WPA2-Enterprise, Engenius EAP350's, and Active Directory -- Eeesh

12 Engenius EAP350 Wireless Access Points
200 wireless devices across campus
WPA2-Enterprise (using PEAP for user authentication in a BYOD environment)
Server 2008 R2 (AD) running NPS providing RADIUS and server certificate

That is my current setup.  We used to run our APs in WEP 40-bit, but I can't stand that any longer.  Since I have upgraded to the setup listed above, we have had all kinds of problems with devices connecting.

The issues we are having are intermittent, and I have yet to find a pattern.  If one Mac can connect, another cannot.  One iPhone can connect, another cannot.  PCs, Androids, so on and so forth.

Here are some things I have done to try to resolve this:
Ensured that all users needing wireless are a member of the domain\wireless group (per NPS policy)
Ensured that all units are running the same firmware revision (as all are the exact same model)
Did a backup of the configuration on a unit that more people could access, and restored to all other units (changing only the IP and the unit name).
Verified that devices which do connect with AD username/password are indeed able to access the internet and appropriate network resources

Any troubleshooting suggestions, and generally sage advice, would be much appreciated.
Shane Kahkola (Director of I.T.) asked:
Craig Beck commented:
Exactly where I was going...

I don't think the APs are passing authentication requests to the NPS server properly.  It may just be a firmware thing though so it's worth trying different versions of firmware on one AP just to rule it out.
0
 
Craig Beck commented:
Can you make sure you're not using TKIP - just AES?  Some devices don't like using WPA2 with TKIP.
0
 
Shane Kahkola (Director of I.T., author) commented:
I can confirm that they are not using TKIP.
0
 
Craig Beck commented:
Ok can you see if it's any better using WPA1/TKIP?
0
 
Shane Kahkola (Director of I.T., author) commented:
We will try that now.  I'll let you know when we test it.
0
 
Shane Kahkola (Director of I.T., author) commented:
We tried it, and we were unable to connect with some, able with others.  This is baffling me.  If we throw it to WEP encryption, or open it wide, we can get on.

I have compared users, but one of my guys was able to connect with his phone using his own username and password, and he was able to connect with his phone using one of the administrators' username and password.  However, when he grabs that Admin's phone, he cannot connect with his own username/password, or the admin's.

Further troubleshooting would be great, but I would also entertain suggestions toward other solutions.
0
 
Craig Beck commented:
Is there anything in the logs on the APs when a device fails to connect?

How many NPS servers do you have?
0
 
Shane Kahkola (Director of I.T., author) commented:
Nothing in the logs, and 1 NPS server.
0
 
Craig Beck commented:
What about in the logs on the NPS server?  Can you see a failure event being logged?

You'll need to check in the Custom logs, not the Windows logs.
0
 
Shane Kahkola (Director of I.T., author) commented:
I've combed the event logs, and I've looked at the RADIUS accounting logs.  The only errors in the event log are where I had forgotten to create a RADIUS client for one of the APs.  Everything else is just a log of successful connections.

Did I miss something?  Here's what I looked at:
Server Manager --> Diagnostics --> Event viewer --> Custom Views --> Server Roles --> Network Policy Server
0
 
Craig Beck commented:
That's the right place.

If you can't see failures when the clients are failing that means the AP isn't passing the authentication request to the RADIUS server.  That could be for a number of reasons.

If you see this across all your APs I would pick one AP where it is causing you a problem and stick a different version of firmware on it.  If that doesn't make a difference it's probably not a firmware or AP issue.

What does your network look like?  Is it using VLANs?  If so, are the APs on the same VLAN as the NPS server?
0
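The check Craig describes above (no failure logged for a client that cannot connect means NPS never received the Access-Request from that AP) can be done mechanically against the NPS log file rather than by eye. The following is an added example, not code from the thread or from Engenius/Microsoft. It assumes the log is in NPS's IAS comma-separated format, where the first six fields are NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name and Computer-Name and the rest are attribute-id/value pairs, with attribute 4136 as Packet-Type (1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject, 4 = Accounting-Request) and 4142 as Reason-Code. The AP addresses and the log lines themselves are constructed for the example; replace SAMPLE_LOG with the lines of the real IN*.log file and KNOWN_APS with the RADIUS client addresses you configured.

```python
# Added example (not from the thread): tally NPS RADIUS log lines per access
# point to tell "NPS rejected the client" apart from "NPS never saw the client".
# Assumed IAS format: six fixed fields (NAS-IP-Address, User-Name, Record-Date,
# Record-Time, Service-Name, Computer-Name) followed by attribute-id/value pairs.
# Attribute 4136 = Packet-Type (1 request, 2 accept, 3 reject, 4 accounting),
# attribute 4142 = Reason-Code. All sample data below is constructed.
from collections import defaultdict

PACKET_TYPE_ATTR = "4136"
REASON_CODE_ATTR = "4142"
PACKET_NAMES = {"1": "request", "2": "accept", "3": "reject", "4": "accounting"}

# Hypothetical AP addresses on the thread's 172.16.0.0/22 subnet: every AP that
# *should* be sending RADIUS requests to this NPS server.
KNOWN_APS = ["172.16.0.11", "172.16.0.12", "172.16.0.13"]

# Constructed sample log: AP .11 authenticates alice, AP .12 rejects bob
# (Reason-Code value is made up), AP .13 never appears at all.
SAMPLE_LOG = [
    r"172.16.0.11,CAMPUS\alice,03/05/2013,09:12:01,IAS,NPS01,4136,1",
    r"172.16.0.11,CAMPUS\alice,03/05/2013,09:12:01,IAS,NPS01,4136,2,4142,0",
    r"172.16.0.11,CAMPUS\alice,03/05/2013,09:12:02,IAS,NPS01,4136,4",
    r"172.16.0.12,CAMPUS\bob,03/05/2013,09:13:40,IAS,NPS01,4136,1",
    r"172.16.0.12,CAMPUS\bob,03/05/2013,09:13:40,IAS,NPS01,4136,3,4142,16",
]


def parse_line(line):
    """Return a dict with nas_ip, user and the attribute pairs, or None if the
    line lacks the six fixed IAS header fields."""
    fields = line.strip().split(",")
    if len(fields) < 6:
        return None
    record = {"nas_ip": fields[0], "user": fields[1]}
    attrs = fields[6:]
    # Attributes come as id,value pairs; a dangling id with no value is ignored.
    for i in range(0, len(attrs) - 1, 2):
        record[attrs[i]] = attrs[i + 1]
    return record


def tally_by_ap(lines, known_aps):
    """Count RADIUS packet types per NAS-IP, i.e. per access point. Known APs
    that never appear in the log still get an (empty) entry."""
    counts = {ap: defaultdict(int) for ap in known_aps}
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        kind = PACKET_NAMES.get(record.get(PACKET_TYPE_ATTR))
        if kind is None:
            continue  # missing or unrecognised Packet-Type
        counts.setdefault(record["nas_ip"], defaultdict(int))[kind] += 1
    return {ap: dict(c) for ap, c in counts.items()}


def silent_aps(counts):
    """APs that never sent an Access-Request. NPS never heard from them, so the
    fault sits before the policy is evaluated (AP RADIUS settings, missing
    RADIUS client entry, shared secret, reachability), not in NPS itself."""
    return sorted(ap for ap, c in counts.items() if c.get("request", 0) == 0)


def rejections(lines):
    """(AP, user, Reason-Code) for every Access-Reject NPS actually logged;
    these are the failures the Event Viewer custom view would also show."""
    out = []
    for line in lines:
        record = parse_line(line)
        if record and record.get(PACKET_TYPE_ATTR) == "3":
            out.append((record["nas_ip"], record["user"],
                        record.get(REASON_CODE_ATTR)))
    return out


if __name__ == "__main__":
    counts = tally_by_ap(SAMPLE_LOG, KNOWN_APS)
    for ap, c in sorted(counts.items()):
        print(ap, c)
    print("APs NPS never heard from:", silent_aps(counts))
    print("Logged rejections:", rejections(SAMPLE_LOG))
```

Run against a real log, an AP that shows up in `silent_aps` while its clients are failing is the case Craig describes: nothing to debug on the NPS side until that AP's RADIUS configuration or client entry is fixed. An AP that does appear with rejects gives you the Reason-Code per user, which is where the "some users on the same AP" pattern from the thread becomes diagnosable.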
 
Shane Kahkola (Director of I.T., author) commented:
The network is a flat 22-bit subnet (172.16.0.0/22).  We have one VLAN -- though this was my first step toward segmenting, but nonetheless, it is what it is.

So, effectively, everything is on the same VLAN.  I will try to update the firmware on one unit in particular and play with different versions of it.

While I'm going to do it anyway, the concern I have about this particular troubleshooting step is that some people can authenticate and some can't on the same units.

I'll let you know what happens after testing.
0
 
Craig Beck commented:
Ok, is it fair to say that one particular client can authenticate successfully every time, while another can't?  Or is it more random than that?

Is this apparent on one type of device more than others?
0
 
Shane Kahkola (Director of I.T., author) commented:
It is more random, actually.  And, there is no real pattern I've been able to discern.  I have one guy who can connect with his iPhone in the library, but when he goes to the classroom building he can't connect.  I have others that can't connect to any of them (I suspect that is an AD config thing) but, there is nobody who can connect to all of them.

I have made sure they were all on the same firmware, and have the exact same config, except the IP address and hostname are different.  Otherwise, the SSID is the same, and all are lower-case.

Edit Note:
I have since moved them all to WPA2-PSK and I am not having any issues with people connecting.

I'm almost convinced that Engenius units just can't handle the enterprise authentication properly.
0
 
Shane Kahkola (Director of I.T., author) commented:
We just finished some testing today on the wireless units.  I moved them all back to WPA2-PSK and everyone can connect without issues.

I setup a Cisco Airo 12xx with RADIUS and I can connect all the devices I've tried using the network username and password (so far).  One exception is the occasional iPhone or iPad.  Not sure why Cisco doesn't like them, but I've run into this before with Cisco WAPs.

Otherwise, I'm going to say the problem is solved!  

Thank you for the contributions.
0