• Status: Solved

Windows was unable to log you on to the network WDomain - Wireless network

Hi

We have Windows 2008 Active Directory, and it is also our RADIUS server. We have XP as a client.
We use a Cisco 4400 Series Controller and Cisco Aironet 1142 Wireless-N access points.
The laptops were connecting automatically to the wireless network once they were joined to the domain and added to the wireless security group in AD.
All of a sudden all 20 laptops got disconnected from our wireless network.

The laptops can detect our wireless network, but in the system tray the pop-up says:

Windows was unable to log you on to the network WDomain. (WDomain is our SSID)

I don't know how my predecessors set this up, and it looks like an authentication issue.
I saw the certificates on the server and the client; the certificates are self-signed and are valid till 2030.
I logged into the wireless controller, and under Monitor I get continuous logs under "Most recent traps".
It says:

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP2.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP3.domain.local User Type: WLAN USER

Is there a way to troubleshoot whether the Cisco 4400 WLC controller is able to establish a proper relationship with the RADIUS server?

Is it that the Wireless LAN Controller password and the password on the RADIUS server are mismatched, or that the certificate is corrupted?

Please help me troubleshoot this. I don't have much experience with wireless networks. Any help will be much appreciated.

Thanks
lianne143
Asked:
 
Sushil Sonawane Commented:
Check what policies apply to the wireless security group in AD. Make sure your Windows firewall is not blocking any port.

Try removing the laptop from the wireless security group and then check.
 
Akinsd (Network Administrator) Commented:
Check the domain account policy and see if password policies were set.

There is a possibility that the password age expired - if that's the case, have the users connect to the network with a cable and reset their passwords.
 
Jakob Digranes (Senior Consultant) Commented:
Hi

The WLC is connected to RADIUS - that's not the problem.
You need to check the logs on the RADIUS server, not the WLC. The WLC only sends authentication requests to the RADIUS server and gets an accept or reject in return. The real cause of the authentication failure is on the RADIUS server.

You say the certificates are valid until 2030 - but I guess (and hope) you mean this is the root certificate located in Trusted Root Certification Authorities.

Log on to the Windows server - go to Event Viewer - find the Security logs and look for Source "Microsoft Security Auditing" and Task Category "Network Policy Server".
Here you'll see some failure audits.

But if this suddenly stopped working, make sure that the computer certificate on the NPS server isn't expired. Most likely this certificate is used to create a PEAP tunnel for exchanging authentication details for login.

If that's not the case - then you need to look at the NPS server and let us know what authentication you use; most likely PEAP-MSCHAPv2 (domain username and password) or EAP-TLS (computer and/or user certificate).
 
lianne143 (Author) Commented:
I have shown snapshots of some of the settings on the AD and NPS server.

If I am right, I can't see any root certificate under the Trusted Root Certification Authority.

On the Windows RADIUS server, in Event Viewer - Security logs, with Source "Microsoft Security Auditing", I can't see Network Policy Server under Task Category.

But in Event Viewer under Server Roles - Network Policy and Access Server I can see errors:
Event ID:17
Source: NPS
Level:Error

An Access-Request message was received from RADIUS client 10.14.115.51 without a message authenticator attribute when a message authenticator attribute is required. Verify the configuration of the RADIUS client in the Network Policy Server snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.

I have attached snapshots of the computer certificate on the NPS and the client wireless settings. Please let me know if I have not checked the appropriate settings and if you require further information.

Thanks for your help
Client-wireless-settings.bmp
Default-Domain-Policy-Wireless-N.bmp
Network-Policy-and-Access-Servic.png
NPS-Server-Certificate.png
Security-auditing.png
Trusted-Root-Certi-on-Default-Do.bmp
 
Jakob Digranes (Senior Consultant) Commented:
The "send Message-Authenticator attribute" setting is tied to the RADIUS client. In NPS, go to RADIUS Clients and uncheck "Client must always send the message authenticator attribute in the request".
Restart the NPS service and see if that helps.
 
lianne143 (Author) Commented:
On the NPS
I clicked on RADIUS Clients; in the details pane the Cisco 4400 WLC was listed.
I right-clicked, chose Properties, and cleared the check box for
"Access-Request message must contain the Message-Authenticator attribute"
and restarted the NPS, and I still get:

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local UserType:WLANUSER



Thanks
 
Jakob Digranes (Senior Consultant) Commented:
Same error on the RADIUS server also?
 
lianne143 (Author) Commented:
On the RADIUS server, whether I check or uncheck it, I get the same:

information 4400
and Error 17
 
Jakob Digranes (Senior Consultant) Commented:
Try removing and adding the RADIUS client in NPS.
 
lianne143 (Author) Commented:
I tried changing the shared secret on both the RADIUS server and the WLC and it didn't make any difference. If I change it in these places, will I also need to change the shared secret on the Cisco Aironet access point as well?
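
Added example (not part of the thread, and not Cisco or Microsoft code): a Python sketch of the check behind NPS Event ID 17 and the shared-secret question above. It walks the attributes of a RADIUS Access-Request, reports whether Message-Authenticator (attribute 80) is missing, and otherwise recomputes the HMAC-MD5 with the server's shared secret to tell a matching secret from a mismatched one. The secrets and the packet are constructed; the helper names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14; required with EAP by RFC 3579

def build_access_request(secret, ident, attrs, sign=True):
    """Build a constructed Access-Request from (type, value) attribute pairs."""
    if sign:  # placeholder of 16 zero bytes, filled in after the HMAC is computed
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = header + os.urandom(16) + body  # 16-byte Request Authenticator
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # attribute 80 is last in this sample
    return packet

def check_message_authenticator(packet, secret):
    """Return 'missing', 'mismatch' or 'ok' for one Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("Message-Authenticator must be 18 bytes")
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(received, expected) else "mismatch"
        pos += alen
    return "missing"  # the condition NPS reports as Event ID 17

# Constructed sample: secrets are made up; the User-Name is the one in the WLC trap.
SAMPLE_ATTRS = [(USER_NAME, b"host/LAPTOP1.domain.local")]
```

Run against a capture of the WLC's Access-Request, a "mismatch" result points at the shared secret configured for the RADIUS client, while "missing" points at the controller not sending the attribute at all.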