Wireless authentication issues

We are running into problems with laptops authenticating to our network. We are getting a variety of behavior, none of which is very consistent. We keep getting a "Domain is not available" message when users attempt to log in. We've seen it work for one user and then not the next user.

In all cases, the access point has been up and functioning. We have several carts of 15 laptops. Each cart has a dedicated access point. We have configured each machine to point to a specific SSID. (Attachments: Config 1, Config 2, Config 3)
Access points are configured for WPA authentication. (Attachment: Wireless Security on AP)
Our access points authenticate to a single Cisco ACS server. We are seeing errors like below in the failed authentication logs on the ACS server.
03/08/2011 11:13:58 Authen failed host/ Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188

We have also seen errors like below on the actual access points:
Station f0b4.79dd.8427 Authentication failed
Interface Dot11Radio0, Deauthenticating Station 8c7b.9d47.3be8 Reason: Previous authentication no longer valid
Interface Dot11Radio0, Station RIV801AP1 0022.fad0.213c Associated KEY_MGMT[WPA]

I've seen other posts that these errors could be pointing to interference issues. I checked the APs and they all seem to be using a different channel. We have all of the Radios set to use the least congested frequency.

What we've experienced is if we plug the laptop into the network via an ethernet cable, something seems to refresh/update. Upon doing that, any user can log into the laptop using the access point. The laptop you plugged into the network will function using the wireless for a couple weeks, then start having the same issues.

We'll get an entire cart stabilized, it moves to a different room and it starts malfunctioning again. We have configured the APs to live on the same VLAN/IP subnet so we don't believe it's an issue with DHCP leasing.

Thanks in advance for any assistance!
1 Solution
Dave Baldwin (Fixer of Problems) commented:
There are only three channels you can use together that don't overlap and interfere with each other and they are channels 1, 6, and 11.   When you have other networks in addition to those three, you will probably have some interference.  In addition, there are other devices that use the 2.4GHz range like microwave ovens and some wireless telephone sets.
Craig Beck commented:
I do this in schools all the time.

The ACS is checking an external DB for user authentication.  This is probably happening because the correct user account isn't present in the ACS database.

You've configured the AP to ask the PC to send its computer credentials, so the computer account must be allowed to access the wireless network via the policy you've defined on the ACS.  The examples you gave indicate that the computer was not allowed to access the network, probably because the ACS doesn't know about the computer account.

The way I do it usually is to create a security group and make all my domain PCs a member of that security group, then create a policy on the ACS or IAS server that includes that security group.
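The ACS log line quoted in the question shows a user name beginning with host/, which is how an 802.1X machine (computer-account) authentication appears, as opposed to a user logon. The script below is an added example for this thread, not code from Cisco ACS or from anyone posting here: it splits failed-attempt lines into machine-auth and user-auth failures and lists the caller-ID MACs behind the machine-auth ones, which are the computer accounts to check against the ACS access policy or group mapping. The log lines are constructed to mimic the shape of the single line in the question; a real ACS 4.x CSV export has more columns, so adapt LINE_RE to your export.

```python
"""Triage Cisco ACS "failed attempts" entries by authentication kind.

Added example for this thread; not code from Cisco ACS or from the people
posting. SAMPLE_LOG is constructed to mimic the one line quoted in the
question (date, time, "Authen failed", user name, group, caller-id MAC,
profile in parentheses, failure text, trailing fields); adapt LINE_RE to the
columns of your own export.
"""
import re
from collections import Counter, defaultdict

# Constructed sample data, not a real log.
SAMPLE_LOG = """\
03/08/2011 11:13:58 Authen failed host/LAPTOP-C1-01.example.local Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188
03/08/2011 11:14:02 Authen failed host/ Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6189
03/08/2011 11:15:10 Authen failed jsmith Default Group 8c7b.9d47.3be8 (Default) External DB user invalid or bad password .. .. 6190
03/08/2011 11:16:44 Authen failed host/LAPTOP-C2-07.example.local Default Group f0b4.79dd.8427 (Default) External DB user invalid or bad password .. .. 6191
"""

LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"Authen failed (?P<user>\S+) "
    r"(?P<group>.+?) "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"\((?P<profile>[^)]*)\) "
    r"(?P<reason>.+?)(?: \.\.)+ (?P<seq>\d+)$"
)


def parse_line(line):
    """Return a dict for one failed-authentication line, or None if it does
    not match. Machine authentication shows up as a user name of the form
    host/<computer>; anything else is treated as a user logon."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["user"].lower().startswith("host/"):
        rec["kind"] = "machine"
        # A bare "host/" (name missing, as in the question) yields None.
        rec["computer"] = rec["user"][len("host/"):] or None
    else:
        rec["kind"] = "user"
        rec["computer"] = None
    return rec


def summarize(log_text):
    """Count failures by (kind, reason) and collect the caller-ID MACs behind
    machine-auth failures together with the computer names seen for them."""
    counts = Counter()
    machine_macs = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["kind"], rec["reason"])] += 1
        if rec["kind"] == "machine":
            machine_macs[rec["mac"]].add(rec["computer"])
    return counts, dict(machine_macs)


if __name__ == "__main__":
    counts, macs = summarize(SAMPLE_LOG)
    for (kind, reason), n in counts.most_common():
        print(f"{n:3d}  {kind:7s}  {reason}")
    for mac, names in sorted(macs.items()):
        print(mac, sorted(n for n in names if n))
```

Run against the real export, if nearly every failure is of kind "machine" with the "External DB user invalid" text, the problem is with how the computer accounts are admitted by the ACS policy rather than with user passwords or the radio.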
ASD_IT (Author) commented:
I'm not sure where you need to configure those settings within the ACS server. Can you tell me where this is configured please?
ASD_IT (Author) commented:
Or how do we turn off the machine authentication?
Craig Beck commented:
It's part of the EAP process.  You can tell the wireless client to use User Authentication instead of Computer Authentication as per the following (assuming you use Windows 7):

See step 6 particularly.
ASD_IT (Author) commented:
Unfortunately, these are all XP machines.
Craig Beck commented:
Sorry, should have guessed that from your screenshots :)

Ok, on the Authentication tab just untick the box 'Authenticate as computer when computer information is available'.
ASD_IT (Author) commented:
Is there something that needs to be changed on the ACS server as well? Does anything need to be changed on the access points?
Craig Beck commented:
You should be able to leave the APs and the ACS as they are.

Have a look at this just to make sure you've covered the basics...
> Or how do we turn off the machine authentication?

Uncheck the box shown above in the wirelessconfig2.JPG attachment.

DO lock your APs to use only channels 1, 6 or 11 as noted by DaveBaldwin.

Actually, any channels 5 or more apart in the 2.4GHz band do not overlap, but here in the Americas that means 1, 6 and 11 makes the most of the available spectrum by allotting 3 non-overlapping channels (in Europe that could also use 2, 7 and 12, or 2, 8 and 13... but the Americas are restricted to channels 1 through 11).

If you have three carts within range of each other, and those three are using channels 1, 6 and 11, they will not interfere with each other. If you want more than three carts within range of each other, then those on the same channel should use the same SSID, too. If they are on the same channel using the same SSID, they will take turns talking and not interfere with each other (that behavior is part of the IEEE 802.11 specification). If you're having disconnection issues caused by signal overlap, you should not use the channel auto-select function available in most wireless routers/APs... they will *often* chose wrong because their channel choice is made at startup and they don't pick another channel until powered down or reset by their controllers, even though interfering signals may appear later on the frequency chosen.

Attached is a chart that shows approximately how the channels overlap (the rolloff at the edges actually peaks back up, not unlike harmonic distortion, more than those curves show) in the 2.4GHz band. Note that channel 14 is available only in Japan, and is restricted to 802.11b (802.11g modulation is not allowed on channel 14 anywhere).
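The channel-spacing rule in the comment above (channels must be 5 apart, channel 14 is a special case) can be checked mechanically against a site's AP list. The script below is an added example for this thread, not code from anyone posting or from any vendor: it computes overlap from the 802.11 centre frequencies rather than from channel numbers, so channel 14 (only 12 MHz above channel 13) is handled correctly, flags channels a region does not permit, and derives the set of mutually clear channels per region. The AP names (one borrowed from the question's log, the rest invented), channel assignments and "within range of each other" groups are constructed.

```python
"""Audit a 2.4 GHz channel plan for overlapping access points.

Added example for this thread; not code from the people posting or from any
vendor. Centre frequencies follow 802.11: channel 1 at 2412 MHz, 5 MHz steps
up to channel 13 (2472 MHz), channel 14 at 2484 MHz. The 22 MHz width is the
802.11b DSSS footprint, which is why channels need to be 5 apart to be clear.
AP names, channels and range groups below are constructed.
"""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # 802.11b DSSS; 802.11g OFDM occupies 20 MHz

# Channels permitted for general use per region (assumed regulatory sets).
REGIONS = {
    "americas": range(1, 12),  # 1..11
    "europe": range(1, 14),    # 1..13
    "japan": range(1, 15),     # 1..14, with 14 being 802.11b only
}


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if not 1 <= channel <= 14:
        raise ValueError(f"channel {channel} is not a 2.4 GHz channel")
    return 2484 if channel == 14 else 2407 + 5 * channel


def channels_overlap(a, b, width=CHANNEL_WIDTH_MHZ):
    """Two channels overlap when their centres are closer than one channel
    width. Channels 1 and 6 are 25 MHz apart (clear); 1 and 5 are 20 MHz
    apart (overlap); 13 and 14 are only 12 MHz apart (overlap)."""
    return abs(centre_mhz(a) - centre_mhz(b)) < width


def clear_channels(region="americas"):
    """Greedy set of mutually non-overlapping channels for a region,
    scanning upward from channel 1."""
    chosen = []
    for ch in REGIONS[region]:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def audit_plan(plan, range_groups, region="americas"):
    """plan: {ap_name: channel}. range_groups: iterable of sets of AP names
    that can hear each other. Returns (sorted overlapping AP pairs,
    {ap: channel} for channels the region does not permit)."""
    allowed = set(REGIONS[region])
    bad_channels = {ap: ch for ap, ch in plan.items() if ch not in allowed}
    overlaps = set()
    for group in range_groups:
        for a, b in combinations(sorted(group), 2):
            if channels_overlap(plan[a], plan[b]):
                overlaps.add((a, b))
    return sorted(overlaps), bad_channels


if __name__ == "__main__":
    # Constructed plan: three carts on 1/6/11 plus a fourth AP on channel 3.
    plan = {"RIV801AP1": 1, "RIV801AP2": 6, "RIV801AP3": 11, "RIV802AP1": 3}
    groups = [{"RIV801AP1", "RIV801AP2", "RIV801AP3", "RIV802AP1"}]
    overlaps, bad = audit_plan(plan, groups)
    print("clear channels:", clear_channels("americas"))
    print("overlapping pairs:", overlaps)
    print("disallowed channels:", bad)
```

In the constructed plan the AP on channel 3 collides with both the channel-1 and channel-6 neighbours it can hear, which is the kind of result an auto-select radio can leave you with after a move between rooms.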
ASD_IT (Author) commented:
Sorry, but we realized that if we turn off machine authentication, we have no way of blocking kids from accessing the internet via our network on their iPhones, machine authentication needs to stay.

I opened a case with Cisco to see if they had any insight. They claim this a Microsoft issue as a computer account password that cycles every 30 days is what is causing active directory not to see the machine account. The engineer I spoke with claims that this can be modified in group policy, pointed me to an article. The article doesn't seem to point to the correct area.

Do you know where the group policy setting is for this?
Craig Beck commented:
The images you attached suggest you're using MAC authentication, so unless you have the MAC address of each student's iPhone in your directory they shouldn't be able to connect at all!
Craig Beck commented:
The explanation from Cisco appears to be incorrect.

All the ACS is doing is asking the directory if the computer account is valid, and if it is allowed to connect to the network based on the criteria set in the access policy.  There is no password checking being done.

I'd have a look at your policy on the ACS and ensure that there is a method of determining which computers are allowed to connect, even if you have to specify Domain Computers.
ASD_IT (Author) commented:
I'm happy to provide screenshots of anything that you'd be willing to look at. We had tried to make our Domain Computers group mapped to "Group 1" and include that in the external user database settings and it's now broken things to where nothing can authenticate via ACS.

Tell me what settings you need to see and I will get the screenshots. We are running v4.2 of CiscoACS server.