Deploying Secure 802.11 Wireless Networks with Microsoft Windows

Common Wireless AP Problems

The following are common problems with wireless APs:

• Unable to see the wireless AP.

• Unable to authenticate with the wireless AP.

• Unable to communicate beyond the wireless AP.

These common problems are discussed in detail in the following sections.

Unable to See the Wireless AP

If wireless clients are unable to see the wireless AP in a scan of wireless networks, one or more of the following may be happening.

• The wireless AP is not beaconing.

  All wireless APs should be sending periodic beacon messages that contain the Service Set Identifier (SSID) unless the wireless AP has been configured to suppress the SSID in the beacon message and the wireless AP s capabilities (such as supported bit rates and security options). To verify that the wireless AP is beaconing, you can use the site survey software, the Wireless Monitor snap-in for Microsoft Windows Server 2003, or a packet sniffer that can capture wireless beacon frames. A simple packet sniffer that can capture beacon frames and other types of wireless management frames might be included on the CD-ROM provided by your wireless AP vendor.

NOTE Microsoft Network Monitor cannot capture wireless beacon frames.

• The wireless AP is not configured for the correct channel.

  If the wireless AP is using the same channel as an adjacent wireless AP, signal interference might be impairing the wireless clients ability to connect. Change the wireless AP channel if needed.

• The wireless AP is not advertising the correct set of capabilities.

  Confirm that the wireless AP is configured to operate for the correct technology (802.11b, 802.11a, or 802.11g) and with the correct bit rates and authentication options, such as Wi-Fi Protected Access (WPA). By capturing the beacon frame with a network sniffer, you can compare the configured wireless options to those being advertised in the beacon frame.

• The wireless AP has inadequate signal strength in the anticipated coverage volume.

  Use your site survey software to confirm that the coverage volume of the wireless AP is that which is described in your plans after initially deploying the wireless APs (as described in Chapter 7). If there are new sources of signal attenuation, reflection, or interference, make the appropriate changes to the locations of either interfering equipment or the wireless AP.

Unable to Authenticate with the Wireless AP

If you have multiple wireless APs, and your wireless clients cannot authenticate with any of them, you might have a problem with your authentication infrastructure. See Chapter 16, Troubleshooting the Authentication Infrastructure, for instructions on how to troubleshoot this situation. If you have multiple wireless APs, and the wireless clients cannot authenticate with an individual wireless AP, you need to troubleshoot the authentication-related configuration of the wireless AP. The three areas of authentication configuration you need to investigate are as follows:

• 802.1X configuration

• RADIUS configuration

• WPA configuration

802.1X Configuration

Ensure that the wireless AP has 802.1X authentication enabled. Some wireless APs might refer to 802.1X authentication as Extensible Authentication Protocol (EAP) authentication.

RADIUS Configuration

The Remote Authentication Dial-In User Service (RADIUS) configuration consists of the following elements:

• Wireless AP RADIUS configuration

• RADIUS server reachability

• RADIUS server configuration

• Internet Protocol Security (IPSec) for RADIUS traffic

These elements are described in the following sections.

Wireless AP RADIUS Configuration

Ensure that the wireless AP has been properly configured for RADIUS. The wireless AP should contain the following configuration information:

• The IP address of a primary RADIUS server

• The destination User Datagram Protocol (UDP) ports for RADIUS traffic sent to the primary RADIUS server (UDP port 1812 for RADIUS authentication traffic and UDP port 1813 for RADIUS accounting traffic)

• The shared secret for the primary RADIUS server

• The IP address of a secondary RADIUS server

• The destination UDP ports for RADIUS traffic sent to the secondary RADIUS server

• The shared secret for the secondary RADIUS server

RADIUS Server Reachability

Ensure that the primary and secondary RADIUS servers are reachable from the wireless AP by doing the following:

• If the wireless AP diagnostics has a ping facility the capability to send an Internet Control Message Protocol (ICMP) Echo message to an arbitrary unicast IP destination try pinging the IP address of the primary and secondary RADIUS servers.

