
Wireless authentication issues

Posted on 2011-03-08
Last Modified: 2013-12-27
We are running into problems with laptops authenticating to our network. We are getting a variety of behavior, none of which is very consistent. We keep getting a "Domain is not available" message when users attempt to log in. We've seen it work for one user and then not the next user.

In all cases, the access point has been up and functioning. We have several carts of 15 laptops. Each cart has a dedicated access point. We have configured each machine to point to a specific SSID. [attachments: Config 1, Config 2, Config 3]
Access points are configured for WPA authentication. [attachment: Wireless Security on AP]
Our access points authenticate to a single Cisco ACS server. We are seeing errors like below in the failed authentication logs on the ACS server.
03/08/2011 11:13:58 Authen failed host/RIV340-67199.asd.auburn.wednet.edu Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188

We have also seen errors like below on the actual access points:
Station f0b4.79dd.8427 Authentication failed
Interface Dot11Radio0, Deauthenticating Station 8c7b.9d47.3be8 Reason: Previous authentication no longer valid
Interface Dot11Radio0, Station RIV801AP1 0022.fad0.213c Associated KEY_MGMT[WPA]

I've seen other posts that these errors could be pointing to interference issues. I checked the APs and they all seem to be using a different channel. We have all of the Radios set to use the least congested frequency.

What we've experienced is that if we plug the laptop into the network via an ethernet cable, something seems to refresh/update. Upon doing that, any user can log into the laptop using the access point. The laptop you plugged into the network will function using the wireless for a couple of weeks, then start having the same issues.

We'll get an entire cart stabilized, it moves to a different room and it starts malfunctioning again. We have configured the APs to live on the same VLAN/IP subnet so we don't believe it's an issue with DHCP leasing.

Thanks in advance for any assistance!
Question by:ASD_IT
14 Comments

Expert Comment

by:Dave Baldwin
ID: 35080340
There are only three channels you can use together that don't overlap and interfere with each other and they are channels 1, 6, and 11.  http://kb.netgear.com/app/answers/detail/a_id/1027/~/improving-wireless-range%3A-tuning-equipment   When you have other networks in addition to those three, you will probably have some interference.  In addition, there are other devices that use the 2.4GHz range like microwave ovens and some wireless telephone sets.  http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz

Expert Comment

by:Craig Beck
ID: 35084406
I do this in schools all the time.

The ACS is checking an external DB for user authentication.  This is probably happening because the correct user account isn't present in the ACS database.

You've configured the AP to ask the PC to send its computer credentials, so the computer account must be allowed to access the wireless network via the policy you've defined on the ACS.  The examples you gave indicate that the computer was not allowed to access the network, probably because the ACS doesn't know about the computer account.

The way I do it usually is to create a security group and make all my domain PCs a member of that security group, then create a policy on the ACS or IAS server that includes that security group.

Author Comment

by:ASD_IT
ID: 35085374
I'm not sure where you need to configure those settings within the ACS server. Can you tell me where this is configured please?

Author Comment

by:ASD_IT
ID: 35085962
Or how do we turn off the machine authentication?

Expert Comment

by:Craig Beck
ID: 35086043
It's part of the EAP process.  You can tell the wireless client to use User Authentication instead of Computer Authentication as per the following (assuming you use Windows 7):

http://www.stevens.edu/itwiki/w/index.php/Windows_7_802.1x_Wired

See step 6 particularly.

Author Comment

by:ASD_IT
ID: 35086274
Unfortunately, these are all XP machines.
LVL 45

Expert Comment

by:Craig Beck
ID: 35086360
Sorry, should have guessed that from your screenshots :)

Ok, on the Authentication tab just untick the box 'Authenticate as computer when computer information is available'.

Author Comment

by:ASD_IT
ID: 35086572
Is there something that needs to be changed on the ACS server as well? Does anything need to be changed on the access points?

Expert Comment

by:Craig Beck
ID: 35086694
You should be able to leave the APs and the ACS as they are.

Have a look at this just to make sure you've covered the basics...
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

Expert Comment

by:Darr247
ID: 35086827
> Or how do we turn off the machine authentication?

Uncheck the box shown above in the wirelessconfig2.JPG attachment.



DO lock your APs to use only channels 1, 6 or 11 as noted by DaveBaldwin.

Actually, any channels 5 or more apart in the 2.4GHz band do not overlap, but here in the Americas that means 1, 6 and 11 makes the most of the available spectrum by allotting 3 non-overlapping channels (in Europe that could also be 2, 7 and 12, or 2, 8 and 13... but the Americas are restricted to channels 1 through 11).

If you have three carts within range of each other, and those three are using channels 1, 6 and 11, they will not interfere with each other. If you want more than three carts within range of each other, then those on the same channel should use the same SSID, too. If they are on the same channel using the same SSID, they will take turns talking and not interfere with each other (that behavior is part of the IEEE 802.11 specification). If you're having disconnection issues caused by signal overlap, you should not use the channel auto-select function available in most wireless routers/APs... they will *often* choose wrong because their channel choice is made at startup and they don't pick another channel until powered down or reset by their controllers, even though interfering signals may appear later on the frequency chosen.

Attached is a chart that shows approximately how the channels overlap (the rolloff at the edges actually peaks back up, not unlike harmonic distortion, more than those curves show) in the 2.4GHz band. Note that channel 14 is available only in Japan, and is restricted to 802.11b (802.11g modulation is not allowed on channel 14 anywhere).
[attachment: 2.4GHz-Wi-FiChannels.png]
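The channel arithmetic behind the advice in the two comments above (Dave Baldwin's 1/6/11 and Darr247's "5 or more apart" rule) can be checked mechanically. The script below is an added example, not code from the thread or from any vendor: it uses the standard 2.4 GHz plan (channel n at 2407 + 5n MHz for n = 1..13, channel 14 at 2484 MHz, a 22 MHz wide 802.11b/g channel), flags AP pairs whose channels overlap, and reports co-channel APs that use different SSIDs, which is what Darr247 advises against. The AP list and the regulatory channel ranges are constructed assumptions; replace them with your own cart inventory.

```python
"""2.4 GHz channel planner: find overlapping channel assignments among APs.

Added example, not from the thread. Channel centres follow the standard
2.4 GHz plan; an 802.11b/g channel occupies about 22 MHz, so two channels
interfere when their centres are closer than 22 MHz, i.e. fewer than five
channel numbers apart (1/6/11 are 25 MHz apart and do not overlap).
"""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22
# Constructed regulatory ranges: US 1-11, most of Europe 1-13, Japan 1-14.
REGULATORY = {"US": range(1, 12), "EU": range(1, 14), "JP": range(1, 15)}

# Constructed cart inventory in the shape of the question: one AP per cart,
# each with its own SSID.  Cart4 and Cart5 are deliberately placed badly.
SAMPLE_APS = [
    ("Cart1-AP", 1, "LAPTOPS-1"),
    ("Cart2-AP", 6, "LAPTOPS-2"),
    ("Cart3-AP", 11, "LAPTOPS-3"),
    ("Cart4-AP", 3, "LAPTOPS-4"),   # sits between 1 and 6: overlaps both
    ("Cart5-AP", 6, "LAPTOPS-5"),   # same channel as Cart2, different SSID
]


def center_mhz(channel):
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484          # Japan-only, 802.11b-only channel
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlaps(ch_a, ch_b):
    """True when the two channels' 22 MHz envelopes overlap."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_plan(domain="US", start=1):
    """Greedy set of mutually non-overlapping channels, lowest first.

    Reproduces the usual answers: US -> [1, 6, 11]; EU from 2 -> [2, 7, 12];
    JP -> [1, 6, 11, 14] (channel 14 is 802.11b only).
    """
    chosen = []
    for ch in REGULATORY[domain]:
        if ch >= start and all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def find_conflicts(aps):
    """aps: iterable of (name, channel, ssid).  Returns (a, b, kind) tuples.

    Adjacent-channel overlap is the real interference case.  Co-channel APs
    share airtime via CSMA; the thread's advice is that those should carry
    the same SSID, so a co-channel pair with different SSIDs is reported too.
    """
    conflicts = []
    for (na, ca, sa), (nb, cb, sb) in combinations(aps, 2):
        if ca == cb:
            if sa != sb:
                conflicts.append((na, nb, "co-channel, different SSID"))
        elif overlaps(ca, cb):
            conflicts.append((na, nb, "adjacent-channel overlap"))
    return conflicts


if __name__ == "__main__":
    print("US non-overlapping plan:", non_overlapping_plan("US"))
    print("EU plan from channel 2:", non_overlapping_plan("EU", start=2))
    for a, b, kind in find_conflicts(SAMPLE_APS):
        print(f"{a} <-> {b}: {kind}")
```

Run it against the real cart list (name, channel, SSID) after locking the radios to fixed channels; an empty conflict list means every pair of APs within range of each other is either on non-overlapping channels or deliberately sharing one channel and SSID.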

Author Comment

by:ASD_IT
ID: 35089658
Sorry, but we realized that if we turn off machine authentication, we have no way of blocking kids from accessing the internet via our network on their iPhones, etc...so machine authentication needs to stay.

I opened a case with Cisco to see if they had any insight. They claim this is a Microsoft issue, as a computer account password that cycles every 30 days is what is causing Active Directory not to see the machine account. The engineer I spoke with claims that this can be modified in group policy, and pointed me to an article. The article doesn't seem to point to the correct area.

Do you know where the group policy setting is for this?

Expert Comment

by:Craig Beck
ID: 35092790
The images you attached suggest you're using MAC authentication, so unless you have the MAC address of each student's iPhone in your directory they shouldn't be able to connect at all!

Accepted Solution

by:Craig Beck
ID: 35092795
The explanation from Cisco appears to be incorrect.

All the ACS is doing is asking the directory if the computer account is valid, and if it is allowed to connect to the network based on the criteria set in the access policy.  There is no password checking being done.

I'd have a look at your policy on the ACS and ensure that there is a method of determining which computers are allowed to connect, even if you have to specify Domain Computers.
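The accepted answer's point is that the ACS "External DB user invalid or bad password" entries for host/ accounts mean the directory lookup of the machine account failed, so the first thing to establish is which machine accounts are being rejected and which client MACs they map to. The script below is an added triage example, not code from the thread or from Cisco: it parses lines in the layout of the ACS 4.x failed-attempts log quoted in the question, separates machine (host/) failures from user failures, lists the machine accounts to verify in the directory and in the ACS group mapping, and joins them to the AP station events (also quoted in the question) on the client MAC. All sample log text is constructed to match those layouts; field names and the regular expressions are assumptions about the log format, not Cisco documentation.

```python
"""Triage Cisco ACS 4.x failed-attempt lines and correlate with AP events.

Added example, not from the thread or from Cisco.  The line layouts are
taken from the log excerpts quoted in the question; the text below is
constructed sample data in that layout.
"""
import re
from collections import defaultdict

# Constructed lines in the layout of the ACS "Failed Attempts" log.
ACS_FAILED_ATTEMPTS = """\
03/08/2011 11:13:58 Authen failed host/RIV340-67199.asd.auburn.wednet.edu Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188
03/08/2011 11:14:02 Authen failed host/RIV340-67199.asd.auburn.wednet.edu Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188
03/08/2011 11:15:30 Authen failed jsmith Default Group 8c7b.9d47.3be8 (Default) External DB user invalid or bad password .. .. 6188
03/08/2011 11:16:11 Authen failed host/RIV340-67204.asd.auburn.wednet.edu Default Group f0b4.79dd.8427 (Default) External DB user invalid or bad password .. .. 6188
"""

# Constructed lines in the layout of the autonomous AP syslog messages.
AP_EVENTS = """\
Station f0b4.79dd.8427 Authentication failed
Interface Dot11Radio0, Deauthenticating Station 8c7b.9d47.3be8 Reason: Previous authentication no longer valid
Interface Dot11Radio0, Station RIV801AP1 0022.fad0.213c Associated KEY_MGMT[WPA]
"""

CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# date time "Authen failed" user group mac (mapped-group) reason .. .. code
ACS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Authen failed (?P<user>\S+) "
    r"(?P<group>.+?) (?P<mac>" + CISCO_MAC + r") \((?P<mapped>[^)]*)\) "
    r"(?P<reason>.+?) \.\. \.\. (?P<code>\d+)$", re.IGNORECASE)
# "Station <mac> <event>" or "Station <name> <mac> <event>"
AP_LINE = re.compile(
    r"Station (?:\S+ )?(?P<mac>" + CISCO_MAC + r") (?P<event>.+)$", re.IGNORECASE)


def parse_acs(text):
    """One dict per failed-attempt line; lines in another layout are skipped."""
    records = []
    for line in text.splitlines():
        m = ACS_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # 802.1X machine authentication is logged as host/<FQDN>; a user as the account name.
        rec["is_machine"] = rec["user"].lower().startswith("host/")
        rec["account"] = rec["user"][5:].split(".")[0] if rec["is_machine"] else rec["user"]
        records.append(rec)
    return records


def parse_ap(text):
    """Extract (client MAC, event text) from AP station messages."""
    events = []
    for line in text.splitlines():
        m = AP_LINE.search(line)
        if m:
            events.append({"mac": m.group("mac").lower(), "event": m.group("event").strip()})
    return events


def summarize_failures(records):
    """Per account: failure count, MACs seen, distinct ACS reasons, machine flag."""
    summary = defaultdict(lambda: {"count": 0, "macs": set(), "reasons": set(), "machine": False})
    for r in records:
        s = summary[r["account"]]
        s["count"] += 1
        s["macs"].add(r["mac"].lower())
        s["reasons"].add(r["reason"])
        s["machine"] = r["is_machine"]
    return dict(summary)


def failing_machine_accounts(records):
    """Machine accounts the directory lookup rejected: check these exist in AD and
    are members of the group the ACS policy permits (e.g. Domain Computers)."""
    return sorted({r["account"] for r in records
                   if r["is_machine"] and r["reason"].startswith("External DB")})


def correlate(records, ap_events):
    """Join ACS failures to AP station events on the client MAC."""
    by_mac = defaultdict(lambda: {"accounts": set(), "ap_events": []})
    for r in records:
        by_mac[r["mac"].lower()]["accounts"].add(r["account"])
    for e in ap_events:
        if e["mac"] in by_mac:          # ignore MACs with no ACS failure (e.g. the AP itself)
            by_mac[e["mac"]]["ap_events"].append(e["event"])
    return dict(by_mac)


if __name__ == "__main__":
    acs = parse_acs(ACS_FAILED_ATTEMPTS)
    for account, s in summarize_failures(acs).items():
        kind = "machine" if s["machine"] else "user"
        print(f"{account:14} {kind:8} failures={s['count']} macs={sorted(s['macs'])}")
    print("machine accounts to verify in AD/ACS mapping:", failing_machine_accounts(acs))
    for mac, info in correlate(acs, parse_ap(AP_EVENTS)).items():
        print(mac, sorted(info["accounts"]), info["ap_events"])
```

Feed it the exported failed-attempts CSV converted to this line layout, or adapt the regular expression to the export's column order; the list from failing_machine_accounts() is what to check against the directory group that the ACS access policy maps to.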

Author Comment

by:ASD_IT
ID: 35096425
I'm happy to provide screenshots of anything that you'd be willing to look at. We had tried mapping our Domain Computers group to "Group 1" and including that in the external user database settings, and it has now broken things to where nothing can authenticate via ACS.

Tell me what settings you need to see and I will get the screenshots. We are running v4.2 of CiscoACS server.