Win XP clients not authenticating using PEAP

Hello,

A customer has RADIUS running on a Win Server 2008 R2 machine, has Autonomous 1140 APs and a mix of Windows 7 and XP Pro clients. Using PEAP as the authentication method the Win 7 clients can access the WLAN, but the Win XP clients cannot. The Win XP clients are at least SP2. I am doing some research before going to site on Friday and wanted to poll the community. I found an older post speaking to a MS Hotfix under KB#885453, but it refers to "third-party RADIUS servers," not MS servers. http://support.microsoft.com/?kbid=885453

Any other feedback or suggestions are welcome and appreciated.                  


Scott Fella
Hall of Fame

When you say PEAP, are you using AD credentials (username & password) or machine authentication? Windows XP doesn't do machine authentication unless you do a registry hack.

http://support.microsoft.com/kb/929847

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks for the quick bounce-back.  Yes, I had confirmed with the customer that they were trying to use AD credentials.

Then you should have no problems. The main issue I see with devices having issues is when using both WPA/TKIP and WPA2/AES or a mix of both. Also, having client load balancing enabled can cause issues. Your best bet is to post the show WLAN and the show sysinfo of the WLC to start. Also a debug client and the failure log on the RADIUS server.

This would be good to start with troubleshooting.

-Scott

Thanks for the feedback. The APs are autonomous, so no controller. But the debug client, and maybe debug radius commands, as well as the RADIUS server failure log should give me more info.

That will give you more detail for sure. Also make sure you're only using one type of encryption. That is important!!!

-Scott

I've checked the WZC on both a Win XP and a Win 7 client and they are both set for WPA2/TKIP only.

The AD user for the Win XP client is in the AD user group referenced in the WAP network policy on the RADIUS.

Any input is appreciated.

That is wrong... you should be using WPA2/AES not WPA2/TKIP.  Change it to WPA2/AES and test again.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott

I've flipped the settings to all combinations, currently on WPA2/AES and the Win 7 client still connects and the Win XP does not.


Try WPA/TKIP now... maybe the hardware on the XP machines doesn't support AES.

Thanks,

Scott

-Scott

That combination fails as well.
I've double-checked the RADIUS policy and it's a match of what's described in the Cisco SBA doc for setting up a Win 2008 server.
Thank you


Take a look at this doc and see if it's set up similarly. I don't know what else you can do. If the drivers have been updated, then it seems like you would see a failure of some sort that would tell you what is happening on the RADIUS logs. Have you tried with multiple XP machines and not just one or two?

https://supportforums.cisco.com/docs/DOC-17512

http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html

Thanks,

Scott

-Scott

I have 3 XP laptops I'm using to test.

Here is the AP's config:

test-ap#show run
Building configuration...

Current configuration : 2506 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test-ap
!
enable secret 5 $1$kpqT$UTsafjX/60V8nWu7e8s/90
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.7 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 192.168.1.7 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid AP
   authentication open eap eap_methods1
   authentication network-eap eap_methods1
   authentication key-management wpa version 2
   guest-mode
!
!
!
username Cisco password 7 072C285F4D06
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid AP
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.3.10 255.255.252.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.7 auth-port 1645 acct-port 1646 key 7 12380614412B5550787A
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

test-ap#
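
A check for the key-management and cipher pairing the replies in this thread keep returning to (WPA2 with AES rather than TKIP, and only one cipher per radio). This is an added example, not part of the original posts; `SAMPLE_CONFIG` is an excerpt of the configuration posted above, and the function names are hypothetical.

```python
import re

# Excerpt of the configuration posted in the thread, indented the way
# "show run" prints it; credentials and unrelated lines are left out.
SAMPLE_CONFIG = """\
dot11 ssid AP
   authentication key-management wpa version 2
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid AP
interface Dot11Radio1
 shutdown
 encryption mode ciphers aes-ccm
"""

def parse_blocks(config):
    """Map each top-level command to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit_wpa(config):
    """Return (interface, ssid, key_mgmt, ciphers, finding) per enabled radio/SSID pair."""
    blocks = parse_blocks(config)
    key_mgmt = {}
    for head, body in blocks.items():
        if head.startswith("dot11 ssid "):
            for cmd in body:
                m = re.fullmatch(r"authentication key-management wpa(?: version ([12]))?", cmd)
                if m:  # no "version" keyword: both WPA and WPA2 are accepted
                    key_mgmt[head.split()[2]] = {"1": "wpa", "2": "wpa2"}.get(m.group(1), "wpa+wpa2")
    results = []
    for head, body in blocks.items():
        if not head.startswith("interface Dot11Radio") or "shutdown" in body:
            continue  # a radio that is shut down serves no clients
        ciphers = next((c.split()[3:] for c in body if c.startswith("encryption mode ciphers")), [])
        for ssid in (c.split()[1] for c in body if c.startswith("ssid ")):
            km = key_mgmt.get(ssid, "none")
            finding = ("WPA2 key management with TKIP only; use aes-ccm"
                       if km == "wpa2" and ciphers == ["tkip"]
                       else "more than one cipher enabled" if len(ciphers) > 1 else "ok")
            results.append((head, ssid, km, ciphers, finding))
    return results
```

Calling `audit_wpa(SAMPLE_CONFIG)` reports Dot11Radio0 serving SSID `AP` with WPA2 key management and a TKIP-only cipher; Dot11Radio1 is skipped because it is shut down.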

Okay, leave it as WPA/TKIP for testing, and once you make the change, do the Windows 7 devices still connect except for the Windows XP?

dot11 ssid AP
   authentication open eap eap_methods1
   authentication network-eap eap_methods1
   authentication key-management wpa
   guest-mode

interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip

Thanks,

Scott

-Scott

Here is a troubleshooting link... use these debug commands and post what shows up

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml#tshoot

Thanks,

Scott

-Scott