Shark Attack


AP wireless issue

I have an Access Point issue. I haven't dealt with APs much at all. We have a guest wireless and an internal wireless connection. Users can connect wirelessly to the guest but not to the internal connections. Users authenticate automatically to their AD account, so no password input is needed. I did reset the connection, reboot the AP and checked the user account in AD. Any suggestions?

1. Has it been working before?
2. Have there been any recent changes?
3. Are users on the internal wireless getting an IP address?
4. Are both the guest and wireless SSID on the same wireless controller?

If users connect automatically to the internal wireless through AD, then is there a RADIUS connection or problem?
Shark Attack


1. Yes, started this Saturday out of nowhere
2. No changes
3. Yes, they are
4. Yes, same.

That's the only thing I can think of, RADIUS issues. They're using the same RADIUS server that I'm using at my location; I don't have any issues here. I just had a user reboot a router, will see what happens.
Can you clarify the issue a bit further?  When you say "Users can connect wirelessly to the guest but not to the internal connections.", you mean that the users DO get connected to the network, they just cannot access any internal network resources, correct?  Are these same users able to access the Internet?

It could be DNS related.  When connected, are they able to get a ping from the router (default gateway)?  If you ping a server by name, does it reply or does it say the server cannot be found?  If you ping the server by IP Address, does it reply?

Yeah, still nothing, same issue after reboot of AP and router.
No, we have 2 wireless connections: one used only for guests without access to the internal network, and 2 for internal users that can access network resources wirelessly. The local LAN works fine when connected by LAN cable. So they cannot connect to the wireless connection that is internal at all.
It gives me an error "issue connecting do to user account".
Seems like it's a site issue. I was able to log in as myself and could not connect on that user's computer at the site. The site is at a different location. I am able to connect to that internal wireless connection where I'm at in the office. So no user issue or expired password.
So, once you're authenticated to the wireless network in that office, using wireless only, can you ping the default gateway? Can you ping anything internal and get a reply or access anything local to that site only?

What is the default gateway of the wireless clients that are having the problem? Check the connection from there to the main switch to the firewall and/or gateway to the Internet and make sure you have access all along those spots.

But, how does that explain the error you are receiving that you posted "issue connecting do to user account"?
The wireless connection that has access to internal resources is currently unavailable. The connection shows up but it won't authenticate any user account, even mine, which works just fine in the office where I'm at. The user is at a different location, so there is something wrong there. We're all using the same TACACS server to authenticate. So the question is, why am I able to get on the connection from my office authenticating to the same TACACS server but can't do the same from the other office?

I do get an error "unable to authenticate the account", which is weird. The TACACS server is reachable via LAN connection though.
Where is the TACACS server located, your site or the problem site?

Has anyone changed any routing or anything on the switches? If it works fine for you in one building and it's the same SSID wireless network, but you can't authenticate from the problem building while the network is available (you said you can contact the TACACS server), that leads me to believe it's an authentication issue; but if you're authenticating to the same TACACS server, then it may be that the TACACS server lost a connection from the problem building.
Can you quickly diagram the network and send a config or something?
Will the attached help? I am located at the far left.
Far right is the AP; far left is the ACS server that points to the domain controller for authentication.

I have created capture ACLs on the firewall and I see captures from the AP 201.10 to the ACS server at 0.26.

What would you like configs of? Captures are coming through. Weird, as one user at the site is getting the error "access point issue" and one at the same site is getting "user account issue". I also discovered more sites that are having the same issues. Some sites do not have the issue. Weird.
Is it possible to check the logs on the TACACS server and wireless controller?
As far as I know, there is no wireless controller on site. I'm new here, still figuring things out. I rebooted the TACACS server today, so I don't know if there are any logs. I will check.
There is a boatload of logs; is there a particular one I'm looking for? The file "logs" is just one instance of the error. There are about 20 or more of those. Clearly authentication issues.
That log points to two things that stick out to me. Looks like the username that you're using to authenticate with is "unknown user". Has it been deleted?


Response={AuthenticationResult=UnknownUser; Type=Authentication; Authen-Reply-Status=Fail; }
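As an added example (not from the thread, and not the ACS product's own tooling), here is a small Python triage script for the "20 or more" failure lines mentioned above. It runs over constructed, ACS-style log lines whose only shape borrowed from the thread is the "Response={AuthenticationResult=...; Type=Authentication; Authen-Reply-Status=...; }" fragment; the NAS-IP-Address and User-Name fields, the timestamps, the IP addresses and the usernames are assumptions made up for the sample. It tallies results per AP (NAS), lists which accounts came back as UnknownUser and from where, and, most usefully for the situation in this thread, flags accounts that pass from one AP but are reported unknown from another, since that pattern points at the site's AP/NAS definition on the server rather than at the user account.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (NOT the thread's real logs). Field names other than
# the Response={...} fragment are assumed for illustration.
SAMPLE_LOG = """\
2019-03-04 08:12:01 NAS-IP-Address=10.1.201.10; User-Name=jdoe; Response={AuthenticationResult=UnknownUser; Type=Authentication; Authen-Reply-Status=Fail; }
2019-03-04 08:12:05 NAS-IP-Address=10.1.201.10; User-Name=root; Response={AuthenticationResult=UnknownUser; Type=Authentication; Authen-Reply-Status=Fail; }
2019-03-04 08:12:09 NAS-IP-Address=10.1.201.10; User-Name=asmith; Response={AuthenticationResult=UnknownUser; Type=Authentication; Authen-Reply-Status=Fail; }
2019-03-04 08:13:00 NAS-IP-Address=10.2.201.10; User-Name=jdoe; Response={AuthenticationResult=Pass; Type=Authentication; Authen-Reply-Status=Pass; }
2019-03-04 08:13:30 NAS-IP-Address=10.1.201.10; User-Name=jdoe; Response={AuthenticationResult=WrongPassword; Type=Authentication; Authen-Reply-Status=Fail; }
2019-03-04 08:14:00 NAS-IP-Address=10.2.201.10; User-Name=asmith; Response={AuthenticationResult=Pass; Type=Authentication; Authen-Reply-Status=Pass; }
"""

# Pull the three fields we care about: which AP sent the request, which account,
# and what the server decided.
LINE_RE = re.compile(
    r"NAS-IP-Address=(?P<nas>[\d.]+);.*?User-Name=(?P<user>[^;]+);.*?"
    r"AuthenticationResult=(?P<result>\w+);"
)


def parse_events(text):
    """Return one dict per parseable log line: {'nas', 'user', 'result'}."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Counts of results overall and per AP (NAS address)."""
    by_result = Counter(e["result"] for e in events)
    by_nas = defaultdict(Counter)
    for e in events:
        by_nas[e["nas"]][e["result"]] += 1
    return by_result, dict(by_nas)


def unknown_user_accounts(events):
    """Accounts the server reported as UnknownUser, with the APs they came from."""
    out = defaultdict(set)
    for e in events:
        if e["result"] == "UnknownUser":
            out[e["user"]].add(e["nas"])
    return {u: sorted(n) for u, n in out.items()}


def suspect_aps(events):
    """APs that produced UnknownUser failures and never a single Pass."""
    _, by_nas = summarize(events)
    return sorted(nas for nas, c in by_nas.items()
                  if c.get("UnknownUser", 0) > 0 and c.get("Pass", 0) == 0)


def inconsistent_users(events):
    """Accounts that Pass from one AP but are UnknownUser from another.

    A valid account that is unknown only from certain APs points at the server's
    view of those APs (client/NAS definition, shared secret, realm), not the account.
    """
    passed, unknown = defaultdict(set), defaultdict(set)
    for e in events:
        if e["result"] == "Pass":
            passed[e["user"]].add(e["nas"])
        elif e["result"] == "UnknownUser":
            unknown[e["user"]].add(e["nas"])
    return sorted(u for u in unknown if passed.get(u) and unknown[u] - passed[u])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    overall, per_ap = summarize(evs)
    print("results:", dict(overall))
    for nas, counts in sorted(per_ap.items()):
        print(f"  {nas}: {dict(counts)}")
    print("unknown accounts:", unknown_user_accounts(evs))
    print("APs with only failures:", suspect_aps(evs))
    print("pass here, unknown there:", inconsistent_users(evs))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; if the server's field names differ from the assumed NAS-IP-Address and User-Name, only LINE_RE needs adjusting. An AP that appears in suspect_aps while its users appear in inconsistent_users is the one whose server-side client entry deserves a look before any account is touched.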
Why unknown though? Some sites work just fine. No users were deleted.
From the log you posted it looks like it's using user: root. Has that account been modified or deleted? Do you have TAC support?