EAP failures on Wireless suddenly

Hello, we have an HP MSM760 wireless controller (joined to active directory) and several different models of laptops. Things have been working fine but suddenly we are getting laptops not autoconnecting to Wireless. Event viewer shows the following happening:

Error Event 12013 OneXAuthentication
Explicit EAP Failure Received
Error 0x2b3
EAP Reason: 0x2b3
EAP Root Cause String: Network Authentication failed\nThe credentials provided might not be correct.

EAP Error:0x80420112


Right after that:
Error Event ID 11006 MSMSecurity
Reason: Explicit EAP failure received
Error: 0x2b3

Next:
Error Event ID 8004
Failure Reason: Explicit EAP Failure Received
Length of block timer (minutes): 20

Next:
Error Event ID 8002
Failure Reason: Explicit EAP Failure Received


We use a GPO that deploys the wireless profile to the Windows 7 computers. Basic WPA2/PSK setup connects to SSID. SSID setup is setup for AD authentication, so the controller looks to see if the laptop is part of a certain group in AD, if it is it allows it onto the network.

I've tried:
Manually connecting to the network, it doesn't allow it (says it can't connect and gives same event viewer errors).
Plugging it in and then running a gpupate. Doesn't work, even if I reboot and login after the gpudpate, when I disconnect the cable the wireless immediately shows disconnected

Here's what does work. Disjoining and rejoining the laptop to AD. I don't even have to delete the AD entry. I just disjoin, reboot, rejoin and it works. So aside from touching over 1000 machines to disjoin/rejoin is there any other options? The issue is completely random, but we haven't had anyone track if laptops are repeating. From my mental notes, once they's been disjoined/rejoined, they haven't had any further issues.

Thanks for your help!
LVL 8
Casey WeaverManaged Services Windows Engineer IIIAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Craig BeckCommented:
Check the certificate on the client device when it fails.  It sounds to me like they're expiring and not auto-renewing.  Disjoin/Join may be renewing the certs automatically.
0
Casey WeaverManaged Services Windows Engineer IIIAuthor Commented:
We're not running any certificates in this setup. It's supposed to simply look to see if it's a member of AD and continue on, we're not doing any trusts.
0
Craig BeckCommented:
If you're doing EAP, there's a X.509 certificate somewhere, be it on the client, the RADIUS server, or both.

Can you show the GPO settings for the wireless connection please?
0
Acronis Data Cloud 7.8 Enhances Cyber Protection

A closer look at five essential enhancements that benefit end-users and help MSPs take their cloud data protection business further.

Casey WeaverManaged Services Windows Engineer IIIAuthor Commented:
Please let me know if this helps, or if I need to come up with another way. Thanks for helping!

Windows Settings
Security Settings
Wireless Network (802.11) Policies
<REDACTED>
Policy Name <REDACTED>
Policy Description <REDACTED> 
Policy Type Windows Vista and Later Releases 
Global Settings
Use Windows wireless LAN network services for clients Enabled 
Shared user credentials for network authentication Enabled 
Hosted networks Enabled 
Allow user to view denied networks Disabled 
Allow everyone to create all user profiles Enabled 
Only use Group Policy profiles for allowed networks Disabled 

Network Filters
Prevent connection to infrastructure networks Disabled 
Prevent connection to adhoc networks Enabled 
Allowed Networks
Network Name (SSID) Network Type 
<REDACTED> Infrastructure 

Blocked Networks
Network Name (SSID) Network Type 
<REDACTED> Infrastructure 

Preferred Network Profiles
<REDACTED>
Profile Name <REDACTED>
Network Type Infrastructure 
Automatically connect to this network Enabled 
Automatically switch to a more preferred network Disabled 
    
Network Name (SSID) Network Broadcasts its SSID 
<REDACTED> True 
Security Settings
Authentication WPA2 
Encryption AES 
Use 802.1X Enabled 
Pairwise Master Key (PMK) Caching Enabled 
PMK Time-to-Live (minutes) 720 
Number of Entries in PMK Cache 128 
Maximum Pre-authentication Failures 3 

