Common Wireless AP Problems

The following are common problems with wireless APs:

  • Unable to see the wireless AP
  • Unable to authenticate with the wireless AP
  • Unable to communicate beyond the wireless AP

These common problems are discussed in detail in the following sections.

Unable to See the Wireless AP

If wireless clients are unable to see the wireless AP in a scan of wireless networks, one or more of the following may be happening:

  • The wireless AP is not beaconing: All wireless APs should be sending periodic beacon messages that contain the Service Set Identifier (SSID), unless the wireless AP has been configured to suppress the SSID in the beacon message, and the wireless AP's capabilities (such as supported bit rates and security options). To verify that the wireless AP is beaconing, you can use site survey software or a packet sniffer that can capture wireless beacon frames. A simple packet sniffer that can capture beacon frames and other types of wireless management frames might be included on the CD-ROM provided by your wireless AP vendor.
  • The wireless AP is not configured for the correct channel: If the wireless AP is using the same channel as an adjacent wireless AP, signal interference might be impairing the wireless clients' ability to connect. Change the wireless AP channel if needed.
  • The wireless AP is not advertising the correct set of capabilities: Confirm that the wireless AP is configured to operate for the correct technology (802.11b, 802.11a, or 802.11g) and with the correct bit rates and security options (WPA or WPA2). By capturing the beacon frame with a network sniffer, you can compare the configured wireless options to those being advertised in the beacon frame.
  • The wireless AP has inadequate signal strength in the anticipated coverage volume: Use your site survey software to confirm that the coverage volume of the wireless AP is as described in your plans after initially deploying the wireless APs. If there are new sources of signal attenuation, reflection, or interference, make the appropriate changes to the locations of either interfering equipment or the wireless AP.
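
The comparison of configured and advertised options described in the list above, as an added Python example that is not part of the original tutorial: it parses a captured beacon and lists the settings that differ from the intended configuration. It assumes the frame bytes start at the 802.11 MAC header (radiotap header and FCS already stripped); the sample beacon, its SSID and its addresses are constructed.

```python
import struct

def parse_beacon(frame: bytes) -> dict:
    """Parse a beacon that starts at the 802.11 MAC header (no radiotap, no FCS)."""
    # Frame Control byte 0: type in bits 2-3 (0 = management), subtype in bits 4-7 (8 = beacon)
    if len(frame) < 36 or (frame[0] >> 2) & 0x3 != 0 or frame[0] >> 4 != 8:
        raise ValueError("not a beacon frame")
    interval, caps = struct.unpack_from("<HH", frame, 32)  # follows the 8-byte timestamp
    info = {"bssid": frame[16:22].hex(":"), "beacon_interval_tu": interval,
            "privacy": bool(caps & 0x0010), "ssid": None, "ssid_hidden": False,
            "channel": None, "rates_mbps": [], "security": set()}
    pos = 36  # 24-byte MAC header + 12 bytes of fixed parameters
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + ie_len]
        if len(data) < ie_len:
            break  # truncated capture: stop at the last complete element
        if ie_id == 0:  # SSID; empty or all-zero means the AP suppresses it
            info["ssid_hidden"] = ie_len == 0 or not any(data)
            info["ssid"] = None if info["ssid_hidden"] else data.decode("utf-8", "replace")
        elif ie_id in (1, 50):  # (Extended) Supported Rates, in 500 kbit/s units
            info["rates_mbps"] += [(b & 0x7F) / 2 for b in data]
        elif ie_id == 3 and ie_len == 1:  # DS Parameter Set: current channel
            info["channel"] = data[0]
        elif ie_id == 48:  # RSN element
            info["security"].add("WPA2")
        elif ie_id == 221 and data[:4] == b"\x00\x50\xf2\x01":  # Microsoft OUI, WPA element
            info["security"].add("WPA")
        pos += 2 + ie_len
    return info

def config_mismatches(configured: dict, advertised: dict) -> list:
    """List every setting whose configured value differs from the beacon's."""
    return [f"{key}: configured {want!r}, advertised {advertised.get(key)!r}"
            for key, want in configured.items() if advertised.get(key) != want]

def build_ie(ie_id: int, data: bytes) -> bytes:
    """Encode one information element (helper for the constructed sample)."""
    return bytes([ie_id, len(data)]) + data

# Constructed sample beacon: SSID "CorpWLAN", channel 6, 802.11b rates, RSN with 802.1X.
SAMPLE_BEACON = (
    bytes.fromhex("80000000") + b"\xff" * 6 + bytes.fromhex("021122334455") * 2 + bytes(2)
    + bytes(8) + struct.pack("<HH", 100, 0x0411)
    + build_ie(0, b"CorpWLAN") + build_ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))
    + build_ie(3, b"\x06")
    + build_ie(48, bytes.fromhex("0100000fac040100000fac040100000fac010000")))
```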

Unable to Authenticate with the Wireless AP

If you have multiple wireless APs, and your wireless clients cannot authenticate with any of them, you might have a problem with your authentication infrastructure. See the section "Troubleshooting the Authentication Infrastructure" in this tutorial for instructions on how to troubleshoot this situation. If you have multiple wireless APs, and the wireless clients cannot authenticate with an individual wireless AP, you need to troubleshoot the authentication-related configuration of the wireless AP. The three areas of authentication configuration you need to investigate are as follows:

  • 802.1X configuration
  • RADIUS configuration
  • WPA configuration

802.1X Configuration

Ensure that the wireless AP has 802.1X authentication enabled. Some wireless APs might refer to 802.1X authentication as Extensible Authentication Protocol (EAP) authentication.

RADIUS Configuration

The RADIUS configuration consists of the following elements:

  • Wireless AP RADIUS configuration: Ensure that the wireless AP has been properly configured for RADIUS. The wireless AP should contain the following configuration information:
    1. The IPv4 or IPv6 address of a primary NPS server
    2. The destination User Datagram Protocol (UDP) ports for RADIUS traffic sent to the primary RADIUS server (UDP port 1812 for RADIUS authentication traffic and UDP port 1813 for RADIUS accounting traffic)
    3. The RADIUS shared secret for the primary NPS server
    4. The IPv4 or IPv6 address of a secondary NPS server
    5. The destination UDP ports for RADIUS traffic sent to the secondary NPS server
    6. The RADIUS shared secret for the secondary NPS server
  • NPS server reachability: Ensure that the primary and secondary NPS servers are reachable from the wireless AP by doing the following:
    1. If the wireless AP has a ping facility, that is, the capability to send an Internet Control Message Protocol (ICMP) Echo message to an arbitrary unicast IPv4 destination, try pinging the IPv4 address of the primary and secondary NPS servers.
    2. If the wireless AP does not have a ping facility, try pinging the IPv4 address of the primary and secondary NPS servers from a network node that is attached to the same subnet as the wireless AP.
      If the ping from the network node succeeds and the ping from the wireless AP does not, examine the IPv4 configuration of the wireless AP to ensure that it has been configured with the correct IPv4 address, subnet mask, and default gateway for the attached wired subnet. If neither ping works, troubleshoot the lack of IPv4 connectivity between the attached subnet and the RADIUS servers.
      Note: The ping test is not necessarily a definitive test of IPv4 reachability. There might be routers in the path between the wireless AP and the RADIUS server that are filtering ICMP traffic, or the NPS server might be configured with packet filters to discard ICMP traffic.
      To ensure that RADIUS traffic is reaching the primary and secondary NPS servers, use a network sniffer such as Network Monitor 3.1 on the NPS servers to capture the RADIUS traffic sent from and to the wireless AP during an authentication attempt.
  • NPS server configuration: If RADIUS traffic is reaching the primary and secondary NPS servers, verify that the primary and secondary NPS servers are configured with a RADIUS client that corresponds to the wireless AP, including the following:
    1. The IPv4 address of the wireless AP's interface on the wireless subnet
    2. The destination UDP ports for RADIUS traffic sent by the wireless AP (UDP port 1812 for RADIUS authentication traffic and UDP port 1813 for RADIUS accounting traffic)
    3. The RADIUS shared secret configured at the wireless AP
      Check the System event log for authentication failure events corresponding to connection attempts to the wireless AP. To view the failed authentication events, use the Event Viewer to view the events in the System event log with the Source of NPS and the Event ID of 2.
  • IPsec for RADIUS traffic: If you are using IPsec to encrypt the RADIUS traffic sent between the wireless AP and the NPS server, check the IPsec settings on both the wireless AP and NPS server to ensure that they can successfully negotiate security associations and authenticate each other.
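
When a capture on the NPS server shows Access-Request packets arriving from the wireless AP, the shared secret can be checked offline: requests that carry EAP include a Message-Authenticator attribute (RFC 3579), an HMAC-MD5 over the packet keyed with the shared secret. The following Python code is an added example, not part of the original tutorial; the sample packet, both secrets and the 192.0.2.10 address are constructed.

```python
import hashlib, hmac, ipaddress, struct

ACCESS_REQUEST, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

def attributes(packet: bytes):
    """Yield (type, value_offset, value_length) for each attribute in a RADIUS packet."""
    length = struct.unpack_from("!H", packet, 2)[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # code, identifier, length and the 16-byte authenticator come first
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 1] - 2
        pos += packet[pos + 1]

def diagnose_request(packet: bytes, nps_secret: bytes) -> dict:
    """Check a captured Access-Request against the secret configured on the NPS server."""
    if packet[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    length = struct.unpack_from("!H", packet, 2)[0]
    # nas_ip is informational: a RADIUS server selects the client entry and its
    # secret by the packet's source address, so compare it with the capture.
    result = {"nas_ip": None, "message_authenticator": "absent"}
    for attr_type, off, n in attributes(packet):
        if attr_type == NAS_IP_ADDRESS and n == 4:
            result["nas_ip"] = str(ipaddress.IPv4Address(packet[off:off + 4]))
        elif attr_type == MESSAGE_AUTHENTICATOR and n == 16:
            # HMAC-MD5 over the whole packet with the attribute value zeroed
            zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
            expected = hmac.new(nps_secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(expected, packet[off:off + 16])
            result["message_authenticator"] = "match" if ok else "mismatch"
    return result

def build_sample_request(ap_secret: bytes) -> bytes:
    """Constructed Access-Request carrying an EAP-Response/Identity (sample data only)."""
    eap = b"\x02\x01" + struct.pack("!H", 5 + 4) + b"\x01" + b"user"
    attrs = (bytes([1, 6]) + b"user"
             + bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address("192.0.2.10").packed
             + bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
             + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16))
    # Fixed request authenticator for reproducibility; a real AP uses random bytes.
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs)) + bytes(range(16))
    mac = hmac.new(ap_secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

SAMPLE_REQUEST = build_sample_request(b"ap-side-secret")
```

A "mismatch" result for a request taken from the capture means the secret entered for the RADIUS client on the NPS server is not the one the wireless AP used to build the packet.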

WPA or WPA2 Configuration

If your wireless AP is WPA- or WPA2-capable and you want to use WPA or WPA2 for wireless security, ensure that WPA or WPA2 is enabled.

Unable to Communicate Beyond the Wireless AP

The wireless AP is a transparent bridge and Layer 2 switching device, forwarding packets between the wired network to which it is attached and the connected wireless clients. If wireless clients can connect and authenticate but cannot reach locations beyond the wireless AP, one or more of the following may be happening:

  • The wireless AP is not forwarding frames as a bridge: All transparent bridges support the spanning tree protocol, which is used to prevent loops in a bridged section of the network. The spanning tree protocol uses a series of multicast messages to communicate bridge configuration information and automatically configure bridge interfaces to forward frames or block forwarding to prevent loops. While the spanning tree algorithm is determining forwarding and blocking interfaces, the bridge is not forwarding frames. Check the wireless AP's forwarding status and bridge configuration.
  • The wireless AP is not configured with the correct VLAN IDs: Many wireless APs support VLANs, which are switch ports grouped so that they appear on the same link or subnet. Each group is assigned a separate VLAN ID. Verify that the VLAN IDs for your wireless client and your wired interfaces are correctly configured. For example, you might use one VLAN ID for authenticated wireless clients (that connects them to the organization intranet) and a separate VLAN ID for guest wireless clients (that connects them to an alternate subnet or the Internet).