6th February 2014, 12:13 PM #1
RADIUS Wireless Chicken and Egg Problem
For years we have been experiencing a wireless problem on student wireless laptops, that would be really useful to resolve:
In XP 'domain not available' and in 7 "no logon servers available" at the logon screen with wireless on.
It can be fixed by connecting a network cable and restarting the laptop, then disconnecting the cable at the logon screen. Wireless will then work as expected.
Student laptops that are used regularly don't have this problem.
Here is what I think is happening - Laptops are not being used within 30 days, the computer password expires in AD, they go to blow the dust off and use them and the RADIUS computer auth fails because the password has expired. The computer can't update the password because it's not connected to the network: hence the chicken & egg.
Has anyone else experienced this? Any ideas to resolve?
6th February 2014, 12:23 PM #2
Can you change the authorisation time on your radius set up, keep it for say 90 days?
6th February 2014, 12:27 PM #3
Yes, this problem does my head in. Been on my todo fix list for years.
I always thought it was the certificate's expiry date that was the problem.
6th February 2014, 01:25 PM #4
If the computer password had changed, you'd be getting "The trust relationship between the workstation and the primary domain has failed".
This is more likely to do with wireless cards not properly initialising on boot/taking a while to associate. I've been working on this issue for a while as well!
Out of curiosity, are you using Intel Centrino based NICs?
6th February 2014, 02:08 PM #5
Thanks for your replies.
> Can you change the authorisation time on your radius set up
Not sure where this is set - I'm using the Windows Server RADIUS Server.
> are you using Intel Centrino based NICs?
On some, but I've removed the horrid proset rubbish. Others are Dell.
I have tried leaving them for 1/2 an hour but they still don't connect, all have 'wait for network' on group policy set.
If I set up a temp SSID with just a WPA-PSK password it works OK, but I don't really want to have to change all the settings. RADIUS should make it more secure.
Connecting a cable then logging on, then removing the cable still leaves the fault. It has to have the cable in as Windows loads up.
6th February 2014, 02:43 PM #6
Doesn't matter about the proset rubbish unfortunately...
Can you check the WLAN Auto-Config log in Event Viewer and see if there are any errors there?
6th February 2014, 03:29 PM #7
You can set a policy to stop the machine account password changing if you wish.
Domain controller: Refuse machine account password changes
Also keep an eye on startup repair!
6th February 2014, 04:07 PM #8
Have you tried observing what is going on with a packet capture from another wireless device in range in monitor mode?
You should be able to observe the EAPOL / EAP exchange to see if the device can successfully authenticate to the network. And if not, what is actually going on.
You can use Wireshark on the RADIUS server to capture the traffic there too for analysis.
There is also tracing that can be performed via netsh on the client which could help you out.
If you're using a machine digital certificate, it is, as far as I am aware, unrelated to the validity of the machine's domain password.
Last edited by nicklowe; 6th February 2014 at 04:42 PM.
6th February 2014, 04:17 PM #9
> You should be using a machine digital certificate with auto enrolment.
Eh? I am using computer auto-enrolment, in group policy with a CA.
10th February 2014, 11:16 PM #10
OK, so I looked into the policy and I am using PEAP and MS-CHAPv2 and only computer auth. As per "Authentication may not succeed when you use PEAP-MS-CHAP-v2 as the authentication method for an 802.1X connection in Windows Vista, Windows XP, Windows Server 2003, and Windows 2000", it looks like the computer password expiry is causing the problem. I can't change to user & comp security as it would allow any student access. Interesting that Windows 7 isn't listed in the support article as I've seen it on Windows 7 as well.
I think I'm going to have to change to EAP-TLS, but I'm going to put that off until I upgrade the 2003 RADIUS server and CA to 2012, and have to set it all up again anyway.
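Editor's added example, not part of any post in this thread: one way to check the machine-password theory from posts #1 and #10 is to list the laptop accounts whose password was last set longer ago than the 30-day interval mentioned in post #1, so they can be cabled before being handed out. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain controller running Active Directory Web Services; the OU path is a placeholder.

```powershell
# Added example: report laptop computer accounts whose machine password is
# older than the 30-day interval discussed in the thread.
# Assumptions: ActiveDirectory module is installed; $SearchBase is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'OU=Student Laptops,DC=example,DC=local'  # placeholder OU, replace
$MaxAgeDays = 30                                        # interval quoted in post #1
$Now        = Get-Date

Get-ADComputer -Filter * -SearchBase $SearchBase `
               -Properties PasswordLastSet, LastLogonDate |
    ForEach-Object {
        # PasswordLastSet is empty for accounts that never set a password
        $pwdAge = if ($_.PasswordLastSet) {
            ($Now - $_.PasswordLastSet).Days
        } else {
            $null
        }

        [PSCustomObject]@{
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            PasswordAgeDays = $pwdAge
            # LastLogonDate is a replicated value and only approximate
            LastLogonApprox = $_.LastLogonDate
            OverInterval    = ($null -eq $pwdAge) -or ($pwdAge -gt $MaxAgeDays)
        }
    } |
    Where-Object { $_.OverInterval } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table Name, PasswordLastSet, PasswordAgeDays, LastLogonApprox -AutoSize
```

If the laptops that show the fault are the ones in this list, and the regularly used ones are not, that supports the password-age explanation over the slow-NIC one raised in post #4.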
11th February 2014, 03:49 AM #11
My school has experienced the same issues with all our netbooks for years. The only solution I found was to, every few weeks, hardwire them and force the updates. This seemed to help the "no logon servers" issue.
I'm revisiting these machines as the staff are becoming less and less patient with them. The time it takes to login and then attempt to open Office has become too much. I'm toying with the idea that the settings for the wireless network might be a cause of this issue. Not to hijack the thread but has anyone else had really long login times and has changing the authentication/encryption helped? i.e. switch from 802.1x EAP with WPA2-AES to just 802.1x EAP, open?