Solved

Wireless authentication issues

Posted on 2011-03-08
Last Modified: 2013-12-27
We are running into problems with laptops authenticating to our network. We are getting a variety of behavior, none of which is very consistent. We keep getting a "Domain is not available message" when users attempt to log in. We've seen it work for one user and then not the next user.

In all cases, the access point has been up and functioning. We have several carts of 15 laptops. Each cart has a dedicated access point. We have configured each machine to point to a specific SSID. (Attachments: Config 1, Config 2, Config 3)
Access points are configured for WPA authentication. (Attachment: Wireless Security on AP)
Our access points authenticate to a single Cisco ACS server. We are seeing errors like the one below in the failed authentication logs on the ACS server.
03/08/2011 11:13:58 Authen failed host/RIV340-67199.asd.auburn.wednet.edu Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188

We have also seen errors like below on the actual access points:
Station f0b4.79dd.8427 Authentication failed
Interface Dot11Radio0, Deauthenticating Station 8c7b.9d47.3be8 Reason: Previous authentication no longer valid
Interface Dot11Radio0, Station RIV801AP1 0022.fad0.213c Associated KEY_MGMT[WPA]

I've seen other posts suggesting that these errors could be pointing to interference issues. I checked the APs and they all seem to be using a different channel. We have all of the radios set to use the least congested frequency.

What we've experienced is if we plug the laptop into the network via an ethernet cable, something seems to refresh/update. Upon doing that, any user can log into the laptop using the access point. The laptop you plugged into the network will function using the wireless for a couple weeks, then start having the same issues.

We'll get an entire cart stabilized, it moves to a different room and it starts malfunctioning again. We have configured the APs to live on the same VLAN/IP subnet so we don't believe it's an issue with DHCP leasing.

Thanks in advance for any assistance!
Question by:ASD_IT
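Before changing anything on the ACS or the APs, it helps to see which accounts and which stations are actually failing. The script below is an added example, not code from the thread: it parses ACS 4.x "Authen failed" lines in the format quoted above, tags machine-account failures (user names beginning with host/), and correlates the caller MAC with the MACs seen in the AP-side "Authentication failed" and "Deauthenticating" messages. The sample log lines are constructed from the ones in the question (two extra ACS lines were made up so that the MACs from the AP log appear on both sides); the meaning of the trailing ".. .. 6188" fields is not stated on the page, so the parser only tolerates them and does not interpret them.

```python
"""Triage Cisco ACS 4.x failed-attempt lines and Cisco IOS AP dot11 log lines
(added example; not part of the original thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample input modelled on the lines quoted in the question.
# The second and third ACS lines are invented so that two MACs from the AP log
# also appear here and can be correlated.
ACS_FAILED_LOG = """\
03/08/2011 11:13:58 Authen failed host/RIV340-67199.asd.auburn.wednet.edu Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6188
03/08/2011 11:14:02 Authen failed host/RIV340-67201.asd.auburn.wednet.edu Default Group f0b4.79dd.8427 (Default) External DB user invalid or bad password .. .. 6189
03/08/2011 11:15:30 Authen failed jsmith Default Group 8c7b.9d47.3be8 (Default) External DB user invalid or bad password .. .. 6190
03/08/2011 11:16:11 Authen failed host/RIV340-67199.asd.auburn.wednet.edu Default Group 001a.7353.81bf (Default) External DB user invalid or bad password .. .. 6191
"""

AP_LOG = """\
Station f0b4.79dd.8427 Authentication failed
Interface Dot11Radio0, Deauthenticating Station 8c7b.9d47.3be8 Reason: Previous authentication no longer valid
Interface Dot11Radio0, Station RIV801AP1 0022.fad0.213c Associated KEY_MGMT[WPA]
"""

# date time "Authen failed" user group caller-id (ndg) reason [trailing fields]
ACS_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) Authen failed "
    r"(?P<user>\S+) (?P<group>.+?) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"\((?P<ndg>[^)]+)\) (?P<reason>.+?)(?: \.\. \.\. \d+)?$"
)
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")


def parse_acs_failed(line):
    """Return a dict for one ACS failed-attempt line, or None if it does not match."""
    m = ACS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Machine (computer) authentication shows up as host/<fqdn>; anything else is a user.
    rec["is_machine"] = rec["user"].startswith("host/")
    return rec


def ap_events(text):
    """Map station MAC -> list of AP-side event kinds, in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        macs = MAC_RE.findall(line)
        if not macs:
            continue
        if "Authentication failed" in line:
            kind = "auth_failed"
        elif "Deauthenticating" in line:
            kind = "deauth"
        elif "Associated" in line:
            kind = "associated"
        else:
            kind = "other"
        events[macs[-1]].append(kind)  # the station MAC is the last one on the line
    return dict(events)


def triage(acs_text, ap_text):
    """Summarise failures by reason and by account, and list MACs seen failing on both sides."""
    recs = [r for r in (parse_acs_failed(l) for l in acs_text.splitlines()) if r]
    ap = ap_events(ap_text)
    return {
        "by_reason": Counter(r["reason"] for r in recs),
        "machine_failures": Counter(r["user"] for r in recs if r["is_machine"]),
        "user_failures": Counter(r["user"] for r in recs if not r["is_machine"]),
        "macs_failing_on_both": sorted({r["mac"] for r in recs} & set(ap)),
        "ap_events": ap,
    }


if __name__ == "__main__":
    for key, value in triage(ACS_FAILED_LOG, AP_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real ACS Failed Attempts export and the AP syslog for one cart: if nearly every failure is a host/ account with the same reason, the problem is in how machine accounts are being looked up, not with user passwords, and the repeat count per host tells you which laptops to look at first.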
14 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 35080340
There are only three channels you can use together that don't overlap and interfere with each other and they are channels 1, 6, and 11.  http://kb.netgear.com/app/answers/detail/a_id/1027/~/improving-wireless-range%3A-tuning-equipment   When you have other networks in addition to those three, you will probably have some interference.  In addition, there are other devices that use the 2.4GHz range like microwave ovens and some wireless telephone sets.  http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz
 
LVL 46

Expert Comment

by:Craig Beck
ID: 35084406
I do this in schools all the time.

The ACS is checking an external DB for user authentication.  This is probably happening because the correct user account isn't present in the ACS database.

You've configured the AP to ask the PC to send its computer credentials, so the computer account must be allowed to access the wireless network via the policy you've defined on the ACS.  The examples you gave indicate that the computer was not allowed to access the network, probably because the ACS doesn't know about the computer account.

The way I do it usually is to create a security group and make all my domain PCs a member of that security group, then create a policy on the ACS or IAS server that includes that security group.
 

Author Comment

by:ASD_IT
ID: 35085374
I'm not sure where you need to configure those settings within the ACS server. Can you tell me where this is configured please?
 

Author Comment

by:ASD_IT
ID: 35085962
Or how do we turn off the machine authentication?
 
LVL 46

Expert Comment

by:Craig Beck
ID: 35086043
It's part of the EAP process.  You can tell the wireless client to use User Authentication instead of Computer Authentication as per the following (assuming you use Windows 7):

http://www.stevens.edu/itwiki/w/index.php/Windows_7_802.1x_Wired

See step 6 particularly.
 

Author Comment

by:ASD_IT
ID: 35086274
Unfortunately, these are all XP machines.
 
LVL 46

Expert Comment

by:Craig Beck
ID: 35086360
Sorry, should have guessed that from your screenshots :)

Ok, on the Authentication tab just untick the box 'Authenticate as computer when computer information is available'.
 

Author Comment

by:ASD_IT
ID: 35086572
Is there something that needs to be changed on the ACS server as well? Does anything need to be changed on the access points?
 
LVL 46

Expert Comment

by:Craig Beck
ID: 35086694
You should be able to leave the APs and the ACS as they are.

Have a look at this just to make sure you've covered the basics...
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
 
LVL 44

Expert Comment

by:Darr247
ID: 35086827
> Or how do we turn off the machine authentication?

Uncheck the box shown above in the wirelessconfig2.JPG attachment.



DO lock your APs to use only channels 1, 6 or 11 as noted by DaveBaldwin.

Actually, any channels 5 or more apart in the 2.4GHz band do not overlap, but here in the Americas that means 1, 6 and 11 makes the most of the available spectrum by allotting 3 non-overlapping channels (in Europe that could also be 2, 7 and 12, or 2, 8 and 13... but the Americas are restricted to channels 1 through 11).

If you have three carts within range of each other, and those three are using channels 1, 6 and 11, they will not interfere with each other. If you want more than three carts within range of each other, then those on the same channel should use the same SSID, too. If they are on the same channel using the same SSID, they will take turns talking and not interfere with each other (that behavior is part of the IEEE 802.11 specification). If you're having disconnection issues caused by signal overlap, you should not use the channel auto-select function available in most wireless routers/APs... they will *often* choose wrong because their channel choice is made at startup and they don't pick another channel until powered down or reset by their controllers, even though interfering signals may appear later on the frequency chosen.

Attached is a chart that shows approximately how the channels overlap (the rolloff at the edges actually peaks back up, not unlike harmonic distortion, more than those curves show) in the 2.4GHz band. Note that channel 14 is available only in Japan, and is restricted to 802.11b (802.11g modulation is not allowed on channel 14 anywhere).
2.4GHz-Wi-FiChannels.png
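The "5 channels apart" rule in the comment above, as an added example that is not part of the thread: the functions below compute 2.4 GHz channel centre frequencies, test two channels for overlap using the 22 MHz 802.11b/g occupied width, derive the non-overlapping set for a regulatory domain, and check or generate a plan for a set of cart APs. The regulatory table is a simplified assumption (Americas 1-11, ETSI 1-13, Japan 1-14) and every AP is assumed to be within range of every other, which is the worst case for carts that move between rooms.

```python
"""Validate or generate a 2.4 GHz channel plan for a set of APs
(added example; not part of the original thread)."""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # 802.11b/g occupied bandwidth; channels are spaced 5 MHz apart

# Allowed channels per regulatory domain (assumption: simplified table).
DOMAINS = {"americas": range(1, 12), "etsi": range(1, 14), "japan": range(1, 15)}


def center_mhz(ch):
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484  # Japan only, 802.11b only
    raise ValueError(f"not a 2.4 GHz channel: {ch}")


def overlaps(a, b):
    """True when the occupied bandwidth of two different channels intersects."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping(domain="americas"):
    """Greedy lowest-first set of mutually non-overlapping channels for a domain."""
    chosen = []
    for ch in DOMAINS[domain]:
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def check_plan(plan, domain="americas"):
    """plan: {ap_name: channel}. Returns (adjacent_overlaps, co_channel, illegal).

    Adjacent overlaps are the real problem (partial interference); co-channel pairs
    contend cleanly under 802.11 but should share an SSID; illegal channels are
    outside the domain's allowed range."""
    illegal = [ap for ap, ch in plan.items() if ch not in DOMAINS[domain]]
    adjacent, co_channel = [], []
    for a, b in combinations(sorted(plan), 2):
        if plan[a] == plan[b]:
            co_channel.append((a, b))
        elif overlaps(plan[a], plan[b]):
            adjacent.append((a, b))
    return adjacent, co_channel, illegal


def assign(ap_names, domain="americas"):
    """Round-robin the domain's non-overlapping set across the APs in the order given."""
    chans = non_overlapping(domain)
    return {ap: chans[i % len(chans)] for i, ap in enumerate(ap_names)}


if __name__ == "__main__":
    carts = [f"cart{i}" for i in range(1, 6)]
    plan = assign(carts)
    print("plan:", plan)
    print("problems (adjacent, co-channel, illegal):", check_plan(plan))
```

With five carts in one building the generator puts two of them on channel 1 and two on channel 6; those pairs show up in the co-channel list, which is the cue to give each pair a common SSID as the comment recommends rather than one SSID per cart.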
 

Author Comment

by:ASD_IT
ID: 35089658
Sorry, but we realized that if we turn off machine authentication, we have no way of blocking kids from accessing the internet via our network on their iPhones, etc...so machine authentication needs to stay.

I opened a case with Cisco to see if they had any insight. They claim this is a Microsoft issue, as a computer account password that cycles every 30 days is what is causing Active Directory not to see the machine account. The engineer I spoke with claims that this can be modified in group policy and pointed me to an article. The article doesn't seem to point to the correct area.

Do you know where the group policy setting is for this?
 
LVL 46

Expert Comment

by:Craig Beck
ID: 35092790
The images you attached suggest you're using MAC authentication, so unless you have the MAC address of each student's iPhone in your directory they shouldn't be able to connect at all!
 
LVL 46

Accepted Solution

by:Craig Beck (earned 500 total points)
ID: 35092795
The explanation from Cisco appears to be incorrect.

All the ACS is doing is asking the directory if the computer account is valid, and if it is allowed to connect to the network based on the criteria set in the access policy.  There is no password checking being done.

I'd have a look at your policy on the ACS and ensure that there is a method of determining which computers are allowed to connect, even if you have to specify Domain Computers.
 

Author Comment

by:ASD_IT
ID: 35096425
I'm happy to provide screenshots of anything that you'd be willing to look at. We had tried to make our Domain Computers group mapped to "Group 1" and include that in the external user database settings and it's now broken things to where nothing can authenticate via ACS.

Tell me what settings you need to see and I will get the screenshots. We are running v4.2 of CiscoACS server.
