Solved

WPA2-Enterprise, Engenius EAP350's, and Active Directory -- Eeesh

Posted on 2014-01-20
1,163 Views
Last Modified: 2014-01-25
12 Engenius EAP350 Wireless Access Points
200 wireless devices across campus
WPA2-Enterprise (using PEAP for user authentication in a BYOD environment)
Server 2008 R2 (AD) running NPS providing RADIUS and server certificate

That is my current setup.  We used to run our APs in WEP 40-bit, but I can't stand that any longer.  Since I have upgraded to the setup listed above, we have had all kinds of problems with devices connecting.

The issues we are having are intermittent, and I have yet to find a pattern.  If one Mac can connect, another cannot.  One iPhone can connect, another cannot.  PCs, Androids, so on and so forth.

Here are some things I have done to try to resolve this:
  • Ensured that all users needing wireless are a member of the domain\wireless group (per NPS policy)
  • Ensured that all units are running the same firmware revision (as all are the exact same model)
  • Did a backup of the configuration on a unit that more people could access, and restored to all other units (changing only the IP and the unit name).
  • Verified that devices which do connect with AD username/password are indeed able to access the internet and appropriate network resources

Any troubleshooting suggestions, and generally sage advice, would be much appreciated.
Question by:Shane Kahkola
15 Comments
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39795177
Can you make sure you're not using TKIP - just AES?  Some devices don't like using WPA2 with TKIP.
0
 
LVL 4

Author Comment

by:Shane Kahkola
ID: 39795183
I can confirm that they are not using TKIP.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39795196
Ok can you see if it's any better using WPA1/TKIP?
0
 
LVL 4

Author Comment

by:Shane Kahkola
ID: 39795206
We will try that now.  I'll let you know when we test it.
0
 
LVL 4

Author Comment

by:Shane Kahkola
ID: 39796965
We tried it, and we were unable to connect with some, able with others.  This is baffling me.  If we throw it to WEP encryption, or open it wide, we can get on.

I have compared users, but one of my guys was able to connect with his phone using his own username and password, and he was able to connect with his phone using one of the administrators' username and password.  However, when he grabs that Admin's phone, he cannot connect with his own username/password, or the admin's.

Further troubleshooting would be great, but I would also entertain suggestions toward other solutions.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39798021
Is there anything in the logs on the APs when a device fails to connect?

How many NPS servers do you have?
0
 
LVL 4

Author Comment

by:Shane Kahkola
ID: 39798025
Nothing in the logs, and 1 NPS server.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39799623
What about in the logs on the NPS server?  Can you see a failure event being logged?

You'll need to check in the Custom logs, not the Windows logs.
0
 
LVL 4

Author Comment

by:Shane Kahkola
ID: 39799876
I've combed the event logs, and I've looked at the RADIUS accounting logs.  The only errors in the event log are where I had forgotten to create a RADIUS client for one of the APs.  Everything else is just a log of successful connections.

Did I miss something?  Here's what I looked at:
Server Manager --> Diagnostics --> Event viewer --> Custom Views --> Server Roles --> Network Policy Server
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39799881
That's the right place.

If you can't see failures when the clients are failing that means the AP isn't passing the authentication request to the RADIUS server.  That could be for a number of reasons.

If you see this across all your APs I would pick one AP where it is causing you a problem and stick a different version of firmware on it.  If that doesn't make a difference it's probably not a firmware or AP issue.

What does your network look like?  Is it using VLANs?  If so, are the APs on the same VLAN as the NPS server?
0
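The check above comes down to one question: does every AP show up in the NPS log at all? The script below is an added example, not something from the thread or from Engenius or Microsoft; it parses constructed NPS accounting records in the legacy IAS format (six fixed fields, then attribute-id/value pairs, with Packet-Type logged as attribute 4127: 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject), tallies requests per NAS-IP-Address, and lists the APs that never sent a request to the server. The AP addresses and log lines are made up for the example.

```python
import csv
import io

# Legacy IAS-format attribute id for Packet-Type and its relevant values
PACKET_TYPE_ATTR = "4127"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = "1", "2", "3"

# Constructed sample log: three APs are expected, but only two ever reach NPS.
# 4128 = Client-Friendly-Name, 4142 = Reason-Code (values constructed).
EXPECTED_APS = ["172.16.1.10", "172.16.1.11", "172.16.1.12"]
SAMPLE_LOG = """\
172.16.1.10,DOMAIN\\jdoe,01/20/2014,08:15:22,IAS,NPS01,4127,1,4128,AP-Library
172.16.1.10,DOMAIN\\jdoe,01/20/2014,08:15:22,IAS,NPS01,4127,2,4128,AP-Library
172.16.1.11,DOMAIN\\asmith,01/20/2014,08:16:03,IAS,NPS01,4127,1,4128,AP-Classroom
172.16.1.11,DOMAIN\\asmith,01/20/2014,08:16:04,IAS,NPS01,4127,3,4128,AP-Classroom,4142,16
172.16.1.10,DOMAIN\\bjones,01/20/2014,08:17:40,IAS,NPS01,4127,1,4128,AP-Library
172.16.1.10,DOMAIN\\bjones,01/20/2014,08:17:41,IAS,NPS01,4127,3,4128,AP-Library,4142,16
"""


def parse_ias_line(line):
    """Split one IAS record into NAS-IP, user and an {attr_id: value} map."""
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) < 6:
        raise ValueError("short IAS record: %r" % line)
    attrs = fields[6:]
    pairs = {attrs[i]: attrs[i + 1] for i in range(0, len(attrs) - 1, 2)}
    return {"nas_ip": fields[0], "user": fields[1], "attrs": pairs}


def tally_by_ap(lines, expected_aps):
    """Count Access-Request/Accept/Reject per AP; expected APs start at zero."""
    empty = lambda: {"request": 0, "accept": 0, "reject": 0}
    counts = {ap: empty() for ap in expected_aps}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ias_line(line)
        bucket = counts.setdefault(rec["nas_ip"], empty())
        ptype = rec["attrs"].get(PACKET_TYPE_ATTR)
        if ptype == ACCESS_REQUEST:
            bucket["request"] += 1
        elif ptype == ACCESS_ACCEPT:
            bucket["accept"] += 1
        elif ptype == ACCESS_REJECT:
            bucket["reject"] += 1
    return counts


def silent_aps(counts):
    """APs with no Access-Request at all: nothing is reaching RADIUS from them."""
    return sorted(ap for ap, c in counts.items() if c["request"] == 0)


if __name__ == "__main__":
    totals = tally_by_ap(SAMPLE_LOG.splitlines(), EXPECTED_APS)
    for ap, c in sorted(totals.items()):
        print(ap, c)
    print("APs never seen by NPS:", silent_aps(totals))
```

An AP that appears here only with Access-Accept records, or not at all, while clients on it are failing points at the AP-to-RADIUS path rather than at NPS policy or user accounts.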
 
LVL 4

Author Comment

by:Shane Kahkola
ID: 39799931
The network is a flat 22-bit subnet (172.16.0.0/22).  We have one VLAN -- though this was my first step toward segmenting, but nonetheless, it is what it is.

So, effectively, everything is on the same VLAN.  I will try to update the firmware on one unit in particular and play with different versions of it.

While I'm going to do it anyway, the concern I have about this particular troubleshooting step is that some people can authenticate and some can't on the same units.

I'll let you know what happens after testing.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39800034
Ok, is it fair to say that one particular client can authenticate successfully every time, while another can't?  Or is it more random than that?

Is this apparent on one type of device more than others?
0
 
LVL 4

Author Comment

by:Shane Kahkola
ID: 39800043
It is more random, actually.  And, there is no real pattern I've been able to discern.  I have one guy who can connect with his iPhone in the library, but when he goes to the classroom building he can't connect.  I have others that can't connect to any of them (I suspect that is an AD config thing) but, there is nobody who can connect to all of them.

I have made sure they were all on the same firmware, and have the exact same config, except the IP address and hostname are different.  Otherwise, the SSID is the same, and all are lower-case.

Edit Note:
I have since moved them all to WPA2-PSK and I am not having any issues with people connecting.

I'm almost convinced that Engenius units just can't handle the enterprise authentication properly.
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39800113
Exactly where I was going...

I don't think the APs are passing authentication requests to the NPS server properly.  It may just be a firmware thing though so it's worth trying different versions of firmware on one AP just to rule it out.
0
 
LVL 4

Author Closing Comment

by:Shane Kahkola
ID: 39809135
We just finished some testing today on the wireless units.  I moved them all back to WPA2-PSK and everyone can connect without issues.

I setup a Cisco Airo 12xx with RADIUS and I can connect all the devices I've tried using the network username and password (so far).  One exception is the occasional iPhone or iPad.  Not sure why Cisco doesn't like them, but I've run into this before with Cisco WAPs.

Otherwise, I'm going to say the problem is solved!  

Thank you for the contributions.
0
