client association issues with built-in Windows utility

jrensink78 · ‎07-09-2007

I have an issue where I recently added a new SSID to a batch of older 1200 series access points running IOS. I set the SSID to use WPA with a TKIP cipher (they can't handle AES). Our office uses all Dell laptops with the Dell internal wireless cards. Using the Dell wireless utility, the laptops can associate to the APs using the new SSID and proceed to go through the PEAP authentication process.

The problem I run into is that I can't get the built-in Windows wireless utility to associate using the new SSID on the same laptops. This is on Windows XP as well as Vista. It's not that the PEAP process is failing, because it never even gets to that stage. It's like the wireless utility doesn't see the network, or it does but doesn't think that it matches up with the profile settings. The SSID is set to not broadcast itself.

In the Widoes utility, I setup the profile with the correct SSID (ensuring proper case). I try using WPA-Enterprise and TKIP for the key/encryption settings with no success. I have even tried the other available key options with no success. I've tried checking and unchecking most every option in the profile setup.

Does anyone have any ideas as to why the Dell utility would connect to the new SSID and the built-in Windows utility will not on the same laptop?

bcolvin · ‎07-09-2007

I have solved this by broadcasting the SSID, add "guest-mode" to the SSID configuration, another fix? is to enable "infrastructure-ssid optional" to the SSID configuration.

These two changes to the configuration have worked for me when WPA has not worked from a client. As hiding the SSID does not provide any additional security once you you have a good encryption scheme in place, because anyone who would try to hack your wireless will be using a sniffer and discover your SSID from one of the other four packets where it is in plain text.

rseiler · ‎08-30-2007

I disagree, broadcasting the ssid is asking for it. While a 'hacker' could figure out the SSID by watching another user successfully associate (it is not in every packet or broadcast otherwise), it still prevents passers by from connecting to it.

The correct solution to this problem is by installing the appropriate Microsoft hotfix for zero config. Note that Microsoft Update (Windows Update is deprecated) DOES NOT install hotfixes for Windows issues, just security fixes.

There is a well known issue with MS zero config never or sporadically connecting to SSID(s) that are not broadcast. This is an issue with XPSP2 and Vista. It is NOT fixed in Vista at this time and it appears that the Vista zero config did not include many post-XPSP2 fixes. KB917021 fixes this (and many other) zero config issues. This hotfix replaces KB893357.

Also note that KB885453 may also be required if you are using a non-Microsoft RADIUS server (such as Cisco ACS). This hotfix addresses an issue with a single user not able to authenticate more than once or on multiple devices simultaneously.

I have had no issues in over a year with both of these hotfixes applied and a hidden SSID.