WZC Locks Domain Account While Authenticating

We allow WZC to manage our laptop wireless connections. We have
approximately 3500 laptops users with same access to employee wifi using
WPA-Ent TKIP. Of these 3500 laptop users, we have about 10 users who can not
authenticate through WZC, through Aruba network, to Radius server.

The WZC eventually locks the users domain account.

If I install the Intel PROSet Wireless Wifi Connection Utility,
authentication works properly without fail.

Any thoughts / suggestions?

I would prefer to identify a solution vs. leaving on connection utility.

 

Don't have a clue what Aruba is
I know what RADIUS is

Are you talking about authenticating to the Domain as a user on the Domain
or are you talking about autnenticating to the WAP to establish the wireless
connection between the PC and WAP?

I probably don't have an answer,...but the answer to my question will
probably help whoever does to understand what they are really dealing with.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

Phillip: thanks.

To answer your questions, Aruba is our wireless vendor.

Authentication is failing to authenticate against windows AD. If no
authentication occurs, wireless connection can not occur.

Kevin

 

Ok,..so it is the authentication used to allow the connection from the PC to
the WAP. It is not the users "desktop" authenticating to AD for the user
to access Domain resources. Even if AD accounts are used,..those are still
two different things and that is what I wanted to verify.

Have to wait to see what others think about that. This is pretty much a
"blind" question,..there are no details to base any judgments on. What
about log entries?..Event Log entries?,...on both the Radius Server and the
Domain Controller?

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

Phillip - we built a second radius using iis vs. steel belted radius.

We will be looking at logs on the radius and the client.

I would love to know if anyone else has experienced this issue...

Don't ya love the wait and see game...

Thanks,

 

Whenever I have a problem with our WPA-Ent TKIP, I would check the IAS event
log first. If it doesn't have event logged, I would check the connection. If
you do have IAS event ID logged, please psot here. Or check this link:

IAS Issue CollectionsMost Windows IAS Event ID errors are related to
security and permission issues. Review the security or permission settings
first. ...
www.chicagotech.net/troubleshooting/eventid2.htm


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com

 

The good news is that the troubled user accounts we tested via the new IIS
aithentication worked without issue. I'm drawing my conclusion to the
outdated version of Steel Belted radius of 4.71 and perhaps the oh so
enjoyable WZC service.

But we seem to be in a much better place using IIS vs. Funk.

The problem with our log files on current Radius was that even though
detailed logging was enbabled, we were not seeing any authentication failures.

 

So it really was called Steel Belted Radius! I thought you were just having
a little fun with the name.

Now the WZC service is really an excellent tool and out performs any third
party tools I have seen,....not because of all its features, because it
pretty much has none,...it is the simplicity and lack of features that make
is so dependable in my opinion (there is less to get screwed up). The best
thing about it is that it runs as a service so it allows the wireless nic to
activate without anyone logging in. I don't know of any other tools that do
that (dependably) and it needs to happen if the user is logging in to a
machine for the first time where there is no cached account to let them on.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

I basically check where the the actual computer was in the domain and moved to the same OU under the user was located. for example. Office.net -> Sydney->Users and Computers i moved it to "SYDNEY computers", but first you need to do a search and find where that specific users computer is liocated.



Posted as a reply to:

WZC Locks Domain Account While Authenticating

We allow WZC to manage our laptop wireless connections. We have
approximately 3500 laptops users with same access to employee wifi using
WPA-Ent TKIP. Of these 3500 laptop users, we have about 10 users who can not
authenticate through WZC, through Aruba network, to Radius server.

The WZC eventually locks the users domain account.

If I install the Intel PROSet Wireless Wifi Connection Utility,
authentication works properly without fail

Any thoughts / suggestions?

I would prefer to identify a solution vs. leaving on connection utility.

EggHeadCafe - Software Developer Portal of Choice
WCF Workflow Services Using External Data Exchange
http://www.eggheadcafe.com/tutorial...a-6dafb17b6d74/wcf-workflow-services-usi.aspx