08-12-2005 01:43 AM - edited 07-04-2021 11:01 AM
I hope someone can help with this one.
The hardware we are using is as follows:
Cisco ACS v3.3
Cisco 1200 series Access Point
Cisco Cardbus 802.11a/b/g adapter.
Our requirements are for the wireless connection to be established and authenticated BEFORE windows logon - this is in order that the client machines will then go on to logon to the NT domain and run logon scripts to map drives and printers etc.
We have the client configured (using the Cisco Aironet Desktop Utility ver 2.1.0.2) to use PEAP (EAP-GTC)
The ACS server has been set up to use an External Radius Database which refers authentications on to Signify.
This authentication works fine.
Our problem is that once authenticated and connected the wireless link stays established until an attempt is made to logon to windows, at which point the wireless connection is dropped. The next oppertunity to connect to the wireless network occurs AFTER windows logon has been started. This means that the Windows machine is not able to connect to the domain controllers so start-up scripts etc are not run.
The wireless connections are dropped whether the users account is a "domain" account or a "local" account
These symptoms occur across a wide range of OS and laptop customer builds including: Win2K SP4 and XP SP2 standard builds, Plain Win2K and XP builds and our own XP builds on Dell and HP/Compaq Laptops with the single (so far) exception of an XP installation on a Compaq Evo N620c. This latter device does keep its wireless connection throughout the windows logon process.
I hope i have covered the scenario, please be gentle as i am just learning wireless and cisco stuff.
08-15-2005 12:01 PM
Hi Wayne,
For what it's worth, I am having a similar problem here, albeit with a a different wlan NIC. We are using IBM ThinkPad T42 with intergrated a/b/g miniPCi cards.
What version of IOS are you running on your 1200's? We are at Version 12.3(4)JA which we upgraded to in the past few weeks, and ever since then we have had odd problems.
Regards,
John Rumball, CCNA
Sudbury Regional Hospital
08-19-2005 06:07 AM
Run the following debug commands on your access point.
debug radius authentication
(this collects radius authen)
debug dot11 mgmt int
debug dot11 mgmt msg
(this collects 802.11 mgmt packets)
Also look at the CSAuth directory log files your ACS server. This shows much more information than the failed or passed authentication files. Reason codes, etc...
08-19-2005 08:53 AM
Thanks for the suggestions, but where do I find the CSAuth logs on my ACS appliance?
Actually, I think I solved my problem by reinstalling the MS hotfix for PEAP under Windows XP SP2, KB885453. Ever since I did this on my laptop and on a few others, connectivity has been solid.
Regards.
08-19-2005 09:51 AM
I am glad you seem to have a solution.
Just the same, take a look in the ACS server. You can't use the admin gui interface, you need to get on the server and go in to the program files directory. Go into the directory where your ACSV33 is installed and look (I believe) for a logs directory. You should find a subdirectory for the CSAuth logs. There will be a file in this subdirectory for every day that you have the server keeping logs. the current days log will not have a date in the file name.
Take a look. It is very helpful when debugging! Especially when you are just getting Peap or EAP-TLS going for the first time.
-Karl
08-27-2005 06:21 AM
Has anyone seen this problem occur using LEAP? I have had the exact same phenomoena happen with LEAP clients. Authentication completes and then the user is subsequently logged out. Also have seen this on multi-user laptops that will not perform LEAP unless a previous user profile exists (new Windows domain user will not work).
Has anyone had success using the MS hotfix to delay Group Policy under Win2k SP4?
Thanks
09-14-2005 12:43 AM
Thanks for all your replies, it looks like we have found a work around, Odessey Wireless Client (http://www.funk.com/radius/wlan/wlan_c_radius.asp) seems to work fine when logging on, and it does not drop the connection.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: