• Status: Solved

Windows was unable to log you on to the network WDomain - Wireless network


We have Windows 2008 Active Directory, and it is also our RADIUS server. We have XP as a client.
We use a Cisco 4400 Series Controller and Cisco Aironet 1142 Wireless-N access points.
The laptops were connecting automatically to the wireless network once they were joined to the domain and added to the wireless security group in AD.
All of a sudden all 20 laptops got disconnected from our wireless network.

The laptops can detect our wireless network, but the pop-up in the system tray says:

Windows was unable to log you on to the network WDomain. (WDomain is our SSID)

I don't know how my predecessors set this up, and it looks like an authentication issue.
I looked at the certificates on the server and the client; they are self-signed and are valid until 2030.
I logged into the wireless controller, and under Monitor I get continuous logs under "Most recent traps".
It says:

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP2.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP3.domain.local User Type: WLAN USER

Is there a way to troubleshoot if the Cisco 4400 WLC controller is able to establish proper relationship with the Radius Server?

Is it that the Wireless LAN Controller password and the password on the RADIUS server are mismatched, or is the certificate corrupted?
Please help me troubleshoot this. I don't have much experience with wireless networks. Any help will be much appreciated.

5 Solutions
Sushil Sonawane Commented:
Check what policies apply to the wireless security group in AD. Make sure your Windows firewall is not blocking any port.

Try removing the laptop from the wireless security group and then check.
Akinsd, Network Administrator, Commented:
Check the domain account policy and see if password policies were set.

There is a possibility that the password age expired - if that's the case, have the users connect to the network with a cable and reset their passwords.
Jakob Digranes, Senior Consultant, Commented:

The WLC is connected to RADIUS - that's not the problem.
You need to check the logs on the RADIUS server, not the WLC. The WLC only sends the authentication request to the RADIUS server and gets an accept or reject in return. The real cause of the authentication failure is in the RADIUS server.

You say the certificate is valid until 2030 - but I guess (and hope) you mean this is the root certificate located in Trusted Root Certification Authority.

Log on to the Windows server - go to Event Viewer - find Security logs and look for Source "Microsoft Security Auditing" and Task Category "Network Policy Server".
Here you'll see some failure audits.

But if this suddenly stopped working, make sure that the Computer Certificate on the NPS server isn't expired. Most likely this certificate is used to create a PEAP tunnel for exchanging authentication details for login.

If that's not the case - then you need to look at the NPS server and let us know what authentication you use; most likely PEAP-MSCHAPv2 (domain username and password) or EAP-TLS (computer and/or user certificate).
lianne143, Author, Commented:
I have attached snapshots of some of the settings on the AD and NPS server.

If I am right, I can't see any root certificate under the Trusted Root Certification Authority.

On the Windows RADIUS server - Event Viewer - Security logs, Source "Microsoft Security Auditing" and Task Category, I can't see Network Policy Server.

But in the Event Viewer server roles - Network Policy and Access Server, I can see errors:
Event ID:17
Source: NPS

An Access-Request message was received from RADIUS client without a message authenticator attribute when a message authenticator attribute is required. Verify the configuration of the RADIUS client in the Network Policy Server snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.

I have attached snapshots of the Computer certificate on the NPS and the client wireless settings. Please let me know if I have not checked the appropriate settings and if you require further information.

Thanks for your help
Jakob Digranes, Senior Consultant, Commented:
The send message authenticator attribute setting is tied to the RADIUS client. In NPS, go to RADIUS Clients and uncheck "Client must always send the message authenticator attribute in the request",
restart the NPS service and see if that helps.
lianne143, Author, Commented:
On the NPS
I clicked on RADIUS Clients; in the details pane the Cisco 4400 WLC was listed.
I right-clicked, chose Properties, and removed the check box for
"Access-Request message must contain the Message-Authenticator attribute",
then restarted the NPS, and I still get

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local UserType:WLANUSER

Jakob Digranes, Senior Consultant, Commented:
Same error in the RADIUS server also?
lianne143, Author, Commented:
On the RADIUS, even if I check or uncheck, I get the same:

Information 4400
and Error 17
Jakob Digranes, Senior Consultant, Commented:
Try removing and adding the RADIUS client in NPS.
lianne143, Author, Commented:
I tried changing the shared secret on both the RADIUS server and the WLC and it didn't make any difference. If I change it in these places, will I also need to change the shared secret on the Cisco Aironet access point as well?
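
An added example, not part of the original thread: a Python check that separates the two RADIUS conditions discussed above, an Access-Request that carries no Message-Authenticator attribute at all (the situation NPS Event ID 17 describes) versus one whose Message-Authenticator does not verify under the server's shared secret. The HMAC-MD5 computation follows the RFC 2869 definition of the attribute; the shared secrets, NAS address and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 2869


def build_access_request(identifier, authenticator, attrs, secret=None):
    """Build a constructed Access-Request; sign it only when a secret is given."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if secret is not None:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + authenticator + body
    if secret is not None:
        # HMAC-MD5 over the whole packet with the attribute value zeroed
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac
    return packet


def check_message_authenticator(packet, secret):
    """Return 'missing', 'malformed', 'mismatch' or 'ok' for an Access-Request."""
    if len(packet) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return "malformed"
    packet = packet[:length]
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return "malformed"
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "malformed"
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(received, expected) else "mismatch"
        pos += attr_len
    return "missing" if pos == length else "malformed"


# Constructed sample: User-Name (type 1) and NAS-IP-Address (type 4, 192.0.2.10)
SAMPLE_ATTRS = [(1, b"host/LAPTOP1.domain.local"), (4, bytes([192, 0, 2, 10]))]
SAMPLE_AUTH = bytes(range(16))  # constructed 16-byte request authenticator
```
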
Question has a verified solution.
