Compartilhar via


Troubleshooting Windows Vista 802.11 Wireless Connections

Applies To: Windows Vista

This document is designed to assist network administrators, help desk personnel, and developers who work with IEEE 802.11 wireless services and Windows Vista®. This document describes how to troubleshoot connectivity problems for wireless clients running Windows Vista that are attempting to make 802.1X authenticated connections to Microsoft® Windows Server® 2003 domain networks.

This document also provides some troubleshooting information for wireless clients running Windows Vista® that are attempting to make wireless connections to small office or home office (SOHO) networks.

There is also information for developers and Microsoft support personnel about how to generate and use advanced tracing reports for debugging.

SOHO wireless networks

For SOHO wireless networks, this document focuses on a typical network deployment that uses:

  • a high-speed modem for Internet connectivity

  • a wireless router

  • one or more computers running Windows XP or Windows Vista with wired IEEE 802.3 Ethernet connections to the wireless router

  • one or more IEEE 802.11 wireless computers running Windows Vista

802.1X-authenticating domain networks

For 802.1X-authenticating domain networks, this document assumes the following services are in place to support wireless clients:

  • Windows Server 2003 Active Directory® with:

    • Domain Name System (DNS)

    • Active Directory Users and Computers

    • Group Policy Domain Policy

  • Microsoft certification authority (Certificate Services), or a RADIUS Server certificate purchased from a non-Microsoft certification authority (CA)

  • Internet Authentication Service (IAS) (a Remote Authentication Dial-in User Service (RADIUS) server)

  • Dynamic Host Configuration Protocol (DHCP)

  • One or more IEEE 802.1X-compliant wireless access points (APs) to provide 802.1X authenticated network access

In this document

This document is divided into several sections:

Section 1: Troubleshooting client connectivity

This section provides a summary of the troubleshooting approach used in this document.

Section 2: Wireless infrastructure components

This section describes the wireless-related components that are typically found in Windows Server 2003 domain networks. It also describes the main wireless components for SOHO wireless networks.

Section 3: The authentication process

This section provides an overview of the main phases involved in establishing 802.1X authenticated 802.11 wireless connections. It is crucial to understand these concepts when troubleshooting connectivity problems and performing root-cause analysis in an 802.1X-authenticating wireless environment.

Note

Because there are so many EAP authentication methods and types, it is not practical to provide information for every EAP deployment. The examples and conceptual information in this section are for an authentication process that uses PEAP-MS-CHAP v2.

Section 4: Network Diagnostics Framework

This section contains information about the features and capabilities of the Network Diagnostics Framework related to wireless, including the Wireless Diagnostics wizard.

Section 5: Netsh commands for wireless LAN

This section demonstrates, using step-by-step procedures, how to use netsh wlan to return detailed information about wireless network adapter capabilities and settings, and wireless profile configuration. There are also examples of the information generated by running two netsh wlan troubleshooting commands.

Section 6: Investigative questions and quick lists for common connectivity problems

This section provides a list of questions that you should consider when trying to determine the cause of wireless connectivity problems. It also contains tables with error conditions and common causes.

Section 7: Event logs, diagnostics logs, and wireless tracing reports

This section describes information found in logs and reports in Windows Vista, including:

  • Basic System Event logs

  • Operational logs

  • Wireless Tracing reports

Appendices

The appendices in this document contain information about Windows Vista wireless features or components for advanced users, and examples that are too long for the main body of this document:

  • Appendix A: Detailed EAP and PEAP-MS-CHAP v2 operations

  • Appendix B: Windows Vista DLLs and function descriptions

  • Appendix C: Using netsh wlan to manage tracing

  • Appendix D: Trace File examples

  • Appendix E: Mapping of reason codes to event messages

Section 1: Troubleshooting client connectivity

Troubleshooting is a process of finding the source of problems, and then resolving those problems. Due to the complicated nature of wireless technologies, the process of identifying and correcting problems can also be complicated. You can make the troubleshooting process easier by understanding your network environment, gathering useful information, and applying a consistent method when determining the cause of connectivity errors.

The following are the recommended troubleshooting steps.

  • Understand your wireless infrastructure components and the main phases of the wireless connection process. This understanding is the foundation of a good troubleshooting process.

  • Run the Wireless Diagnostics wizard in Windows Vista when connectivity fails. In many cases, the Wireless Diagnostics wizard can either solve your problem automatically or walk you through a process to solve it.

  • Use the netsh wlan command to gather information about wireless client configuration settings and hardware capabilities.

  • Review basic investigative questions to determine what types of issues you should be looking for.

  • Review common or likely problems in the quick lists to see if you can quickly identify the problem.

  • Investigate event, operational, and diagnostics logs and reports. The logs and reports that are generated by wireless components provide detailed information that can help you to diagnose complex wireless connection and authentication issues.

Section 2: Wireless infrastructure components

This section describes the functions of the main components and services that are deployed to support an 802.1X-authenticating 802.11 wireless network.

The following table compares key differences between SOHO and Active Directory domain wireless network deployments.

SOHO workgroup Active Directory domain

Does not require any computers running Windows Server 2003.

Requires at least one computer running Windows Server 2003.

Supports Windows XP Home Edition operating system.

Does not support Windows XP Home Edition.

Relatively easy for a novice user to deploy.

More difficult to deploy. Deployment is not intended for the average home or small office user.

Requires a wireless AP or wireless router.

Requires one or more wireless APs that support 802.1X authentication.

Provides wireless network access security only through:

  • WPA2 PSK - TKIP/AES Wi-Fi Protected Access Version 2 Personal (WPA2-Personal) with preshared key (PSK) authentication with Temporal Key Integrity Protocol (TKIP) encryption (preferred).

  • WPA-PSK - TKIP/AES Wi-Fi Protected Access (WPA) Personal with preshared key (PSK) authentication with TKIP encryption (preferred).

    Note
    The options to select TKIP or AES for WPA-PSK depend on whether the network adapter supports TKIP or AES.

  • Open-system/WEP Open system authentication with Wired Equivalent Privacy (WEP).

    Note

    Due to known security issues with WEP encryption, it is recommended that you use only WPA2-Personal-PSK (preferred) or WPA PSK.

Provides strong wireless network access protection using:

  • WPA2-Enterprise with Advanced Encryption Standard (AES) or TKIP.

  • WPA-Enterprise with AES or TKIP.

  • Active Directory accounts.

  • RADIUS infrastructure with servers running IAS.

  • Certificates.

  • 802.1X authentication with EAP methods.

Does not require the purchase of a server certificate.

Requires the purchase of a server certificate or deployment of a public key infrastructure (PKI).

Does not provide centralized management of user accounts or user authentication.

Anyone who has access to the wired network, or to the wireless shared secret (the text string that serves as a password between the wireless AP and other wireless devices) can join the workgroup and access network resources.

Provides centralized management of user accounts and user authentication, using Active Directory user accounts database and IAS.

Users and computers must have accounts in Active Directory, and must provide password-based credentials to log on to the network. In addition, mutual authentication occurs with PEAP-MS-CHAP v2 when client computers authenticate the IAS server's certificate.

Provides limited methods to control or manage workgroup members.

Provides methods to manage domain member accounts. Controls can be fine-tuned.

SOHO networks

There are many services and hardware devices available for SOHO deployments. The following illustration shows the main components of a common SOHO wireless deployment.

Internet service provider (ISP)

A company that provides individuals or companies access to the Internet. An ISP provides a telephone number (for dial-up connections), a user name, a password, or other connection information so users can connect their computers to the ISP's computers. In some cases, an ISP might require the unique Media Access Control (MAC) address of your high-speed modem, and will then use DHCP to configure the address on the public connection of your router. In this case, you can still configure your network client addresses using the DHCP service that is built into your router.

Modem

A device that transmits computer information over a media such as a telephone line or coaxial cable.

Wireless router

A networking device whose primary function is to provide Internet and SOHO network access to your IEEE 802.11 wireless and IEEE 802.3 wired Ethernet computers and devices. Wireless routers commonly provide the following services:

  • A public-facing connection that connects to a modem, and in turn, to the Internet.

  • A network hub that can connect several IEEE 802.3 wired Ethernet devices, such as computers and printers.

  • An IEEE 802.11 wireless AP, capable of supporting multiple wireless computers.

  • DHCP addressing for wired and wireless client computers. DHCP addressing enables network traffic to be routed to the correct wireless or wired network device.

Domain networks

There are many ways to deploy wireless in a domain network. The following illustration shows components that are found in an Active Directory domain that provides 802.1X authenticated wireless access.

Note

This illustration is provided as an example only. It does not reflect best practices. For information about Microsoft CAs and PKI, see Public Key Infrastructure for Windows Server 2003 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=83694).

Windows Server 2003 Active Directory

The Windows-based directory service that stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.

Domain Name System

A hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.

Active Directory Users and Computers

An administrative tool used by an administrator to perform day-to-day Active Directory administration tasks. The tasks that can be performed with this tool include creating, deleting, modifying, moving, and setting permissions on objects stored in the directory. Examples of objects in Active Directory are organizational units (OUs), users, contacts, groups, computers, printers, and shared file objects.

Group Policy

The infrastructure that enables directory-based change and configuration management of user and computer settings, including security and user data. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify policy settings for registry-based policies, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and OUs—you can apply the GPO's policy settings to the users and computers in those Active Directory containers. To create an individual GPO, use the Group Policy Object Editor. To manage Group Policy objects across an enterprise, you can use the Group Policy Management console.

To best support wireless clients running Windows Vista, it is recommended that you upgrade your Active Directory schema with the schema extension for Windows Vista Wireless Group Policy. The schema enables you to configure independent wireless policies specifically for wireless computers running Windows Vista. Deploying the schema extension will not affect an existing wireless policy for Windows XP.

To update your Windows Server 2003 Group Policy schema, follow the procedures in Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70195).

Certificates

For PEAP-MS-CHAPv2, administrators can deploy certificate services on the network to issue a RADIUS server certificate, or purchase a RADIUS server certificate from a non-Microsoft CA.

EAP-TLS requires a PKI deployment to issue computer certificates to the RADIUS servers, and user and client certificates to wireless clients.

Note

PEAP-MS-CHAPv2 is easier to deploy than other authentication methods, such as EAP-TLS, for several reasons. First, PEAP does not require the deployment of a PKI; only the RADIUS server is required to have a server certificate installed. Nor does PEAP require smart cards or another type of client certificate to validate connecting clients.
The result is a user-friendly experience in which network clients must provide only their account credentials (user name and password) for authentication. The account credentials are then verified against the account that exists in the user accounts database (such as Active Directory).
From a security standpoint, PEAP MS-CHAP-v2 relies on passwords for authentication, which can be stolen or guessed. With EAP-TLS authentication, the certificate that is used for authentication cannot be easily forged.

Certificate

A digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.

Certification authority

An entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.

Microsoft Certificate Services

A software service that issues certificates for a CA. It provides customizable services for issuing and managing certificates for the enterprise. Certificates can be used to provide authentication support, including secure e-mail, Web-based authentication, and smart-card authentication.

Internet Authentication Service (IAS)

The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy, which provides authentication and accounting for network access.

IAS Remote Access Policy

A set of conditions and connection parameters that define the characteristics of the incoming connection and the set of constraints imposed on it. Remote access policy determines whether a connection attempt is authorized to be accepted.

Dynamic Host Configuration Protocol (DHCP)

A TCP/IP service protocol that offers dynamic leased configuration of host IP addresses and distributes other configuration parameters to eligible network clients. DHCP provides safe, reliable, and simple TCP/IP network configuration; it prevents address conflicts, and helps conserve the use of client IP addresses on the network.

DHCP uses a client/server model where the DHCP server maintains centralized management of IP addresses that are used on the network. DHCP-supporting clients can then request and obtain a lease of an IP address from a DHCP server as part of their network boot process.

Wireless APs (IAS RADIUS clients)

One or more 802.1X-compliant wireless APs must be configured as RADIUS clients so that they can communicate with the IAS RADIUS server. Add all wireless APs as RADIUS clients to the IAS server(s). You will need to know the IP address of each wireless AP to add them as RADIUS clients to IAS.

The wireless access point is configured as a RADIUS client to the IAS server deployed on the organization local area network (LAN). The wireless access points must meet the following requirements for 802.1X wireless deployments:

Recommendations

  • For consistency and ease of deployment, it is recommended that you deploy wireless APs of the same brand and model.

The following table lists some common wireless AP configuration items.

Note

The names of the configuration items for wireless access points can vary by brand and model, and might be different from those listed in the table. See your wireless AP documentation for configuration-specific details.

Wireless AP Configuration Items Configuration Item Information

SSID

The name of the wireless network (for example, WiFiTest).

This is the name that is displayed to wireless clients. In Windows Vista, the SSID is the name displayed in Connect to a network when the computer detects the wireless AP SSID beacon broadcast.

Recommendation:

All wireless APs that are part of the same wireless network should use the same SSID.

Suppress SSID Beacon Broadcast

Most wireless APs provide the configuration option to suppress the SSID beacon broadcast.

Important
Enabling this option can create a security risk because wireless clients that are configured to connect to a network that suppresses the SSID broadcast will send probes for the network, advertising the wireless configuration of the wireless client. By default, this setting is not enabled.

To connect to wireless networks that are not broadcasting the SSID, wireless clients that are running Windows Vista must be configured by enabling the Connect even if the network is not broadcasting setting. Both the Windows Vista Wireless Network (IEEE 802.11) Policies Group Policy extension and the Manually connect to a wireless network wizard (in Connect to a network) provide access to this setting.

Wireless AP IP Address (Static)

For each wireless AP, configure a unique static IP address that falls within the exclusion range specified in the DHCP scope of the subnet on which the wireless AP is deployed.

DNS name

Some wireless APs can be configured with a DNS name provided that the DNS service on the network can resolve AP DNS names to an IP address.

For each wireless AP that supports this feature, enter a unique name for DNS resolution.

802.1X Authentication

Configure IEEE 802.1X authentication with WPA2-Enterprise or WPA-Enterprise, depending on which authentication is supported by all of your wireless devices.

Note

Due to known security issues with WEP encryption, it is recommended that you use only WPA2 (preferred) or WPA.

Note

Centralized configuration of WPA2 is supported in Windows Server 2003 with SP1 Active Directory Wireless Policy Group Policy. Wireless and wired clients running Windows Vista have enhanced features that can be configured through Group Policy settings. For more information, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70195).

Wireless AP Subnet Mask

Configure this to match the subnet mask of the attached subnet.

Disable Wireless AP DHCP Service

If the network is providing DHCP, the DHCP service built into the wireless AP should be disabled.

