Solved

Windows was unable to log you on to the network WDomain - Wireless network

Posted on 2013-01-09
Last Modified: 2013-01-15
Hi

We have Windows 2008 Active Directory, and it is also our RADIUS server. We have XP as the client.
We use a Cisco 4400 Series Controller and Cisco Aironet 1142 Wireless-N access points.
The laptops were connecting automatically to the wireless network once they were joined to the domain and added to the wireless security group in AD.
All of a sudden, all 20 laptops got disconnected from our wireless network.

The laptops can detect our wireless network, but in the system tray the pop-up says:

Windows was unable to log you on to the network WDomain. (WDomain is our SSID)

I don't know how my predecessors set this up, and it looks like an authentication issue.
I saw the certificates on the server and the client; they are self-signed and valid until 2030.
I logged into the wireless controller, and under Monitor I get continuous logs under "Most recent traps".
It says:

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP2.domain.local User Type: WLAN USER
AAA Authentication Failure for UserName:host/LAPTOP3.domain.local User Type: WLAN USER

Is there a way to troubleshoot whether the Cisco 4400 WLC controller is able to establish a proper relationship with the RADIUS server?

Is it that the Wireless LAN Controller password and the password on the RADIUS server are mismatched, or that the certificate is corrupted?

Please help me troubleshoot this. I don't have much experience with wireless networks. Any help will be much appreciated.

Thanks
Question by:lianne143
10 Comments
 
LVL 18

Assisted Solution

by:Sushil Sonawane
Sushil Sonawane earned 100 total points
ID: 38760342
Check what policies apply to the wireless security group in AD. Make sure your Windows firewall is not blocking any port.

Try removing the laptop from the wireless security group and then check.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 38761015
Check the domain account policy and see if password policies were set.

There is a possibility that the password age expired - if that's the case, have the users connect to the network with a cable and reset their passwords.
0
 
LVL 20

Accepted Solution

by:
Jakob Digranes earned 400 total points
ID: 38762235
Hi

The WLC is connected to RADIUS - that's not the problem.
You need to check the logs on the RADIUS server, not the WLC. The WLC only sends an authentication request to the RADIUS server and gets an accept or reject in return. The real cause of the authentication failure is in the RADIUS server.

You say the certificates are valid until 2030 - but I guess (and hope) you mean this is the root certificate located in Trusted Root Certification Authority.

Log on to the Windows server - go to Event Viewer - find the Security logs and look for Source "Microsoft Security Auditing" and Task Category "Network Policy Server".
Here you'll see some failure audits.

But if this suddenly stopped working, make sure that the computer certificate on the NPS server isn't expired. Most likely this certificate is used to create a PEAP tunnel for exchanging authentication details for login.

If that's not the case, then you need to look at the NPS server and let us know what authentication you use; most likely PEAP-MSCHAPv2 (domain username and password) or EAP-TLS (computer and/or user certificate).
0
 

Author Comment

by:lianne143
ID: 38763757
I have shown snapshots of some of the settings on the AD and NPS server.

If I am right, I can't see any root certificate under the Trusted Root Certification Authority.

On the Windows RADIUS server, in Event Viewer - Security logs, with Source "Microsoft Security Auditing", I can't see Network Policy Server under Task Category.

But in Event Viewer under Server Roles - Network Policy and Access Server, I can see errors:
Event ID:17
Source: NPS
Level:Error

An Access-Request message was received from RADIUS client 10.14.115.51 without a message authenticator attribute when a message authenticator attribute is required. Verify the configuration of the RADIUS client in the Network Policy Server snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.

I have attached snapshots of the computer certificate on the NPS and the client wireless settings. Please let me know if I have not checked the appropriate settings and if you require further information.

Thanks for your help
Client-wireless-settings.bmp
Default-Domain-Policy-Wireless-N.bmp
Network-Policy-and-Access-Servic.png
NPS-Server-Certificate.png
Security-auditing.png
Trusted-Root-Certi-on-Default-Do.bmp
0
 
LVL 20

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38764250
The send Message-Authenticator attribute setting is tied to the RADIUS client. In NPS, go to RADIUS Clients and uncheck "Client must always send the message authenticator attribute in the request".
Restart the NPS service and see if that helps.
0
 

Author Comment

by:lianne143
ID: 38766502
On the NPS,
I clicked on RADIUS Clients; in the details pane the Cisco 4400 WLC was listed.
I right-clicked it, chose Properties and cleared the check box for
"Access-Request message must contain the Message-Authenticator attribute",
then restarted the NPS, and I still get

AAA Authentication Failure for UserName:host/LAPTOP1.domain.local UserType:WLANUSER



Thanks
0
 
LVL 20

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38766673
Same error in the RADIUS server also?
0
 

Author Comment

by:lianne143
ID: 38767455
On the RADIUS server, whether I check or uncheck it, I get the same:

Information 4400
and Error 17
0
 
LVL 20

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 400 total points
ID: 38768865
Try removing and adding the RADIUS client in NPS.
0
 

Author Comment

by:lianne143
ID: 38777535
I tried changing the shared secret on both the RADIUS server and the WLC, and it didn't make any difference. If I change it in these places, will I also need to change the shared secret on the Cisco Aironet access points as well?
0
