Solved

WPA2-Enterprise, Engenius EAP350's, and Active Directory -- Eeesh

Posted on 2014-01-20
15
1,013 Views
Last Modified: 2014-01-25
12 Engenius EAP350 Wireless Access Points
200 wireless devices across campus
WPA2-Enterprise (using PEAP for user authentication in a BYOD environment)
Server 2008 R2 (AD) running NPS providing RADIUS and server certificate

That is my current setup.  We used to run our APs in WEP 40-bit, but I can't stand that any longer.  Since I have upgraded to the setup listed above, we have had all kinds of problems with devices connecting.

The issues we are having are intermittent, and I have yet to find a pattern.  If one Mac can connect, another cannot.  One iPhone can connect, another cannot.  PCs, Androids, so on and so forth.

Here are some things I have done to try to resolve this:
Ensured that all users needing wireless are a member of the domain\wireless group (per NPS policy)
Ensured that all units are running the same firmware revision (as all are the exact same model)
Did a backup of the configuration on a unit that more people could access, and restored to all other units (changing only the IP and the unit name).
Verified that devices which do connect with AD username/password are indeed able to access the internet and appropriate network resources

Any troubleshooting suggestions, and generally sage advice, would be much appreciated.
Question by:Shane Kahkola
15 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39795177
Can you make sure you're not using TKIP - just AES?  Some devices don't like using WPA2 with TKIP.
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 39795183
I can confirm that they are not using TKIP.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39795196
Ok can you see if it's any better using WPA1/TKIP?
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 39795206
We will try that now.  I'll let you know when we test it.
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 39796965
We tried it, and we were unable to connect with some, able with others.  This is baffling me.  If we throw it to WEP encryption, or open it wide, we can get on.

I have compared users, but one of my guys was able to connect with his phone using his own username and password, and he was able to connect with his phone using one of the administrators' username and password.  However, when he grabs that Admin's phone, he cannot connect with his own username/password, or the admin's.

Further troubleshooting would be great, but I would also entertain suggestions toward other solutions.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39798021
Is there anything in the logs on the APs when a device fails to connect?

How many NPS servers do you have?
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 39798025
Nothing in the logs, and 1 NPS server.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39799623
What about in the logs on the NPS server?  Can you see a failure event being logged?

You'll need to check in the Custom logs, not the Windows logs.
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 39799876
I've combed the event logs, and I've looked at the RADIUS accounting logs.  The only errors in the event log are where I had forgotten to create a RADIUS client for one of the APs.  Everything else is just a log of successful connections.

Did I miss something?  Here's what I looked at:
Server Manager --> Diagnostics --> Event viewer --> Custom Views --> Server Roles --> Network Policy Server
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39799881
That's the right place.

If you can't see failures when the clients are failing that means the AP isn't passing the authentication request to the RADIUS server.  That could be for a number of reasons.

If you see this across all your APs I would pick one AP where it is causing you a problem and stick a different version of firmware on it.  If that doesn't make a difference it's probably not a firmware or AP issue.

What does your network look like?  Is it using VLANs?  If so, are the APs on the same VLAN as the NPS server?
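One way to work the check described above (no failure event on NPS while a client is failing means the AP never forwarded the request), as an added example that is not from this thread: a script that tallies NPS IAS-format log records per AP and lists the configured RADIUS clients that never appear in the log at all. The IAS attribute numbers (4136 Packet-Type, 4142 Reason-Code), the AP addresses and the log lines are assumptions constructed for the example; verify the attribute numbers against your own NPS export before relying on them.

```python
"""Correlate NPS IAS-format log records with the APs configured as RADIUS
clients, to spot APs that never forward an Access-Request to the server."""
import csv
from collections import defaultdict

# IAS (ODBC-style) log attribute IDs, assumed from memory of the NPS
# documentation; check them against your own server's log export.
PACKET_TYPE = "4136"   # 1=Access-Request, 2=Access-Accept, 3=Access-Reject
PACKET_NAMES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}

# Constructed sample records in IAS layout: NAS-IP, User-Name, date, time,
# service, server, then attribute-id/value pairs (4142 is Reason-Code).
# Not real log data.
SAMPLE_LOG = """\
172.16.0.11,CAMPUS\\jdoe,01/22/2014,08:15:02,IAS,NPS01,4136,1,4142,0
172.16.0.11,CAMPUS\\jdoe,01/22/2014,08:15:02,IAS,NPS01,4136,2,4142,0
172.16.0.12,CAMPUS\\asmith,01/22/2014,08:16:40,IAS,NPS01,4136,1,4142,0
172.16.0.12,CAMPUS\\asmith,01/22/2014,08:16:40,IAS,NPS01,4136,3,4142,16
"""

# Constructed: the twelve AP addresses defined as RADIUS clients on NPS.
CONFIGURED_APS = {f"172.16.0.{n}" for n in range(11, 23)}


def parse_ias_line(line):
    """Return (nas_ip, user, {attr_id: value}) for one IAS-format record."""
    fields = next(csv.reader([line]))
    nas_ip, user = fields[0], fields[1]
    pairs = fields[6:]
    attrs = dict(zip(pairs[0::2], pairs[1::2]))
    return nas_ip, user, attrs


def summarize(log_text, configured_aps):
    """Count packet types per AP; also list configured APs with no records.

    An AP on the 'silent' list never reached NPS while clients were failing,
    which points at the AP or the path to the server, not at user accounts."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        nas_ip, _user, attrs = parse_ias_line(line)
        name = PACKET_NAMES.get(attrs.get(PACKET_TYPE), "other")
        counts[nas_ip][name] += 1
    silent = sorted(configured_aps - set(counts))
    return {ip: dict(c) for ip, c in counts.items()}, silent


if __name__ == "__main__":
    per_ap, never_seen = summarize(SAMPLE_LOG, CONFIGURED_APS)
    print(per_ap)
    print("APs with no RADIUS traffic:", never_seen)
```

Run it against a real IAS-format log file by reading the file's contents into `summarize` in place of `SAMPLE_LOG`.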
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 39799931
The network is a flat 22-bit subnet (172.16.0.0/22).  We have one VLAN -- though this was my first step toward segmenting, but nonetheless, it is what it is.

So, effectively, everything is on the same VLAN.  I will try to update the firmware on one unit in particular and play with different versions of it.

While I'm going to do it anyway, the concern I have about this particular troubleshooting step is that some people can authenticate and some can't on the same units.

I'll let you know what happens after testing.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39800034
Ok, is it fair to say that one particular client can authenticate successfully every time, while another can't?  Or is it more random than that?

Is this apparent on one type of device more than others?
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 39800043
It is more random, actually.  And, there is no real pattern I've been able to discern.  I have one guy who can connect with his iPhone in the library, but when he goes to the classroom building he can't connect.  I have others that can't connect to any of them (I suspect that is an AD config thing) but, there is nobody who can connect to all of them.

I have made sure they were all on the same firmware, and have the exact same config, except the IP address and hostname are different.  Otherwise, the SSID is the same, and all are lower-case.

Edit Note:
I have since moved them all to WPA2-PSK and I am not having any issues with people connecting.

I'm almost convinced that Engenius units just can't handle the enterprise authentication properly.
 
LVL 45

Accepted Solution

by:Craig Beck (earned 500 total points)
ID: 39800113
Exactly where I was going...

I don't think the APs are passing authentication requests to the NPS server properly.  It may just be a firmware thing though so it's worth trying different versions of firmware on one AP just to rule it out.
 
LVL 3

Author Closing Comment

by:Shane Kahkola
ID: 39809135
We just finished some testing today on the wireless units.  I moved them all back to WPA2-PSK and everyone can connect without issues.

I set up a Cisco Aironet 12xx with RADIUS and I can connect all the devices I've tried using the network username and password (so far).  One exception is the occasional iPhone or iPad.  Not sure why Cisco doesn't like them, but I've run into this before with Cisco WAPs.

Otherwise, I'm going to say the problem is solved!  

Thank you for the contributions.