RADIUS Shared Secret

Use a unique RADIUS shared secret for each wireless AP. Each shared secret should be a random sequence of uppercase and lowercase letters, numbers, and punctuation that is at least 22 characters long. To ensure randomness, use a random character generation program to create shared secrets to configure on the server running IAS and the wireless AP. You will need to match the shared secret for each wireless AP when you configure them as RADIUS clients in the applicable IAS Remote Access Policy.

Important

It is recommended that you record the shared secret for each wireless AP, and store the record in a secure location, such as an office safe.

RADIUS Server IP Addresses

Enter the IP addresses of your servers running IAS.

UDP Port(s)

By default, IAS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages.

Recommendation:

Unless you have reason to do so, do not change the default RADIUS UDP ports settings.

Vendor Specific Attributes (VSAs)

Some wireless APs require that the IAS RADIUS server is configured with specific attributes in order to provide full wireless AP functionality.

VSAs are added to an IAS Remote Access Policy.

Wireless client computer(s)

A computer running Windows Vista that has an IEEE 802.11 wireless adapter and a corresponding wireless adapter driver designed for Windows Vista installed.

The Windows Vista 802.1X and wireless components have been redesigned with an emphasis on extensibility and security. In the Windows XP wireless supplicant model, the Wireless Zero Configuration service and supporting dynamic-link libraries (DLLs) handle all primary functions associated with connecting and maintaining a connection. The initial design had some limitations, such as an inability to add new features and the lack of extensibility. Therefore, the Windows Vista wireless components are completely redesigned; the major functions are separated into individual components. Further, independent hardware vendors (IHVs) are now able, through a consistent interface, to extend services and features specific to their needs.

Windows XP, Windows Server 2003, and Windows Vista have built-in support for IEEE 802.11-based wireless networking and IEEE 802.1X authentication using EAP.

Section 3: The authentication process

This section provides an overview of the components and the processes involved in establishing 802.11 wireless connections to 802.1X authenticating infrastructure networks.

Note

For a more detailed explanation of EAP and PEAP-MS-CHAPv2 processes, see Appendix A: Detailed EAP and PEAP-MS-CHAP v2 operations.

Wireless connection phases overview

Given its popularity as the authentication method for wireless 802.1X deployments, this section provides an overview of the main phases that take place in 802.1X-authenticated wireless connections that use PEAP-MS-CHAP v2. The phases are numbered in the order in which they occur; a diagram is included to illustrate, by number, where each phase occurs on the network. In this section, the phases are separated into two sections. The first section provides the phases required for the wireless client to associate with the wireless access point. The second section lists the phases involved with 802.1X authentication.

When a wireless network adapter is turned on, it begins to scan across the wireless frequencies (spectrum) for wireless APs and other wireless clients. Scanning is an active process in which the wireless adapter sends Probe-Request frames on all channels of the ISM frequency range and listens for the Probe-Response frames sent by wireless APs and other wireless clients. After scanning, Windows instructs the wireless adapter to connect to a network, based on the configured preferences.

This choice is made automatically by using the SSID of a known or preferred wireless network and the wireless AP with the best signal strength (the highest signal-to-noise ratio). Next, the wireless client negotiates the use of a logical wireless port with the chosen wireless AP. This process is known as association.

The wireless client’s configuration settings determine whether the wireless client prefers to connect with infrastructure or ad-hoc mode networks. By default, a wireless client running Windows Vista, Windows XP, or Windows Server 2003 prefers infrastructure mode wireless networks over ad-hoc mode wireless networks. If the signal strength of the wireless AP is too low, if the error rate is too high, or if instructed by the operating system, the wireless client scans for other wireless APs to determine whether a different wireless AP can provide a stronger signal to the same wireless network. If so, the wireless client negotiates a connection with that wireless AP. This process is known as roaming.

  1. Scanning: The client scans for an AP using a probe request.

  2. Association: The client associates with the AP:

    • The AP registers the client’s MAC address and assigns a unique virtual port that is mapped to that MAC address.

    • The client registers the MAC address of the AP as the only device to which it is permitted to associate (until such time that it disassociates and then reassociates with another AP or wireless device).

  3. Access Request: Using its 802.1X uncontrolled port, the AP forwards a RADIUS Access-Request message to the RADIUS (IAS) server.

Note

TCP/IP frames generated by the wireless client can only be sent to the network through the controlled port. The client cannot send frames using the controlled port until it is authenticated and authorized.

  1. EAP: If the server running IAS does not reject the Access-Request, the EAP authentication method is negotiated between the client and IAS.

    After the negotiation is complete, the AP forwards messages between the client and the server running IAS.

Note

There are many EAP authentication types. Both EAP-TLS and PEAP-MS-CHAPv2 are supported natively in Windows Server 2003, Windows XP, and Windows Vista.

Note

When PEAP is used, a TLS session is first created between the access client and the server running IAS; authentication then occurs through the secure TLS session.

  1. Authentication: After the EAP authentication method is agreed upon between the client and IAS, the server running IAS sends its server certificate chain to the client computer as proof of identity. The client computer uses the IAS server certificate to authenticate the server running IAS. Successful PEAP-MS-CHAP v2 authentication requires that the client trusts the server running IAS after validating the IAS server certificate chain. For the client to trust the server running IAS, the root CA certificate of the issuing CA of the server certificate must be installed in the Trusted Root Certification Authorities certificate store on client computer.

    After the client authenticates the server, the client sends password-based user credentials to the server running IAS, which verifies the client credentials against the user accounts database in Active Directory.

    • If the credentials are not valid, IAS sends an Access-Reject message to the AP in response to the connection request.

    • If the credentials are valid, the server running IAS proceeds to the authorization phase.

  2. Authorization: The server running IAS performs authorization, as follows:

    1. IAS checks the user or computer account dial-in properties in Active Directory.

    2. IAS then attempts to find a remote access policy that matches the connection request. If a matching remote access policy is found, IAS authorizes the connection request based on that policy.

  3. Access-Accept: If the authorization is successful, IAS sends the AP an Access-Accept message. If authorization is not successful, IAS sends an Access-Reject message.

  4. 802.1X controlled port: As part of authentication, 802.1x dynamically generates session keys from which it further derives encryption keys to secure the wireless connection. The encryption keys are configured on both the wireless AP and the client; all subsequent data traffic is protected. The wireless AP enables the controlled port; traffic from the wireless client is allowed to traverse the port.

  5. DHCP Address Request: The client sends a DHCP address request through the 802.1X controlled port to the network. If a DHCP server responds, the client obtains an IP address.

  6. Group Policy Applied: If configured, updated Group Policy is applied on the client during domain logon operations; this includes the Wireless Network (IEEE 802.11)Policies Group Policy extension.

Note

For computers already configured with Wireless Network (IEEE 802.11) Policies, Group Policy is applied when the computer is started, and whenever an updated policy is downloaded. If Group Policy is updated on the server while the computer is turned off, the last known policy (which might be stale) is immediately applied when the computer is started. If the 802.1X settings on the computer enable IAS to authorize the computer for network access, updated policies are downloaded and applied when the computer connects to the network, prior to user authentication. If 802.1X settings on the computer cannot enable IAS to authorize the computer for network access at startup, then application of updated policies occurs immediately after user authentication.

  1. Network Access The client is able to access network resources, contingent upon any applied restrictions.

Section 4: Network Diagnostics Framework

In Windows Vista, when a user experiences a network problem, Windows Vista will provide the user with the ability to diagnose and repair the problem. The diagnostic assessment and resolution steps that are provided to the user are in the application or user interface (UI) itself. During the diagnosis, the Network Diagnostics Framework (NDF) will analyze why the user’s task has failed, and will either present a solution to the problem, or list possible causes and steps that the user can to take to fix the problem. The solution can be a process that is run automatically by Windows Vista, or it might be a request that the user manually perform a step. The resolution steps can involve configuration changes, or in some cases, contacting Microsoft Customer Service and Support and providing a report of the problem from the computer.

Wireless diagnostics overview

Wireless diagnostics are used to identify and correct troubleshooting wireless connectivity issues. Connectivity issues can include such things as failed connections and intermittent connectivity. Wireless diagnostics works with NDF, which, in turn, is part of Windows Diagnostics Infrastructure (WDI). The role of wireless diagnostics is to collect and analyze information about wireless connectivity, to provide the results of the analysis, and to provide the user with repair options.

Wireless diagnostics purpose and design

The following describes the design approach of wireless diagnostics in Windows Vista:

  • Inform the user about what has happened, or what is causing the problem.

  • Be sure that the user can understand the information and that the information is appropriate in the context of what the user is doing.

  • Instruct the user about how to fix the problem.

  • Provide options instead of errors.

  • Provide better support when diagnostics cannot present a solution.

  • Provide best-effort analysis of collected data.

  • Avoid asking the user for data that is available on the computer.

  • Direct the customer to someone who can help.

All diagnostics are prescriptive in nature, and solutions are corrective when possible. The design is also based on the principle that the solutions will not put the computer at risk.

Categorization of wireless issues

802.11 wireless diagnostics examines and diagnoses two categories of connectivity issues:

  • Wireless (802.11) connectivity or configuration issues. These can include security issues associated with 802.11, such as the use of WEP keys for encryption or authentication.

Note

Due to known security issues with WEP encryption, it is recommended that you use only WPA2-Personal (preferred) or WPA.

  • Layer 2 security issues. These can include issues such as certificate failures, 802.1X issues, and EAP authentication failure.

Top wireless issues covered by wireless diagnostics

The following are the top wireless issues:

  • Incorrect network key (WEP or WPA(2)-PSK).

  • Radio off (software or hardware switch).

  • Problem with the network adapter, hardware, or drivers.

  • 1X certificate failures.

  • 1X erroneously enabled or not enabled.

  • Authentication infrastructure (for example, the RADIUS server) is not responding.

  • 1X discovery failures.

  • No visible networks, either because none are in range or because radio is off.

  • Frequent roams, swapping of connections.

  • Incompatible hardware or capability mismatch (that is, the client network adapter does not support settings required by AP).

  • Bad signal and connectivity, too far from the wireless AP, poor device placement (due to obstructions, for example), interference resulting in poor performance and throughput.

  • Wireless is connected, but cannot get an IP address.

Parts of wireless diagnostics

For the purposes of this document, wireless diagnostics are divided into two parts:

  • Wireless Diagnostics wizard. The Wireless Diagnostics wizard is similar to a configuration wizard. It can assist users by either fixing connectivity problems, or by providing the user with a next-step action. Although the primary focus is on identifying and resolving client-side connectivity problems, the Wireless Diagnostics wizard will attempt to analyze end-to-end network health, as seen from the client perspective and with client user rights, and attempt to determine if the problem is related to network services or infrastructure components.

    Running the Wireless Diagnostics wizard should be the first step when you are trying to resolve wireless connectivity problems. Users can access an interactive Wireless Diagnostics wizard in several locations in the UI, which is discussed in Starting the Wireless Diagnostics wizard.

  • Diagnostics logs and reports. In addition to providing the interactive Wireless Diagnostic wizard, wireless diagnostics also logs information in event logs, operational logs, and wireless tracing reports. These logs and reports capture detailed information about wireless status and activity, connection attempts, system state, and the network environment.

    IT administrators can automatically collect logged information from the client computers and store it for analysis in a central location using MOM integration, or a similar tool. Administrators can also use this information for planning purposes.

    Microsoft Customer Service and Support personnel and developers can generate wireless tracing reports for advanced troubleshooting and debugging.

    Information about the logs and reports that are generated by wireless diagnostics is discussed in Section 7: Event logs, diagnostics logs, and wireless tracing reports. Samples of diagnostic logs are provided in Appendix D: Trace File examples.

The remainder of this section contains information about the Wireless Diagnostics wizard.

Starting the Wireless Diagnostics wizard

The Wireless Diagnostics wizard is part of Network Diagnostics. You can start the Wireless Diagnostics wizard from several places on a client running Windows Vista. Accessing these entry points will start Network Diagnostics, which will then start the Wireless Diagnostics wizard, if appropriate. This section includes several procedures for starting the Wireless Diagnostics wizard.

Using the Network and Sharing Center notification area icon

The icon for the Network and Sharing Center is located to the left of the clock in the notification area.

Note

When you position the mouse pointer directly over the Network and Sharing Center notification area icon, the Currently connected to notification will appear. If the computer running Windows Vista is not connected to a network or another computer, the Network and Sharing Center icon is displayed with an X to indicate that your computer is not connected.

To start the Diagnostics wizard by using the Diagnose and repair option of the Network and Sharing Center notification area icon

  • Right-click the Network and Sharing Center icon in the notification area, and then click Diagnose and repair.

Using the Diagnose network problems option in Network and Sharing Center

To start the Diagnostics wizard by using the Diagnose and repair option in the Network and Sharing Center

  1. Click Start, click Network, and in the menu, click Network and Sharing Center.

  2. In the left pane, click Diagnose and repair.

Using the Diagnose and repair option in Network and Sharing Center (option 2)

To start the Diagnostics wizard by using the Diagnose and repair option in the Network and Sharing Center

  1. Click Start, click Connect to, and in Connect to a network, click Open Network and Sharing Center.

  2. In Network and Sharing Center, in the left-hand pane, click Diagnose and repair.

Using the Repair option for a network connection icon in Network Connections

Network Connections provides several methods for starting diagnostics.

To start the Wireless Diagnostics wizard by using the Diagnose options for a Network Connections icon

  1. Open Network Connections by using one of the following methods:

    • Click the Network and Sharing Center icon in the notification area, click Network and Sharing Center, and then in the left pane of Network and Sharing Center, click Manage network connections.

    • Click Start, click Network, click Network and Sharing Center, and then click Manage network connections.

    • Click Start, click Connect to, click Open Network and Sharing Center, and then click Manage network connections.

  2. In LAN or High-Speed Internet, select the network connection you want, and then do one of the following:

    • Click Diagnose this connection.

    • Right-click the connection item, and then click Diagnose.

    • For wireless connections, attempt to connect to the network you want. Right-click the connection icon, and then click Connect/Disconnect. In Select a network to connect to, select the desired wireless network, and then click Connect.

      If the connection attempt is unsuccessful, the Connect to a network dialog box provides an option to diagnose the problem. Click Diagnose the problem to start the Wireless Diagnostics wizard.

Using Connect to a network

To start the Wireless Diagnostics wizard by using Connect to a network

  • Click Start, click Connect to, and in Connect to a network, do one of the following:

    1. In Select a network to connect to, select a wireless network, and then click Connect. If the connection attempt fails, the Connect to a network dialog box indicates that Windows cannot connect to the target resource. Click Diagnose the problem to open the Wireless Diagnostics wizard.

    2. In Select a network to connect to, right-click the wireless network for which you want to diagnose the connectivity, and then click Diagnose.

Additional entry points

Internet Explorer: If Internet Explorer fails to connect to the target resource, it displays:

  • a message indicating that it cannot display the Web page.

  • a list of the most likely causes.

  • links to run Network Diagnostics and get online help information.

You can click Diagnose Connection Problems to open Network Diagnostics and, as appropriate, the Wireless Diagnostics wizard.

Start Search: If an attempt to access a resource by typing a UNC (Universal Naming Convention) name in Start Search fails, the resulting error message provides a link that you can use to run Network Diagnostics and, as appropriate, the Wireless Diagnostics wizard.

To use the Start Search entry point into Diagnostics session

  1. Click Start, in Start Search, type the UNC name for the target resource, such as \\servername\sharename\directory\filename, and then press ENTER.

  2. If the attempt to access the resource is unsuccessful, when the Network Error dialog box opens, click Diagnose to open Network Diagnostics.

In some cases, running the Wireless Diagnostics wizard will not fix the problem. In these situations, your next step is to use the netsh wlan commands documented in the next section to gather information that will be useful for troubleshooting.

Section 5: Netsh commands for wireless LAN

The netsh commands for wireless local area network in Windows Vista provide a lightweight alternative to Group Policy to configure and manage wireless connectivity and security settings. Netsh wlan is also a useful tool for troubleshooting wireless connectivity problems.

You can run the netsh wlan commands directly from the Windows Vista command prompt by typing netsh wlan followed by the command, or by switching to the wlan context by using the following instructions.

Entering the netsh wlan context

To enter the netsh context for wlan

  1. Click Start, click Run, type cmd, and then click OK.

  2. At the command prompt, type netsh, and then press ENTER.

  3. Type wlan, and then press ENTER.

Using netsh wlan to gather troubleshooting information

The primary netsh wlan command for troubleshooting is show all, which you can use to gather the wireless profile configuration on multiple interfaces, and to collect data about the capabilities of the network cards and driver versions. For example, you can use the netsh wlan show all command to quickly determine:

  • whether the wireless network adapter supports the authentication and cipher standard required on your network.

  • if Auto-configuration (WLAN AutoConfig) logic is enabled.

  • whether 802.1X is enabled.

  • which EAP type is applied.

Running the netsh wlan show commands can uncover some types of configuration errors that result in connectivity problems.

The following procedures demonstrate how to use netsh wlan commands to gather troubleshooting information. After each procedure, you will find an example of the information that is rendered by the command.

Note

The complete Netsh command line reference for netsh wlan is available from the Microsoft TechNet Web site at Netsh Commands for Wireless Local Area Network (WLAN) [https://go.microsoft.com/fwlink/?LinkId=81752], and from the Microsoft Download Center at Netsh Commands for Wireless Local Area Network (WLAN) [https://go.microsoft.com/fwlink/?LinkId=81753].

show all

The show all command combines the following netsh wlan show commands:

  • show drivers - Displays the properties of the wireless adapter drivers on the computer.

  • show interfaces - Displays a list of the current wireless interfaces on the computer

  • show settings - Displays the current global settings of the wireless LAN, including the information rendered by these two netsh wlan commands:

    • show autoconfig - Displays whether the wireless WLAN AutoConfig Service is enabled or disabled.

    • show blockednetworks - Displays whether blocked network settings are set to be displayed or hidden.

  • show filters - Displays the current list of allowed and blocked wireless networks.

  • show profiles - Displays a list of wireless profiles that are configured on the computer.

  • show networks MODE=BSSID - Displays a list of wireless networks that are visible on the computer.

The following table lists usage information for the netsh wlan show all command.

Syntax:

show all

Parameters:

There are no parameters for this command.

Remarks:

Displays the entire collection of 802.11 wireless interface information, network information, and wireless settings on the system, including:

  • Wireless adapter driver information

  • Wireless interface status

  • Wireless configuration settings

  • Wireless network filters

  • Wireless network profiles list and details

  • Visible wireless networks

Example command:

  • show all

The following command sample shows the information returned by the show all command.

F:\>netsh
netsh>wlan
netsh wlan>show all
Wireless System Information Summary
(Time: 1/18/2007 9:49:37 PM)

=======================================================================
============================== SHOW DRIVERS ===========================
=======================================================================
Interface name: Wireless Network Connection
    Driver                    : Broadcom 802.11g Network Adapter
    Vendor                    : Broadcom
    Provider                  : Microsoft
    Date                      : 6/21/2006
    Version                   : 4.82.28.56
    INF file                  : F:\Windows\INF\netbc6.inf
    Files                     : 1 total
                                F:\Windows\system32\DRIVERS\BCMWL6.SYS
    Type                      : Native Wi-Fi Driver
    Radio types supported     : 802.11g 802.11b
    Authentication and cipher supported in infrastructure mode:
                                Open            None
                                Open            WEP
                                Shared          None
                                Shared          WEP
                                WPA2-Enterprise TKIP
                                WPA2-Personal   TKIP
                                WPA2-Enterprise CCMP
                                WPA2-Personal   CCMP
                                WPA-Enterprise  TKIP
                                WPA-Personal    TKIP
                                WPA-Enterprise  CCMP
                                WPA-Personal    CCMP
    Authentication and cipher supported in ad-hoc mode:
                                Open            None
                                Open            WEP

=======================================================================
============================= SHOW INTERFACES =========================
=======================================================================
There is 1 interface on the system:
    Name                 : Wireless Network Connection
    Description          : Broadcom 802.11g Network Adapter
    GUID                 : 0dcf87d3-bed3-4518-ba99-f1066edb3d87
    Physical Address     : 00:14:bf:74:6d:c3
    State                : connected
    SSID                 : WIR_TST_Lab
    BSSID                : 00:18:39:5a:5f:01
    Network Type         : Infrastructure
    Radio Type           : 802.11g
    Authentication       : WPA2-Enterprise
    Cipher               : CCMP
    Connection Mode      : Auto Connect
    Channel              : 6
    Receive Rate (Mbps)  : 54
    Transmit Rate (Mbps) : 54
    Signal               : 94%
    Profile              : PEAP

=======================================================================
============================= SHOW SETTINGS ===========================
=======================================================================
Wireless LAN settings
---------------------
    Show blocked networks in visible network list: No.
    Auto configuration logic is enabled on interface "Wireless Network 
Connection".

=======================================================================
============================== SHOW FILTERS ===========================
=======================================================================
Allow list on the system (group policy)
---------------------------------------
    SSID: "WIR_TST_Lab", Type: Infrastructure
    SSID: "GUEST", Type: Infrastructure
Allow list on the system (user)
-------------------------------
    <None>
Block list on the system (group policy)
---------------------------------------
    SSID: "WSUA-EAP", Type: Infrastructure
    SSID: "Home", Type: Adhoc
    SSID: "", Type: Adhoc
Block list on the system (user)
-------------------------------
    <None>

=======================================================================
=========================== SHOW CREATEALLUSER ========================
=======================================================================
Everyone is allowed to create all user profiles.

=======================================================================
============================= SHOW PROFILES ===========================
=======================================================================
Profiles on interface Wireless Network Connection:
Group Policy Profiles (read only)
---------------------------------
    PEAP

User Profiles
-------------
    <None>

=======================================================================
========================== SHOW PROFILES NAME=* =======================
=======================================================================
Profile PEAP on interface Wireless Network Connection:
=======================================================================
Applied: Group Policy Profile
Profile Information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : PEAP
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
        AutoSwitch         : Switch to more preferred network if 
possible
Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "WIR_TST_Lab"
    Network type           : Infrastructure
    Radio type             : [ Any Radio Type ]
    Vendor extension       : Not present
Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Security key           : Absent
    802.1X                 : Enabled
    EAP type               : Protected EAP (PEAP)
    802.1X auth credential : Machine or user credential
    Cache user information : Yes

=======================================================================
======================= SHOW NETWORKS MODE=BSSID ======================
=======================================================================
Interface Name : Wireless Network Connection
There are 3 networks currently visible.
SSID 1 : WIR_TST_Lab
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:18:39:5a:5f:01
         Signal             : 97%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 1 2 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 2                 : 00:18:39:5a:5f:01
         Signal             : 97%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 1 2 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54

SSID 2 : TST_WLAN
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:0b:86:da:4b:a0
         Signal             : 20%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 2                 : 00:0b:86:db:1b:40
         Signal             : 0%
         Radio Type         : 802.11g
         Channel            : 8
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 3                 : 00:0b:86:db:30:80
         Signal             : 8%
         Radio Type         : 802.11g
         Channel            : 11
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54

SSID 3 : TST_GUEST
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:0b:86:da:4b:a1
         Signal             : 28%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 2                 : 00:0b:86:db:30:81
         Signal             : 8%
         Radio Type         : 802.11g
         Channel            : 11
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 3                 : 00:0b:86:da:57:a1
         Signal             : 68%
         Radio Type         : 802.11g
         Channel            : 11
         Basic Rates (Mbps) : 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54

netsh wlan>
show tracing

You can use show tracing to determine whether wireless tracing is enabled or disabled.

Syntax:

show tracing

Parameters:

There are no parameters for this command.

Remarks:

Displayed information includes:

  • Tracing state (enabled or disabled)

  • Tracing persistence state (running or not running)

  • Trace log file location (for example, "c:\Windows\system32\logfiles\WirelessAutoLog\")

Example command:

  • show tracing

The following command sample shows the information returned by the show tracing command.

F:\netsh
Netsh>wlan
Netsh wlan>show tracing
Wireless tracing is currently stopped.
Last trace logs are stored in "F:\Windows\tracing\wireless"
netsh wlan>

Section 6: Investigative questions and quick lists for common connectivity problems

When troubleshooting wireless connectivity, ask the following questions to help define the problem.

Is the problem isolated to a single computer? If so:
  • Has the computer previously connected successfully to the network?

  • Can other computers on the same subnet reach targeted resources?

  • Is the computer in a media disconnected state?

    • Many portable devices have an external switch to turn off the wireless antenna. Is the external switch turned off?

    • Is the wireless adapter disabled in Network Connections?

    • Is the wireless adapter hardware malfunctioning?

    • Is the computer attempting to connect to a wireless AP or wireless router that is either unplugged from its power source or malfunctioning?

  • Can you identify configuration changes on the computer between the time the computer most recently connected successfully to the wireless network and when the connection failed?

  • Review the status details of the local area connection in Network Connections. Is there information in Network Connection Details that indicates the source or nature of the connectivity problem?

Note

To open the details for a local area connection, in Network Connections, right-click the local area connection icon, click Status, and then click Details.

  - Is there a value listed for **Connection-specific DNS Suffix**? Is the value the same as the name of your domain?  
      
  - In a DHCP network, are the TCP/IP properties of the local area connection configured for dynamic addressing? If so, **Yes** will be displayed in **DHCP Enabled**.  
      
  - Are both the IPv4 address and IPv4 subnet mask in the same range as those defined for the network subnet? Or, is the IPv4 address in **Autoconfiguration IPv4 Address** listed in the range of 169.254.0.1 through 169.254.255.254 with a subnet mask of 255.255.0.0?  
      

Note

TCP/IP addresses in the range of 169.254.0.1 through 169.254.255.254 are Automatic Private IP Addressing (APIPA) addresses. When the TCP/IP protocol is configured for dynamic addressing and a DHCP server is not available, APIPA automatically configures a unique IP address from the 169.254.x.x range (where x is an integer between 1 and 254).

  - Is there information in **Lease Obtained** or **Lease Expires**?  
      
  - Are the correct IP addresses displayed for the DHCP, DNS, and WINS servers?  
      
Are multiple computers presenting the same symptoms? If so:
  • What do those computers have in common?

    • Do those computers connect to a common wireless AP?

    • Do the computers connect through one or more wireless APs that, in turn, connect to a common network switch?

    • Are the computers on the same subnet?

    • Do the computers or users belong to a common Active Directory security group?

    • Do the computers or users belong to an Active Directory security group that is controlled through a common IAS remote access policy?

    • Do the computers all obtain their TCP/IP addresses from the same DHCP server?

    • Is the connectivity outage constant or intermittent?

  • Can you identify changes in your network between the time the computers connected to the network successfully and the time when connections began to fail?

Review the location and timing of the problem to help narrow the scope of the problem. In addition, examine the failures systematically by referring to the sequence of steps used to establish communications, as described in Section 3: The authentication process.

Quick lists for common connectivity problems

This section provides a series of tables and lists that can help you to quickly identify conditions that can cause connectivity problems. The quick lists are presented in two categories: by symptom and by network type.

Quick lists by symptom

  • Symptom: Inability to connect

  • Symptom: Intermittent connectivity

  • Symptom: Incorrect, missing, or stale visible networks

  • Symptom: Wireless client has associated, but no there is no valid IP address configuration or no network connectivity

  • Symptom: Wireless connection problems when performing a suspend and resume with a laptop computer

  • Symptom: Wireless Networks tab is not present for the properties of the wireless network adapter in the Network Connections folder or there are no visible wireless networks

Quick lists by network type

  • General network connectivity problems

  • Domain network connectivity problems

  • 802 1X-authenticated network connectivity problems

Quick lists by symptom

The following series of tables present common symptoms, their causes, and likely solutions.

Symptom: Inability to connect
Possible Causes Corrective Measures
  • Improperly functioning or outdated wireless network adapter driver.

  • Incorrect or incompatible wireless network configuration. For example, shared key authentication is configured on the wireless AP and the wireless client is attempting open system authentication.

  • Inadvertent media access control (MAC) address filtering.

  • The wireless network name is not visible.

  • The wireless AP and wireless network adapter are not using the same 802.11 standard (for example, you are using an 802.11b network adapter and a 802.11a wireless AP).

  • Radio frequency (RF) interference from nearby devices, such as cordless phone and Bluetooth devices.

  • Wireless client is at the periphery of the RF range of the wireless AP.

  • Verify that the wireless network configurations between the wireless client and wireless AP are compatible.

  • Review the wireless network environment and network topology.

  • Double-check the steps you followed during configuration. User error is a common source of incorrect configuration.

  • Obtain and install the most recent version of the wireless network adapter driver.

  • Enable logging and look at the Wireless trace logs.

    For information about generating trace logs, see Wireless trace logs.

Symptom: Intermittent connectivity
Possible Causes Corrective Measures
  • Improperly functioning or outdated wireless network adapter driver.

  • Improperly functioning wireless AP.

  • Obtain and install the most recent version of the wireless network adapter driver.

  • Look for unexpected disconnects in the Wireless trace logs.

    For information about generating trace logs, see Wireless trace logs.

