AP wireless issue

I have an Access Point issue. I haven't dealt with APs much at all. We have a guest wireless and an internal wireless connection. Users can connect wirelessly to the guest but not to the internal connection. Users authenticate automatically with their AD account, so no password input is needed. I did reset the connection, reboot the AP and check the user account in AD. Any suggestions?

Thanks,
Shark AttackNetwork adminAsked:

tolinromeCommented:
1. Has it been working before?
2. Have there been any recent changes?
3. Are users on the internal wireless getting an IP address?
4. Are both the guest and wireless SSID on the same wireless controller?

If users connect automatically to the internal wireless through AD then is there a Radius connection or problem?
0
Shark AttackNetwork adminAuthor Commented:
1. yes, started this Saturday out of nowhere
2, no changes
3. yes, they are
4, yes, same.

That's the only thing I can think of, radius issues. They're using the same radius server that I'm using at my location; I don't have any issues here. I just had the user reboot a router, will see what happens.
0
TropicalBoundCommented:
Can you clarify the issue a bit further?  When you say "Users can connect wirelessly to the guest but not to the internal connections.", you mean that the users DO get connected to the network, they just cannot access any internal network resources, correct?  Are these same users able to access the Internet?

It could be DNS related.  When connected, are they able to get a ping from the router (default gateway)?  If you ping a server by name, does it reply or does it say the server cannot be found?  If you ping the server by IP Address, does it reply?

TB
0
Shark AttackNetwork adminAuthor Commented:
yeah still nothing, same issue after reboot of AP and router
0
Shark AttackNetwork adminAuthor Commented:
No, we have 2 wireless connections. one, used only for guest without access to internal network and 2 for internal users that can access network resources wirelessly. the local lan works fine when connected by lan cable. so they cannot connect to the wireless connection that is internal at all.
0
Shark AttackNetwork adminAuthor Commented:
it gives me an error "issue connecting do to user account"
0
tolinromeCommented:
Well, that narrows it down. It does seem to be an authentication problem then. On the Radius server, has the password expired that allows AD authentication? Reset it anyway. Look in the logs for Saturday to see what happened.
0

Shark AttackNetwork adminAuthor Commented:
thanks,
0
Shark AttackNetwork adminAuthor Commented:
Seems like it's a site issue. I was able to log in as myself and could not connect on that user's computer at the site. The site is at a different location. I am able to connect to that wireless internal connection where I'm at in the office. So no user issue or expired password.
0
tolinromeCommented:
So, once you're authenticated to the wireless network in that office, using wireless only, can you ping the default gateway? Can you ping anything internal and get a reply or access anything local to that site only?

What is the default gateway of the wireless clients that are having the problem? Check the connection from there to the main switch to the firewall and/or gateway to the Internet and make sure you have access all along those spots.

But, how does that explain the error you are receiving that you posted "issue connecting do to user account"?
0
Shark AttackNetwork adminAuthor Commented:
The wireless connection that has access to internal resources is currently unavailable. The connection shows up but it won't authenticate any user account, even mine, which works just fine in the office where I'm at. The user is at a different location so there is something wrong there. We're all using the same Tacacs server to authenticate. So the question is, why am I able to get in the connection from my office authenticating to the same Tacacs server but can't do the same from the other office?

I do get an error, unable to authenticate the account, which is weird. The Tacacs is reachable via LAN connection though.
0
tolinromeCommented:
Where is the TACACS server located, your site or the problem site?

Has anyone changed any routing or anything on the switches? If it works fine for you in one building and it's the same SSID wireless network but you can't authenticate from the problem building but the network is available (you said you can contact the TACACS server), that leads me to believe it's an authentication issue, but if you're authenticating to the same Tacacs server then it may be the Tacacs server lost a connection from the problem building.
Can you quickly diagram the network and send a config or something?
0
Shark AttackNetwork adminAuthor Commented:
Will the attached help? I am located at the far left.
Far right is the AP; far left is the ACS server that points to the domain controller for authentication.

I have created capture ACLs on the firewall and I see captures from the AP 201.10 to the ACS server at 0.26

What would you like configs of? Captures are coming through. Weird, as one user at the site is getting the error "access point issue" and one at the same site is getting "user account issue". I also discovered more sites that are having the same issues. Some sites do not have the issue. Weird.
2014-11-26-15-19-30.jpg
0
tolinromeCommented:
is it possible to check the logs on the Tacacs server and Wireless controller?
0
Shark AttackNetwork adminAuthor Commented:
As far as I know, there is no wireless controller on site. I'm new here, still figuring things out. I rebooted the tacacs server today so I don't know if there are any logs. I will check
0
Shark AttackNetwork adminAuthor Commented:
There is a boatload of logs, is there a particular one I'm looking for? The file "logs" is just one instance of the error. There are about 20 or more of those. Clearly authentication issues.
logs.txt
0
tolinromeCommented:
That log points to two things that stick out to me. Looks like the username that you're using to authenticate with is "unknown user". Has it been deleted?

FailureReason=22056

Response={AuthenticationResult=UnknownUser; Type=Authentication; Authen-Reply-Status=Fail; }

https://supportforums.cisco.com/discussion/11625811/acs-52-error-22056-subject-not-found-applicable-identity-stores
0
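The triage this thread is working toward, finding which access points produce the FailureReason=22056 / UnknownUser failures and which user name they submit, sketched as an added example that is not part of the original thread. The log lines are constructed; the UserName and NAS-IP-Address field names and the addresses are assumptions, so adjust them to the fields in your own ACS export.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines. Only FailureReason=22056 and the Response={...}
# block come from the thread; UserName, NAS-IP-Address and the addresses
# (RFC 5737 documentation ranges) are assumptions for illustration.
SAMPLE_LOG = """\
UserName=root, NAS-IP-Address=192.0.2.10, FailureReason=22056, Response={AuthenticationResult=UnknownUser; Type=Authentication; Authen-Reply-Status=Fail; }
UserName=root, NAS-IP-Address=192.0.2.10, FailureReason=22056, Response={AuthenticationResult=UnknownUser; Type=Authentication; Authen-Reply-Status=Fail; }
UserName=jdoe, NAS-IP-Address=198.51.100.7, Response={AuthenticationResult=Passed; Type=Authentication; Authen-Reply-Status=Pass; }
UserName=root, NAS-IP-Address=203.0.113.5, FailureReason=22056, Response={AuthenticationResult=UnknownUser; Type=Authentication; Authen-Reply-Status=Fail; }
"""

RESPONSE_RE = re.compile(r"Response=\{([^}]*)\}")
FIELD_RE = re.compile(r"([\w-]+)=([^,;{}]+)")

def parse_line(line):
    """Return a flat dict of top-level fields plus the Response sub-fields."""
    record = {}
    m = RESPONSE_RE.search(line)
    if m:
        for key, value in FIELD_RE.findall(m.group(1)):
            record[key] = value.strip()
        # Drop the Response block so its contents are not parsed twice.
        line = line[:m.start()] + line[m.end():]
    for key, value in FIELD_RE.findall(line):
        record[key] = value.strip()
    return record

def failures_by_device(log_text):
    """Map each device address to a Counter of (user, failure code, result)."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("Authen-Reply-Status") != "Fail":
            continue
        # Keep only the numeric code if descriptive text follows it.
        code = rec.get("FailureReason", "?").split()[0]
        key = (rec.get("UserName", "?"), code, rec.get("AuthenticationResult", "?"))
        summary[rec.get("NAS-IP-Address", "?")][key] += 1
    return dict(summary)

if __name__ == "__main__":
    for device, counts in failures_by_device(SAMPLE_LOG).items():
        for (user, code, result), n in counts.items():
            print(f"{device}: {n}x user={user} reason={code} result={result}")
```

If every failing device reports the same user name and result, the fault is more likely in how those devices or the identity store lookup are configured than in individual user accounts.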
Shark AttackNetwork adminAuthor Commented:
Why unknown though? Some sites work just fine. No users were deleted.
0
tolinromeCommented:
From the log you posted it looks like it's using user: root. Has that account been modified or deleted? Do you have TAC support?
0