Solved

Windows was unable to log you on to the network WDomain - Wireless network

Posted on 2013-01-09
10
803 Views
Last Modified: 2013-01-15
Hi

We have Windows 2008 Active Directory, and it is also our RADIUS server. We have XP as a client.
We use a Cisco 4400 Series Controller and Cisco Aironet 1142 Wireless-N access points.
The laptops were connecting automatically to the wireless network once they were joined to the domain and added to the wireless security group in AD.
All of a sudden, all 20 laptops got disconnected from our wireless network.

The laptops can detect our wireless network, but in the system tray the pop-up says:

Windows was unable to log you on to the network WDomain. (WDomain is our SSID)

I don't know how my predecessors set this up, and it looks like an authentication issue.
I looked at the certificates on the server and the client; they are self-signed and valid until 2030.
I logged into the wireless controller, and under Monitor I get continuous logs under "Most recent traps":
It says

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP2.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP3.domain.local User Type: WLAN USER

Is there a way to troubleshoot whether the Cisco 4400 WLC controller is able to establish a proper relationship with the RADIUS server?

Is it that the Wireless LAN Controller password and the password on the RADIUS server are mismatched, or that the certificate is corrupted?

Please help me troubleshoot this. I don't have much experience with wireless networks. Any help will be much appreciated.

Thanks
0
Question by:lianne143
10 Comments
 
LVL 18

Assisted Solution

by:Sushil Sonawane
Sushil Sonawane earned 100 total points
ID: 38760342
Check what policies apply to the wireless security group in AD. Make sure your Windows firewall is not blocking any port.

Try removing the laptop from the wireless security group and then check.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 38761015
Check the domain account policy and see if password policies were set.

There is a possibility that the password age expired - if that's the case, have the users connect to the network with a cable and reset their passwords.
0
 
LVL 21

Accepted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38762235
Hi

The WLC is connected to Radius - that's not the problem.
You need to check the logs on the RADIUS server, not the WLC. The WLC only sends authentication requests to the RADIUS server and gets an accept or reject in return. The real cause of the authentication failure is in the RADIUS server.

You say the certificates are valid until 2030, but I guess (and hope) you mean this is the root certificate located in Trusted Root Certification Authority.

Log on to the Windows server, go to Event Viewer, find the Security logs and look for Source "Microsoft Security Auditing" and Task Category "Network Policy Server".
Here you'll see some failure audits.

But if this suddenly stopped working, make sure that the computer certificate on the NPS server isn't expired. Most likely this certificate is used to create a PEAP tunnel for exchanging authentication details for login.

If that's not the case, then you need to look at the NPS server and let us know what authentication you use; most likely PEAP-MSCHAPv2 (domain username and password) or EAP-TLS (computer and/or user certificate).
0
 

Author Comment

by:lianne143
ID: 38763757
I have shown snapshots of some of the settings on the AD and NPS server.

If I am right, I can't see any root certificate under the Trusted Root Certification Authority.

On the Windows RADIUS server, in Event Viewer - Security logs with Source "Microsoft Security Auditing", I can't see Network Policy Server under Task Category.

But in Event Viewer under Server Roles - Network Policy and Access Server I can see errors:
Event ID:17
Source: NPS
Level:Error

An Access-Request message was received from RADIUS client 10.14.115.51 without a message authenticator attribute when a message authenticator attribute is required. Verify the configuration of the RADIUS client in the Network Policy Server snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.

I have attached snapshots of the computer certificate on the NPS and the client wireless settings. Please let me know if I have not checked the appropriate settings and if you require further information.

Thanks for your help
Client-wireless-settings.bmp
Default-Domain-Policy-Wireless-N.bmp
Network-Policy-and-Access-Servic.png
NPS-Server-Certificate.png
Security-auditing.png
Trusted-Root-Certi-on-Default-Do.bmp
0
 
LVL 21

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38764250
The send message authenticator attribute setting is tied to the RADIUS client. In NPS, go to RADIUS Clients and uncheck "Client must always send the message authenticator attribute in the request".
Restart the NPS service and see if that helps.
0
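Event 17 above concerns the RADIUS Message-Authenticator attribute (type 80, RFC 3579), an HMAC-MD5 over the Access-Request keyed with the shared secret. As an added example (not from the thread, NPS or the WLC), this Python code tells apart a request that lacks the attribute from one signed with a mismatched secret; the function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579


def build_access_request(secret, user, ident=1, with_msg_auth=True):
    """Build a constructed Access-Request (sample input, not captured traffic)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    if with_msg_auth:
        attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    if with_msg_auth:
        # HMAC-MD5 over the whole packet while the value field is still zero
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def check_message_authenticator(packet, secret):
    """Return 'missing', 'invalid' or 'valid' for an Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "invalid"
            received = packet[pos + 2:pos + 18]
            # Recompute with the 16-byte value zeroed, as the sender did
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(received, expected) else "invalid"
        pos += attr_len
    return "missing"
```

A "missing" result corresponds to the condition Event 17 reports, while "invalid" points at a shared-secret mismatch between the RADIUS client and server.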

 

Author Comment

by:lianne143
ID: 38766502
On the NPS,
I clicked on RADIUS Clients; in the details pane the Cisco 4400 WLC was listed.
I right-clicked, chose Properties and cleared the check box for
"Access-Request message must contain the Message-Authenticator attribute"
and restarted the NPS, and I still get

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local UserType:WLANUSER



Thanks
0
 
LVL 21

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38766673
Same error in the RADIUS server also?
0
 

Author Comment

by:lianne143
ID: 38767455
On the RADIUS server, whether I check or uncheck it, I get the same

information 4400
and Error 17
0
 
LVL 21

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38768865
Try removing and adding the RADIUS client in NPS.
0
 

Author Comment

by:lianne143
ID: 38777535
I tried changing the shared secret on both the RADIUS server and the WLC and it didn't make any difference. If I change it in these places, will I also need to change the shared secret on the Cisco Aironet access points as well?
0
