
Trust Domain issues over Wifi

I have a wireless network that is using a 5508 WLC (running, and AIR-LAP1142N-A-K9. My users are having trust domain relationship issues with their laptops when connected to WiFi. I have isolated this problem to WiFi by connecting the Laptops directly with a LAN cable and they do not have this issue. I think this has something to do with AP isolation but am not sure. Does anyone have any clue what could be causing this?


Accepted Solutions

This may sound weird but it was the TCP adjust MSS option on the new APs. Unchecking it seems to have fixed the issue.


Hi @tombstone1 


Can you explain a bit more about what the "trust domain relationship issue" is?

The end result of a wireless association is that the client session is in RUN state and its traffic is fed into a VLAN (for central switching), or in the case of FlexConnect, the traffic breaks out of the AP onto a VLAN on the attached switch.  There should be no impact for the upper layers (AD domain or otherwise).  If you are plugging users into a switch port then you may not be making a fair comparison, unless you can prove that they ended up on the same VLAN.



We only have one VLAN. I'm not using FlexConnect. Should I be? They are
local like the rest of my access points on my network. The other APs are
older but I don't have an issue with them. Plugging into the switch is the
same as using the AP, except for the NIC.

One VLAN to rule them all!!! Nice ... let's park that discussion.  FlexConnect is just an alternative to Central Switching when the controller is central, but APs are spread over various geographic locations - the traffic stays local.


Can you still please explain what this "domain trust issue" is?  


Domain trust is when a computer can't find the Active Directory server or
there is a handshake mismatch. Since it works on the wired LAN, I assume
something is blocking this on the wireless.

Windows 7 clients by any chance?
If you boot up a Win7 client, the LAN connection will be established at boot time. The WLAN connection will be established after the user has logged in (if using WPA2-Enterprise with PEAP).

Btw. you use a fairly insecure software release, which also contains a ton of bugs and I suggest you upgrade to the latest (and final) 8.3 release.

No, it's my Windows 10 clients. I wish I could update but with the older APs I have they won't work on it.

Highlighted will support the same APs as your currently used older 8.3 version.

Ok, with Windows 10 you have the option of authenticating before logon.
What is the exact error you have and in which situation? Your previous messages still leave too much room for interpretation.

Ok, when a computer connected to WiFi tries to log on with their user account they get "The trust relationship between this workstation and the primary domain failed." Though if I take and cable the computer in they can log on just fine. This only happens with the newer model APs in the room, not where the older models are.


Then it might be a driver issue actually. The old and new APs are both connected to the same WLC?
Are you using FlexConnect or different AP Groups (with maybe different policies/ACLs/VLANs)?

Same WLC, same VLAN, same ACL. I am using groups but they are all
configured the same.

This is very weird.
Do you maybe have several security options enabled on the SSID? Like WPA1 + WPA2 or TKIP and AES?

I'm pretty sure I don't, as I didn't change anything in the setup of the Wi-Fi other than adding new access points. Here's another interesting little tidbit to add to this. My wireless devices cannot print from my cable to printers. So if I plug the wireless devices in to cabling they can print just fine.


This could be caused by Firewall, ACL or "Block Peer to Peer" connections on the SSID (assuming the printers are in the same VLAN as the wireless).

Yes, they are all on the same VLAN. It's not any of those. The APs should let this all work. The old ones I replaced didn't have this issue. The only thing I can think of is it has to do with the APs. The only change to the network was the new APs.
