802.1x authentication fails
Last Post: June 3, 2010
We have a wireless network with the following security solution:
WPA with PEAP mschapv2
RADIUS is MS IAS
Recently we've changed the remote access policy on the RADIUS servers so that the only criterion for authentication is for the computer to be a member of our AD (i.e. a member of Domain Computers). Earlier we had two criteria: both the computer and the user were authenticated against the AD. Our wireless computer configuration GPO then demanded user re-authentication, meaning that first the computer was authenticated and then, when the user logged on, a second authentication took place, this time with the user's credentials. Because there was an and/or relationship between those two criteria we decided to remove the user auth and change the GPO to computer-only auth. The reason for this was that some users connected non-domain computers to our wireless network by disregarding the server certificate and providing a valid username/password instead. We had no idea that this was possible; it was not included in any documentation for IAS that there was this and/or relationship between the two criteria in the remote access policy.
However, lately we have had problems with some computers unable to reassociate to the wireless network. It seems that the 802.1x auth fails somehow and they can't get a valid IP address. We are talking about computers that used to work perfectly well with the wireless network and suddenly can no longer authenticate. In the IAS logfile I can see that the entry is incomplete; for example, the OU information is missing.
Could this be related to the recent change in the remote access policy? With the earlier policy the computer was re-authenticated when the user logged on. I should mention that we first changed the GPO to only require computer auth and gave it a good 3-4 weeks to make sure all computers got the new settings before changing the remote access policy on the RADIUS. The only way to re-authenticate a computer with this problem now is to connect with a cable and do a "gpupdate /force". This action can be required on the same computer several times at some interval.
Sorry for the long post. Does anyone here have any clue or suggestion on how to troubleshoot this problem?
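One way to start the troubleshooting asked for above, as an added example that is not part of the original post: a small Python triage over the IAS database-compatible log that separates computer (host/...) authentications from user ones, counts accepts and rejects, and pulls out the computer-account records that were rejected or logged without a Fully-Qualified-Distinguished-Name (the missing OU information). The column positions, the account-name conventions and the sample log lines are assumptions and constructed data, not taken from the post or from Microsoft documentation.

```python
import csv
from collections import Counter
# Assumed 1-based column positions of the IAS "database-compatible" log format
# (Packet-Type, User-Name, Fully-Qualified-Distinguished-Name, Policy-Name,
# Reason-Code); check them against your own IAS logging settings.
PACKET_TYPE, USER_NAME, FQDN, POLICY_NAME, REASON_CODE = 5, 6, 7, 25, 26
ACCESS_ACCEPT, ACCESS_REJECT = "2", "3"

def parse_ias_line(line):
    """Pull the fields of interest out of one IAS record (missing -> '')."""
    cols = next(csv.reader([line]))
    col = lambda n: cols[n - 1] if len(cols) >= n else ""
    user = col(USER_NAME)
    return {
        "packet_type": col(PACKET_TYPE),
        "user": user,
        # Assumed: PEAP machine auth presents host/<fqdn>; NTLM-style names end in '$'
        "machine_auth": user.lower().startswith("host/") or user.endswith("$"),
        "fqdn": col(FQDN),
        "policy": col(POLICY_NAME), "reason": col(REASON_CODE),
    }

def triage(log_text):
    """Count accept/reject per auth kind and collect the records that match the
    symptom in the post: a computer account rejected, or accepted with no DN."""
    summary, suspicious = Counter(), []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_ias_line(line)
        if rec["packet_type"] not in (ACCESS_ACCEPT, ACCESS_REJECT):
            continue  # Access-Request and accounting records carry no verdict
        kind = "machine" if rec["machine_auth"] else "user"
        outcome = "accept" if rec["packet_type"] == ACCESS_ACCEPT else "reject"
        summary[(kind, outcome)] += 1
        if rec["machine_auth"] and (outcome == "reject" or not rec["fqdn"]):
            suspicious.append(rec)
    return summary, suspicious

def _rec(ptype, user, fqdn, policy, reason):
    """Constructed sample record: 27 columns, the ones not used left empty."""
    cols = [""] * 27
    cols[0:4] = ["IAS01", "IAS", "06/03/2010", "08:15:02"]
    cols[4], cols[5], cols[6], cols[24], cols[25] = ptype, user, fqdn, policy, reason
    return ",".join(cols)

# Constructed sample log: one healthy machine auth, one failing one, one user auth.
SAMPLE_LOG = "\n".join([
    _rec("1", "host/ws01.corp.example", "", "", ""),
    _rec("2", "host/ws01.corp.example", "corp.example/Workstations/WS01", "Wireless-Computers", "0"),
    _rec("3", "host/ws02.corp.example", "", "Wireless-Computers", "16"),
    _rec("2", "CORP\\jdoe", "corp.example/Users/jdoe", "Wireless-Users", "0"),
])
```

Running `triage(SAMPLE_LOG)` on a real export lets you compare the machine-reject count before and after the policy change and see whether the rejected entries are exactly the ones lacking the DN field.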