Troubleshooting Windows Vista 802.11 Wireless Connections

This document is designed to assist network administrators, help desk personnel, and developers who work with IEEE 802.11 wireless services and Windows Vista®. This document describes how to troubleshoot connectivity problems for wireless clients running Windows Vista that are attempting to make 802.1X authenticated connections to Microsoft® Windows Server® 2003 domain networks.

This document also provides some troubleshooting information for wireless clients running Windows Vista® that are attempting to make wireless connections to small office or home office (SOHO) networks.

There is also information for developers and Microsoft support personnel about how to generate and use advanced tracing reports for debugging.

SOHO wireless networks

For SOHO wireless networks, this document focuses on a typical network deployment that uses:

  • a high-speed modem for Internet connectivity
  • a wireless router
  • one or more computers running Windows XP or Windows Vista with wired IEEE 802.3 Ethernet connections to the wireless router
  • one or more IEEE 802.11 wireless computers running Windows Vista

802.1X-authenticating domain networks

For 802.1X-authenticating domain networks, this document assumes the following services are in place to support wireless clients:

  • Windows Server 2003 Active Directory® with:
    • Domain Name System (DNS)
    • Active Directory Users and Computers
    • Group Policy Domain Policy
  • Microsoft certification authority (Certificate Services), or a RADIUS Server certificate purchased from a non-Microsoft certification authority (CA)
  • Internet Authentication Service (IAS) (a Remote Authentication Dial-in User Service (RADIUS) server)
  • Dynamic Host Configuration Protocol (DHCP)
  • One or more IEEE 802.1X-compliant wireless access points (APs) to provide 802.1X authenticated network access

In this document

This document is divided into several sections:

Section 1: Troubleshooting client connectivity

This section provides a summary of the troubleshooting approach used in this document.

Section 2: Wireless infrastructure components

This section describes the wireless-related components that are typically found in Windows Server 2003 domain networks. It also describes the main wireless components for SOHO wireless networks.

Section 3: The authentication process

This section provides an overview of the main phases involved in establishing 802.1X authenticated 802.11 wireless connections. It is crucial to understand these concepts when troubleshooting connectivity problems and performing root-cause analysis in an 802.1X-authenticating wireless environment.

Note
Because there are so many EAP authentication methods and types, it is not practical to provide information for every EAP deployment. The examples and conceptual information in this section are for an authentication process that uses PEAP-MS-CHAP v2.

Section 4: Network Diagnostics Framework

This section contains information about the features and capabilities of the Network Diagnostics Framework related to wireless, including the Wireless Diagnostics wizard.

Section 5: Netsh commands for wireless LAN

This section demonstrates, using step-by-step procedures, how to use netsh wlan to return detailed information about wireless network adapter capabilities and settings, and wireless profile configuration. There are also examples of the information generated by running two netsh wlan troubleshooting commands.

Section 6: Investigative questions and quick lists for common connectivity problems

This section provides a list of questions that you should consider when trying to determine the cause of wireless connectivity problems. It also contains tables with error conditions and common causes.

Section 7: Event logs, diagnostics logs, and wireless tracing reports

This section describes information found in logs and reports in Windows Vista, including:

  • Basic System Event logs
  • Operational logs
  • Wireless Tracing reports

Appendices

The appendices in this document contain information about Windows Vista wireless features or components for advanced users, and examples that are too long for the main body of this document:

Section 1: Troubleshooting client connectivity

Troubleshooting is a process of finding the source of problems, and then resolving those problems. Due to the complicated nature of wireless technologies, the process of identifying and correcting problems can also be complicated. You can make the troubleshooting process easier by understanding your network environment, gathering useful information, and applying a consistent method when determining the cause of connectivity errors.

The following are the recommended troubleshooting steps.

  • Understand your wireless infrastructure components and the main phases of the wireless connection process. This understanding is the foundation of a good troubleshooting process.
  • Run the Wireless Diagnostics wizard in Windows Vista when connectivity fails. In many cases, the Wireless Diagnostics wizard can either solve your problem automatically or walk you through a process to solve it.
  • Use the netsh wlan command to gather information about wireless client configuration settings and hardware capabilities.
  • Review basic investigative questions to determine what types of issues you should be looking for.
  • Review common or likely problems in the quick lists to see if you can quickly identify the problem.
  • Investigate event, operational, and diagnostics logs and reports. The logs and reports that are generated by wireless components provide detailed information that can help you to diagnose complex wireless connection and authentication issues.

Section 2: Wireless infrastructure components

This section describes the functions of the main components and services that are deployed to support an 802.1X-authenticating 802.11 wireless network.

The following table compares key differences between SOHO and Active Directory domain wireless network deployments.

 

SOHO workgroup: Does not require any computers running Windows Server 2003.
Active Directory domain: Requires at least one computer running Windows Server 2003.

SOHO workgroup: Supports Windows XP Home Edition operating system.
Active Directory domain: Does not support Windows XP Home Edition.

SOHO workgroup: Relatively easy for a novice user to deploy.
Active Directory domain: More difficult to deploy. Deployment is not intended for the average home or small office user.

SOHO workgroup: Requires a wireless AP or wireless router.
Active Directory domain: Requires one or more wireless APs that support 802.1X authentication.

SOHO workgroup: Provides wireless network access security only through:

  • WPA2 PSK - TKIP/AES: Wi-Fi Protected Access Version 2 Personal (WPA2-Personal) with preshared key (PSK) authentication with Temporal Key Integrity Protocol (TKIP) encryption (preferred).
  • WPA-PSK - TKIP/AES: Wi-Fi Protected Access (WPA) Personal with preshared key (PSK) authentication with TKIP encryption (preferred).
    Note
    The options to select TKIP or AES for WPA-PSK depend on whether the network adapter supports TKIP or AES.
  • Open-system/WEP: Open system authentication with Wired Equivalent Privacy (WEP).
    Note
    Due to known security issues with WEP encryption, it is recommended that you use only WPA2-Personal-PSK (preferred) or WPA PSK.

Active Directory domain: Provides strong wireless network access protection using:

  • WPA2-Enterprise with Advanced Encryption Standard (AES) or TKIP.
  • WPA-Enterprise with AES or TKIP.
  • Active Directory accounts.
  • RADIUS infrastructure with servers running IAS.
  • Certificates.
  • 802.1X authentication with EAP methods.

SOHO workgroup: Does not require the purchase of a server certificate.
Active Directory domain: Requires the purchase of a server certificate or deployment of a public key infrastructure (PKI).

SOHO workgroup: Does not provide centralized management of user accounts or user authentication.

Anyone who has access to the wired network, or to the wireless shared secret (the text string that serves as a password between the wireless AP and other wireless devices) can join the workgroup and access network resources.

Active Directory domain: Provides centralized management of user accounts and user authentication, using Active Directory user accounts database and IAS.

Users and computers must have accounts in Active Directory, and must provide password-based credentials to log on to the network. In addition, mutual authentication occurs with PEAP-MS-CHAP v2 when client computers authenticate the IAS server's certificate.

SOHO workgroup: Provides limited methods to control or manage workgroup members.
Active Directory domain: Provides methods to manage domain member accounts. Controls can be fine-tuned.

SOHO networks

There are many services and hardware devices available for SOHO deployments. The following illustration shows the main components of a common SOHO wireless deployment.


Internet service provider (ISP)

A company that provides individuals or companies access to the Internet. An ISP provides a telephone number (for dial-up connections), a user name, a password, or other connection information so users can connect their computers to the ISP's computers. In some cases, an ISP might require the unique Media Access Control (MAC) address of your high-speed modem, and will then use DHCP to configure the address on the public connection of your router. In this case, you can still configure your network client addresses using the DHCP service that is built into your router.

Modem

A device that transmits computer information over a medium such as a telephone line or coaxial cable.

Wireless router

A networking device whose primary function is to provide Internet and SOHO network access to your IEEE 802.11 wireless and IEEE 802.3 wired Ethernet computers and devices. Wireless routers commonly provide the following services:

  • A public-facing connection that connects to a modem, and in turn, to the Internet.
  • A network hub that can connect several IEEE 802.3 wired Ethernet devices, such as computers and printers.
  • An IEEE 802.11 wireless AP, capable of supporting multiple wireless computers.
  • DHCP addressing for wired and wireless client computers. DHCP addressing enables network traffic to be routed to the correct wireless or wired network device.

Domain networks

There are many ways to deploy wireless in a domain network. The following illustration shows components that are found in an Active Directory domain that provides 802.1X authenticated wireless access.

Note
This illustration is provided as an example only. It does not reflect best practices. For information about Microsoft CAs and PKI, see Public Key Infrastructure for Windows Server 2003 on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=83694).

Windows Server 2003 Active Directory

The Windows-based directory service that stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.

Domain Name System

A hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.

Active Directory Users and Computers

An administrative tool used by an administrator to perform day-to-day Active Directory administration tasks. The tasks that can be performed with this tool include creating, deleting, modifying, moving, and setting permissions on objects stored in the directory. Examples of objects in Active Directory are organizational units (OUs), users, contacts, groups, computers, printers, and shared file objects.

Group Policy

The infrastructure that enables directory-based change and configuration management of user and computer settings, including security and user data. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify policy settings for registry-based policies, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and OUs—you can apply the GPO's policy settings to the users and computers in those Active Directory containers. To create an individual GPO, use the Group Policy Object Editor. To manage Group Policy objects across an enterprise, you can use the Group Policy Management console.

To best support wireless clients running Windows Vista, it is recommended that you upgrade your Active Directory schema with the schema extension for Windows Vista Wireless Group Policy. The schema enables you to configure independent wireless policies specifically for wireless computers running Windows Vista. Deploying the schema extension will not affect an existing wireless policy for Windows XP.

To update your Windows Server 2003 Group Policy schema, follow the procedures in Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=70195).

Certificates

For PEAP-MS-CHAPv2, administrators can deploy certificate services on the network to issue a RADIUS server certificate, or purchase a RADIUS server certificate from a non-Microsoft CA.

EAP-TLS requires a PKI deployment to issue computer certificates to the RADIUS servers, and user and client certificates to wireless clients.

Note
PEAP-MS-CHAPv2 is easier to deploy than other authentication methods, such as EAP-TLS, for several reasons. First, PEAP does not require the deployment of a PKI; only the RADIUS server is required to have a server certificate installed. Nor does PEAP require smart cards or another type of client certificate to validate connecting clients. The result is a user-friendly experience in which network clients must provide only their account credentials (user name and password) for authentication. The account credentials are then verified against the account that exists in the user accounts database (such as Active Directory). From a security standpoint, PEAP-MS-CHAPv2 relies on passwords for authentication, which can be stolen or guessed. With EAP-TLS authentication, the certificate that is used for authentication cannot be easily forged.

Certificate

A digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.

Certification authority

An entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.

Microsoft Certificate Services

A software service that issues certificates for a CA. It provides customizable services for issuing and managing certificates for the enterprise. Certificates can be used to provide authentication support, including secure e-mail, Web-based authentication, and smart-card authentication.

Internet Authentication Service (IAS)

The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy, which provides authentication and accounting for network access.

IAS Remote Access Policy

A set of conditions and connection parameters that define the characteristics of the incoming connection and the set of constraints imposed on it. Remote access policy determines whether a connection attempt is authorized to be accepted.

Dynamic Host Configuration Protocol (DHCP)

A TCP/IP service protocol that offers dynamic leased configuration of host IP addresses and distributes other configuration parameters to eligible network clients. DHCP provides safe, reliable, and simple TCP/IP network configuration; it prevents address conflicts, and helps conserve the use of client IP addresses on the network.

DHCP uses a client/server model where the DHCP server maintains centralized management of IP addresses that are used on the network. DHCP-supporting clients can then request and obtain a lease of an IP address from a DHCP server as part of their network boot process.

Wireless APs (IAS RADIUS clients)

One or more 802.1X-compliant wireless APs must be configured as RADIUS clients so that they can communicate with the IAS RADIUS server. Add all wireless APs as RADIUS clients to the IAS server(s). You will need to know the IP address of each wireless AP to add them as RADIUS clients to IAS.

The wireless access point is configured as a RADIUS client to the IAS server deployed on the organization local area network (LAN). The wireless access points must meet the following requirements for 802.1X wireless deployments:

  • Support for the IEEE 802.1X standard for authentication.
  • Support for Wi-Fi Protected Access 2 (WPA2)-Enterprise or WPA-Enterprise. Support for Wi-Fi Protected Access 2 (WPA2)-Enterprise is preferred. WPA2-Enterprise is supported by Windows Vista and Windows XP with Service Pack 2 (SP2). For more information, see Description of the Wireless Client Update for Windows XP with Service Pack 2 on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=83697).

Recommendations

  • For consistency and ease of deployment, it is recommended that you deploy wireless APs of the same brand and model.

The following table lists some common wireless AP configuration items.

Note
The names of the configuration items for wireless access points can vary by brand and model, and might be different from those listed in the table. See your wireless AP documentation for configuration-specific details.

 

Wireless AP Configuration Items (each configuration item is followed by its information)

SSID

The name of the wireless network (for example, WiFiTest).

This is the name that is displayed to wireless clients. In Windows Vista, the SSID is the name displayed in Connect to a network when the computer detects the wireless AP SSID beacon broadcast.

Recommendation:

All wireless APs that are part of the same wireless network should use the same SSID.

Suppress SSID Beacon Broadcast

Most wireless APs provide the configuration option to suppress the SSID beacon broadcast.

Important
Enabling this option can create a security risk because wireless clients that are configured to connect to a network that suppresses the SSID broadcast will send probes for the network, advertising the wireless configuration of the wireless client. By default, this setting is not enabled.

To connect to wireless networks that are not broadcasting the SSID, wireless clients that are running Windows Vista must be configured by enabling the Connect even if the network is not broadcasting setting. Both the Windows Vista Wireless Network (IEEE 802.11) Policies Group Policy extension and the Manually connect to a wireless network wizard (in Connect to a network) provide access to this setting.

Wireless AP IP Address (Static)

For each wireless AP, configure a unique static IP address that falls within the exclusion range specified in the DHCP scope of the subnet on which the wireless AP is deployed.

DNS name

Some wireless APs can be configured with a DNS name provided that the DNS service on the network can resolve AP DNS names to an IP address.

For each wireless AP that supports this feature, enter a unique name for DNS resolution.

802.1X Authentication

Configure IEEE 802.1X authentication with WPA2-Enterprise or WPA-Enterprise, depending on which authentication is supported by all of your wireless devices.

Note
Due to known security issues with WEP encryption, it is recommended that you use only WPA2 (preferred) or WPA.
Note
Centralized configuration of WPA2 is supported in Windows Server 2003 with SP1 Active Directory Wireless Policy Group Policy. Wireless and wired clients running Windows Vista have enhanced features that can be configured through Group Policy settings. For more information, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=70195).

Wireless AP Subnet Mask

Configure this to match the subnet mask of the attached subnet.

Disable Wireless AP DHCP Service

If the network is providing DHCP, the DHCP service built into the wireless AP should be disabled.

RADIUS Shared Secret

Use a unique RADIUS shared secret for each wireless AP. Each shared secret should be a random sequence of uppercase and lowercase letters, numbers, and punctuation that is at least 22 characters long. To ensure randomness, use a random character generation program to create shared secrets to configure on the server running IAS and the wireless AP. You will need to match the shared secret for each wireless AP when you configure them as RADIUS clients in the applicable IAS Remote Access Policy.

Important
It is recommended that you record the shared secret for each wireless AP, and store the record in a secure location, such as an office safe.

RADIUS Server IP Addresses

Enter the IP addresses of your servers running IAS.

UDP Port(s)

By default, IAS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages.

Recommendation:

Unless you have reason to do so, do not change the default RADIUS UDP ports settings.

Vendor Specific Attributes (VSAs)

Some wireless APs require that the IAS RADIUS server is configured with specific attributes in order to provide full wireless AP functionality.

VSAs are added to an IAS Remote Access Policy.
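
The recommendations in the table above can be checked against an AP inventory before the APs are added to IAS as RADIUS clients. The following Python script is an added example, not part of the original document; the dictionary keys, the sample inventory and addresses, and the rule that a shared secret must contain every listed character class are assumptions made for the illustration.

```python
import ipaddress
import secrets
import string

# Character classes the table lists for a RADIUS shared secret.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
MIN_SECRET_LEN = 22                 # minimum length given in the table
AUTH_PORTS = {1812, 1645}           # IAS default authentication ports
ACCT_PORTS = {1813, 1646}           # IAS default accounting ports
ENTERPRISE_MODES = {"WPA2-Enterprise", "WPA-Enterprise"}


def has_all_classes(secret):
    """Assumed rule: at least one character from each listed class."""
    return all(any(ch in cls for ch in secret) for cls in CLASSES)


def generate_shared_secret(length=32):
    """Draw from the OS CSPRNG until every character class is present."""
    if length < MIN_SECRET_LEN:
        raise ValueError("shared secret must be at least 22 characters")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def audit_aps(aps, expected_ssid, subnet, excl_first, excl_last):
    """Return {AP name: [findings]} for a list of AP settings dicts."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(excl_first), ipaddress.ip_address(excl_last)
    seen_ips, seen_secrets = {}, {}
    report = {}
    for ap in aps:
        found = report.setdefault(ap["name"], [])
        ip = ipaddress.ip_address(ap["ip"])
        if ip not in net or not lo <= ip <= hi:
            found.append("static IP is outside the DHCP exclusion range")
        if ip in seen_ips:
            found.append("static IP also used by " + seen_ips[ip])
        seen_ips.setdefault(ip, ap["name"])
        if ap["netmask"] != str(net.netmask):
            found.append("subnet mask does not match the attached subnet")
        if ap["ssid"] != expected_ssid:
            found.append("SSID differs from the rest of the wireless network")
        if ap["suppress_ssid_broadcast"]:
            found.append("SSID beacon broadcast is suppressed")
        if ap["security"] not in ENTERPRISE_MODES:
            found.append("not using WPA2-Enterprise or WPA-Enterprise")
        if ap["dhcp_service"]:
            found.append("built-in DHCP service is enabled")
        secret = ap["radius_secret"]
        if len(secret) < MIN_SECRET_LEN:
            found.append("shared secret is shorter than 22 characters")
        if not has_all_classes(secret):
            found.append("shared secret is missing a character class")
        if secret in seen_secrets:
            found.append("shared secret also used by " + seen_secrets[secret])
        seen_secrets.setdefault(secret, ap["name"])
        if ap["auth_port"] not in AUTH_PORTS or ap["acct_port"] not in ACCT_PORTS:
            found.append("RADIUS UDP ports changed from the IAS defaults")
    return report


def _ap(name, ip, **overrides):
    """Build one constructed sample record; overrides model misconfigurations."""
    base = {"name": name, "ip": ip, "netmask": "255.255.255.0",
            "ssid": "WiFiTest", "suppress_ssid_broadcast": False,
            "security": "WPA2-Enterprise", "dhcp_service": False,
            "radius_secret": "q7#Rk2!vTz9@Lm4$Xb6^Wp",
            "auth_port": 1812, "acct_port": 1813}
    base.update(overrides)
    return base


# Constructed inventory (hypothetical keys and values, not from the document).
# AP-1 is clean; AP-2 reuses AP-1's secret; AP-3 has several problems.
SAMPLE_APS = [
    _ap("AP-1", "192.168.10.11"),
    _ap("AP-2", "192.168.10.12", suppress_ssid_broadcast=True),
    _ap("AP-3", "192.168.10.150", security="WEP", dhcp_service=True,
        radius_secret="Summer2007", ssid="WiFiTest2"),
]

if __name__ == "__main__":
    result = audit_aps(SAMPLE_APS, "WiFiTest", "192.168.10.0/24",
                       "192.168.10.10", "192.168.10.30")
    for name, found in result.items():
        print(name, "OK" if not found else "")
        for item in found:
            print("  -", item)
    print("replacement secret:", generate_shared_secret())
```
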

Wireless client computer(s)

A computer running Windows Vista that has an IEEE 802.11 wireless adapter and a corresponding wireless adapter driver designed for Windows Vista installed.

The Windows Vista 802.1X and wireless components have been redesigned with an emphasis on extensibility and security. In the Windows XP wireless supplicant model, the Wireless Zero Configuration service and supporting dynamic-link libraries (DLLs) handle all primary functions associated with connecting and maintaining a connection. The initial design had some limitations, such as an inability to add new features and the lack of extensibility. Therefore, the Windows Vista wireless components are completely redesigned; the major functions are separated into individual components. Further, independent hardware vendors (IHVs) are now able, through a consistent interface, to extend services and features specific to their needs.

Windows XP, Windows Server 2003, and Windows Vista have built-in support for IEEE 802.11-based wireless networking and IEEE 802.1X authentication using EAP.

Section 3: The authentication process

This section provides an overview of the components and the processes involved in establishing 802.11 wireless connections to 802.1X authenticating infrastructure networks.

Note
For a more detailed explanation of EAP and PEAP-MS-CHAPv2 processes, see Appendix A: Detailed EAP and PEAP-MS-CHAP v2 operations.

Wireless connection phases overview

Because PEAP-MS-CHAP v2 is a popular authentication method for wireless 802.1X deployments, this section provides an overview of the main phases that take place in 802.1X-authenticated wireless connections that use it. The phases are numbered in the order in which they occur; a diagram is included to illustrate, by number, where each phase occurs on the network. In this section, the phases are separated into two parts. The first part provides the phases required for the wireless client to associate with the wireless access point. The second part lists the phases involved with 802.1X authentication.

Association with the wireless AP and link-layer authentication

When a wireless network adapter is turned on, it begins to scan across the wireless frequencies (spectrum) for wireless APs and other wireless clients. Scanning is an active process in which the wireless adapter sends Probe-Request frames on all channels of the ISM frequency range and listens for the Probe-Response frames sent by wireless APs and other wireless clients. After scanning, Windows instructs the wireless adapter to connect to a network, based on the configured preferences.

This choice is made automatically by using the SSID of a known or preferred wireless network and the wireless AP with the best signal strength (the highest signal-to-noise ratio). Next, the wireless client negotiates the use of a logical wireless port with the chosen wireless AP. This process is known as association.

The wireless client’s configuration settings determine whether the wireless client prefers to connect with infrastructure or ad-hoc mode networks. By default, a wireless client running Windows Vista, Windows XP, or Windows Server 2003 prefers infrastructure mode wireless networks over ad-hoc mode wireless networks. If the signal strength of the wireless AP is too low, if the error rate is too high, or if instructed by the operating system, the wireless client scans for other wireless APs to determine whether a different wireless AP can provide a stronger signal to the same wireless network. If so, the wireless client negotiates a connection with that wireless AP. This process is known as roaming.

  1. Scanning: The client scans for an AP using a probe request.
  2. Association: The client associates with the AP:
    • The AP registers the client’s MAC address and assigns a unique virtual port that is mapped to that MAC address.
    • The client registers the MAC address of the AP as the only device to which it is permitted to associate (until such time that it disassociates and then reassociates with another AP or wireless device).
  3. Access Request: Using its 802.1X uncontrolled port, the AP forwards a RADIUS Access-Request message to the RADIUS (IAS) server.
    Note
    TCP/IP frames generated by the wireless client can only be sent to the network through the controlled port. The client cannot send frames using the controlled port until it is authenticated and authorized.
  4. EAP: If the server running IAS does not reject the Access-Request, the EAP authentication method is negotiated between the client and IAS.
    After the negotiation is complete, the AP forwards messages between the client and the server running IAS.
    Note
    There are many EAP authentication types. Both EAP-TLS and PEAP-MS-CHAPv2 are supported natively in Windows Server 2003, Windows XP, and Windows Vista.
    Note
    When PEAP is used, a TLS session is first created between the access client and the server running IAS; authentication then occurs through the secure TLS session.
  5. Authentication: After the EAP authentication method is agreed upon between the client and IAS, the server running IAS sends its server certificate chain to the client computer as proof of identity. The client computer uses the IAS server certificate to authenticate the server running IAS. Successful PEAP-MS-CHAP v2 authentication requires that the client trusts the server running IAS after validating the IAS server certificate chain. For the client to trust the server running IAS, the root CA certificate of the issuing CA of the server certificate must be installed in the Trusted Root Certification Authorities certificate store on the client computer.
    After the client authenticates the server, the client sends password-based user credentials to the server running IAS, which verifies the client credentials against the user accounts database in Active Directory.
    • If the credentials are not valid, IAS sends an Access-Reject message to the AP in response to the connection request.
    • If the credentials are valid, the server running IAS proceeds to the authorization phase.
  6. Authorization: The server running IAS performs authorization, as follows:
    1. IAS checks the user or computer account dial-in properties in Active Directory.
    2. IAS then attempts to find a remote access policy that matches the connection request. If a matching remote access policy is found, IAS authorizes the connection request based on that policy.
  7. Access-Accept: If the authorization is successful, IAS sends the AP an Access-Accept message. If authorization is not successful, IAS sends an Access-Reject message.
  8. 802.1X controlled port: As part of authentication, 802.1X dynamically generates session keys from which it further derives encryption keys to secure the wireless connection. The encryption keys are configured on both the wireless AP and the client; all subsequent data traffic is protected. The wireless AP enables the controlled port; traffic from the wireless client is allowed to traverse the port.
  9. DHCP Address Request: The client sends a DHCP address request through the 802.1X controlled port to the network. If a DHCP server responds, the client obtains an IP address.
  10. Group Policy Applied: If configured, updated Group Policy is applied on the client during domain logon operations; this includes the Wireless Network (IEEE 802.11) Policies Group Policy extension.
    Note
    For computers already configured with Wireless Network (IEEE 802.11) Policies, Group Policy is applied when the computer is started, and whenever an updated policy is downloaded. If Group Policy is updated on the server while the computer is turned off, the last known policy (which might be stale) is immediately applied when the computer is started. If the 802.1X settings on the computer enable IAS to authorize the computer for network access, updated policies are downloaded and applied when the computer connects to the network, prior to user authentication. If 802.1X settings on the computer cannot enable IAS to authorize the computer for network access at startup, then application of updated policies occurs immediately after user authentication.
  11. Network Access: The client is able to access network resources, contingent upon any applied restrictions.
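
The phases above form an ordered series of checks, so the phase at which a connection attempt stops narrows down which component to investigate. The following Python model is an added example, not code from the original document; the class names, fields, and sample values are hypothetical, the dial-in check is reduced to a single flag, and the password comparison stands in for the MS-CHAP v2 exchange that takes place inside the TLS session.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    mac: str
    preferred_ssid: str
    eap_methods: set
    trusted_roots: set      # Trusted Root Certification Authorities store
    username: str
    password: str


@dataclass
class AccessPoint:
    ssid: str
    ip: str
    shared_secret: str
    ports: dict = field(default_factory=dict)   # client MAC -> port enabled?

    def associate(self, mac):
        self.ports[mac] = False     # controlled port stays closed for now

    def send_data(self, mac):
        """TCP/IP frames pass only through an enabled controlled port."""
        return self.ports.get(mac, False)


@dataclass
class IasServer:
    radius_clients: dict    # AP IP address -> shared secret
    eap_methods: set
    cert_root_ca: str       # root CA of the IAS server certificate chain
    accounts: dict          # user -> password, dial_in_denied, groups
    policy_groups: set      # groups matched by the remote access policy


def connect(client, ap, ias, dhcp_pool):
    """Walk the phases in order; return (phase, outcome) where it stopped."""
    if client.preferred_ssid != ap.ssid:
        return ("Scanning", "no AP found for the preferred SSID")
    ap.associate(client.mac)
    if ias.radius_clients.get(ap.ip) != ap.shared_secret:
        return ("Access Request",
                "AP is not a RADIUS client or the shared secret differs")
    if not client.eap_methods & ias.eap_methods:
        return ("EAP", "no EAP method in common")
    if ias.cert_root_ca not in client.trusted_roots:
        return ("Authentication",
                "client does not trust the IAS server certificate chain")
    account = ias.accounts.get(client.username)
    if account is None or account["password"] != client.password:
        return ("Authentication", "Access-Reject: credentials not valid")
    if account["dial_in_denied"]:
        return ("Authorization", "Access-Reject: dial-in properties deny access")
    if not account["groups"] & ias.policy_groups:
        return ("Authorization",
                "Access-Reject: no matching remote access policy")
    ap.ports[client.mac] = True     # Access-Accept: controlled port enabled
    if not dhcp_pool:
        return ("DHCP Address Request", "no DHCP server responded")
    return ("Network Access", "address " + dhcp_pool[0])


def sample():
    """Constructed working deployment; callers break one setting at a time."""
    client = Client("00-11-22-33-44-55", "WiFiTest", {"PEAP-MS-CHAP v2"},
                    {"Example Root CA"}, "user1", "constructed-password")
    ap = AccessPoint("WiFiTest", "192.168.10.11", "constructed-shared-secret")
    ias = IasServer({"192.168.10.11": "constructed-shared-secret"},
                    {"PEAP-MS-CHAP v2", "EAP-TLS"}, "Example Root CA",
                    {"user1": {"password": "constructed-password",
                               "dial_in_denied": False,
                               "groups": {"Wireless Users"}}},
                    {"Wireless Users"})
    return client, ap, ias


if __name__ == "__main__":
    client, ap, ias = sample()
    print(connect(client, ap, ias, ["192.168.10.50"]))
    client, ap, ias = sample()
    client.trusted_roots = set()    # root CA certificate missing on the client
    print(connect(client, ap, ias, ["192.168.10.50"]))
    print("data frames forwarded:", ap.send_data(client.mac))
```
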

Section 4: Network Diagnostics Framework

In Windows Vista, when a user experiences a network problem, Windows Vista will provide the user with the ability to diagnose and repair the problem. The diagnostic assessment and resolution steps that are provided to the user are in the application or user interface (UI) itself. During the diagnosis, the Network Diagnostics Framework (NDF) will analyze why the user’s task has failed, and will either present a solution to the problem, or list possible causes and steps that the user can take to fix the problem. The solution can be a process that is run automatically by Windows Vista, or it might be a request that the user manually perform a step. The resolution steps can involve configuration changes, or in some cases, contacting Microsoft Customer Service and Support and providing a report of the problem from the computer.


Wireless diagnostics overview

Wireless diagnostics are used to identify and correct wireless connectivity issues. Connectivity issues can include such things as failed connections and intermittent connectivity. Wireless diagnostics works with NDF, which, in turn, is part of Windows Diagnostics Infrastructure (WDI). The role of wireless diagnostics is to collect and analyze information about wireless connectivity, to provide the results of the analysis, and to provide the user with repair options.

Wireless diagnostics purpose and design

The following describes the design approach of wireless diagnostics in Windows Vista:

  • Inform the user about what has happened, or what is causing the problem.
  • Be sure that the user can understand the information and that the information is appropriate in the context of what the user is doing.
  • Instruct the user about how to fix the problem.
  • Provide options instead of errors.
  • Provide better support when diagnostics cannot present a solution.
  • Provide best-effort analysis of collected data.
  • Avoid asking the user for data that is available on the computer.
  • Direct the customer to someone who can help.

All diagnostics are prescriptive in nature, and solutions are corrective when possible. The design is also based on the principle that the solutions will not put the computer at risk.

Categorization of wireless issues

802.11 wireless diagnostics examines and diagnoses two categories of connectivity issues:

  • Wireless (802.11) connectivity or configuration issues. These can include security issues associated with 802.11, such as the use of WEP keys for encryption or authentication.
    Note
    Due to known security issues with WEP encryption, it is recommended that you use only WPA2-Personal (preferred) or WPA.
  • Layer 2 security issues. These can include issues such as certificate failures, 802.1X issues, and EAP authentication failure.

Top wireless issues covered by wireless diagnostics

The following are the top wireless issues:

  • Incorrect network key (WEP or WPA(2)-PSK).
  • Radio off (software or hardware switch).
  • Problem with the network adapter, hardware, or drivers.
  • 802.1X certificate failures.
  • 802.1X erroneously enabled or not enabled.
  • Authentication infrastructure (for example, the RADIUS server) is not responding.
  • 802.1X discovery failures.
  • No visible networks, either because none are in range or because radio is off.
  • Frequent roams, swapping of connections.
  • Incompatible hardware or capability mismatch (that is, the client network adapter does not support settings required by AP).
  • Bad signal and connectivity, too far from the wireless AP, poor device placement (due to obstructions, for example), interference resulting in poor performance and throughput.
  • Wireless is connected, but cannot get an IP address.

Parts of wireless diagnostics

For the purposes of this document, wireless diagnostics are divided into two parts:

  • Wireless Diagnostics wizard. The Wireless Diagnostics wizard is similar to a configuration wizard. It can assist users by either fixing connectivity problems, or by providing the user with a next-step action. Although the primary focus is on identifying and resolving client-side connectivity problems, the Wireless Diagnostics wizard will attempt to analyze end-to-end network health, as seen from the client perspective and with client user rights, and attempt to determine if the problem is related to network services or infrastructure components.
    Running the Wireless Diagnostics wizard should be the first step when you are trying to resolve wireless connectivity problems. Users can access the interactive Wireless Diagnostics wizard from several locations in the UI, which are discussed in Starting the Wireless Diagnostics wizard.
  • Diagnostics logs and reports. In addition to providing the interactive Wireless Diagnostics wizard, wireless diagnostics also logs information in event logs, operational logs, and wireless tracing reports. These logs and reports capture detailed information about wireless status and activity, connection attempts, system state, and the network environment.
    IT administrators can automatically collect logged information from the client computers and store it for analysis in a central location using MOM integration, or a similar tool. Administrators can also use this information for planning purposes.
    Microsoft Customer Service and Support personnel and developers can generate wireless tracing reports for advanced troubleshooting and debugging.
    Information about the logs and reports that are generated by wireless diagnostics is discussed in Section 7: Event logs, diagnostics logs, and wireless tracing reports. Samples of diagnostic logs are provided in Appendix D: Trace File examples.

The remainder of this section contains information about the Wireless Diagnostics wizard.

Starting the Wireless Diagnostics wizard

The Wireless Diagnostics wizard is part of Network Diagnostics. You can start the Wireless Diagnostics wizard from several places on a client running Windows Vista. Accessing these entry points will start Network Diagnostics, which will then start the Wireless Diagnostics wizard, if appropriate. This section includes several procedures for starting the Wireless Diagnostics wizard.

Using the Network and Sharing Center notification area icon

The icon for the Network and Sharing Center is located to the left of the clock in the notification area.

Note
When you position the mouse pointer directly over the Network and Sharing Center notification area icon, the Currently connected to notification will appear. If the computer running Windows Vista is not connected to a network or another computer, the Network and Sharing Center icon is displayed with an X to indicate that your computer is not connected.
To start the Diagnostics wizard by using the Diagnose and repair option of the Network and Sharing Center notification area icon
  • Right-click the Network and Sharing Center icon in the notification area, and then click Diagnose and repair.

Using the Diagnose network problems option in Network and Sharing Center

To start the Diagnostics wizard by using the Diagnose and repair option in the Network and Sharing Center
  1. Click Start, click Network, and in the menu, click Network and Sharing Center.

  2. In the left pane, click Diagnose and repair.

Using the Diagnose and repair option in Network and Sharing Center (option 2)

To start the Diagnostics wizard by using the Diagnose and repair option in the Network and Sharing Center
  1. Click Start, click Connect to, and in Connect to a network, click Open Network and Sharing Center.

  2. In Network and Sharing Center, in the left-hand pane, click Diagnose and repair.

Using the Repair option for a network connection icon in Network Connections

Network Connections provides several methods for starting diagnostics.

To start the Wireless Diagnostics wizard by using the Diagnose options for a Network Connections icon
  1. Open Network Connections by using one of the following methods:

    • Click the Network and Sharing Center icon in the notification area, click Network and Sharing Center, and then in the left pane of Network and Sharing Center, click Manage network connections.
    • Click Start, click Network, click Network and Sharing Center, and then click Manage network connections.
    • Click Start, click Connect to, click Open Network and Sharing Center, and then click Manage network connections.
  2. In LAN or High-Speed Internet, select the network connection you want, and then do one of the following:

    • Click Diagnose this connection.
    • Right-click the connection item, and then click Diagnose.
    • For wireless connections, attempt to connect to the network you want. Right-click the connection icon, and then click Connect/Disconnect. In Select a network to connect to, select the desired wireless network, and then click Connect.
      If the connection attempt is unsuccessful, the Connect to a network dialog box provides an option to diagnose the problem. Click Diagnose the problem to start the Wireless Diagnostics wizard.

Using Connect to a network

To start the Wireless Diagnostics wizard by using Connect to a network
  • Click Start, click Connect to, and in Connect to a network, do one of the following:

    1. In Select a network to connect to, select a wireless network, and then click Connect. If the connection attempt fails, the Connect to a network dialog box indicates that Windows cannot connect to the target resource. Click Diagnose the problem to open the Wireless Diagnostics wizard.
    2. In Select a network to connect to, right-click the wireless network for which you want to diagnose the connectivity, and then click Diagnose.

Additional entry points

Internet Explorer: If Internet Explorer fails to connect to the target resource, it displays:

  • a message indicating that it cannot display the Web page.
  • a list of the most likely causes.
  • links to run Network Diagnostics and get online help information.

You can click Diagnose Connection Problems to open Network Diagnostics and, as appropriate, the Wireless Diagnostics wizard.

Start Search: If an attempt to access a resource by typing a UNC (Universal Naming Convention) name in Start Search fails, the resulting error message provides a link that you can use to run Network Diagnostics and, as appropriate, the Wireless Diagnostics wizard.

To use the Start Search entry point to start a Diagnostics session
  1. Click Start, in Start Search, type the UNC name for the target resource, such as \\servername\sharename\directory\filename, and then press ENTER.

  2. If the attempt to access the resource is unsuccessful, when the Network Error dialog box opens, click Diagnose to open Network Diagnostics.

In some cases, running the Wireless Diagnostics wizard will not fix the problem. In these situations, your next step is to use the netsh wlan commands documented in the next section to gather information that will be useful for troubleshooting.

Section 5: Netsh commands for wireless LAN

The netsh commands for wireless local area network in Windows Vista provide a lightweight alternative to Group Policy to configure and manage wireless connectivity and security settings. Netsh wlan is also a useful tool for troubleshooting wireless connectivity problems.

You can run the netsh wlan commands directly from the command prompt by typing netsh wlan followed by the command, or by switching to the wlan context by using the following instructions.

Entering the netsh wlan context

To enter the netsh context for wlan
  1. Click Start, click Run, type cmd, and then click OK.

  2. At the command prompt, type netsh, and then press ENTER.

  3. Type wlan, and then press ENTER.

Using netsh wlan to gather troubleshooting information

The primary netsh wlan command for troubleshooting is show all, which you can use to gather the wireless profile configuration on multiple interfaces, and to collect data about the capabilities of the network cards and driver versions. For example, you can use the netsh wlan show all command to quickly determine:

  • whether the wireless network adapter supports the authentication and cipher standard required on your network.
  • if Auto-configuration (WLAN AutoConfig) logic is enabled.
  • whether 802.1X is enabled.
  • which EAP type is applied.

Running the netsh wlan show commands can uncover some types of configuration errors that result in connectivity problems.

The following procedures demonstrate how to use netsh wlan commands to gather troubleshooting information. After each procedure, you will find an example of the information that is rendered by the command.

Note
The complete Netsh command line reference for netsh wlan is available from the Microsoft TechNet Web site at Netsh Commands for Wireless Local Area Network (WLAN) [http://go.microsoft.com/fwlink/?LinkId=81752], and from the Microsoft Download Center at Netsh Commands for Wireless Local Area Network (WLAN) [http://go.microsoft.com/fwlink/?LinkId=81753].

show all

The show all command combines the following netsh wlan show commands:

  • show drivers - Displays the properties of the wireless adapter drivers on the computer.
  • show interfaces - Displays a list of the current wireless interfaces on the computer.
  • show settings - Displays the current global settings of the wireless LAN, including the information rendered by these two netsh wlan commands:
    • show autoconfig - Displays whether the wireless WLAN AutoConfig Service is enabled or disabled.
    • show blockednetworks - Displays whether blocked network settings are set to be displayed or hidden.
  • show filters - Displays the current list of allowed and blocked wireless networks.
  • show profiles - Displays a list of wireless profiles that are configured on the computer.
  • show networks MODE=BSSID - Displays a list of wireless networks that are visible on the computer.

The following table lists usage information for the netsh wlan show all command.

 

Syntax:

show all

Parameters:

There are no parameters for this command.

Remarks:

Displays the entire collection of 802.11 wireless interface information, network information, and wireless settings on the system, including:

  • Wireless adapter driver information
  • Wireless interface status
  • Wireless configuration settings
  • Wireless network filters
  • Wireless network profiles list and details
  • Visible wireless networks

Example command:

  • show all

The following command sample shows the information returned by the show all command.

F:\>netsh
netsh>wlan
netsh wlan>show all
Wireless System Information Summary
(Time: 1/18/2007 9:49:37 PM)

=======================================================================
============================== SHOW DRIVERS ===========================
=======================================================================
Interface name: Wireless Network Connection
    Driver                    : Broadcom 802.11g Network Adapter
    Vendor                    : Broadcom
    Provider                  : Microsoft
    Date                      : 6/21/2006
    Version                   : 4.82.28.56
    INF file                  : F:\Windows\INF\netbc6.inf
    Files                     : 1 total
                                F:\Windows\system32\DRIVERS\BCMWL6.SYS
    Type                      : Native Wi-Fi Driver
    Radio types supported     : 802.11g 802.11b
    Authentication and cipher supported in infrastructure mode:
                                Open            None
                                Open            WEP
                                Shared          None
                                Shared          WEP
                                WPA2-Enterprise TKIP
                                WPA2-Personal   TKIP
                                WPA2-Enterprise CCMP
                                WPA2-Personal   CCMP
                                WPA-Enterprise  TKIP
                                WPA-Personal    TKIP
                                WPA-Enterprise  CCMP
                                WPA-Personal    CCMP
    Authentication and cipher supported in ad-hoc mode:
                                Open            None
                                Open            WEP

=======================================================================
============================= SHOW INTERFACES =========================
=======================================================================
There is 1 interface on the system:
    Name                 : Wireless Network Connection
    Description          : Broadcom 802.11g Network Adapter
    GUID                 : 0dcf87d3-bed3-4518-ba99-f1066edb3d87
    Physical Address     : 00:14:bf:74:6d:c3
    State                : connected
    SSID                 : WIR_TST_Lab
    BSSID                : 00:18:39:5a:5f:01
    Network Type         : Infrastructure
    Radio Type           : 802.11g
    Authentication       : WPA2-Enterprise
    Cipher               : CCMP
    Connection Mode      : Auto Connect
    Channel              : 6
    Receive Rate (Mbps)  : 54
    Transmit Rate (Mbps) : 54
    Signal               : 94%
    Profile              : PEAP

=======================================================================
============================= SHOW SETTINGS ===========================
=======================================================================
Wireless LAN settings
---------------------
    Show blocked networks in visible network list: No.
    Auto configuration logic is enabled on interface "Wireless Network 
Connection".

=======================================================================
============================== SHOW FILTERS ===========================
=======================================================================
Allow list on the system (group policy)
---------------------------------------
    SSID: "WIR_TST_Lab", Type: Infrastructure
    SSID: "GUEST", Type: Infrastructure
Allow list on the system (user)
-------------------------------
    <None>
Block list on the system (group policy)
---------------------------------------
    SSID: "WSUA-EAP", Type: Infrastructure
    SSID: "Home", Type: Adhoc
    SSID: "", Type: Adhoc
Block list on the system (user)
-------------------------------
    <None>

=======================================================================
=========================== SHOW CREATEALLUSER ========================
=======================================================================
Everyone is allowed to create all user profiles.

=======================================================================
============================= SHOW PROFILES ===========================
=======================================================================
Profiles on interface Wireless Network Connection:
Group Policy Profiles (read only)
---------------------------------
    PEAP

User Profiles
-------------
    <None>

=======================================================================
========================== SHOW PROFILES NAME=* =======================
=======================================================================
Profile PEAP on interface Wireless Network Connection:
=======================================================================
Applied: Group Policy Profile
Profile Information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : PEAP
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
        AutoSwitch         : Switch to more preferred network if 
possible
Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "WIR_TST_Lab"
    Network type           : Infrastructure
    Radio type             : [ Any Radio Type ]
    Vendor extension       : Not present
Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Security key           : Absent
    802.1X                 : Enabled
    EAP type               : Protected EAP (PEAP)
    802.1X auth credential : Machine or user credential
    Cache user information : Yes

=======================================================================
======================= SHOW NETWORKS MODE=BSSID ======================
=======================================================================
Interface Name : Wireless Network Connection
There are 3 networks currently visible.
SSID 1 : WIR_TST_Lab
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:18:39:5a:5f:01
         Signal             : 97%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 1 2 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 2                 : 00:18:39:5a:5f:01
         Signal             : 97%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 1 2 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54

SSID 2 : TST_WLAN
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:0b:86:da:4b:a0
         Signal             : 20%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 2                 : 00:0b:86:db:1b:40
         Signal             : 0%
         Radio Type         : 802.11g
         Channel            : 8
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 3                 : 00:0b:86:db:30:80
         Signal             : 8%
         Radio Type         : 802.11g
         Channel            : 11
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54

SSID 3 : TST_GUEST
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:0b:86:da:4b:a1
         Signal             : 28%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 2                 : 00:0b:86:db:30:81
         Signal             : 8%
         Radio Type         : 802.11g
         Channel            : 11
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 3                 : 00:0b:86:da:57:a1
         Signal             : 68%
         Radio Type         : 802.11g
         Channel            : 11
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54

netsh wlan>
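The checks listed under Using netsh wlan to gather troubleshooting information (adapter support for the profile's authentication and cipher, auto configuration, 802.1X state, EAP type) can be run against a saved report instead of being read by eye. The following Python sketch is an added example, not part of the original document or a Microsoft tool; it assumes English-language output in the layout of the sample above, and its function names and embedded report are constructed for illustration.

```python
import re

# Constructed sample: an abridged report in the layout of the show all output
# above, altered so that the adapter lists no WPA2 pair for the PEAP profile.
SAMPLE = """\
=======================================================================
============================== SHOW DRIVERS ===========================
=======================================================================
Interface name: Wireless Network Connection
    Authentication and cipher supported in infrastructure mode:
                                Open            None
                                WPA-Enterprise  TKIP
                                WPA-Personal    TKIP
    Authentication and cipher supported in ad-hoc mode:
                                Open            WEP
=======================================================================
============================= SHOW SETTINGS ===========================
=======================================================================
    Auto configuration logic is enabled on interface "Wireless Network Connection".
=======================================================================
========================== SHOW PROFILES NAME=* =======================
=======================================================================
Profile PEAP on interface Wireless Network Connection:
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    802.1X                 : Enabled
    EAP type               : Protected EAP (PEAP)
=======================================================================
======================= SHOW NETWORKS MODE=BSSID ======================
=======================================================================
SSID 1 : WIR_TST_Lab
    Encryption              : CCMP
SSID 2 : TST_WLAN
    Encryption              : WEP
"""

BANNER = re.compile(r"^=+ (SHOW .+?) =+$")
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.*)$")
PAIR = re.compile(r"^\s+(\S+)\s+(\S+)$")
PROFILE = re.compile(r"^Profile (.+) on interface (.+):$")
NETWORK = re.compile(r"^SSID \d+ : (.*)$")


def split_sections(text):
    """Map each SHOW banner to its non-blank lines (rule lines dropped)."""
    sections, current = {}, None
    for line in text.splitlines():
        banner = BANNER.match(line.strip())
        if banner:
            current = sections.setdefault(banner.group(1), [])
        elif current is not None and line.strip("= \t"):
            current.append(line.rstrip())
    return sections


def driver_pairs(lines):
    """Per adapter, the (authentication, cipher) pairs for infrastructure mode."""
    caps, name, collecting = {}, None, False
    for line in lines:
        if line.startswith("Interface name:"):
            name, collecting = line.split(":", 1)[1].strip(), False
            caps[name] = set()
        elif "supported in" in line:
            collecting = "infrastructure mode" in line  # skip the ad-hoc list
        elif collecting and name and PAIR.match(line):
            caps[name].add(PAIR.match(line).groups())
    return caps


def records(lines, start):
    """Group 'key : value' lines into dicts, opening one at each start match."""
    found = []
    for line in lines:
        head, field = start.match(line), FIELD.match(line)
        if head:
            found.append({"id": head.groups()})
        elif found and field:
            found[-1][field.group(1)] = field.group(2)
    return found


def audit(text):
    """Return (severity, message) findings for one captured show all report."""
    sec = split_sections(text)
    caps = driver_pairs(sec.get("SHOW DRIVERS", []))
    out = []
    if "logic is enabled" not in " ".join(sec.get("SHOW SETTINGS", [])):
        out.append(("error", "auto configuration logic not reported enabled"))
    for p in records(sec.get("SHOW PROFILES NAME=*", []), PROFILE):
        name, iface = p["id"]
        auth, cipher = p.get("Authentication"), p.get("Cipher")
        if (auth, cipher) not in caps.get(iface, ()):
            out.append(("error", f"profile {name}: adapter lacks {auth}/{cipher}"))
        out.append(("info", f"profile {name}: 802.1X {p.get('802.1X')}, "
                            f"EAP type {p.get('EAP type')}"))
    for n in records(sec.get("SHOW NETWORKS MODE=BSSID", []), NETWORK):
        if n.get("Encryption") == "WEP":
            out.append(("warn", f"visible network {n['id'][0]} uses WEP"))
    return out
```

To check a real client, save the report with netsh wlan show all > report.txt and pass the file's text to audit(); each finding is a (severity, message) pair.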

show tracing

You can use show tracing to determine whether wireless tracing is enabled or disabled.

 

Syntax:

show tracing

Parameters:

There are no parameters for this command.

Remarks:

Displayed information includes:

  • Tracing state (enabled or disabled)
  • Tracing persistence state (running or not running)
  • Trace log file location (for example, "c:\Windows\system32\logfiles\WirelessAutoLog\")

Example command:

  • show tracing

The following command sample shows the information returned by the show tracing command.

F:\>netsh
Netsh>wlan
Netsh wlan>show tracing
Wireless tracing is currently stopped.
Last trace logs are stored in "F:\Windows\tracing\wireless"
netsh wlan>

Section 6: Investigative questions and quick lists for common connectivity problems

When troubleshooting wireless connectivity, ask the following questions to help define the problem.

Is the problem isolated to a single computer? If so:

  • Has the computer previously connected successfully to the network?
  • Can other computers on the same subnet reach targeted resources?
  • Is the computer in a media disconnected state?
    • Many portable devices have an external switch to turn off the wireless antenna. Is the external switch turned off?
    • Is the wireless adapter disabled in Network Connections?
    • Is the wireless adapter hardware malfunctioning?
    • Is the computer attempting to connect to a wireless AP or wireless router that is either unplugged from its power source or malfunctioning?
  • Can you identify configuration changes on the computer between the time the computer most recently connected successfully to the wireless network and when the connection failed?
  • Review the status details of the local area connection in Network Connections. Is there information in Network Connection Details that indicates the source or nature of the connectivity problem?
    Note
    To open the details for a local area connection, in Network Connections, right-click the local area connection icon, click Status, and then click Details.
    • Is there a value listed for Connection-specific DNS Suffix? Is the value the same as the name of your domain?
    • In a DHCP network, are the TCP/IP properties of the local area connection configured for dynamic addressing? If so, Yes will be displayed in DHCP Enabled.
    • Are both the IPv4 address and IPv4 subnet mask in the same range as those defined for the network subnet? Or, is the IPv4 address in Autoconfiguration IPv4 Address listed in the range of 169.254.0.1 through 169.254.255.254 with a subnet mask of 255.255.0.0?
      Note
      TCP/IP addresses in the range of 169.254.0.1 through 169.254.255.254 are Automatic Private IP Addressing (APIPA) addresses. When the TCP/IP protocol is configured for dynamic addressing and a DHCP server is not available, APIPA automatically configures a unique IP address from the 169.254.x.x range (where x is an integer between 1 and 254).
    • Is there information in Lease Obtained or Lease Expires?
    • Are the correct IP addresses displayed for the DHCP, DNS, and WINS servers?

Are multiple computers presenting the same symptoms? If so:

  • What do those computers have in common?
    • Do those computers connect to a common wireless AP?
    • Do the computers connect through one or more wireless APs that, in turn, connect to a common network switch?
    • Are the computers on the same subnet?
    • Do the computers or users belong to a common Active Directory security group?
    • Do the computers or users belong to an Active Directory security group that is controlled through a common IAS remote access policy?
    • Do the computers all obtain their TCP/IP addresses from the same DHCP server?
    • Is the connectivity outage constant or intermittent?
  • Can you identify changes in your network between the time the computers connected to the network successfully and the time when connections began to fail?

Review the location and timing of the problem to help narrow the scope of the problem. In addition, examine the failures systematically by referring to the sequence of steps used to establish communications, as described in Section 3: The authentication process.

Quick lists for common connectivity problems

This section provides a series of tables and lists that can help you to quickly identify conditions that can cause connectivity problems. The quick lists are presented in two categories: by symptom and by network type.

Quick lists by symptom

Quick lists by network type

Quick lists by symptom

The following series of tables present common symptoms, their causes, and likely solutions.

Symptom: Inability to connect

 

Possible Causes:

  • Improperly functioning or outdated wireless network adapter driver.
  • Incorrect or incompatible wireless network configuration. For example, shared key authentication is configured on the wireless AP and the wireless client is attempting open system authentication.
  • Inadvertent media access control (MAC) address filtering.
  • The wireless network name is not visible.
  • The wireless AP and wireless network adapter are not using the same 802.11 standard (for example, you are using an 802.11b network adapter and an 802.11a wireless AP).
  • Radio frequency (RF) interference from nearby devices, such as cordless phones and Bluetooth devices.
  • Wireless client is at the periphery of the RF range of the wireless AP.

Corrective Measures:

  • Verify that the wireless network configurations between the wireless client and wireless AP are compatible.
  • Review the wireless network environment and network topology.
  • Double-check the steps you followed during configuration. User error is a common source of incorrect configuration.
  • Obtain and install the most recent version of the wireless network adapter driver.
  • Enable logging and look at the Wireless trace logs.
    For information about generating trace logs, see Wireless trace logs.

Symptom: Intermittent connectivity

 

Possible Causes:

  • Improperly functioning or outdated wireless network adapter driver.
  • Improperly functioning wireless AP.

Corrective Measures:

  • Obtain and install the most recent version of the wireless network adapter driver.
  • Look for unexpected disconnects in the Wireless trace logs.
    For information about generating trace logs, see Wireless trace logs.

Symptom: Incorrect, missing, or stale visible networks

 

Possible Causes:

  • Improperly functioning or outdated wireless network adapter driver.
  • Improperly functioning radio equipment on wireless AP or wireless network adapter.

Corrective Measures:

  • Malfunctioning wireless network adapter drivers are unable to detect and register visible networks. Look through the wireless trace logs to see if the wireless network adapter has registered any visible networks.
    For information about generating trace logs, see Wireless trace logs.
  • Obtain and install the most recent version of the wireless network adapter driver.
  • Run diagnostic functions on the wireless network adapter or wireless AP.
Symptom: Wireless client has associated, but there is no valid IP address configuration or no network connectivity

 

Possible Causes:

  • Authentication problem.
  • Incorrect encryption key.
  • Corrupt, expired, or missing certificates.
  • Improperly functioning wireless AP.

Corrective Measures:

  • Verify that the wireless network configurations between the wireless client and wireless AP are compatible.
  • If you are using a static WEP key, verify that it has been correctly configured.
    Note
    Due to known security issues with WEP encryption, it is recommended that you use only WPA2-Personal (preferred) or WPA.
  • Verify whether other computers connected to the wireless AP have the same problem. If all wireless clients of the same wireless AP have the same problem, check the wireless AP settings.
  • IEEE 802.1X authentication might be failing. Look in the OneX Trace file for entries that indicate authentication has failed, as in the following example:
    "The authentication failed because there is a problem with the user account"

Symptom: Wireless connection problems when performing a suspend and resume with a laptop computer

 

Possible Causes:

  • Improperly functioning or outdated wireless network adapter driver.

Corrective Measures:

  • Obtain and install the most recent version of the wireless network adapter driver.
    Look in the wireless trace logs for wireless network adapter driver errors. For information about generating trace logs, see Wireless trace logs.

Symptom: Wireless Networks tab is not present for the properties of the wireless network adapter in the Network Connections folder or there are no visible wireless networks

 

Possible Causes:

  • The WLAN AutoConfig Service is not running.
  • Improperly functioning or outdated wireless network adapter driver.
  • On a laptop computer, the wireless radio button might be in the off position.

Corrective Measures:

  • Check to see if the WLAN AutoConfig Service is running by using the netsh wlan set autoconfig command.
  • Using the Services snap-in, confirm that the WLAN AutoConfig Service is configured to start automatically.
  • A wireless network adapter driver that fails in the early stages of service startup can cause the WLAN AutoConfig Service not to initialize on that interface.

Quick lists by network type

The following quick lists are not exhaustive catalogs of connectivity problems. They provide information about the types of conditions that can cause connectivity problems.

For the purposes of this document, network connectivity problems fall into three groups:

  • General network connectivity problems
  • Domain network connectivity problems
  • 802.1X-authenticated network connectivity problems

General network connectivity problems

These types of problems can occur on networks ranging from SOHO workgroup-based networks to enterprise networks:

Note
In Windows Vista, Windows Network Diagnostics can frequently determine the cause of these types of errors, and either fix the problem or provide next-step user actions.
  • A wireless setting mismatch exists between the wireless AP and the wireless client. For example, the network key configured on the client does not match the network key configured on the wireless AP, or the wireless AP is configured to use WPA2-Personal and the client is configured with WPA-Personal.
  • The wireless adapter is disabled in Network Connections.
  • The external switch that controls the wireless antenna is turned off.
  • The wireless network adapter is malfunctioning.
  • Network clients configured with static IP addresses are not configured using the same IP address or subnet mask.
  • The DHCP service is enabled on the wireless router to provide addressing to network clients, but one or more network clients are configured with a static IP address.
  • Excluding networks on which client computers are configured with static addresses, the TCP/IP properties of the local area connection are not configured for dynamic addressing.
  • The DHCP server is disconnected from the network, powered off, or the service is not running. In a SOHO network, the DHCP service is typically provided by the wireless router or by Internet Connection Sharing (ICS).
  • In a SOHO network:
    • In a new wireless network or when replacing your modem or wireless AP, you have not registered your modem, or your router's Media Access Control (MAC) address, with your ISP. Modem or router registration varies by ISP.
    • Your ISP requires that the public (Internet) connection of your router is configured by the DHCP server on the ISP's network, but you have not configured the public connection on the router to accept DHCP leases. For example, you have configured the public connection on the wireless router with a static IP address.

Domain network connectivity problems

In addition to the general network connectivity problems, these types of problems commonly occur on domain networks, ranging from small organizations to enterprise networks:

Active Directory

  • The user does not have an account in Active Directory Users and Computers.
  • The dial-in properties of the user account or computer account in Active Directory Users and Computers are set to Deny access.
  • The user account has expired.
  • The user is attempting a connection at a prohibited time, as specified in the logon hours of the user account (the default setting is Logon Permitted for all hours).
  • The user is attempting a prohibited connection by using a computer not specified in the Log On To setting of the user account properties, and the default setting All computers is not selected.
  • The DNS service is stopped or is not configured.
  • The domain controller is offline.

Users and Computers

  • The client computer is not joined to the domain.
  • The client is attempting to log on to the domain with non-domain credentials.

DHCP

  • The DHCP scope is full, and can no longer lease addresses to requesting clients.
  • The IP address of the DHCP server was changed and now DHCP clients cannot get IP addresses.
  • The DHCP server is stopped.
  • On a newly configured DHCP server:
    • The DHCP server is not authorized in Active Directory.
    • The IP address range is incorrectly specified.
    • The DHCP service is stopped.
    • The DHCP scope is not activated.
    • The DHCP server is not on the same subnet as the clients.
    • The DHCP server is offline.

802.1X-authenticated network connectivity problems

This section provides examples of configuration problems that are specific to networks that deploy 802.1X-authenticating wireless APs and IAS for 802.1X-authenticated connections. In an 802.1X network, the following examples should be considered in addition to the examples listed in the previous two sections.

Active Directory Problems

  • The Active Directory domain functional level is not raised to Windows Server 2003. IAS RADIUS settings require the Windows Server 2003 domain functional level.
    Important
    If domain controllers on your network are running Windows NT 4.0 and earlier, then do not raise the domain functional level to Windows 2000 native. After the domain functional level is set to Windows 2000 native, it cannot be changed back to Windows 2000 mixed. If domain controllers on your network are running Windows 2000 or Windows NT 4.0 and earlier, then do not raise the domain functional level to Windows Server 2003. After the domain functional level is set to Windows Server 2003, it cannot be changed back to Windows 2000 mixed or Windows 2000 native.
  • In Active Directory Users and Computers, the dial-in properties of the user account are not configured to Control access through Remote Access Policy.
  • The IAS remote access policy grants access for members of an Active Directory security group. However, the user is not a member of the security group that is specified in the remote access policy.
  • The authentication method specified in the Wireless Network (IEEE 802.11) Policies does not match the authentication method specified in the IAS remote access policy.
    For example, if network clients running Windows Vista are configured by the Wireless Network (IEEE 802.11) Policies to use PEAP-MS-CHAPv2 authentication, but there is not a matching IAS remote access policy that specifies PEAP-MS-CHAPv2 authentication, the mismatch will prevent client authentication.

Client

  • The WLAN AutoConfig Service is not running.
    Note
    By default, the WLAN AutoConfig Service startup type is set to start automatically. You can start the service in the Services console, by running the netsh wlan set autoconfig command on individual computers or in a script, or by configuring the service in Windows Server 2008 Group Policy.
  • In an 802.1X authenticating network with PEAP, EAP-TLS, or PEAP-TLS deployed, the user has chosen not to trust the server certificate when prompted.
  • With EAP-TLS authentication, the client does not have a certificate that contains the Client Authentication purpose in the Enhanced Key Usage extension and that is configured according to the minimum client certificate requirements.

Certificate Services

  • For EAP-TLS deployments, the user does not have a client certificate.
  • The client does not have a corresponding root CA certificate that matches the issuing CA of the IAS server certificate.

IAS (RADIUS)

  • The RADIUS shared secret on the wireless AP does not match the shared secret configured for RADIUS clients in IAS.
  • The IAS remote access policy properties are configured to reject the user or computer requests. For example:
    • On the Settings tab, the properties of the policy are set to Deny remote access permission.
    • On the Dial-in Constraints tab of the remote access policy, time restrictions prohibiting the connection are configured using the Allow access only on these days and at these times setting.
    • On the Dial-in Constraints tab, an incorrect media type is specified in Allow access only through these media (NAS-Port-Type).
  • A mismatch exists between the trusted root certification authority that issued the RADIUS server certificate that is specified in the IAS remote access policy, and the trusted root certification authority that is specified in the properties of the selected EAP type in the Wireless Network (IEEE 802.11) Policies.
  • The wireless AP (RADIUS Client) vendor-specific attributes are configured incorrectly.
  • The IP address of the RADIUS client (wireless AP) specified in IAS is incorrect.
  • The IAS server certificate has expired.
  • The IAS service is stopped.
  • EAP is configured differently in the applicable remote access policy from the way it is configured in the Wired Network (IEEE 802.11) Policy in Active Directory.
  • On a newly configured IAS server:
    • IAS is not registered in Active Directory.
    • The IAS service is not running.
    • The IAS server does not have a server certificate.

Wireless AP

  • The wireless AP does not have the correct or latest firmware.
  • The IP address of the wireless AP is incorrectly configured for the subnet.
  • The wireless AP does not specify the correct address of the IAS RADIUS server.
  • 802.1X is not enabled on the switch.
  • The RADIUS shared secret configured on the wireless AP does not match the shared secret configured on the RADIUS server.

Wireless user troubleshooting quick list

Wireless users can follow these steps to solve several common problems associated with wireless connections:

  • Many portable computers have a switch that can be used to turn the 802.11 wireless network adapter antenna on and off. Be sure that the switch is turned on. For more information, see the product documentation for your portable computing device.
  • Make sure that the wireless adapter has not been disabled in Network Connections. You can enable a wireless adapter through the UI by right-clicking a wireless adapter icon, and then selecting Enable.
    Wireless adapters that have been disabled in Network Connections do not appear in the notification area and can only be enabled in Network Connections.
  • Use WLAN AutoConfig to configure wireless network settings. When enabled, WLAN AutoConfig allows you to connect to an existing wireless network, change wireless network connection settings, configure a connection to a new wireless network, and specify preferred wireless networks. It also notifies you when new wireless networks are available. When you switch wireless networks, your wireless network adapter settings will be dynamically updated to match the settings of that new network and a network connection attempt will be made.
  • If you are connecting to a wireless network for the first time, WLAN AutoConfig will configure basic network settings, if the service is enabled. However, you might need to configure additional settings, such as the data encryption type or network key, if they are not automatically configured for your account through the Wireless Network (IEEE 802.11) Policies in Active Directory. You might also need to request account permissions from your network administrator.
  • Check to see if the desired wireless network appears in the network list. Right-click the network center icon, and then click Connect to a network. If the desired wireless network does not appear under Select a network to connect to, you might be outside of the broadcast range of that network or the network might be suppressing the beaconing signal. First, try to relocate the wireless device to a location that receives a stronger signal. To refresh the network list and get the most current list of wireless networks that are advertising within reception range of your computer, right-click the Network Center icon, click Connect to a network, and then click the Refresh button.
    Note
    Some infrastructure networks suppress the beaconing signal because they do not want to advertise the availability of their wireless network. In Windows Vista, hidden networks appear under Choose a wireless network as Unnamed Network, indicating that a hidden SSID is present. You can connect to these networks if you manually configure a wireless profile with all of the correct network settings, such as the SSID, netw