Intermittent failure validating PEAP security

Sep 30th, 2010

I have 2 devices using the WPC600N wireless adapter which are set up and working normally in an account that has the Cisco Radius server using WPA with TKIP data encryption, and it's using PEAP authentication. I’m using Windows Zero wireless to configure the adapter. XP Pro SP3, all updates current.

One of the devices usually sits in one location while one roams around the facility; both successfully negotiate various access points and validate through a Radius server without issue. When one of the devices roams around the facility it is intermittently rejected by the Radius server. It can take anywhere from a day to 3 weeks for it to occur, but when it does the operator sees the status as indicating “validating” for the network adapter. I’ve determined that when this occurs the Radius server is not recognizing my user name and password. If I re-boot the PC I'll get a pop-up request to manually input the user name and password again and it will accept it and go on working from there, once again to repeat the whole situation in a matter of days or within a week or two.

It doesn't happen on the one that sits in one location even though it has to validate as it powers off and on regularly through the day, so I suspect the roaming has some effect. This is a large facility with multiple networks that are "bridged?" together for a continuous wireless environment. Multiple other devices are working normally in this facility.

On the Radius server they will usually get an error stating "Radius Extension DLL rejected user". The IT staff at this location speculate that my PC or the adapter is "forgetting" its user credentials because it asked for them to be input again upon a re-boot. I suspect that since the Radius server had not recognized me, the PC is naturally asking me to input the user name and password again like it did the first time I validated with it (chicken before the egg problem).

How can I determine if my device is sending the correct credentials and is getting blocked by the server, or if my device is not sending the correct credentials over to the Radius server? Any ideas what this error message really means, or is it stating the obvious, that I was rejected but not as to why I was rejected?

One more thing: I configured my laptop with the same setup and walked around the facility, and it eventually gave me the same problem and caused the same error on the Radius server, further pointing to the problem being on the Radius server side or the network in general.

Any assistance at all would be greatly appreciated with this head scratcher, thank you in advance.

Serge Yasmine Tue, 10/05/2010 - 03:25

Hi Steve,

The message "Radius Extension DLL rejected user" does indeed indicate a failure in the authentication process while roaming. Now, why this happened is going to be hard to pinpoint without looking at the ACS logs.

I advise that you increase logging level to full on the ACS and once you get this reproduced note the timestamp of the error and then get a from ACS and have a look at that timestamp inside RDS.log and auth.log

There will be extra information showing why this radius authentication got rejected.



StephenM2 Wed, 10/06/2010 - 06:00

Hi Serge,

Thanks for your response, it makes sense. The only problem I'll have doing this is that the Radius server and network belong to the facility, not my company. I'm the company that has the device that occasionally can't validate through their network security. Naturally they feel that their network is "perfect" without fail; unfortunately I think otherwise. Thus far I've configured 3 separate devices on this network, one of which is my service laptop, and they all fail in the exact same manner as they roam around the facility. To me this points in the direction of the network, but proving it is the challenge, particularly on my side. My next move is going to be to get a different network card; the Cisco Aironet card was suggested to me as possibly a better fit since the network is a Cisco network, and I was told that the Linksys card I'm using isn't Cisco ACS certified and the Cisco card is. Once I’ve done that I would have to wait and see if it fails again, and if so I’ll hopefully have more leverage to push back on the facility's IT that there is an issue on their network.


Serge Yasmine Wed, 10/06/2010 - 06:16

Hi Steven, not sure if changing the client adapter would help here, since the problem is happening on the radius side. Maybe the dot1x supplicant can come into play though. But anyway, it will help you to isolate that the problem is not from the client/wireless side and that it resides on ACS and that ACS needs to be troubleshot.

Good luck!

StephenM2 Wed, 10/06/2010 - 06:47

Agreed, I doubt it will make any difference, it's more of a move to cover all the bases I can control.

take care,


