We're a large organization with several campuses. We currently have Cisco 1230 series deployed everywhere with a couple of different SSID's on them. We've been running SSID 1 with 64bit WEP (yes I know) SSID 2 with 128bit WEP (was to take over) and now that I'm in the job, i wanted to move our clients over to WPA. I started with one campus as a guinea pig and have the following going. Our Wireless Network is WDS based and the WDS being another 1232 not serving wireless. This has always seemed to work well. Since then I've instituded SSID SECURE on the AP's which run's WPA w/EAP. The authentication servers are pointed to our ACS server. Authentication to these seem to be fine, there are no failed authentications in it's log files at least
The client configuration is through Windows and is the following: WPA w/TKIP, host based authentication, EAP Type: Protected EAP, Authenticate as computer when computer information is available. Also under Type: Protected EAP Properties: Validated Server certificate is UNCHECKED, Authentication type is EAP-MSCHAPV2, Fast Reconnect is UNCHECKED (unchecked in ACS as well), EAP-MSCHAPV2 is configured to automatically use Windows Username and Password and domain.
Normally when I add SSID SECURE, I set it up on the client, move it as the top priority, do a 'Repair' on the Wireless Card and it will disconnect and reconnect from the SSID 2 (128bit WEP) to SSID SECURE with out issue and log me in just fine. Verified by checking ACS server logs. I then reboot the PC and login as the user for the pc (which is processed through ACS as well to AD) and the user is able to connect. But the problem we've been having is users are getting disconnected randomly it seems AND login times can take a long time to process. When the user gets disconnected, the pc drops down to SSID 2 and connects with out issue. Also, even if log in times don't take a long, we've noticed in the clients Event Manager that it is stating the Domain Controller can not be found, therefor it's using cached creditionals I'm assuming to make the initial login. Verified by trying to login in as some one that's never been on a certain laptop and sometimes they are received 'DOMAIN CAN NOT BE FOUND'. However, the weird thing is even though we're getting that error message in the Event Viewer when we can log in, we're obviously authenticating as we're on the wireless and our scripts (Desktop Authority) run fine, and all mappings are there.
At times If I look at the logs on the AP, I will see xxxx.xxxx.xxxx is not authenticating, but that seems to be mainly when the user is just at the login screen and hasn't logged in yet.. although in timing it can also seem to happen when the user is trying to login. I'm at a loss. I've tried this on my personal laptop and have seen it as well.. but this morning I logged in just fine with out any messages in the Event Viewer, so it obviously found the Domain First thing. Any ideas what may be going on? What is the preferred method of deploying WPA/TKIP in a Cisco environment? I've read countless documents, but we seem to have some glitches going on somewhere.
BTW, our clients are using Cisco b/g 350 cards with driver 8.7.7 and we also have a few Proxim Orinoco b/g cards with the latest driver. Both seem to have the same issue. I've scouted the area time and time again for interference with our spectrum analyzer and the only thing I've found is cards themselves. Seems like sometimes the client cards will 'wig' out and broadcast and will end up showing as a 'Continous Transmitter'. Sometimes shutting the machine down will resolve this. Any ideas on that?
Any help is appreciated.