IEEE 802.1X Settings
Computer Authentication Computer only 
Maximum Authentication Failures 1 
Maximum EAPOL-Start Messages Sent  
Held Period (seconds)  
Start Period (seconds)  
Authentication Period (seconds)  
Network Authentication Method Properties
Authentication method Protected EAP (PEAP) 
Validate server certificate Disabled 
Enable fast reconnect Enabled 
Disconnect if server does not present cryptobinding TLV Disabled 
Enforce network access protection Disabled 
Authentication Method Configuration
Authentication method Secured password (EAP-MSCHAP v2) 
Automatically use my Windows logon name and password(and domain if any) Enabled 

Open in new window

0
joinaunionCommented:
Have you applied hotfix for 802.1x authentication fix?
https://support.microsoft.com/en-us/kb/980295
0
Craig BeckCommented:
That hotfix is for a different issue, but it won't hurt to apply it anyway.
0
Casey WeaverManaged Services Windows Engineer IIIAuthor Commented:
We have applied that patch enterprise wide, thanks though!
0
Jakob DigranesSenior ConsultantCommented:
looks very similar to some kind of errors I had on one of my first large 802.1X deployments, however that was XP and WIn2003 servers  but might still be worth a shot.

I guess you only authenticate user in AD? This error could be the computer accounts password run out, but the computers never (or rarely) authenticates to AD server, thus not being able to update password.
Try disabling password change, that helped me back in 2007 :-)
https://technet.microsoft.com/en-us/library/jj852252%28v=ws.10%29.aspx
0
Casey WeaverManaged Services Windows Engineer IIIAuthor Commented:
This looks like an interesting suggestion. The GPO is set to the computer, not the user. And the controller is just looking to see that the computer account is a member of active directory. So am I reading right that this could be the affect of the computer password not being changed in time and thus becoming stale? And I should apply a policy to the domain controller?
0
Jakob DigranesSenior ConsultantCommented:
apply it to default domain policy (not domain controller)
0
Casey WeaverManaged Services Windows Engineer IIIAuthor Commented:
Thanks! I've changed it now, obviously being the weekend I won't know as much. And it may take a bit of rejoining and disjoining before they get the new policy. So this question may be closed in that time, but I'll do my best to keep updating and keep it open until there's a solution.

Thanks again!
0
Jakob DigranesSenior ConsultantCommented:
Great --- best of luck !
0
Casey WeaverManaged Services Windows Engineer IIIAuthor Commented:
We are now getting laptops doing this: The authentication failed because the user certificate required for this network was rejected by the server
0
Jakob DigranesSenior ConsultantCommented:
hmmm .... Can you look at logs at NPS server? Event Viewer - Custom views - server roles - NPS and look at failed authentication request
0
Casey WeaverManaged Services Windows Engineer IIIAuthor Commented:
We're not using an NPS server. The MSM760 controller is supposed to be doing AD group authentication.
0
Jakob DigranesSenior ConsultantCommented:
OK

the MSM760 have a certificate that's valid and trust the root chain that's been issued to the clients?
0
Casey WeaverManaged Services Windows Engineer IIIAuthor Commented:
Well I set up a new VSC to use an NPS Radius server on a 2012R2 DC, and it solved all the problems. There are no longer any No login server errors across the entire network, there are much faster logins, and no more hung at desktop logins. It seems in the end the issue was with the controller effectively authenticating AD itself, which I can see is nice because it makes it ready to go nearly out of the box. But setting up the Radius server and the certificates was about a 4 hour process and the issue is now solved. Thank you everyone for your help!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Casey WeaverManaged Services Windows Engineer IIIAuthor Commented:
Thank you for you help in tracing down the problem. At the end of the day it was an Authentication issue with the HP controller. We're running OS 5.7.x so that may be part of an issue, we don't have a carepack to get one of the newer OS installs. Rolling out an AD CA and pushing a certificate, followed by pushing out a new VSC that used the radius server was surprisingly easy, and the difference in performance could be seen immediately.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.