• If the wireless AP diagnostics does not have a ping facility, try pinging the IP address of the primary and secondary RADIUS servers from a network node that is attached to the same subnet as the wireless AP.

If the ping from the network node succeeds and the ping from the wireless AP does not, examine the IP configuration of the wireless AP to ensure that it has been configured with the correct IP address, subnet mask, and default gateway for the attached wired subnet. If neither ping works, troubleshoot the lack of IP connectivity between the attached subnet and the RADIUS servers.

NOTE The ping test is not necessarily a definitive test of IP reachability. There might be routers in the path between the wireless AP and the RADIUS server that are filtering ICMP traffic, or the RADIUS server might be configured with packet filters or IPSec to discard ICMP traffic.

To ensure that RADIUS traffic is reaching the primary and secondary RADIUS servers, use a network sniffer such as Network Monitor on the Internet Authentication Service (IAS) RADIUS servers to capture the RADIUS traffic sent from and to the wireless AP during an authentication attempt. For more information about Network Monitor, see Chapter 16.

RADIUS Server Configuration

If RADIUS traffic is reaching the primary and secondary IAS RADIUS servers, verify that the primary and secondary IAS RADIUS servers are configured with a RADIUS client that corresponds to the wireless AP, including the following:

• The IP address of the wireless AP s interface on the wired network

• The destination UDP ports for RADIUS traffic sent by the wireless AP (UDP port 1812 for RADIUS authentication traffic and UDP port 1813 for RADIUS accounting traffic)

• The shared secret configured at the wireless AP

Check the system event log for authentication failure events corresponding to connection attempts to the wireless AP. To view the failed authentication events, use the Event Viewer to view the events in the system event log with the Source of IAS and the Event ID of 2.

IPSec for RADIUS Traffic

If you are using IPSec to encrypt the RADIUS traffic sent between the wireless AP and the IAS RADIUS server, check the IPSec settings on both the wireless AP and IAS server to ensure that they can successfully negotiate security associations and authenticate each other.

More Info For more information about how to configure IPSec policies in Windows Server 2003 to provide protection for RADIUS traffic, see Help and Support Center for Windows Server 2003. For more information about how to configure IPSec settings for a wireless AP, see your wireless AP s product documentation.

WPA Configuration

If your wireless AP is WPA-capable and you want to use WPA for wireless security, ensure that WPA is enabled. For a Small Office/Home Office (SOHO) configuration using WPA and preshared key authentication, ensure that the correct preshared key is configured.

Unable to Communicate Beyond the Wireless AP

The wireless AP is a transparent bridge and Layer 2 switching device, forwarding packets between the wired network to which it is attached and the connected wireless clients. If wireless clients can connect and authenticate, but cannot reach locations beyond the wireless AP, one or more of the following may be happening.

• The wireless AP is not forwarding frames as a bridge.

  All transparent bridges support the spanning tree protocol, which is used to prevent loops in a bridged section of the network. The spanning tree protocol uses a series of multicast messages to communicate bridge configuration information and automatically configure bridge interfaces to forward frames or block forwarding to prevent loops. While the spanning tree algorithm is determining forwarding and blocking interfaces, the bridge is not forwarding frames. Check the wireless AP s forwarding status and bridge configuration.

• The wireless AP is not configured with the correct virtual LAN identifiers (VLAN IDs).

  Many wireless APs support VLANs, a grouping of ports and interfaces so that they appear on the same link or subnet. Each group is assigned a separate VLAN ID. Verify that the VLAN IDs for your wireless client ports and your wired interfaces are correctly configured. For example, you might use one VLAN ID for authenticated wireless clients (that connects them to the organization intranet) and a separate VLAN ID for guest wireless clients (that connects them to an alternate subnet or the Internet).