Windows devices unable to connect to BYOD ssid

  • Question
  • Updated 4 years ago
  • Answered
I've got a fun one here. This just started recently with no real changes to HM or the network other than updating HM to 6.1r6a. I've already tried reverting to an older version with the same results so I don't think that's the issue.
BYOD SSID looks like this.
Windows server handing out IP and AD info.
802.1X w/ AES, 2.4 & 5 GHz.
2 APs acting as RADIUS
BYOD has 2 User Profiles, one for Staff and one for IT connecting to different VLANs
Staff Profile is firewalled with access to internet and DNS only
IT Profile has no firewall with full access to LAN
The 2 DHCP scopes are barely getting used so a lack of IPs is not a problem.

All of that is pretty straightforward and has worked fine for a couple of years now. Now all of a sudden Windows 7 laptops are not able to connect to this SSID, but every other device that I have (Android, iPad, etc.) all connect fine. I've tried both a Staff and IT account and both are Unable to Connect. Below looks to be the relevant lines from Client Monitor:


09/10/2014 09:11:12 AM  001C267930B3  0019779CA12D  MS-Library     DETAIL  (3)RADIUS: 

09/10/2014 09:11:12 AM  001C267930B3  0019779CA12D  MS-Library     DETAIL  (4)RADIUS: rejected user 'jason' through the NAS at 172.19.5.69.

09/10/2014 09:11:26 AM  001C267930B3  0019779CA12D  LGS-IT-OFFICE  DETAIL  (891)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=172 length=482

09/10/2014 09:11:26 AM  001C267930B3  0019779CA12D  LGS-IT-OFFICE  DETAIL  (892)Send message to RADIUS Server(172.19.2.73): code=1 (Access-Request) identifier=173 length=174,  User-Name=jason NAS-IP-Address=172.19.5.69

Called-Station-Id=00-19-77-9C-A1-2D:LGS-BYoD Calling-Station-Id=00-1C-26-79-30-B3

09/10/2014 09:11:27 AM  001C267930B3  0019779CA12D  LGS-IT-OFFICE  BASIC   (893)Authentication is terminated (at if=wifi1.6) because it is rejected by RADIUS server

09/10/2014 09:11:27 AM  001C267930B3  0019779CA12D  LGS-IT-OFFICE  BASIC   (894)Sta(at if=wifi1.6) is de-authenticated because of notification of driver

Jason Baxter

Posted 4 years ago

Carsten Buchenau, Champ
Quick thought: This could be a certificate issue. Have a look if it is maybe expired...

Jason Baxter
That's one thing I haven't touched since setting this up. I'm not using a CWP and it appears that I just used the default certs. Do you mind pointing me in the right direction as to where to check the expiration? You may have just hit the nail on the head.

J. Goodnough, Champ
You're using a Windows NPS server to act as your RADIUS server?

Run mmc, add the certificates (local computer) snap-in, look in Personal store to see the certificate you're handing out.

Jason Baxter
I'm using APs for RADIUS.

Carsten Buchenau, Champ
Check your existing certificates under Configuration / Advanced / Keys & Certificates (screenshot 1) and how they are linked with your Aerohive AAA server settings under Advanced / Authentication (screenshot 2).

Also check the supplicant configuration on your Windows machines, see if "verify server certificate" is activated and which CA certificates are trusted.




Jason Baxter
I was just looking at this and noticed the "verify Server cert" is checked. Is it possible this is what's causing a fuss with Win7? I tried unchecking it, but as soon as I save and go back to it, it's checked again. Is that not even an option?

Carsten Buchenau, Champ
Looks like your Windows settings are controlled by GPO...

Seriously, try to fix the certificate issue first (= using a proper, valid certificate and chain). If you uncheck "verify server certificate", the whole setup is more or less for nothing...
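
Added example, not part of the original thread and not Aerohive code: a small triage script for the Client Monitor lines quoted in the first post. It reports, for each terminated authentication, whether an Access-Challenge was logged before the reject; a reject that follows a challenge means the RADIUS server was reachable and answering the NAS, which points at the EAP conversation itself (credentials, server certificate, supplicant settings) rather than reachability or the shared secret. The field layout is inferred from the quoted lines, and the names `triage`, `LINE` and `FIELDS` are hypothetical.

```python
import re

# Client Monitor lines copied from the first post, including the wrapped
# Called-Station-Id continuation line, which the parser has to skip.
SAMPLE = """\
09/10/2014 09:11:12 AM  001C267930B3  0019779CA12D  MS-Library     DETAIL  (4)RADIUS: rejected user 'jason' through the NAS at 172.19.5.69.
09/10/2014 09:11:26 AM  001C267930B3  0019779CA12D  LGS-IT-OFFICE  DETAIL  (891)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=172 length=482
09/10/2014 09:11:26 AM  001C267930B3  0019779CA12D  LGS-IT-OFFICE  DETAIL  (892)Send message to RADIUS Server(172.19.2.73): code=1 (Access-Request) identifier=173 length=174,  User-Name=jason NAS-IP-Address=172.19.5.69
Called-Station-Id=00-19-77-9C-A1-2D:LGS-BYoD Calling-Station-Id=00-1C-26-79-30-B3
09/10/2014 09:11:27 AM  001C267930B3  0019779CA12D  LGS-IT-OFFICE  BASIC   (893)Authentication is terminated (at if=wifi1.6) because it is rejected by RADIUS server
09/10/2014 09:11:27 AM  001C267930B3  0019779CA12D  LGS-IT-OFFICE  BASIC   (894)Sta(at if=wifi1.6) is de-authenticated because of notification of driver
"""

# Assumed layout: timestamp, client MAC, AP MAC, AP name, level, (sequence)message
LINE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M)\s+(?P<client>[0-9A-F]{12})\s+[0-9A-F]{12}\s+"
                  r"(?P<ap>\S+)\s+\w+\s+\(\d+\)(?P<msg>.*)$")
IP = r"(\d+(?:\.\d+){3})"
FIELDS = {
    "user": re.compile(r"(?:User-Name=|rejected user ')([\w.@-]+)"),
    "nas": re.compile(r"(?:NAS-IP-Address=|NAS at )" + IP),
    "server": re.compile(r"RADIUS Server\(" + IP + r"\)"),
}

def triage(text):
    """Return one finding per terminated authentication, with how far EAP got."""
    findings, ctx, challenges = [], {}, 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or wrapped continuation of the previous entry
        msg = m["msg"]
        for key, pat in FIELDS.items():  # remember user / NAS / server as they appear
            if (hit := pat.search(msg)):
                ctx[key] = hit[1]
        if "(Access-Challenge)" in msg:
            challenges += 1
        elif "rejected by RADIUS server" in msg:
            stage = ("rejected after EAP started" if challenges
                     else "rejected with no challenge logged")
            findings.append({"time": m["ts"], "ap": m["ap"], "client": m["client"],
                             "challenges": challenges, "stage": stage, **ctx})
            challenges = 0
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the quoted excerpt this yields a single finding for client 001C267930B3 on LGS-IT-OFFICE with one challenge seen before the reject, consistent with the advice in the thread to examine the RADIUS server certificate and the supplicant's validation settings.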