Symptom: Incorrect, missing, or stale visible networks
Possible Causes Corrective Measures
  • Improperly functioning or outdated wireless network adapter driver.

  • Improperly functioning radio equipment on wireless AP or wireless network adapter.

  • Malfunctioning wireless network adapter drivers are unable to detect and register visible networks. Look through the wireless trace logs to see if the wireless network adapter has registered any visible networks.

    For information about generating trace logs, see Wireless trace logs.

  • Obtain and install the most recent version of the wireless network adapter driver.

  • Run diagnostic functions on the wireless network adapter or wireless AP.

Symptom: Wireless client has associated, but no there is no valid IP address configuration or no network connectivity
Possible Causes Corrective Measures
  • Authentication problem.

  • Incorrect encryption key.

  • Corrupt, expired, or missing certificates.

  • Improperly functioning wireless AP.

  • Verify that the wireless network configurations between the wireless client and wireless AP are compatible.

  • If you are using a static WEP key, verify that it has been correctly configured.

    Note
    Due to known security issues with WEP encryption, it is recommended that you use only WPA2-Personal (preferred) or WPA.

  • Verify whether other computers connected to the wireless AP have the same problem. If all wireless clients of the same wireless AP have the same problem, check the wireless AP settings.

  • IEEE 802.1X authentication might be failing. Look in the OneX Trace file for entries that indicate authentication has failed, as in the following example:

    "The authentication failed because there is a problem with the user account"

Symptom: Wireless connection problems when performing a suspend and resume with a laptop computer
Possible Causes Corrective Measures
  • Improperly functioning or outdated wireless network adapter driver.

  • Obtain and install the most recent version of the wireless network adapter driver.

    Look in the wireless trace logs for wireless network adapter driver errors. For information about generating trace logs, see Wireless trace logs.

Symptom: Wireless Networks tab is not present for the properties of the wireless network adapter in the Network Connections folder or there are no visible wireless networks
Possible Causes Corrective Measures
  • The WLAN AutoConfig Service is not running.

  • Improperly functioning or outdated wireless network adapter driver.

  • On a laptop computer, the wireless radio button might be in the off position.

  • Check to see if the WLAN AutoConfig Service is running by using the netsh wlan set autoconfig command.

  • Using the Services snap-in, confirm that the WLAN AutoConfig Service is configured to start automatically.

  • A wireless network adapter driver that fails in the early stages of service startup can cause the WLAN AutoConfig Service not to initialize on that interface.

Quick lists by network type

The following quick lists are not exhaustive catalogs of connectivity problems. They provide information about the types of conditions that can cause connectivity problems.

For the purposes of this document, network connectivity problems fall into three groups:

  • General network connectivity problems

  • Domain network connectivity problems

  • 802.1X-authenticated network connectivity problems

General network connectivity problems

These types of problems can occur on networks ranging from SOHO workgroup-based networks to enterprise networks:

Note

In Windows Vista, Windows Network Diagnostics can frequently determine the cause of these types of errors, and either fix the problem or provide next-step user actions.

  • A wireless setting mismatch exists between the wireless AP and the wireless client. For example, the network key configured on the client does not match the network key configured on the wireless AP, or the wireless AP is configured to use WPA2-Personal and the client is configured with WPA-Personal.

  • The wireless adapter is disabled in Network Connections.

  • The external switch that controls the wireless antenna is turned off.

  • The wireless network adapter is malfunctioning.

  • Network clients configured with static IP addresses are not configured using the same IP address or subnet mask.

  • The DHCP service is enabled on the wireless router to provide addressing to network clients, but one or more network clients are configured with a static IP address.

  • Excluding networks on which client computers are configured with static addresses, the TCP/IP properties of the local area connection are not configured for dynamic addressing.

  • The DHCP server is disconnected from the network, powered off, or the service is not running. In a SOHO network, the DHCP service is typically provided by the wireless router or by Internet Connection Sharing (ICS).

  • In a SOHO network:

    • In a new wireless network or when replacing your modem or wireless AP, you have not registered your modem with your ISP, or your router Media Access Control (MAC) address. Modem or router registration varies by ISP.

    • Your ISP requires that the public (Internet) connection of your router is configured by the DHCP server on the ISP's network, but you have not configured the public connection on the router to accept DHCP leases. For example, you have configured the public connection on the wireless router with a static IP address.

Domain network connectivity problems

In addition to the general network connectivity problems, these types of problems commonly occur on domain networks, ranging from small organizations to enterprise networks:

Active Directory
  • The user does not have an account in Active Directory Users and Computers.

  • The dial-in properties of the user account or computer account in Active Directory Users and Computers is set to Deny access.

  • The user account has expired.

  • The user is attempting a connection at a prohibited time, as specified in the logon hours of the user account (the default setting is Logon Permitted for all hours).

  • The user is attempting a prohibited connection by using a computer not specified in the Log On To setting of the user account properties, and the default setting All computers is not selected.

  • The DNS service is stopped or is not configured.

  • The domain controller is offline.

Users and Computers
  • The client computer is not joined to the domain.

  • The client is attempting to log on to the domain with non-domain credentials.

DHCP
  • The DHCP scope is full, and can no longer lease addresses to requesting clients.

  • The IP address of the DHCP server was changed and now DHCP clients cannot get IP addresses.

  • The DHCP server is stopped.

  • On a newly configured DHCP server:

    • The DHCP server is not authorized in Active Directory.

    • The IP address range is incorrectly specified.

    • The DHCP service is stopped.

    • The DHCP scope is not activated.

    • The DHCP server is not on the same subnet as the clients.

    • The DHCP server is offline.

802.1X-authenticated network connectivity problems

This section provides examples of configuration problems that are specific to networks that deploy 802.1X-authenticating wireless APs and IAS for 802.1X-authenticated connections. In an 802.1X network, the following examples should be considered in addition to the examples listed in the previous two sections.

Active Directory Problems
  • The Active Directory domain functional level is not raised to Windows Server 2003. IAS RADIUS settings require the Windows Server 2003 domain functional level.

Important

If domain controllers on your network are running Windows NT 4.0 and earlier, then do not raise the domain functional level to Windows 2000 native. After the domain functional level is set to Windows 2000 native, it cannot be changed back to Windows 2000 mixed. If domain controllers on your network are running Windows 2000 or Windows NT 4.0 and earlier, then do not raise the domain functional level to Windows Server 2003. After the domain functional level is set to Windows Server 2003, it cannot be changed back to Windows 2000 mixed or Windows 2000 native.

  • In Active Directory Users and Computers, the dial-in properties of the user account are not configured to Control access through Remote Access Policy.

  • The IAS remote access policy grants access for members of an Active Directory security group. However, the user is not a member of the security group that is specified in the remote access policy.

  • The authentication method specified in the Wireless Network (IEEE 802.11) Policies does not match the authentication method specified in the IAS remote access policy.

    For example, if network clients running Windows Vista are configured by the Wireless Network (IEEE 802.11) Policies to use PEAP-MS-CHAPv2 authentication, but there is not a matching IAS remote access policy that specifies PEAP-MS-CHAPv2 authentication, the mismatch will prevent client authentication.

Client
  • The WLAN AutoConfig Service is not running.

Note

By default, the WLAN AutoConfig Service startup type is set to start automatically. You can start the service in the Services console, by running the netsh wlan set autoconfig command on individual computers or in a script, or by configuring the service in Windows Server 2008 Group Policy.

  • In an 802.1X authenticating network with PEAP, EAP-TLS, or PEAP-TLS deployed, the user has chosen not to trust the server certificate when prompted.

  • Using EAP-TLS authentication, the client does not have a certificate that contains the Client Authentication purpose in the Enhanced Key Usage extension and is configured according to minimum client certificate requirements.

Certificate Services
  • For EAP-TLS deployments, the user does not have a client certificate.

  • The client does not have a corresponding root CA certificate that matches the issuing CA of the IAS server certificate.

IAS (RADIUS)
  • The RADIUS shared secret on the wireless AP does not match the shared secret configured for RADIUS clients in IAS.

  • The IAS remote access policy properties are configured to reject the user or computer requests. For example:

    • On the Settings tab, the properties of the policy are set to Deny remote access permission.

    • On the Dial-in Constraints tab of the remote access policy, time restrictions prohibiting the connection are configured using the Allow access only on these days and at these times setting.

    • On the Dial-in Constraints tab, an incorrect media type is specified in Allow access only through these media (NAS-Port-Type).

  • A mismatch exists between the trusted root certification authority that issued the RADIUS server certificate that is specified in the IAS remote access policy, and the trusted root certification authority that is specified in the properties of the selected EAP type in the Wireless Network (IEEE 802.11) Policies.

  • The wireless AP (RADIUS Client) vendor-specific attributes are configured incorrectly.

  • The IP address of the RADIUS client (wireless AP) specified in IAS is incorrect.

  • The IAS server certificate has expired.

  • The IAS service is stopped.

  • EAP is configured differently in the applicable remote access policy from the way it is configured in the Wired Network (IEEE 802.11) Policy in Active Directory.

  • On a newly configured IAS server:

    • IAS is not registered in Active Directory.

    • The IAS service is not running.

    • The IAS server does not have a server certificate.

Wireless AP
  • The wireless AP does not have the correct or latest firmware.

  • The IP address of the wireless AP is incorrectly configured for the subnet.

  • The wireless AP does not specify the correct address of the IAS RADIUS server.

  • 802.1X is not enabled on the switch.

  • The RADIUS shared secret configured on the wireless AP does not match the shared secret configured on the RADIUS server.

Wireless user troubleshooting quick list

Wireless users can follow these steps to solve several common problems associated with wireless connections:

  • Many portable computers have a switch that can be used to turn the 802.11 wireless network adapter antenna on and off. Be sure that the switch is turned on. For more information, see the product documentation for your portable computing device.

  • Make sure that the wireless adapter has not been disabled in Network Connections. You can enable a wireless adapter through the UI by right-clicking a wireless adapter icon, and then selecting Enable.

    Wireless adapters that have been disabled in Network Connections do not appear in the notification area and can only be enabled in Network Connections.

  • Use WLAN AutoConfig to configure wireless network settings. When enabled, WLAN AutoConfig allows you to connect to an existing wireless network, change wireless network connection settings, configure a connection to a new wireless network, and specify preferred wireless networks. It also notifies you when new wireless networks are available. When you switch wireless networks, your wireless network adapter settings will be dynamically updated to match the settings of that new network and a network connection attempt will be made.

  • If you are connecting to a wireless network for the first time, WLAN AutoConfig will configure basic network settings, if the service is enabled. However, you might need to configure additional settings, such as the data encryption type or network key, if they are not automatically configured for your account through the Wireless Network (IEEE 802.11) Policies in Active Directory. You might also need to request account permissions from your network administrator.

  • Check to see if the desired wireless network appears in the network list. Right-click the network center icon, and then click Connect to a network. If the desired wireless network does not appear under Select a network to connect to, you might be outside of the broadcast range of that network or the network might be suppressing the beaconing signal. First, try to relocate the wireless device to a location that receives a stronger signal. To refresh the network list and get the most current list of wireless networks that are advertising within reception range of your computer, right-click the Network Center icon, click Connect to a network, and then click the Refresh button.

Note

Some infrastructure networks suppress the beaconing signal because they do not want to advertise the availability of their wireless network. In Windows Vista, hidden networks appear under Choose a wireless network as Unnamed Network, indicating that a hidden SSID is present. You can connect to these networks if you manually configure a wireless profile with all of the correct network settings, such as the SSID, network key, network authentication and encryption, and enable the setting Connect even if the network is not broadcasting.

Important

Enabling the Connect even if the network is not broadcasting setting can create a security risk. When Connect even if the network is not broadcasting is enabled, wireless clients will probe for, and attempt connections to, any wireless network. By default, this setting is not enabled.

  • Check to see if there is a wireless warning icon in the notification area. You can click the warning icon to get information about the error as well as possible remedies. If you used Connect to a network to open the list of available wireless networks, under Select a network to connect to, check for a warning where the wireless network is displayed. You can click the warning link text to get information about the warning and possible remedies.

  • If you have previously connected successfully to a network, but connection attempts to that network now fail, right-click the wireless icon, and then click Diagnose.

Section 7: Event logs, diagnostics logs, and wireless tracing reports

This section contains information about how to locate and review data collected in the following logs and reports:

  • Basic event logging (Event Viewer and system logs)

  • Operational logging (Applications and Services, WLAN-AutoConfig operational logs)

  • Wireless tracing reports (Wireless Diagnostics)

Event Viewer and system logs

You can use the WLAN AutoConfig events captured in the Event Viewer to track the start and stop state of the WLAN AutoConfig Service. You can use these logs to determine whether the WLAN AutoConfig Service is functioning correctly.

To access the Event Viewer

To access the Event Viewer

  1. On a computer equipped with a 802.11 wireless adapter, click Start, right-click Computer, and then click Manage.

  2. In the Computer Management console, click Event Viewer, click Windows Logs, and then click System. This will open the System Event logs.

  3. In the details pane, filter the view by source or service type.

  4. In the Source column, navigate to WLAN AutoConfig events to view wireless events.

Example system event logs

The following examples show the type of information reported in the Event Viewer.

Example 1

WLAN AutoConfig service has successfully started.

Example 2

WLAN AutoConfig service has successfully stopped.

Applications and Services WLAN AutoConfig operational log

The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure.

Opening the WLAN AutoConfig operational log

To access the WLAN AutoConfig operational log

  1. On a computer equipped with a 802.11 wireless adapter, click Start, right-click Computer, and then click Manage.

  2. In the Computer Management console, click Event Viewer, click Applications and Services, and then click Microsoft, as shown in the following figure:

  3. Click Windows, click WLAN-AutoConfig, and then click Operational, as shown in the following figure:

  4. In the details pane, click the event to display the logged information.

Example WLAN AutoConfig operational logs

The following examples illustrate the type of information reported in the WLAN AutoConfig operational log.

Example 1

WLAN AutoConfig service has successfully connected to a wireless 
network.

Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Automatic connection with a profile
Profile Name: PEAP
SSID: WIR_TST_Lab
BSS Type: Infrastructure
BSSID: 00:18:39:5A:5F:01
PHY Type: 802.11g
Authentication: WPA2-Enterprise
Encryption: AES
802.1X Enabled: Yes

Example2

WLAN AutoConfig service failed to connect to a wireless network.

Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Automatic connection with a profile
Profile Name: PEAP
SSID: WIR_TST_Lab
BSS Type: Infrastructure
Failure Reason:802.1X authentication did not complete within configured 
time

Example3

WLAN AutoConfig service failed to connect to a wireless network.

Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Automatic connection with a profile
Profile Name: PEAP
SSID: WIR_TST_Lab
BSS Type: Infrastructure
Failure Reason:Driver disconnected while associating.

Example 4

WLAN AutoConfig service failed to connect to a wireless network.

Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Automatic connection with a profile
Profile Name: PEAP
SSID: WIR_TST_Lab
BSS Type: Infrastructure
Failure Reason:There was no response to the EAP Response Identity 
packet

Example 5

WLAN AutoConfig service failed to connect to a wireless network.

Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Connection to a secure network without a profile
Profile Name: WIR_TST_Lab
SSID: WIR_TST_Lab
BSS Type: Infrastructure
Failure Reason:The specific network is not available.

Wireless Diagnostics and wireless tracing reports

Sometimes the basic Event Viewer system logs and operational logs cannot provide enough information for you to diagnose a connection issue. To continue troubleshooting, you need more information about which processes are occurring with individual wireless components. You can use Wireless Diagnostics to generate the Microsoft Wireless Diagnostics Report, which contains numerous reports.

Most of the information generated by the Microsoft Wireless Diagnostics Report is intended for developers and administrators. However, the summary information in the Diagnostics Results section of the report can help network administrators, help desk personnel, and advanced users who are troubleshooting wireless connectivity problems.

The following list follows the structure of the Microsoft Wireless Diagnostics Report, and summarizes the purpose and content of each part of the report:

  • Diagnostic Results - This portion of the Microsoft Wireless Diagnostics Report provides symptom, cause, event details, and suggested resolutions.

  • Wireless Networking Troubleshooting information - Intended for Microsoft Customer Service and Support and developers, this report contains the following information:

    • Software Configuration - contains relevant details about the Windows Vista operating system, and wireless networking system files.

    • Hardware Configuration - contains information about the computer make and model, and wireless network adapter information.

    • System State - enumerates the state of system services at the time the Microsoft Wireless Diagnostics Report was generated, and provides current user and environment information.

    • Wireless Network Configuration - contains information about wireless network configuration profiles.

    • Connection Attempts - lists details about the each aspect of connection attempt that was processed during the generation of the current instance of the Microsoft Wireless Diagnostics Report.

    • Wireless Trace - contains Wireless trace logs and event logs. These logs are mainly used by developers and Microsoft Customer Service and Support personnel.

  • CPU - provides statistics about CPU usage.

  • Network Diagnostics - contains additional debugging and diagnostic details for developers and Microsoft Customer Service and Support personnel.

Generating Microsoft Wireless Diagnostics Report

Generating the Microsoft Wireless Diagnostics Report is a three-step process: enable wireless tracing, reproduce the wireless connectivity error, and then stop wireless tracing.

When tracing is enabled, it runs silently in the background while the problem is re-created. When the logging is turned off, a process will run that will automatically compile the Microsoft Wireless Diagnostics Report.

To generate a Microsoft Wireless Diagnostics Report

  1. On a computer equipped with a 802.11 wireless adapter, click Start, right-click Computer, and then click Manage.

  2. In the Computer Management console, click Reliability and Performance, click Data Collector sets, click System, right-click Wireless Diagnostics, and then click Start. This will start the wireless diagnostic tracing. This is shown in the following figure:

  3. Attempt to connect to the wireless network to reproduce the error condition.

  4. Right-click Wireless Diagnostics, and then click Stop to stop the wireless diagnostic tracing.

  5. Click Reports, click System, click Wireless Diagnostics, and then click Wireless to open the top level of the Microsoft Wireless Diagnostics Report. This is shown in the following figure.

Diagnostics Results

The Diagnostics Results section of the Microsoft Wireless Diagnostics Report provides summary information about the symptom, cause, and resolution of the connectivity problem. Network administrators, help desk personnel, and advanced users can use this information to help troubleshoot and resolve wireless connectivity problems.

The following examples illustrate the type of diagnostic information that wireless tracing generates in Diagnostics Results.

Example1:

Symptom: The user successfully connected to a wireless network. 
Cause: The most recent wireless network connection attempt was 
successful. 
Details: The user connected to the wireless network with the following 
SSID: WIR_TST_Lab 
Resolution: No resoultion required.

Example2:

Symptom: The user failed to connect to the desired wireless network. 
Cause: The reason for the failure of the most recent wireless network 
connection attempt is: User has cancelled the operation. 
Details: The user attempted to connect to the wireless network with the 
SSID: WIR_TST_Lab 
Resolution: Confirm that both the wireless network adapter and the 
wireless network access point are using the same version of the 802.11 
protocol. 
Also, confirm that both the wireless network adapter and the wireless 
network access point are using the same encryption scheme.

Wireless trace logs

The wireless trace logs that are generated in the Microsoft Wireless Diagnostics Report are a set of files that contain highly-detailed information about specific aspects of wireless service-related components in Windows Vista. The wireless trace logs are intended to be used by help desk personnel and developers for advanced troubleshooting and debugging issues.

To open wireless trace logs

  1. In the Microsoft Wireless Diagnostics Report, open Wireless Networking Troubleshooting Information. This is shown in the following figure:

  2. Click Wireless Trace, as shown in the following figure:

The following wireless trace files are generated when you enable wireless tracing.

  • OneX Trace (onex.txt): 802.1X library communication – conversation with EapHost

  • Diagnostics Helper Class Trace (diaghc.txt)

  • Wlan Trace (wlan.txt): This log gathers the output from the following components: AutoConfig, the FAT and RNFW MSM, Native WiFi Intermediate driver, and the Diagnostics core

  • Msmsec Trace (msmsec.txt): 802.11 security module

  • Extensibility Trace (ext.txt): Extensibility framework logging

  • Native Wifi Driver Trace (nwifi.txt)

  • Wireless GP Trace (wlangp.txt)

  • Layer 2 Network Access Trace (L2nacp.txt): Single Sign On (SSO)

  • Wireless AutoConfiguration Event Log (not a text file)

  • Wireless Diagnostics Event Log (not a text file)

The reading of diagnostic logs is not an exact science. Sometimes the most useful troubleshooting information obtained from a trace log is an observed behavior pattern, rather than a specific error. For this reason, it is important that you understand the layout and relationship of the wireless components that are discussed in Section 2: Wireless infrastructure components and Section 3: The authentication process.

Trace logs frequently capture redundant information; multiple logs will note the same events, but from a different perspective. For example, the MSMSEC, WLAN, and OneX logs all record connection events, but report different information. This is helpful for determining where a problem occurred and in which phase of the connection process.

The following shows the typical layout of a trace file:

[0] 12:50:01.256 TX=54 Mbps RX=54 Mbps
[0] 12:50:11.396 TX=54 Mbps RX=54 Mbps
[0] 12:50:18.978 Receive 1X packet: FrameSeq# 4077: 00-18-39-5A-5F-01 
==> 00-14-BF-74-6D-C3 STATUS_SUCCESS
[0] 12:50:18.978 1X Packet: Unknown version 2, type 0 
0000  01080005 01                          .....
[3796] 12:50:18.982 Send 1X packet: 00-14-BF-74-6D-C3 ==> 
00-18-39-5A-
5F-01
[3796] 12:50:18.982 PPP-EAP: EAPCODE_0x00000002(Response) Id=0x08 
EAPTYPE_0x00000001(Identity) len=15 
0000  4558414D 504C455C 47504164 6D696E    EXAMPLE\GPAdmin
[3796] 12:50:18.982 Send Security Packet: NDIS_PACKET=85672320
[0] 12:50:18.983 Send Security Packet Completion: STATUS_SUCCESS 
NDIS_PACKET=85672320
[0] 12:50:18.994 Receive 1X packet: FrameSeq# 4078: 00-18-39-5A-5F-01 
==> 00-14-BF-74-6D-C3 STATUS_SUCCESS

Two-page samples of each of the three main troubleshooting and debugging trace files are included in Appendix D: Trace File examples:

  • OneX Trace file

  • Wlan Trace file

  • Msmsec Trace file

What to look for in wireless trace files

The two main things to look for in the wireless trace files are keywords and reason codes. The following two lists provide keyword and reason code examples:

Keywords

The types of keywords to look for are error, failed, failure, or rejected.

  • [2476] 12:51:42.130 Port(37): Received a failure indication from the local Eap dll with error code 0x80420105 and reason code 0x80420105

  • [2476] 12:51:42.130 Port(37): Eap error info contains winError=0x80420105, reasonCode=0x80420105, EapMethod(Type=25), rootCauseString=The

  • authentication failed because the user certificate required for this network was rejected by the server

  • [2476] 12:51:42.130 Port(37): The auth failed. Deleting all cached UI

  • [3796] 12:51:42.142 [Strings] RC=<1:The authentication failed because the user certificate required for this network was rejected by the

  • server>, ep=<1:Provide valid user credentials for this network connection

  • [1592] 10:51:00.840 [Strings] RC=<1:The authentication failed because there is a problem with the user account

  • [1136] 12:51:42.130 Port <37> Peer 00:18:39:5A:5F:01 AuthMgr Transition AUTHENTICATING (7) --> AUTH FAILED (10)

  • [1136] 12:51:42.130 Port<37> 05AF04F0 Complete Processing Event <MSMSEC_PORT_PRIVATE_EVENT_AUTH_ONEX_FAILURE>

Reason codes:
  • [2344] 10:35:03.812 INFO: Is Network Compatible = 0x00000000(false), Security Incompatible reason=262174

  • [2476] 12:51:42.142 Post Connect Security has FAILED with reason code: 327685

  • [1388] 10:50:38.342 SL: Profile = PEAP, reason code = 0

  • [3796] 12:51:42.142 SecNotif[Update:1] OneXAuthStatus=<4>, Reason=<327685>, dwError=<-2143158011>

  • [1388] 10:50:58.070 Post Connect Security has FAILED with reason code: 327686

  • [3796] 12:51:42.646 ACM: Connection failed. Interface = Broadcom 802.11g Network Adapter, reason code = 327685

  • [2332] 10:35:10.267 DiagnoseMsmSecCapabilityMatchFailure: WLAN_REASON_CODE_MSMSEC_CAPABILITY_PROFILE_AUTH

  • You can look up reason codes or #def names values in the tables in Appendix E: Mapping of reason codes to event messages to find their associated event message or friendly string.

Appendices

The following appendices are provided in this section:

Appendix A: Detailed EAP and PEAP-MS-CHAP v2 operations

Appendix B: Windows Vista DLLs and function descriptions

Appendix C: Using netsh wlan to manage tracing

Appendix D: Trace File examples

Appendix E: Mapping of reason codes to event messages

Appendix A: Detailed EAP and PEAP-MS-CHAP v2 operations

This section describes the detailed operations of EAP and Protected EAP (PEAP) MS-CHAPv2 authentication.

802.1X EAP authentication phases

This section provides information about the 802.1X EAP authentication phases.

With EAP, the specific authentication mechanism is not chosen during the association phases of the connection; instead, each peer negotiates to perform EAP during the connection authentication phase. When the connection authentication phase is reached, the peers negotiate the use of a specific EAP authentication scheme known as an EAP method or EAP type.

EAP over RADIUS is used in environments where RADIUS is the authentication provider. An advantage of using EAP over RADIUS is that EAP types do not need to be installed at each network access server (in the case of wireless, access points), only at the RADIUS server. However, the access server must support the negotiation of EAP as an authentication protocol and the passing of EAP messages to a RADIUS server. In a typical deployment of EAP over RADIUS, the wireless AP is configured to use EAP and to use RADIUS as its authentication provider. Because EAP is part of the IEEE 802.1X standard, you must enable IEEE 802.1X authentication to enable a wireless AP to use EAP.

EAP over RADIUS is not an EAP type; it is the passing of EAP messages of any EAP type by the access server to a RADIUS server for the purpose of authentication. An EAP message sent between the access client and access server is formatted as the EAP-Message RADIUS attribute and sent in a RADIUS message between the access server and the RADIUS server. The wireless AP becomes a pass–through device, passing the EAP message between the access (wireless) client and the RADIUS server. EAP messages are processed by the access client and the RADIUS server, not by the wireless AP.

PEAP-MS-CHAPv2 requires a certificate on each RADIUS server, but not on the wireless client. IAS servers must have a certificate installed in their Local Computer certificate store. Instead of deploying a PKI, you can purchase individual certificates from a non-Microsoft CA to install on your IAS servers. To ensure that wireless clients can validate the IAS server certificate chain, the root CA certificate of the CA that issues the IAS server certificates must be installed on each wireless client.

Windows XP, Windows Server 2003, and Windows Vista include the root CA certificates of many non-Microsoft CAs. If you purchase your IAS server certificates from a non-Microsoft CA for which your Windows clients do not include a corresponding root CA certificate, you must install the root CA certificate on each wireless client. If you purchase your IAS server certificates from a non-Microsoft CA that corresponds to an included root CA certificate, no additional wireless client configuration is required.

Part 1: Creating the TLS channel and authentication method negotiation

The following process creates the TLS channel:

  1. If the wireless AP observes a new wireless client associating with it, the wireless AP transmits an EAP-Request/Identity message to the wireless client. Alternatively, when a wireless client associates with a new wireless AP, it transmits an EAP-Start message. If the IEEE 802.1X process on the wireless AP receives an EAP-Start message from a wireless client, it transmits an EAP-Request/Identity message to the wireless client.

  2. The wireless client responds with an EAP-Response/Identity message that contains the identity (user name or computer name) of the wireless client.

  3. The EAP-Response/Identity message is sent by the wireless AP to the RADIUS server. From this point on, the logical communication occurs between the RADIUS server and the wireless client by using the wireless AP as a pass-through device.

  4. The RADIUS server sends and EAP request/Start PEAP message to the wireless client.

  5. The wireless client and the RADIUS server exchange a series of TLS messages through which the cipher suite for the TLS channel is negotiated and the RADIUS server sends a certificate chain to the wireless client for authentication.

At the end of PEAP negotiation:

  • The RADIUS server has authenticated itself to the wireless client.

  • Both the wireless client and RADIUS server have determined mutual encryption keys for the PEAP-TLS channel by using public key cryptography, not passwords.

  • All subsequent EAP messages sent between the wireless client and the RADIUS server are encrypted.

Part 2: PEAP-MS-CHAP-v2

This section examines the PEAP-MS-CHAPv2 operation of 802.1X authentication and authorization.

After the PEAP-TLS channel is created, PEAP-MS-CHAP-v2 performs the following steps to authenticate the wireless client, based on user name and password credentials:

  1. The RADIUS server sends an EAP-Request/Identity message.

  2. The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.

  3. The RADIUS server sends an EAP-Request/EAP-MS-CHAPv2 Challenge message that contains a challenge string.

  4. The wireless client responds with an EAP-Response/EAP-MS-CHAPv2 Response message that contains both the response to the RADIUS server challenge string and a challenge string for the RADIUS server.

