AD domain\username not logging in

Hi guys,

I have one of my AeroHive AP370's set up as a radius server that connects to our AD environment for authentication.

I can connect using an allowed user account by entering just the Windows AD username and password. But when I try to connect to the WiFi using a Windows 8.1 PC and ticking the box "use my windows user account", I receive an error telling me it can't connect.

Is this something I've set up wrong in the Radius settings or have I missed a check box along the way?

Any help would be appreciated as I feel it's something small that I've overlooked!

Kind Regards,
Ben

 


Ben Hawkins


Posted 4 years ago


Nick Lowe, Official Rep

I suggest you observe what is actually going on at the EAPOL level with Message Analyzer (Windows) or Wireshark (OS X or Linux) via another device watching the air in monitor mode.

You should also set RAS tracing going on the affected client with 'netsh ras set tracing * enabled' prior to logging off and review the supplicant logs:

http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wirele...

These steps should reveal what is going on.

Of course, it has to be said just to check: If the account logged in is not a domain user, this will use the local user account credentials which will not work.

Ben Hawkins

Hey Nick,

Thanks for the quick reply!

The user account I'm trying is a logged in Domain user with access to the WiFi permitted users group.

The same account logs in fine if I use just the AD username and password but as soon as I add the domain\ it can't connect.

Cheers,
Ben 

Peter Kroesen


We had this problem also, but with an AP330. It is a Microsoft problem/feature.

If you connect to the wireless through a Radius Server (in your question the AP370), you need to insert the wireless connection manually. If you try to connect on an Android or an Apple device, it is working fine.

Try it with the steps below:

  1. On the Desktop screen, right-click the Wireless Icon located on the lower right hand corner of the screen, and select Open Network and Sharing Center.
  2. Select Set up a new connection or network and then click on Next.
  3. Select Manually connect to a wireless network and then click on Next.
  4. Insert the SSID of the network you use.
  5. Set the security type to WPA2-Enterprise and click on Next.
  6. Click on "Change Connection Settings".
  7. Go to the tab "Security".
  8. Click on "Settings".
  9. Make sure the option "Validate server certificate" is not selected.
  10. Go to configure and deselect the option for Windows credentials and click on "OK".
  11. Click on "OK", "OK" and "Close".
  12. Try to connect to the network and use the Windows Credentials.

To test whether the settings on the AD and on Aerohive are correct, you can check if you can connect with an Apple or Android device.


Nick Lowe, Official Rep

Peter,

Sorry, but this is incorrect and harmful advice and it should not be followed by anybody outside of a test environment as it introduces significant security vulnerability to a deployment.

It is not a Microsoft problem or feature when there are validation issues, rather you just have to ensure that the certificate used by the RADIUS server is appropriate and that your clients are configured to validate it correctly.

Certificate validation issues do not appear to be related to the issue being discussed here.

Regards,

Nick

Ben Hawkins

Hi Guys,

Yep, no issues with the certificate as it seems to be accepted via mobile devices and laptops without issue.

Nick, I haven't had a chance to do any Wireshark air captures but I'm waiting on a call back from AH support today.

Regards,
Ben 

Ben Hawkins

Nick,

I just found this AH topic from 10 months ago where you helped someone with a very similar issue to me: https://community.aerohive.com/aerohive/topics/problem_connecting_with_windows_8_1_with_radius

It's possible that it's a certificate issue for me too as I'm currently using a self assigned AeroHive cert.

Kind Regards,
Ben

Nick Lowe, Official Rep

So, first off, you should definitely not be using the self-signed Aerohive certificate and should either use one from your own PKI infrastructure or a commercial CA.

If it is the certificate causing issues, you will see failure in all cases on a particular platform and typically only where certificate validation is configured.

The username format should have no bearing on it. Ticking 'Use my Windows user account' should make no difference.