Occasional Contributor II

devices on windows cannot authenticate

good morning,

a few days ago my wireless network was fine,
but now all devices turning on Windows cannot authenticate, except those which are turning on Android.

please, what is the problem?

i have the 7210 controller and the 103 AP's.

thank you.

MVP

Re: devices on windows cannot authenticate

Faycal,

 

could you please give us more information?

 

AAA profile configuration, SSID configuration and VAP configuration.

Are you using user derivation rules?

 

Also, can you run show audit-trail and check the changes that have been made on the controller?

 

Cheers

Regards,
Borja
ACMX #567 //ACCP//CWNA//CWAP
Occasional Contributor II

Re: devices on windows cannot authenticate

first, thank you,

yes, I am using user derivation rules

 

 

 AAA Profile List
----------------
Name               References  Profile Status
----               ----------  --------------
default            2
default-dot1x      0           Predefined (editable)
default-dot1x-psk  0           Predefined (editable)
default-mac-auth   0           Predefined (editable)
default-open       0           Predefined (editable)
default-xml-api    0           Predefined (editable)
Guest-aaa-profile  1
mgmt-aaa-profile   1
New_WLAN-aaa_prof  1
NoAuthAAAProfile   1           Predefined (editable)
Pro-aaa-Profile    1
Res-aaa-profile    1
VIP-aaa-profile    1

 

 

MVP

Re: devices on windows cannot authenticate

Hi,

 

Can you send us the specific information from the AAA profile that you are saying is not working anymore and the derivation rules for that service?

 

show audit-trail (review that there are no changes from yesterday) - no need to paste here the logs but check since Sep 12 and find it out.

 

cheers

Regards,
Borja
ACMX #567 //ACCP//CWNA//CWAP
Occasional Contributor II

Re: devices on windows cannot authenticate

hi,

the aaa test server is successful, devices on Android connect,

for the AAA Profiles:

i have res-aaa-profile

authentication 802.1x

role logon

initial role: logon

802.1X Authentication Default Role: authenticated

termination enable
termination eap-type eap-tls
termination eap-type eap-peap
termination inner-eap-type eap-mschapv2
termination inner-eap-type eap-gtc

 

aaa server-group "GSRV-RADIUS"
allow-fail-through
load-balance
auth-server SRV-RADIUS,

 

Network authentication security WPA2

encryption AES

 

MVP

Re: devices on windows cannot authenticate

Hi,

Yes, it is a start.

I imagine that inside your SRV-RADIUS you added ClearPass, NPS or
another RADIUS server. Or you don't have a RADIUS server and that is why
you are doing termination on the controller?


If you have a corporate user you use EAP-TLS and you have a certificate
in that corporate laptop, right?

When you are using non-corporate traffic, you use EAP-PEAP and you
authenticate against an AD or database, right?

Are you sending any roles back to the controller once the user has been
authenticated or do you just use the authenticate role?
I mean, when you say that android works, which role do you receive?
(Show user | i (mac address or ip address))

Cheers
Borja
Regards,
Borja
ACMX #567 //ACCP//CWNA//CWAP
Occasional Contributor II

Re: devices on windows cannot authenticate

hi,

thanks

i have a RADIUS server to authenticate AD users, without ClearPass,

you're right, corporate users authenticate with certificate

i use only authentication role .... for android user, i receive the role authenticated,

thanks again

MVP

Re: devices on windows cannot authenticate

OK - so you have a RADIUS server. I don't know why you are using termination.

 

An Android user connects to the SSID and introduces his AD username and password. If that is correct, it gets the default role (authenticated).

 

A corporate laptop connects to the same SSID with certificates. If the authentication is successful - which role is going to be assigned? What does your derivation rule look like?

 

Regards,
Borja
ACMX #567 //ACCP//CWNA//CWAP
Occasional Contributor II

Re: devices on windows cannot authenticate

 

 ""An android user, connects to the SSID and introduces his AD username and password. If that is correct, it receives it gets the default role (authenticated) "" --> yes

 

""A corporate laptop, connects to the same SSID with certificates. If the authentication is successful - which role is going to be assigned? How does your derivation rule look like?"" -->  the same role is assigned: authenticated

i don't have derivation rules,

thanks