  5. The RADIUS server verifies the client credentials against the user accounts database, and if a matching record is found, sends an EAP-Request/EAP-MS-CHAPv2 Success message. The EAP-Request/EAP-MS-CHAPv2 Success message indicates that the wireless client response is correct, and contains the response to the wireless client challenge string.

  6. The wireless client responds with an EAP-Response/EAP-MS-CHAPv2 Ack message, indicating that the RADIUS server response is correct.

  7. The RADIUS server sends an EAP-Success message.

At the end of this mutual authentication exchange:

  • The wireless client has provided proof of knowledge of the correct password (the response to the RADIUS server challenge string).

  • The RADIUS server has provided proof of knowledge of the correct password (the response to the wireless client challenge string).

  • The entire exchange has been encrypted through the TLS channel created in the first part of the PEAP authentication.

At this point, the 802.1X controlled port on the AP allows the wireless client’s traffic to traverse the controlled port. The client sends a DHCP "address request" through the 802.1X controlled port to the network. If a DHCP server responds, the client obtains an IP address. If configured, the Wireless Network (IEEE 802.11) Policies are applied or refreshed. Provided the client has the correct permissions, the client is able to access network resources.

Appendix B: Windows Vista DLLs and function descriptions

Main DLLs

wlanui.dll – WLAN UI implements the Windows Vista supplicant UI for creating and editing wireless profiles settings.

wlanapi.dll - Public API to interface with Auto Configuration Module (ACM).

wlansvc.dll – 802.11 AutoConfiguration service is the core service for Windows Vista. It is responsible for discovering, connecting, and disconnecting from wireless networks. It also handles passing the appropriate configuration information to the 802.11. Media Specific Module (MSM).

wlanmsm.dll – 802.11 Media Specific Module manages communication between Security Module, the IHV Security Manager and Native Wi-Fi and FAT (legacy) network drivers. It is the bridge between the media specific drivers is the interface between the It is also responsible for bridging associations.

Supporting DLLs

wlancfg.dll - Command Line Interface (CLI) provides all scripting and command line configuration functionality. For example, profile import and export functions, profile configuration manipulation, blocked lists export, etc, can all be displayed through the Netsh interface.

l2nacp.dll - Single Sign On (SSO) Manager is responsible for prompting for additional credentials and interacting with the Logon UI and the ACM. (l2na refers to layer 2 network authentication.)

wlangpui.dll – Group Policy UI implements the UI for wireless Group Policy settings.

wlangpclnt.dll – Group Policy Client is responsible for downloading the WLAN Group Policy object (GPO) settings from Active Directory and plumbing the settings to the ACM.

wlanhlp.dll – WLAN private API.

wlansec.dll – WLAN Security module manages communications with 802.1X Authentication Module and MFM. It is responsible for handling key exchanges, pre-authentication, and Pairwise Master Key caching.

onex.dll - 802.1X Authentication Module is responsible for managing the communication between the Security Module and the various EAP methods (native or other) through the EAPHost API.

wlanext.exe - IHV Security Manager interfaces to other IHV plug-ins for client connectivity and security settings. The application runs in its own separate process.

wlandlg.dll – Implements the interactive UI dialog boxes and notifications during the connection process, such as “Enter key here.”

Additional DLLs

The following DLLs are associated with the Windows Vista supplicant, but are outside the scope of this document.

  • wlanconn.dll

  • wlanhc.dll

  • wlaninst.dll

  • wlanmm.dll

  • wlanmmhc.dll

  • l2sechc.dll

Appendix C: Using netsh wlan to manage tracing

You can start tracing for Wireless LAN (Wireless AutoConfig and related components) by using Performance Monitor or the netsh wlan set tracing command. By default, wireless LAN tracing is enabled until it is manually stopped or the system is restarted. In some cases, you must enable tracing at startup so that you can troubleshoot and debug issues that might take place before user logs on. In other words, traces are needed when the wireless service starts at boot time before user logon and tracing, when enabled must persist after a system reboot.

When logging must resume when the computer is restarted, use the command-line interface to enable WLAN tracing at startup.

Using this command, WLAN tracing will start immediately and will continue even after the computer is restarted. When the system reboots, the tracing will start shortly after the WLAN AutoConfig service starts; any pre-existing wireless trace logs and files will be overwritten.

Wireless tracing detail

There are three subfolders in the wireless folder: Config, EventLog, and Traces.

In the wireless\config folder, there are three logs that contain information about the wireless environment:

Osinfo.txt – This log contains information about the operating system, such as SKU, whether the system is a single or multiprocessor computer, the versions of the wireless binaries, and whether the installation is a clean build or an upgrade.

Adapterinfo.txt – This log captures information about the network card driver, such as date, version, and provider. If multiple cards exist, the information will exist for all wireless interfaces.

Envinfo.txt – This is the most useful of the config logs. It contains all of the information about the wireless environment, including information about the type of driver (Native versus Fat), adapter capabilities, radio types supported, loaded profiles on the adapters, visible BSSIDs, and the computer certificate. Future versions will display the logged-on user’s certificate. All of the data in this log can be gathered individually by using the following show commands:

  • Show Drivers

  • Show Interfaces

  • Show settings

  • Show Filters

  • Show Profiles

  • Show networks

To set persistent WLAN tracing

  1. Click Start, and in Start Search, type cmd.

  2. In Programs, right-click the cmd icon and select Run as administrator to start command prompt with administrator credentials.

Note

To run the netsh wlan set tracing command, you must run cmd with elevated privileges.

  1. At the command prompt, type netsh wlan set tra persistent, and then press ENTER.

After running the command you will receive a message similar to the following:

Persistent wireless tracing has been enabled.

Trace logs will be stored in C:\Windows\tracing\wireless

Note

Tracing for WLAN remains on until stopped with the netsh wlan set tra no command.

The following procedure shows the steps used to collect wireless trace sets.

To collect wireless related trace sets

  1. Click Start, and in Start Search, type cmd.

  2. In Programs, right-click the cmd icon, and select Run as administrator to start command prompt with administrator credentials.

  3. At the command prompt, type netsh wlan set tra yes, and then press ENTER.

  4. Reproduce your WLAN problem or errant condition.

  5. In the command prompt, type netsh wlan set tra no, and then press ENTER to stop wireless tracing and create the tracing logs.

Appendix D: Trace File examples

The trace files that are generated by wireless diagnostics capture detailed information about connection processes. Because the connection process for 802.1X authenticated wireless access is complicated, the resulting logs can be quite lengthy. Accordingly, the example trace files in this appendix have had sections of text removed to limit the length of each example to about two pages. The string "+++++++Text Removed+++++++" is used to indicate locations where text was removed from the original trace file.

OneX Trace file

Wlan Trace file

Msmsec Trace file

OneX Trace file

[1176] 10:50:39.034 OneXCreateSupplicantPort
[1176] 10:50:39.037 Port(9): Setting the quarantine state to 0
[1176] 10:50:39.037 Port(9): Setting the Eap method backend support to 
BackendSupportUnknown
[1176] 10:50:39.037 Port(9): EapEndSession called for eap type 0
[1176] 10:50:39.037 Port(9): Setting a 1x profile of size 206
[1176] 10:50:39.037 Port(9): Resetting the fProfileChanged flag
[1176] 10:50:39.037 Port(9): Resetting the fDiscoveryLocalUser flag
[1176] 10:50:39.037 Finished initializing a new port with id = 9 and 
friendly name = Broadcom 802.11g Network Adapter
[3784] 10:50:39.037 OneXUpdatePortProfile
[3784] 10:50:39.040 Port(9): Update port profile called with profile of 
size 206
[3784] 10:50:39.040 OneXSetRuntimeState
[3784] 10:50:39.040 OneXStartAuthentication
[1388] 10:50:39.041 Port(9): ProcessOneXEvent: Event [ConfigChanged]
[1388] 10:50:39.041 Port(9): Start processing local event: 
(PAEConfigChanged)
[1388] 10:50:39.041 Port(9): Processing local event complete: 
(PAEConfigChanged)
[1388] 10:50:39.041 Port(9): Draining the event queue (SupplicantQueue)
[1388] 10:50:39.041 Port(9): Processing global event complete: 
(ConfigChanged)
[1388] 10:50:39.041 Port(9): ProcessOneXEvent: Event [SetRuntimeState]
[1388] 10:50:39.041 Port(9): Start processing local event: 
(PAESetRuntimeState)
[1388] 10:50:39.041 Port(9): Set runtime state containing a user token
[1388] 10:50:39.041 Port(9): Processing local event complete: 
(PAESetRuntimeState)
[1388] 10:50:39.041 Port(9): Draining the event queue (SupplicantQueue)
[1388] 10:50:39.041 Port(9): Processing global event complete: 
(SetRuntimeState)
[1388] 10:50:39.041 Port(9): ProcessOneXEvent: Event [StartAuth]
[1388] 10:50:39.041 Port(9): Start processing local event: 
(PAEStartAuth)
[1388] 10:50:39.041 Port(9): Starting a new 802.1X authentication (MSM 
initiated)
[1388] 10:50:39.041 Port(9): StateSpaeAuthNotStarted ----> 
StateSpaeStartAuth
[1388] 10:50:39.041 Port(9): Sending notification = (ResultUpdate) to 
MSM
[1388] 10:50:39.041 Port(9): Updating MSM with OneX Result
[1388] 10:50:39.041 Port(9): Processing local event complete: 
(PAEStartAuth)
[1388] 10:50:39.041 Port(9): Start processing local event: 
(BackendStartBackend)
[1388] 10:50:39.041 Port(9): StateSBackendNotStarted ----> 
StateSBackendDeactivated
[1388] 10:50:39.041 Port(9): Processing local event complete: 
(BackendStartBackend)
[1388] 10:50:39.041 Port(9): Start processing local event: (PAEUCT)
[1388] 10:50:39.041 Port(9): A user token has been specified to be 
used. Proposing user auth
[1388] 10:50:39.041 Port(9): Identified OneX credentials. Using User 
Auth
[4092] 10:50:39.041 OneXIndicatePacket
[1388] 10:50:39.042 Port(9): User name = GPAdmin, domain name = EXAMPLE
[1388] 10:50:39.042 Port(9): 802.1X user identified. auth identity = 
User Auth, sessionId = 1, username=GPAdmin, domain=EXAMPLE
[1388] 10:50:39.042 Port(9): StateSpaeStartAuth ----> 
StateSpaeInitialize
+++++++Text Removed+++++++
[1388] 10:50:54.057 Port(9): Sending notification = (AuthRestarted) to 
MSM
[1388] 10:50:54.057 Port(9): Sending OneX packet of size 5 to MSM
[1388] 10:50:54.057 Port(9): Sent an Eapol start packet
+++++++Text Removed+++++++
[3712] 10:50:59.997 Port(10): Eap error info contains 
winError=0x40420110, reasonCode=0x40420110, EapMethod(Type=0), rootCauseString=The authentication failed because there is a problem 
with the user account
+++++++Text Removed+++++++

Wlan Trace file

[400] 10:50:34.229 Could not find the interface using the given GUID, 
error 87.
[400] 10:50:34.418 Could not find the interface using the given GUID, 
error 87.
[2276] 10:50:35.916 Could not find the interface using the given GUID, 
error 87.
[400] 10:50:35.933 ACM: bypass access validation, because radio state 
is accessed from console session 1.
[400] 10:50:35.934 Refresh Scan Results
[400] 10:50:35.934 Number of Unique Networks: 5
[400] 10:50:35.934 ACM: network is not permitted.
[400] 10:50:35.934 Network WSUA-EAP (1) is not permitted by the network 
filters.
[400] 10:50:35.934 =============================  Diag Event 
=============================
[400] 10:50:35.934 --> Fn
[400] 10:50:35.935 ***** Event[004D7DB8:00000000]: [ACM: Scan RESULT 
(MSM) = 7] --> <0> pIntf=<004D6898> *****
[400] 10:50:35.935 --> Fn
[400] 10:50:35.935 WDiagProcessAcmScanResult[MSM]:  <5> MSM 
ScannedSsids
[400] 10:50:35.935 [1]  3*<WIR_TST_Lab>, Status=<1:0>, BSS=<1>, 
Phy=<6>, Priv:Auth:Ciph:Cap=<1:6:4:12582912>
[400] 10:50:35.935 [2]  2*<linksys>, Status=<1:0>, BSS=<1>, 
Phy=<6>, Priv:Auth:Ciph:Cap=<0:1:0:0>
[400] 10:50:35.935 [3]  24*<TSTWLAN>, Status=<1:0>, BSS=<1>, 
Phy=<6>, Priv:Auth:Ciph:Cap=<1:1:257:0>
[400] 10:50:35.935 [4]  26*<TSTGUEST>, Status=<1:0>, BSS=<1>, 
Phy=<6>, Priv:Auth:Ciph:Cap=<0:1:0:0>
[400] 10:50:35.935 [5]  3*<WSUA-EAP>, Status=<0:163843>, BSS=<1>, 
Phy=<6>, Priv:Auth:Ciph:Cap=<1:1:257:0>
[400] 10:50:35.935 --> Fn
+++++++Text Removed+++++++
[2276] 10:50:38.330 INFO: Is Network Compatible = 0x00000001(true), 
Security Incompatible reason=0
[2276] 10:50:38.331 INFO: Profile is Compatible: 0x00000001(true) with 
Reason: 0
[2276] 10:50:38.341 ACM: clean runtime info. Flags = 4294967295, 
conervatively unblock = 0
[2276] 10:50:38.341 ACM: Profile PEAP is unfailed.
[2276] 10:50:38.341 ACM: All SSIDs in the profile.
[2276] 10:50:38.341 ACM: Profile PEAP is unblocked.
[2276] 10:50:38.341 ACM: All SSIDs in the profile.
[2276] 10:50:38.341 ACM: got connection request, mode = 0, flags = 0, 
profile name = PEAP, session = 1.
[1388] 10:50:38.341 ST: current state = Failed, trigger = Manually 
connect (Command), next state = Manual connect (Manual Connect).
[1388] 10:50:38.341 =============================  Diag Event 
=============================
+++++++Text Removed+++++++
[1388] 10:50:38.344 [0000000C --> 36] ==> Connecting to <PEAP->WIR_TST_Lab>, bIsDisc:dwDiscIndex=<0:0>
+++++++Text Removed+++++++
[4092] 10:50:39.047 INFO: Received 802.11 PACKET
[4092] 10:50:39.051 =============================  Diag Event 
=============================
+++++++Text Removed+++++++
[1388] 10:50:58.070 Post Connect Security has FAILED with reason code: 
327686
[1388] 10:50:58.070 INFO: FSM Current state Authenticating[4], event 
Post_Security_Failure[16]
+++++++Text Removed+++++++
[1388] 10:50:58.070 Found PortSessionId 10, security session 00010001
[3896] 10:50:58.586 WDiagConnectCompletion:  Result=<50006>, ReasonCode=<50006>, Dot11Status=<0>, Sec Packets Rx : Tx = <2 : 4>
[3896] 10:50:58.586 *** Authentication FAILed <50006>,
+++++++Text Removed+++++++
[3896] 10:51:00.003 [Strings] RC=<1:The authentication failed 
because there is a problem with the user account
>, Rep=<1:Contact your network administrator for further assistance
>
+++++++Test Removed+++++++

