Solved

Windows was unable to log you on to the network WDomain - Wireless network

Posted on 2013-01-09
10
824 Views
Last Modified: 2013-01-15
Hi

We have windows 2008 Active Directory and also it is our Radius server. We have XP as a client.
We use Cisco 4400 Series Controller and Cisco Aironet 1142 Wireless-N Access points .
The Laptops were connecting automatically into the wireless network once they are joined to the domain and adding the laptop to the wireless security group in the AD.
All of sudden all the 20 laptops got disconnected from our wireless network.

The Laptops can detect our wireless network. But on the system tray the pop says:

Windows was unable to log you on to the network WDomain. (WDomain is our SSID)

I dont know how my predecessors set up this and looks like authentication issue.
I saw the certificate on the server and the client and the certificates are self signed and are valid till 2030.
I logged into the wireless controller and under Monitor I get continious logs  under - Most recent traps:
It says

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP2.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP3.domain.local User Type: WLAN USER

Is there a way to troubleshoot if the Cisco 4400 WLC controller is able to establish proper relationship with the Radius Server?

Is it the  Wireless Lan Controller  password and the password on the radius server are mismatching/ or if the certificate is corrupted ?
 
Please help how trouble shoot this. I don’t have much experience on the wireless network .Any help will be much appreciated.

Thanks
0
Comment
Question by:lianne143
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 18

Assisted Solution

by:Sushil Sonawane
Sushil Sonawane earned 100 total points
ID: 38760342
check what are policy apply on the wireless security group in the AD. Make sure your windows firewall not block the any port.

Tried remove the Laptop from the wireless security group and then check.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 38761015
Check the domain account policy and see if password policies were set.

There is a possibility that the password age expired - if that's the case, have the users connect to the network with a cable and reset their passwords.
0
 
LVL 22

Accepted Solution

by:
Jakob Digranes earned 400 total points
ID: 38762235
Hi

The WLC is connected to Radius - that's not the problem.
You need to check logs at Radius server, not WLC. THe WLC only sends authentication request to Radius server, and get a accept or reject in return. The real cause of the authentication failure is in the Radius server

You say certificates is valid until 2030 - but i guess (and hope) you mean this is the root certificate located in Trusted Root Certification Authority.

Log on to Windows server - go to Event Viewer - find Security logs and look for Source "Microsoft SEcurity Auditing" and Task Category "Network Policy Server" ---
Here you'll see some failure audits.

But if this suddenly stopped working, make sure that the COmputer Certificate on NPS server isn't expired. Most likely this certificate is used to create a PEAP tunnel for exchanging authentication details for login.

If that's not the case - then you need to look at NPS server and make let us know what authentication you use; most likely PEAP-MsChapv2 (Domain Username and password) or EAP-TLS (Computer and/or user certificate)
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:lianne143
ID: 38763757
I have shown the snap shot of some of the settings on the AD and NPS server.

If iam right i can't see any root certificate under the Trusted Root Certification Authority.

In the  Window Radius server -Event Viewer - Security logs and Source  "Microsoft SEcurity Auditing" and Task Category  i cant see Network Policy Server.

But in the event viewer server roles -Network policy and Access server  i can see errors
Event ID:17
Source: NPS
Level:Error

An Access-Request message was received from RADIUS client 10.14.115.51 without a message authenticator attribute when a message authenticator attribute is required. Verify the configuration of the RADIUS client in the Network Policy Server snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.

I have attached the snapshot of the Computer certificate on the NPS and the  client  wireless settings. Please let me know if i have not checked at appropriate settings an if you require further information.

Thanks for your help
Client-wireless-settings.bmp
Default-Domain-Policy-Wireless-N.bmp
Network-Policy-and-Access-Servic.png
NPS-Server-Certificate.png
Security-auditing.png
Trusted-Root-Certi-on-Default-Do.bmp
0
 
LVL 22

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38764250
The send message authenticator attribute settings is tied to radius client. in NPS got to Radius Clients and uncheck the "Client must always send the message authenticator attribute in the request"
restart NPS service and see if that helps
0
 

Author Comment

by:lianne143
ID: 38766502
On the NPS
I Clicked on Radius Clients on the details pane  the Cisco 4400 WLC  was listed .
I right clicked and properties and  removed the check box for
" Access-Request message must contain the message -Authenticator attribute"
and restarted the NPS and still i get  

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local UserType:WLANUSER



Thanks
0
 
LVL 22

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38766673
same error in Radius server also?
0
 

Author Comment

by:lianne143
ID: 38767455
On the radius  even if check or uncheck  i get the same

information 4400
and Error 17
0
 
LVL 22

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38768865
try removing and adding Radius client in NPS
0
 

Author Comment

by:lianne143
ID: 38777535
I tried  changing the shared secret on both the radius server and the WLC and it didnt make any difference and if i change on these place will i also need to chage the shared secret in the Cisco Aironet Access  point as well ?
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question