
Instant - AD authentication fails in some machines

Hi experts,

I have just set up an Instant cluster with AD authentication at a customer. I set up the RADIUS role in the Windows Server, configured the RADIUS client and so on. The authentication method is PEAP. After that, I tried to connect to the network from my laptop with Windows 10 and from my iPhone and was successful.
I tried to connect to the network from a laptop with Windows 7 and it failed. I thought the reason was that the Windows version was old, but after trying the connection from another laptop with Windows 10 the authentication failed too. I checked the wireless driver and it seemed to be updated. After doing some tests, I realized the authentication is successful on some machines while it fails on others.
Does the Windows version have to do with this? How can I troubleshoot this? From the RADIUS server side? Are there any debug commands to see the AP side?

Edit: When I said the authentication failed on some machines, I meant that on some of them I clicked on the WLAN name to connect but the cursor kept spinning and the username and password fields never appeared. On other machines, when I clicked on the WLAN name an error message appeared which said "Unable to connect to this network". Instead of saying the authentication failed, it is better to say that I was unable to connect to the network.

Regards,
Julián
Aruba Employee

Re: Instant - AD authentication fails in some machines

In this case, Instant is just taking the EAP traffic from the client and forwarding it within Radius to the Windows server. You'll want to get logs from the server to see what's going on and why the Windows server is rejecting the authentication.


Charlie Clemmer
Aruba Customer Engineering

Re: Instant - AD authentication fails in some machines

Hi Charlie,

As I said at the end of my message, I think the server is not really rejecting the authentication, since I didn't have a chance to enter the credentials. The laptop, instead of showing the username and password fields to enter the credentials, said "Unable to connect to the network", so the client sent no credentials to the server. In this case, is it also valid to look at the logs from the server? My knowledge of RADIUS servers is very small; do you mean the security logs?

Thanks for your interest,

Julián

Aruba Employee

Re: Instant - AD authentication fails in some machines

Security logs on the IAP may show what username is being attempted, but resolving whether the auth is being rejected, and why, will ultimately come from the RADIUS server itself.

Windows has a tendency to use cached credentials when the user isn't prompted. These are most likely the user credentials that were entered into the workstation at login, regardless of whether the machine is AD joined or not. Similarly, some versions of Windows would attempt computer or user login, and in this case may be defaulting to the machine login ... again not prompting the user for credentials first.


Charlie Clemmer
Aruba Customer Engineering

Re: Instant - AD authentication fails in some machines

Hi Charlie,

Sorry, I meant the RADIUS server's security logs. When you said the server logs, did you mean the server security logs or the event viewer logs? I will check again, but in the failing laptops I first forgot the network and then manually configured the network to use user login (and not machine login), and to not automatically use the Windows logon name and password.

Regards,

Julián

Aruba Employee

Re: Instant - AD authentication fails in some machines

I'm not an expert on troubleshooting Windows NPS, but yes ... I believe the logs you're after will be security logs rather than general event logs.

The behavior with some versions of Windows is that it will use the credentials you used to log into the computer, so it's not necessarily cached with the network setting, but rather Windows is assuming your computer login should be valid for the network. Now if you configured the network to prompt the user for credentials and it's not, then I would ensure that machine authentication isn't being attempted by making sure the network configuration dictates only user authentication (and not machine or machine or user).


Charlie Clemmer
Aruba Customer Engineering