Msmsec Trace file

 [1388] 10:50:38.345 Received StopSecurity on Adapter 004E67A8 
00:14:BF:74:6D:C3
[1388] 10:50:38.345 Invalid state 1 for action 3
[1388] 10:50:38.345 SecMgrStopSecurity failed, Error 5023
[3784] 10:50:38.346 Adapter<1> MSM Connect notification, Network 
"WIR_TST_Lab", hMSMSec 004E67A8, Completion context 0000000C
[3784] 10:50:38.346 Adapter<1> Received PreAssociateSecurity on Adapter 
004E67A8 00:14:BF:74:6D:C3
[3784] 10:50:38.346 Infrastructure Auth WPA2-Enterprise (6), Cipher AES 
(4), OneX Enabled
[3784] 10:50:38.346 EAP Type 25, Vendor ID 0, Vendor Type 0, Author ID 
0
[3784] 10:50:38.346 Creating connect profile
[3784] 10:50:38.346 PMK Cache <<ENABLED>>
[3784] 10:50:38.346 PreAuth not enabled in profile
[3784] 10:50:38.346 PreAuth: Not enabled.
[3784] 10:50:38.346 MSM Connect Completion context: Old 00000000, New 
0000000C
[3784] 10:50:38.346 Adapter<1> Set notification session to 0000000C, 
old 00000000
[3784] 10:50:38.346 Adapter<1> 00:14:BF:74:6D:C3 Transition INITIALIZED 
(1) --> PROCESSING_PREASSOCIATE (2)
[3784] 10:50:38.346 Performing Action PreAssociate Completion (2) on 
Adapter 004E67A8 00:14:BF:74:6D:C3
[3784] 10:50:38.346 Adapter<1> PreAssociate completion on Adapter 
004E67A8 00:14:BF:74:6D:C3
[3784] 10:50:38.346 Setting Auth Algo WPA2-Enterprise (6)
[3784] 10:50:38.346 Setting Ucast Cipher Algo AES (4)
[3784] 10:50:38.346 Set privacy 1
[3784] 10:50:38.346 Set exclude unencrypted 1
[3784] 10:50:38.346 Profile does not require static keys
[3784] 10:50:38.346 Exempt ethertype 8e88
[3784] 10:50:38.346 Register ethertype 8e88
[3784] 10:50:38.346 Ethertype exemption/registration completed
[3784] 10:50:38.346 Adapter<1> 00:14:BF:74:6D:C3 Transition 
PROCESSING_PREASSOCIATE (2) --> PREASSOCIATE_DONE (3)
[3784] 10:50:38.346 Sending notification (SRC Security 0x2 : Code 
0x10001) to MSM for session 0000000C, Data size 32
[3784] 10:50:38.346 Adapter<1> Connect Completion, Status Success (0, 
0), MSM Handle 004D7DB8, Context 0000000C
[1176] 10:50:39.037 Adapter<1> MSM Port up notification, hMSMSec 
004E67A8, MSM context 00010001
[1176] 10:50:39.037 Adapter<1> Port up for peer 00:18:39:5A:5F:01
+++++++Text Removed+++++++
[3784] 10:50:39.041 Port<10> 02F74528 Start Processing Event 
<MSMSEC_PORT_PRIVATE_EVENT_SEC_ACTIVATE>
[3784] 10:50:39.041 RSN IE transmitted, but no PMKIDs, checking for 
Fast roam anyway
[3784] 10:50:39.041 Can't do fast roaming when PMK Cache is not valid
[3784] 10:50:39.041 PMKID didn't match or no auth params/PMK available
[3784] 10:50:39.041 FAST ROAMING is Disabled
+++++++Removed Text+++++++
[3784] 10:50:39.041 Port<10> Peer 00:18:39:5A:5F:01 SecMgr Transition 
ACTIVE (2) --> START AUTH (3)
[3784] 10:50:39.041 Port<10> 02F74528 Complete Processing Event 
<MSMSEC_PORT_PRIVATE_EVENT_SEC_PMK_NOT_SENT>
[3784] 10:50:39.041 Port<10> 02F74528 Start Processing Event 
<MSMSEC_PORT_PRIVATE_EVENT_AUTH_ACTIVATE_UNAUTHENTICATED>
[1176] 10:50:39.041 Sending notification (SRC Security 0x2 : Code 
0x10002) to MSM for session 0000000C, Data size 368
[3784] 10:50:39.044 Port<10> Queued Event (MSMSEC_PORT_PRIVATE_EVENT_AUTH_UCT) in port (0x02F74528) queue (Port 
Private Queue)
[3784] 10:50:39.044 Port <10> Peer 00:18:39:5A:5F:01 AuthMgr Transition 
ENABLED (3) --> START AUTH (6)
[3784] 10:50:39.044 Port<10> 02F74528 Complete Processing Event 
<MSMSEC_PORT_PRIVATE_EVENT_AUTH_ACTIVATE_UNAUTHENTICATED>
[1176] 10:50:39.044 Adapter<1> Receive packet, hMSMSec 004E67A8
[3784] 10:50:39.044 Port<10> 02F74528 Start Processing Event 
<MSMSEC_PORT_PRIVATE_EVENT_SEC_UCT>
[1176] 10:50:39.044 Adapter<1> Rx from 00:18:39:5A:5F:01, Ethertype 
0X8E88, size 9
[3784] 10:50:39.044 Port<10> Peer 00:18:39:5A:5F:01 SecMgr Transition 
START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+++++++Removed Text+++++++
[1388] 10:50:58.070 Port<10> 1x Update result callback
[1388] 10:50:58.070 Port<10> Explicit failure from 802.1X, (Reason 
50006, Error 0)
[1388] 10:50:58.070 Port<10> Queued Event (MSMSEC_PORT_PUBLIC_EVENT_AUTH_ONEX_FAILURE) in port (0x02F74528) queue 
(Port Public Queue)
+++++++Text Removed+++++++
[3712] 10:51:00.522 Adapter<1> Reset notification session
[3712] 10:51:00.522 Adapter<1> 00:14:BF:74:6D:C3 Transition 
STOPPING_SECURITY (4) --> INITIALIZED (1)
[3712] 10:51:00.522 Adapter<1> MSM Disconnect notification, hMSMSec 
004E67A8
[3712] 10:51:00.522 Invalidating cache when cache is not valid!
[3712] 10:51:00.522 PMK Cache <<INVALID>>

Appendix E: Mapping of reason codes to event messages

  • 0

  • 131073 - 131074

  • 151553 - 151566

  • 163841 - 163854

  • 196609 - 196613

  • 217088 - 217105

  • 229377 - 229394

  • 262145 - 262178

  • 282624 - 282645

  • 327681 - 327696

  • 524289 - 524309

  • 65537

0
REASON_CODE Value #def name Event Message Friendly String

0

WLAN_REASON_CODE_

SUCCESS

The operation succeeds.

131073 - 131074
REASON_CODE Value #def name Event Message Friendly String

131073

WLAN_REASON_CODE_

NETWORK_NOT_COMPATIBLE

The wireless network is not compatible.

131074

WLAN_REASON_CODE_

PROFILE_NOT_COMPATIBLE

The profile for the wireless network is not compatible.

151553 - 151566
REASON_CODE Value #def name Event Message Friendly String

151553

WLAN_REASON_CODE_

NO_AUTO_CONNECTION

The profile specifies no auto connection.

151554

WLAN_REASON_CODE_

NOT_VISIBLE

The wireless network is not visible.

151555

WLAN_REASON_CODE_

GP_DENIED

The wireless network is blocked by group policy.

151556

WLAN_REASON_CODE_

USER_DENIED

The wireless network is blocked by the user.

151557

WLAN_REASON_CODE_

BSS_TYPE_NOT_ALLOWED

The basic service set (BSS) type is not allowed on this wireless adapter.

151558

WLAN_REASON_CODE_

IN_FAILED_LIST

The wireless network is in the failed list.

151559

WLAN_REASON_CODE_

IN_BLOCKED_LIST

The wireless network is in the blocked list.

151560

WLAN_REASON_CODE_

SSID_LIST_TOO_LONG

The size of the service set identifiers (SSID) list exceeds the maximum size supported by the adapter.

151561

WLAN_REASON_CODE_

CONNECT_CALL_FAIL

The Media Specific Module (MSM) connect call fails.

151562

WLAN_REASON_CODE_

SCAN_CALL_FAIL

The MSM scan call fails.

151563

WLAN_REASON_CODE_

NETWORK_NOT_AVAILABLE

The specified network is not available.

151564

WLAN_REASON_CODE_

PROFILE_CHANGED_OR_

DELETED

The profile was changed or deleted before the connection was established.

151565

WLAN_REASON_CODE_

KEY_MISMATCH

The profile key does not match the network key.

151566

WLAN_REASON_CODE_

USER_NOT_RESPOND

The user is not responding.

163841 - 163854
REASON_CODE Value #def name Event Message Friendly String

163841

WLAN_REASON_CODE_

NO_AUTO_CONNECTION

The profile specifies no auto connection.

163842

WLAN_REASON_CODE_

NOT_VISIBLE

The wireless network is not visible.

163843

WLAN_REASON_CODE_

GP_DENIED

The wireless network is blocked by the group policy.

163844

WLAN_REASON_CODE_

USER_DENIED

The wireless network is blocked by the user.

163845

WLAN_REASON_CODE_

BSS_TYPE_NOT_ALLOWED

The BSS type is not allowed on this wireless adapter.

163846

WLAN_REASON_CODE_

IN_FAILED_LIST

The wireless network is in the failed list.

163847

WLAN_REASON_CODE_

IN_BLOCKED_LIST

The wireless network is in the blocked list.

163848

WLAN_REASON_CODE_

SSID_LIST_TOO_LONG

The size of the SSID list exceeds the maximum size supported by the adapter.

163849

WLAN_REASON_CODE_

CONNECT_CALL_FAIL

The MSM connect call failed.

163850

WLAN_REASON_CODE_

SCAN_CALL_FAIL

The MSM scan call failed.

163851

WLAN_REASON_CODE_

NETWORK_NOT_AVAILABLE

The specific network is not available.

163852

WLAN_REASON_CODE_

PROFILE_CHANGED_

OR_DELETED

The profile used for the connection is changed or deleted.

163853

WLAN_REASON_CODE_

KEY_MISMATCH

The password is probably not correct for the network.

163854

WLAN_REASON_CODE_

USER_NOT_RESPOND

User did not provide information needed for the connection.

196609 - 196613
REASON_CODE Value #def name Event Message Friendly String

196609

WLAN_REASON_CODE_

UNSUPPORTED_SECURITY_

SET_BY_OS

The security settings are not supported by the operating system.

196610

WLAN_REASON_CODE_

UNSUPPORTED_SECURITY_

SET

The security settings are not supported.

196611

WLAN_REASON_CODE_

BSS_TYPE_UNMATCH

The BSS type does not match.

196612

WLAN_REASON_CODE_

PHY_TYPE_UNMATCH

The PHY type does not match.

196613

WLAN_REASON_CODE_

DATARATE_UNMATCH

The data rate does not match.

217088 - 217105
REASON_CODE Value #def name Event Message Friendly String

217088

WLAN_REASON_CODE_

USER_CANCELLED

User has cancelled the operation.

217089

WLAN_REASON_CODE_

ASSOCIATION_FAILURE

Driver disconnected while associating.

217090

WLAN_REASON_CODE_

ASSOCIATION_TIMEOUT

Association timed out.

217091

WLAN_REASON_CODE_

PRE_SECURITY_FAILURE

Pre-association security failure.

217092

WLAN_REASON_CODE_

START_SECURITY_FAILURE

Failed to start security after association.

217093

WLAN_REASON_CODE_

SECURITY_FAILURE

Security ends up with failure.

217094

WLAN_REASON_CODE_

SECURITY_TIMEOUT

Security operation times out.

217095

WLAN_REASON_CODE_

ROAMING_FAILURE

Driver disconnected while roaming.

217096

WLAN_REASON_CODE_

ROAMING_SECURITY_

FAILURE

Failed to start security for roaming.

217097

WLAN_REASON_CODE_

ADHOC_SECURITY_FAILURE

Failed to start security for ad hoc peer.

217098

WLAN_REASON_CODE_

DRIVER_DISCONNECTED

Driver disconnected.

217099

WLAN_REASON_CODE_

DRIVER_OPERATION_

FAILURE

Driver failed to perform some operations.

217100

WLAN_REASON_CODE_

IHV_NOT_AVAILABLE

The IHV service is not available.

217101

WLAN_REASON_CODE_

IHV_NOT_RESPONDING

The response from the IHV service timed out.

217102

WLAN_REASON_CODE_

DISCONNECT_TIMEOUT

Timed out waiting for the driver to disconnect.

217103

WLAN_REASON_CODE_

INTERNAL_FAILURE

An internal error prevented the operation from being completed.

217104

WLAN_REASON_CODE_

UI_REQUEST_TIMEOUT

A user interface request timed out.

217105

WLAN_REASON_CODE_

TOO_MANY_SECURITY_

ATTEMPTS

Roaming too often. Post security was not completed after 5 attempts.

229377 - 229394
REASON_CODE Value #def name Event Message Friendly String

229377

WLAN_REASON_CODE_

USER_CANCELLED

User has cancelled the operation.

229378

WLAN_REASON_CODE_

ASSOCIATION_FAILURE

Driver disconnected while associating.

229379

WLAN_REASON_CODE_

ASSOCIATION_TIMEOUT

Association times out.

229380

WLAN_REASON_CODE_

PRE_SECURITY_FAILURE

Pre-association security failed.

229381

WLAN_REASON_CODE_

START_SECURITY_FAILURE

Failed to start security after association.

229382

WLAN_REASON_CODE_

SECURITY_FAILURE

Security ends up with failure.

229383

WLAN_REASON_CODE_

SECURITY_TIMEOUT

Security operation times out.

