://kb.netgear.com/app/answers/detail/a_id/1027/~/improving-wireless-range%3A-tuning-equipment   When you have other networks in addition to those three, you will probably have some interference.  In addition, there are other devices that use the 2.4GHz range like microwave ovens and some wireless telephone sets.  http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz
I do this in schools all the time.

The ACS is checking an external DB for user authentication.  This is probably happening because the correct user account isn't present in the ACS database.

You've configured the AP to ask the PC to send its computer credentials, so the computer account must be allowed to access the wireless network via the policy you've defined on the ACS.  The examples you gave indicate that the computer was not allowed to access the network, probably because the ACS doesn't know about the computer account.

The way I do it usually is to create a security group and make all my domain PCs a member of that security group, then create a policy on the ACS or IAS server that includes that security group.
ASD_IT (Asker):
I'm not sure where you need to configure those settings within the ACS server. Can you tell me where this is configured please?
ASD_IT (Asker):
Or how do we turn off the machine authentication?
It's part of the EAP process.  You can tell the wireless client to use User Authentication instead of Computer Authentication as per the following (assuming you use Windows 7):

http://www.stevens.edu/itwiki/w/index.php/Windows_7_802.1x_Wired

See step 6 particularly.
ASD_IT (Asker):
Unfortunately, these are all XP machines.
Sorry, should have guessed that from your screenshots :)

Ok, on the Authentication tab just untick the box 'Authenticate as computer when computer information is available'.
ASD_IT (Asker):
Is there something that needs to be changed on the ACS server as well? Does anything need to be changed on the access points?
You should be able to leave the APs and the ACS as they are.

Have a look at this just to make sure you've covered the basics...
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
> Or how do we turn off the machine authentication?

Uncheck the box shown above in the wirelessconfig2.JPG attachment.



DO lock your APs to use only channels 1, 6 or 11 as noted by DaveBaldwin.

Actually, any channels 5 or more apart in the 2.4GHz band do not overlap, but here in the Americas that means 1, 6 and 11 makes the most of the available spectrum by allotting 3 non-overlapping channels (in Europe that could also use 2, 7 and 12, or 2, 8 and 13... but the Americas are restricted to channels 1 through 11).

If you have three carts within range of each other, and those three are using channels 1, 6 and 11, they will not interfere with each other. If you want more than three carts within range of each other, then those on the same channel should use the same SSID, too. If they are on the same channel using the same SSID, they will take turns talking and not interfere with each other (that behavior is part of the IEEE 802.11 specification). If you're having disconnection issues caused by signal overlap, you should not use the channel auto-select function available in most wireless routers/APs... they will *often* choose wrong because their channel choice is made at startup and they don't pick another channel until powered down or reset by their controllers, even though interfering signals may appear later on the frequency chosen.

Attached is a chart that shows approximately how the channels overlap (the rolloff at the edges actually peaks back up, not unlike harmonic distortion, more than those curves show) in the 2.4GHz band. Note that channel 14 is available only in Japan, and is restricted to 802.11b (802.11g modulation is not allowed on channel 14 anywhere).
2.4GHz-Wi-FiChannels.png
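The "five channels apart" rule above follows directly from the 2.4 GHz channel layout: centres sit 5 MHz apart (channel 1 at 2412 MHz, channel 14 alone at 2484 MHz) and an 802.11b DSSS channel is 22 MHz wide, so two channels are clear of each other only when their centres are at least 25 MHz apart. The following is an added example, not part of the original thread, that turns that arithmetic into a small channel planner: it lists every non-overlapping channel set for a regulatory domain and checks a cart-to-channel plan for adjacent-channel clashes. The regulatory ranges (Americas 1-11, Europe 1-13, Japan 1-14) and the co-channel SSID check are taken from the post; the cart names and plans are constructed, and it assumes every cart in a plan is within range of every other.

```python
from itertools import combinations

# Regulatory domains as described in the thread: the Americas allow channels
# 1-11, Europe 1-13; channel 14 is Japan-only (and 802.11b-only).
DOMAINS = {"americas": range(1, 12), "europe": range(1, 14), "japan": range(1, 15)}

# 802.11b DSSS channels are 22 MHz wide; this is the width behind the
# "five channels apart" rule. Override `width` in overlaps() for other cases.
CHANNEL_WIDTH_MHZ = 22


def center_mhz(channel):
    """Centre frequency: 5 MHz spacing from 2412 MHz on channel 1; 14 is the odd one out."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(a, b, width=CHANNEL_WIDTH_MHZ):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < width


def non_overlapping_sets(domain, size=3):
    """All sets of `size` channels in the domain that are pairwise non-overlapping."""
    chans = list(DOMAINS[domain])
    return [c for c in combinations(chans, size)
            if all(not overlaps(x, y) for x, y in combinations(c, 2))]


def check_plan(plan):
    """Report problems in a plan of (cart_name, channel, ssid) tuples.

    Assumes every cart in the plan is within radio range of every other cart.
    """
    findings = []
    for (c1, ch1, s1), (c2, ch2, s2) in combinations(plan, 2):
        if ch1 != ch2 and overlaps(ch1, ch2):
            findings.append(f"{c1} (ch {ch1}) and {c2} (ch {ch2}) overlap: "
                            f"put them at least 5 channels apart")
        elif ch1 == ch2 and s1 != s2:
            # The post's advice: carts sharing a channel should share an SSID.
            findings.append(f"{c1} and {c2} share channel {ch1} but use different SSIDs")
    return findings


if __name__ == "__main__":
    for dom in DOMAINS:
        print(dom, "non-overlapping triples:", non_overlapping_sets(dom))
    # Constructed plans: a clean one and one with two carts four channels apart.
    print(check_plan([("cart-A", 1, "labs"), ("cart-B", 6, "labs"), ("cart-C", 11, "labs")]))
    print(check_plan([("cart-A", 1, "labs"), ("cart-B", 5, "labs")]))
```

In the Americas the planner returns exactly one triple, (1, 6, 11), which is why the advice is to lock the APs to those channels rather than leave auto-select on; in Europe it also finds the (2, 7, 12) and (2, 8, 13) sets the post mentions.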
ASD_IT (Asker):
Sorry, but we realized that if we turn off machine authentication, we have no way of blocking kids from accessing the internet via our network on their iPhones, etc...so machine authentication needs to stay.

I opened a case with Cisco to see if they had any insight. They claim this a Microsoft issue as a computer account password that cycles every 30 days is what is causing active directory not to see the machine account. The engineer I spoke with claims that this can be modified in group policy, pointed me to an article. The article doesn't seem to point to the correct area.

Do you know where the group policy setting is for this?
The images you attached suggest you're using MAC authentication, so unless you have the MAC address of each student's iPhone in your directory they shouldn't be able to connect at all!
ASKER CERTIFIED SOLUTION
Craig Beck
ASD_IT (Asker):
I'm happy to provide screenshots of anything that you'd be willing to look at. We had tried to make our Domain Computers group mapped to "Group 1" and include that in the external user database settings and it's now broken things to where nothing can authenticate via ACS.

Tell me what settings you need to see and I will get the screenshots. We are running v4.2 of Cisco ACS server.