Windows 7 automatic authentication not working

  • 1.  Windows 7 automatic authentication not working

    Posted Mar 30, 2012 05:34 PM

    Some laptops on our domain have to login to Windows with their FQDN, or their credentials won't pass through the Controller.  For example User1 can't authenticate to the internal 802.1x wireless if he logs in as "domain\user1".  However his credentials will automatically sign him into the wireless if he logs into Windows with user1@domain.com

     

    Both sign-in methods are essentially the same and I can't figure why one is being incorrectly passed to the controller.

     

    Thanks



  • 2.  RE: Windows 7 automatic authentication not working

    EMPLOYEE
    Posted Mar 30, 2012 06:51 PM

    The event viewer or log in the radius server will give you a starting point.

     



  • 3.  RE: Windows 7 automatic authentication not working

    Posted Apr 02, 2012 11:58 AM

    What are you using for your Radius server?   On the AD side, is it a single or multi-domain forest?  

     

    As Colin mentioned, review of the Radius logs should give an indication as to what is going on.   Post the relevant parts of the log if you would like another set of eyes to have a look.



  • 4.  RE: Windows 7 automatic authentication not working

    Posted Apr 03, 2012 12:22 PM

    We are using a Windows Network Policy Server and AD is a single forest.  The radius logs are showing invalid username/password even though the credentials are correct.  It seems like the area where Windows stores the username/password isn't being read correctly from the wireless unless you login to the laptop as user@domain.com instead of "domain\user".  I'll see if I can get the logs...

     

     



  • 5.  RE: Windows 7 automatic authentication not working

    Posted Apr 04, 2012 03:14 PM

    Here is a good authentication from our Radius server:

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/3/2012 4:55:07 PM
    Event ID:      6278
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      DBPHQNPCM01.dbi.com
    Description:
    Network Policy Server granted full access to a user because the host met the defined health policy.

    User:
                    Security ID:                                         DBI\CTest
                    Account Name:                                 DBI\CTest
                    Account Domain:                                             DBI
                    Fully Qualified Account Name: DBI\CTest

    Client Machine:
                    Security ID:                                         NULL SID
                    Account Name:                                 -
                    Fully Qualified Account Name: -
                    OS-Version:                                       -
                    Called Station Identifier:                             000B86116C80
                    Calling Station Identifier:                            904CE5E1B571

    NAS:
                    NAS IPv4 Address:                           10.199.2.26
                    NAS IPv6 Address:                           -
                    NAS Identifier:                                 -
                    NAS Port-Type:                                 Wireless - IEEE 802.11
                    NAS Port:                                            0

    RADIUS Client:
                    Client Friendly Name:                   Aruba-Wireless
                    Client IP Address:                                            10.199.2.26

    Authentication Details:
                    Connection Request Policy Name:          Secure Wireless Connections
                    Network Policy Name:                  Secure Wireless Connections
                    Authentication Provider:                             Windows
                    Authentication Server:                 DBPHQNPCM01.dbi.com
                    Authentication Type:                     MS-CHAPv2
                    EAP Type:                                            -
                    Account Session Identifier:                         -

    Quarantine Information:
                    Result:                                                  Full Access
                    Extended-Result:                                            -
                    Session Identifier:                                          -
                    Help URL:                                            -
                    System Health Validator Result(s):          -

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6278</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-03T20:55:07.395503000Z" />
        <EventRecordID>1288467</EventRecordID>
        <Correlation />
        <Execution ProcessID="464" ThreadID="2148" />
        <Channel>Security</Channel>
        <Computer>DBPHQNPCM01.dbi.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-1350845867-1362718457-871907280-22725</Data>
        <Data Name="SubjectUserName">DBI\CTest</Data>
        <Data Name="SubjectDomainName">DBI</Data>
        <Data Name="FullyQualifiedSubjectUserName">DBI\CTest</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">000B86116C80</Data>
        <Data Name="CallingStationID">904CE5E1B571</Data>
        <Data Name="NASIPv4Address">10.199.2.26</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">-</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">0</Data>
        <Data Name="ClientName">Aruba-Wireless</Data>
        <Data Name="ClientIPAddress">10.199.2.26</Data>
        <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
        <Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">DBPHQNPCM01.dbi.com</Data>
        <Data Name="AuthenticationType">MS-CHAPv2</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="QuarantineState">Full Access</Data>
        <Data Name="ExtendedQuarantineState">-</Data>
        <Data Name="QuarantineSessionID">-</Data>
        <Data Name="QuarantineHelpURL">-</Data>
        <Data Name="QuarantineSystemHealthResult">-</Data>
      </EventData>
    </Event>

     


     



  • 6.  RE: Windows 7 automatic authentication not working

    Posted Apr 04, 2012 03:15 PM

    Here is a bad authentication from our Radius server:

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/3/2012 5:03:21 PM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      DBPHQNPCM01.dbi.com
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
                    Security ID:                                         NULL SID
                    Account Name:                                 DBI\ctest
                    Account Domain:                                             DBI
                    Fully Qualified Account Name: DBI\ctest

    Client Machine:
                    Security ID:                                         NULL SID
                    Account Name:                                 -
                    Fully Qualified Account Name: -
                    OS-Version:                                       -
                    Called Station Identifier:                             000B86116C80
                    Calling Station Identifier:                            904CE5E1B571

    NAS:
                    NAS IPv4 Address:                           10.199.2.26
                    NAS IPv6 Address:                           -
                    NAS Identifier:                                 -
                    NAS Port-Type:                                 Wireless - IEEE 802.11
                    NAS Port:                                            0

    RADIUS Client:
                    Client Friendly Name:                   Aruba-Wireless
                    Client IP Address:                                            10.199.2.26

    Authentication Details:
                    Connection Request Policy Name:          Secure Wireless Connections
                    Network Policy Name:                  -
                    Authentication Provider:                             Windows
                    Authentication Server:                 DBPHQNPCM01.dbi.com
                    Authentication Type:                     MS-CHAPv2
                    EAP Type:                                            -
                    Account Session Identifier:                         -
                    Logging Results:                                               Accounting information was written to the local log file.
                    Reason Code:                                    16
                    Reason:                                                                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6273</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-04-03T21:03:21.826870900Z" />
        <EventRecordID>1288487</EventRecordID>
        <Correlation />
        <Execution ProcessID="464" ThreadID="2148" />
        <Channel>Security</Channel>
        <Computer>DBPHQNPCM01.dbi.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">DBI\ctest</Data>
        <Data Name="SubjectDomainName">DBI</Data>
        <Data Name="FullyQualifiedSubjectUserName">DBI\ctest</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">000B86116C80</Data>
        <Data Name="CallingStationID">904CE5E1B571</Data>
        <Data Name="NASIPv4Address">10.199.2.26</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">-</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">0</Data>
        <Data Name="ClientName">Aruba-Wireless</Data>
        <Data Name="ClientIPAddress">10.199.2.26</Data>
        <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">DBPHQNPCM01.dbi.com</Data>
        <Data Name="AuthenticationType">MS-CHAPv2</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">16</Data>
        <Data Name="Reason">Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.</Data>
        <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
      </EventData>
    </Event>
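
A way to compare the two NPS events posted above field by field, as an added example that is not part of the original posts: it parses trimmed copies of the 6278 and 6273 Event Xml (field values copied from the thread) and reports what differs. The function names and summary keys are illustrative choices, not NPS terminology.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NULL_SID = "S-1-0-0"  # shown as "NULL SID" in the readable event text

# Trimmed copies of the two events in this thread (subset of the Data fields).
GRANTED_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6278</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1350845867-1362718457-871907280-22725</Data>
    <Data Name="SubjectUserName">DBI\CTest</Data>
    <Data Name="CallingStationID">904CE5E1B571</Data>
    <Data Name="NetworkPolicyName">Secure Wireless Connections</Data>
    <Data Name="AuthenticationType">MS-CHAPv2</Data>
    <Data Name="QuarantineState">Full Access</Data>
  </EventData>
</Event>"""

DENIED_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">DBI\ctest</Data>
    <Data Name="CallingStationID">904CE5E1B571</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationType">MS-CHAPv2</Data>
    <Data Name="ReasonCode">16</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) for one exported Security event."""
    # Intended for XML exported from your own NPS server's Security log.
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): (d.text or "")
              for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields


def diff_fields(granted, denied):
    """Map each field that differs to (granted value, denied value); None = absent."""
    names = sorted(set(granted) | set(denied))
    return {n: (granted.get(n), denied.get(n))
            for n in names if granted.get(n) != denied.get(n)}


def summarize_denial(denied, granted):
    """Condense a 6273 event against a known-good 6278 from the same setup."""
    return {
        # NULL SID means no account SID was recorded for this attempt.
        "user_sid_recorded": denied.get("SubjectUserSid") != NULL_SID,
        # "-" means the event names no network policy.
        "network_policy_named": denied.get("NetworkPolicyName", "-") not in ("", "-"),
        "reason_code": denied.get("ReasonCode"),
        # Windows account names are case-insensitive, so compare folded.
        "same_username": denied.get("SubjectUserName", "").casefold()
        == granted.get("SubjectUserName", "").casefold(),
        "same_client": denied.get("CallingStationID") == granted.get("CallingStationID"),
    }


if __name__ == "__main__":
    _, good = parse_event(GRANTED_XML)
    _, bad = parse_event(DENIED_XML)
    for name, (g, b) in diff_fields(good, bad).items():
        print(f"{name}: granted={g!r} denied={b!r}")
    print(summarize_denial(bad, good))
```

For this pair the summary shows the rejected attempt carried the same account name from the same client MAC as the accepted one, with Reason Code 16 and no user SID recorded.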


     



  • 7.  RE: Windows 7 automatic authentication not working

    Posted Apr 04, 2012 03:25 PM

    UPDATE - I've gotten the "domain\user" to work but only if the LAN cable is disconnected at login.  If the LAN cable is connected at login, the wireless will never work, so I have to log out, disconnect the CAT5, then log back in, and then the wireless connects perfectly.  I've tried enabling/disabling the wifi adapter, deleting the wireless network, and it won't connect until I log out.



  • 8.  RE: Windows 7 automatic authentication not working

    Posted Apr 04, 2012 03:50 PM

    In your last post, if you're asking if someone knows how to prevent the Wireless Card from turning off when the Ethernet port is being used... some laptops have a Wireless Card Property that disables wireless when it is plugged into an Ethernet drop.

     

    For example, my Dell D510 has "Disable Upon Wired Connect". I have it set to "Disabled" to prevent the wireless card from being turned off.

     

    I believe I've also seen this setting in BIOS as well in Power Settings.



  • 9.  RE: Windows 7 automatic authentication not working

    Posted May 02, 2013 01:01 PM

    I am having similar issues. A laptop docked or plugged in to LAN, when disconnected from either and the wireless then turned on, we can not authenticate. We can logout or logoff, disconnect, power on and then access wireless. The radius server shows invalid user name or password, and attempting to input the password fails and eventually will lock account. I can recreate it with ease. This has only been an issue since an upgrade to Win7 on the laptop. 



  • 10.  RE: Windows 7 automatic authentication not working

    EMPLOYEE
    Posted May 02, 2013 01:09 PM

    @jakersey wrote:

    I am having similar issues. A laptop docked or plugged in to LAN, when disconnected from either and the wireless then turned on, we can not authenticate. We can logout or logoff, disconnect, power on and then access wireless. The radius server shows invalid user name or password, and attempting to input the password fails and eventually will lock account. I can recreate it with ease. This has only been an issue since an upgrade to Win7 on the laptop. 


    Jakersey,

     

    Maybe the Microsoft forum?

     



  • 11.  RE: Windows 7 automatic authentication not working

    Posted May 02, 2013 02:07 PM

    Trying that one too. Been chasing this so reaching out for anything. There was a post about a hotfix but didn't fix my issue. 



  • 12.  RE: Windows 7 automatic authentication not working

    Posted May 03, 2013 04:27 PM

    What do your wifi 802.1x (windows) configs look like?  user/computer auth, use windows domain, single sign on?

     

    Also with NPS what do you have in your Network Policies?  Do you have a single policy setup for all users? do you set restrictions in the chain of policies for different user groups (send different filterIDs, etc based on group membership)?

     

    Are you seeing this on all your machines?  Do you have any 3rd party wifi software on the machine (hp connection manager, etc...) or are you just using the windows default connection managers?  



  • 13.  RE: Windows 7 automatic authentication not working

    Posted May 07, 2013 08:53 PM

    In the wireless properties where the 802.1x settings are,  is the client set to automatically send the windows credentials? 



  • 14.  RE: Windows 7 automatic authentication not working

    Posted May 08, 2013 10:03 AM

    We are using the EAP-MSCHAP v2 selection for Authentication. By default in our image the "Automatic use my Windows login name and password" is checked. If we uncheck this forcing the user to input name/password we have no authentication issues. Of course this destroys the single sign-on mgmt has requested and that we've been using with XP machines.

     

    We have found stated on a Microsoft board that this is a problem in the way Aruba hands the Win7 credentials to the Radius server and Aruba will have to fix it. I'm not convinced of that reply but I need to find this answer.



  • 15.  RE: Windows 7 automatic authentication not working

    Posted May 08, 2013 10:28 AM

    @jakersey wrote:

    We are using the EAP-MSCHAP v2 selection for Authentication. By default in our image the "Automatic use my Windows login name and password" is checked. If we uncheck this forcing the user to input name/password we have no authentication issues. Of course this destroys the single sign-on mgmt has requested and that we've been using with XP machines.

     

    We have found stated on a Microsoft board that this is a problem in the way Aruba hands the Win7 credentials to the Radius server and Aruba will have to fix it. I'm not convinced of that reply but I need to find this answer.


    We have found that when the machine boots up initially, Windows will always send the computer credentials to authenticate (when SSO is enabled); this authentication likely fails in your scenario.  Then when a user tries to log in using SSO, things do not work properly.  Logging into the machine as the local admin, waiting a second for wifi auth to fail, then logging out and back in as a domain user will be successful.

     

    We have found that we need to create a computer role and allow the individual machines to be able to authenticate to radius.  We created a VERY restricted role for our machines that would allow them to get DHCP, see DNS, and see our AD.

     

    Once the user logs in using Windows SSO, Aruba will switch to the user role, applying the user policy.

     

    I hope that helps...  as it sounds like you are seeing something very similar to what we have seen here.



  • 16.  RE: Windows 7 automatic authentication not working

    Posted May 13, 2013 02:45 PM

    Yes this problem is only with Windows 7 laptops.  The only workaround is have the user login with their FQDN like user1@domain.com instead of "domain\user1". 

     

    I heard it might be a Realm issue with Active Directory and Windows 7, but I haven't investigated.



  • 17.  RE: Windows 7 automatic authentication not working

    Posted May 14, 2013 08:34 AM

    We have seen a similar issue relating to laptops moving from wired to wireless.  When a user is connected via wired and then moves to wireless, the machine auth often fails.  From what I can tell the machine auth is sent over the wired connection during bootup/login and hence not resent when trying to move to wireless.  We get it to work by having the user reboot or log off and on.  We also sometimes can't get them connected until they connect via wired and then disconnect wired and reboot then connect via wired (almost like the workstation object needs refreshing in AD via wired before it will work via wireless).

     



  • 18.  RE: Windows 7 automatic authentication not working

    Posted May 14, 2013 08:55 AM

    I've been working with TAC and we made a change that seems to have cleared it up. In the 802.1x settings we disabled "Termination". This has cleared our troubles and the laptops are now able to dock and undock and perform as expected in authenticating to the wireless network. 



  • 19.  RE: Windows 7 automatic authentication not working

    Posted Jun 25, 2013 11:54 AM

    Hi, did you ever figure anything out on this? I'm having the same problem with Windows 7/8.

     

    Edit: I already have termination disabled.



  • 20.  RE: Windows 7 automatic authentication not working

    EMPLOYEE
    Posted Apr 24, 2015 02:45 PM

    Was this ever resolved?



  • 21.  RE: Windows 7 automatic authentication not working

    Posted Jun 27, 2016 07:36 AM

    I do have this same problem and it's driving me crazy :( Windows 10 laptops connect to the wireless network very nicely, within seconds of taking the LAN cable off. But Windows 7 laptops cannot connect in any way. I did find the following errors in Aruba's log:

     

    Aruba logs :

     

    SSL_accept fail, child exit after 0 requests record layer version error

    SSL_accept fail, child exit after 0 requests cant match cipher suite.

     

    Server 2012 NPS Logs :

     

    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

     



  • 22.  RE: Windows 7 automatic authentication not working

    EMPLOYEE
    Posted Jun 27, 2016 09:57 AM

    That message in NPS typically means that the domain cannot find the username in AD.  You probably have to dig into that message to find out what that means.  The controller can only process the rejection; it cannot do anything when NPS sends back a reject...



  • 23.  RE: Windows 7 automatic authentication not working

    Posted Jun 27, 2016 11:24 AM

    I just don't understand why Windows 10 works like a dream. Both machines will get the same group policies :/



  • 24.  RE: Windows 7 automatic authentication not working

    EMPLOYEE
    Posted Jun 27, 2016 11:44 AM

    Do you have termination enabled at the controller?  That is probably the only thing the controller can do to manipulate the authentication.  Otherwise, the controller just passes the authentication through to the NPS server.



  • 25.  RE: Windows 7 automatic authentication not working

    Posted Jun 27, 2016 11:51 AM

    Termination is at its default setting, "disabled". This is so weird.



  • 26.  RE: Windows 7 automatic authentication not working

    EMPLOYEE
    Posted Jun 27, 2016 02:09 PM

    If termination is not enabled, you should compare the configuration of the wireless devices between the two OS's.  Try to connect a device using Windows 7 where the wireless is configured manually.



  • 27.  RE: Windows 7 automatic authentication not working

    Posted Aug 02, 2016 06:02 AM

    I was using the wrong certificate, my bad :/ Now it's working like a dream.