229384

WLAN_REASON_CODE_

ROAMING_FAILURE

Driver disconnected while roaming.

229385

WLAN_REASON_CODE_

ROAMING_SECURITY_

FAILURE

Failed to start security for roaming.

229386

WLAN_REASON_CODE_

ADHOC_SECURITY_FAILURE

Failed to start security for Adhoc peer.

229387

WLAN_REASON_CODE_

DRIVER_DISCONNECTED

Driver disconnected.

229388

WLAN_REASON_CODE_

DRIVER_OPERATION_

FAILURE

Driver failed to perform some operations.

229389

WLAN_REASON_CODE_

IHV_NOT_AVAILABLE

The IHV service is not available.

229390

WLAN_REASON_CODE_

IHV_NOT_RESPONDING

IHV service timed out.

229391

WLAN_REASON_CODE_

DISCONNECT_TIMEOUT

Driver disconnect timed out.

229392

WLAN_REASON_CODE_

INTERNAL_FAILURE

Internal failure prevented the operation from completing.

229393

WLAN_REASON_CODE_

UI_REQUEST_TIMEOUT

UI request timed out.

229394

WLAN_REASON_CODE_

TOO_MANY_SECURITY_

ATTEMPTS

Roaming too often, security is not completed after several attempts.

262145 - 262178
REASON_CODE Value #def name Event Message Friendly String

262145

WLAN_REASON_CODE_

MSMSEC_PROFILE_

INVALID_KEY_INDEX

Key index specified is not valid.

262146

WLAN_REASON_CODE_

MSMSEC_PROFILE_

PSK_PRESENT

Key required, PSK present.

262147

WLAN_REASON_CODE_

MSMSEC_PROFILE_KEY_

LENGTH

Invalid key length.

262148

WLAN_REASON_CODE_

MSMSEC_PROFILE_

PSK_LENGTH

Invalid PSK length.

262149

WLAN_REASON_CODE_

MSMSEC_PROFILE_NO_

AUTH_CIPHER_SPECIFIED

No auth/cipher pairs specified.

262150

WLAN_REASON_CODE_

MSMSEC_PROFILE_TOO_

MANY_AUTH_CIPHER_

SPECIFIED

Too many auth/cipher pairs specified.

262151

WLAN_REASON_CODE_

MSMSEC_PROFILE_

DUPLICATE_AUTH_

CIPHER

Profile contains duplicate auth/cipher pair.

262152

WLAN_REASON_CODE_

MSMSEC_PROFILE_

RAWDATA_INVALID

Profile raw data is invalid.

262153

WLAN_REASON_CODE_

MSMSEC_PROFILE_INVALID

_AUTH_CIPHER

Invalid auth/cipher combination.

262154

WLAN_REASON_CODE_

MSMSEC_PROFILE_

ONEX_DISABLED

802.1X disabled when it is required to be enabled.

262155

WLAN_REASON_CODE_

MSMSEC_PROFILE_ONEX_

ENABLED

802.1X enabled when it is required to be disabled.

262156

WLAN_REASON_CODE_

MSMSEC_PROFILE_INVALID_

PMKCACHE_MODE

Invalid PMK cache mode.

262157

WLAN_REASON_CODE_

MSMSEC_PROFILE_

INVALID_PMKCACHE_SIZE

Invalid PMK cache size.

262158

WLAN_REASON_CODE_

MSMSEC_PROFILE_

INVALID_PMKCACHE_TTL

Invalid PMK cache TTL.

262159

WLAN_REASON_CODE_

MSMSEC_PROFILE_INVALID_

PREAUTH_MODE

Invalid preauth mode.

262160

WLAN_REASON_CODE_

MSMSEC_PROFILE_INVALID_

PREAUTH_THROTTLE

Invalid preauth throttle.

262161

WLAN_REASON_CODE_

MSMSEC_PROFILE_

PREAUTH_ONLY_ENABLED

Preauth enabled when PMK cache is disabled.

262162

WLAN_REASON_CODE_

MSMSEC_CAPABILITY_

NETWORK

Capability matching failed at network.

262163

WLAN_REASON_CODE_

MSMSEC_CAPABILITY_NIC

Capability matching failed at NIC.

262164

WLAN_REASON_CODE_

MSMSEC_CAPABILITY_

PROFILE

Capability matching failed at profile.

262165

WLAN_REASON_CODE_

MSMSEC_CAPABILITY_

DISCOVERY

Network does not support specified capability type.

262166

WLAN_REASON_CODE_

MSMSEC_PROFILE_

PASSPHRASE_CHAR

Passphrase contains invalid character.

262167

WLAN_REASON_CODE_

MSMSEC_PROFILE_

KEYMATERIAL_CHAR

Key material contains invalid character.

262168

WLAN_REASON_CODE_

MSMSEC_PROFILE_

WRONG_KEYTYPE

The key type specified does not match the key material.

262169

WLAN_REASON_CODE_

MSMSEC_MIXED_CELL

A mixed cell is suspected. The AP is not signalling that it is compatible with a privacy-enabled profile.

262170

WLAN_REASON_CODE_

MSMSEC_PROFILE_AUTH_

TIMERS_INVALID

The number of authentication timers or the number of timeouts specified in the profile is invalid.

262171

WLAN_REASON_CODE_

MSMSEC_PROFILE_INVALID_

GKEY_INTV

The group key update interval specified in the profile is invalid.

262172

WLAN_REASON_CODE_

MSMSEC_TRANSITION_

NETWORK

A "transition network" is suspected. Legacy 802.11 security is used for the next authentication attempt.

262173

WLAN_REASON_CODE_

MSMSEC_PROFILE_KEY_

UNMAPPED_CHAR

The key contains characters that are not in the ASCII character set.

262174

WLAN_REASON_CODE_

MSMSEC_CAPABILITY_

PROFILE_AUTH

Capability matching failed because the profile does not contain an authentication method.

262175

WLAN_REASON_CODE_

MSMSEC_CAPABILITY_

PROFILE_CIPHER

Capability matching failed because the profile does not contain a cipher algorithm.

262176

WLAN_REASON_CODE_

MSMSEC_PROFILE_

SAFE_MODE

FIPS 140-2 mode value is invalid

262177

WLAN_REASON_CODE_

MSMSEC_CAPABILITY_

PROFILE_SAFE_MODE_NIC

Profile requires FIPS 140-2 mode, not supported by NIC

262178

WLAN_REASON_CODE_

MSMSEC_CAPABILITY_

PROFILE_SAFE_MODE_NW

Profile requires FIPS 140-2 mode, not supported by network

282624 - 282645
REASON_CODE Value #def name Event Message Friendly String

282624

WLAN_REASON_CODE_

MSMSEC_UI_REQUEST_

FAILURE

Failed to queue the UI request.

282625

WLAN_REASON_CODE_

MSMSEC_AUTH_START_

TIMEOUT

802.1X authentication did not start within configured time.

282626

WLAN_REASON_CODE_

MSMSEC_AUTH_SUCCESS_

TIMEOUT

802.1X authentication did not complete within configured time.

282627

WLAN_REASON_CODE_

MSMSEC_KEY_START_

TIMEOUT

Dynamic key exchange did not start within configured time.

282628

WLAN_REASON_CODE_

MSMSEC_KEY_SUCCESS_

TIMEOUT

Dynamic key exchange did not complete within configured time.

282629

WLAN_REASON_CODE_

MSMSEC_M3_MISSING_KEY_DATA

Message 3 of 4-way handshake has no key data.

282630

WLAN_REASON_CODE_

MSMSEC_M3_MISSING_IE

Message 3 of 4-way handshake has no IE.

282631

WLAN_REASON_CODE_

MSMSEC_M3_MISSING_

GRP_KEY

Message 3 of 4-way handshake has no GRP key.

282632

WLAN_REASON_CODE_

MSMSEC_PR_IE_MATCHING

Matching security capabilities of IE in M3 failed.

282633

WLAN_REASON_CODE_

MSMSEC_SEC_IE_MATCHING

Matching security capabilities of secondary IE in M3 failed.

282634

WLAN_REASON_CODE_

MSMSEC_NO_PAIRWISE_KEY

Required a pairwise key but access point (AP) configured only group keys.

282635

WLAN_REASON_CODE_

MSMSEC_G1_MISSING_

KEY_DATA

Message 1 of group key handshake has no key data.

282636

WLAN_REASON_CODE_

MSMSEC_G1_MISSING_

GRP_KEY

Message 1 of group key handshake has no group key.

282637

WLAN_REASON_CODE_

MSMSEC_PEER_INDICATED_

INSECURE

AP reset secure bit after connection was secured.

282638

WLAN_REASON_CODE_

MSMSEC_NO_

AUTHENTICATOR

802.1X indicated that there is no authenticator, but the profile requires one.

282639

WLAN_REASON_CODE_

MSMSEC_NIC_FAILURE

Plumbing settings to NIC failed.

282640

WLAN_REASON_CODE_

MSMSEC_CANCELLED

Operation was cancelled by a caller.

282641

WLAN_REASON_CODE_

MSMSEC_KEY_FORMAT

Entered key format is not in a valid format.

282642

WLAN_REASON_CODE_

MSMSEC_DOWNGRADE_

DETECTED

A security downgrade was detected.

282643

WLAN_REASON_CODE_

MSMSEC_PSK_MISMATCH_

SUSPECTED

A PSK mismatch is suspected.

282644

WLAN_REASON_CODE_

MSMSEC_FORCED_FAILURE

There was a forced failure because the connection method was not secure.

282645

WLAN_REASON_CODE_

MSMSEC_SECURITY_UI_

FAILURE

The security UI request failed because the request could not be queued or because the user cancelled the request.

327681 - 327696
REASON_CODE Value #def name Event Message Friendly String

327681

ONEX_UNABLE_TO_

IDENTIFY_USER

Unable to identify a user for 802.1X authentication

327682

ONEX_IDENTITY_

NOT_FOUND

Unable to get the identity information for 802.1X authentication

327683

ONEX_UI_DISABLED

UI is required for the authentication but UI has been disabled for this 1X port

327684

ONEX_UI_FAILURE

UI is required for the authentication but the UI operation failed

327685

ONEX_EAP_FAILURE_

RECEIVED

Explicit Eap failure received

327686

ONEX_AUTHENTICATOR_

NO_LONGER_PRESENT

The authenticator is no longer present

327687

ONEX_NO_RESPONSE_

TO_IDENTITY

There was no response to the EAP Response Identity packet

327688

ONEX_PROFILE_VERSION_

NOT_SUPPORTED

The version of the profile is not supported

327689

ONEX_PROFILE_INVALID_

LENGTH

The profile has an invalid length field

327690

ONEX_PROFILE_

DISALLOWED_EAP_TYPE

The Eap type in the profile is not allowed for the media

327691

ONEX_PROFILE_INVALID_

EAP_TYPE_OR_FLAG

The Eap type in the profile is not valid

327692

ONEX_PROFILE_INVALID_

ONEX_FLAGS

The onex flags in the profile are invalid

327693

ONEX_PROFILE_INVALID_

TIMER_VALUE

The profile has an invalid timer value

327694

ONEX_PROFILE_INVALID_

SUPPLICANT_MODE

The supplicant mode specified in the profile is invalid

327695

ONEX_PROFILE_INVALID_

AUTH_MODE

The auth mode specified in the profile is invalid

327696

ONEX_PROFILE_INVALID_

EAP_CONNECTION_

PROPERTIES

The eap connection properties specified in the profile are invalid

524289 - 524309
REASON_CODE Value #def name Event Message Friendly String

524289

WLAN_REASON_CODE_

INVALID_PROFILE_SCHEMA

The profile is invalid according to the schema.

524290

WLAN_REASON_CODE_

PROFILE_MISSING

The WLAN profile element is missing.

524291

WLAN_REASON_CODE_

INVALID_PROFILE_NAME

The name of the profile is invalid.

524292

WLAN_REASON_CODE_

INVALID_PROFILE_TYPE

The type of the profile is invalid.

524293

WLAN_REASON_CODE_

INVALID_PHY_TYPE

The PHY type is invalid.

524294

WLAN_REASON_CODE_

MSM_SECURITY_MISSING

The MSM security settings are missing.

524295

WLAN_REASON_CODE_

IHV_SECURITY_NOT_

SUPPORTED

The IHV security settings are not supported.

524296

WLAN_REASON_CODE_

IHV_OUI_MISMATCH

The IHV profile OUI did not match with the adapter OUI.

524297

WLAN_REASON_CODE_

IHV_OUI_MISSING

The IHV OUI settings are missing.

524298

WLAN_REASON_CODE_

IHV_SETTINGS_MISSING

The IHV security settings are missing.

524299

WLAN_REASON_CODE_

CONFLICT_SECURITY

The security settings conflict.

524300

WLAN_REASON_CODE_

SECURITY_MISSING

The security settings are missing.

524301

WLAN_REASON_CODE_

INVALID_BSS_TYPE

BSS type is not valid.

524302

WLAN_REASON_CODE_

INVALID_ADHOC_

CONNECTION_MODE

Automatic connection cannot be set for an ad hoc network.

524303

WLAN_REASON_CODE_

NON_BROADCAST_SET_

FOR_ADHOC

Non-broadcast cannot be set for an ad hoc network.

524304

WLAN_REASON_CODE_

AUTO_SWITCH_SET_FOR_ADHOC

Auto-switch cannot be set for an ad hoc network.

524305

WLAN_REASON_CODE_

AUTO_SWITCH_SET_

FOR_MANUAL_CONNECTION

Auto-switch cannot be set for a manual connection profile.

524306

WLAN_REASON_CODE_

IHV_SECURITY_ONEX_MISSING

1X setting is missing for IHV security.

524307

WLAN_REASON_CODE_

PROFILE_SSID_INVALID

The SSID in the profile is invalid or missing.

524308

WLAN_REASON_CODE_

TOO_MANY_SSID

Too many SSIDs specified in the profile.

524309

WLAN_REASON_CODE_

IHV_CONNECTIVITY_

NOT_SUPPORTED

 

65537
REASON_CODE Value #def name Event Message Friendly String

65537

WLAN_REASON_CODE_

UNKNOWN

The reason is unknown.

See Also

Other Resources

Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements
Windows Vista Wireless Networking Evaluation Guide
Network Diagnostics Technologies in Windows Vista
Microsoft TechNet Wireless Networking
Wi-Fi Protected Access 2 Data Encryption and Integrity: The Cable Guy, August 2005
Wi-Fi Protected Access 2 (WPA2) Overview: The Cable Guy, May 2005
Deployment of Secure 802.11 Networks Using Microsoft Windows
Windows Server 2003 Technical Reference
Online Windows Server 2003 Product Help