The Network Connections folder and the messages displayed in the notification area of the task bar provide information about the state of the wireless network availability as well as client authentication and connection status. If authentication of a client requires additional information from the user, such as selecting one of multiple user certificates, a text balloon appears to instruct the user. Within the Network Connections folder, the text under the name of the connection corresponding to the wireless network adapter describes the state of the authentication.

For wireless clients running Windows XP, when you click the wireless connection, the Details dialog box displays the authentication status, the Internet Protocol (IP) address configuration, and information about the connected wireless network and the current association. When you obtain status on the connection, you can view information such as the signal speed on the General tab and the IP address configuration on the Support tab.

If the wireless adapter is assigned an Automatic Private IP Addressing (APIPA) address in the range 169.254.0.0/16 or the configured alternate static IP address, the wireless client is still associated with the wireless AP, but either authentication has failed or the Dynamic Host Configuration Protocol (DHCP) server is not available. If the authentication fails and the association is still in place, the wireless adapter is enabled and Transmission Control Protocol/Internet Protocol (TCP/IP) performs its normal configuration process. If a DHCP server is not found (either authenticated or not), Windows XP automatically configures an APIPA or alternate static address.

For a wireless client running Windows 2000, you can use the Network and Dial-up Connections folder to view whether the connection corresponding to your wireless network adapter is authenticated. If authentication is successful, the connection icon appears normal. If authentication has failed, the connection icon has a red X through it. To view the IP address configuration of the connection corresponding to the wireless network adapter, type ipconfig at a command prompt.

Windows XP, Windows Server 2003, and Windows 2000 have an extensive tracing capability that you can use to troubleshoot complex problems for specific components related to wireless client authentication. You can enable the components in Windows to log tracing information to files using the netsh command for specific components or for all components. For more detailed information, see “Netsh,” in the section “802.11 Wireless Authentication Infrastructure” later in this document.

You can use Microsoft Network Monitor, available in Microsoft Systems Management Server, Windows 2000 Server, and Windows Server 2003, or a commercial packet analyzer (also known as a network sniffer), to capture and view the authentication and data traffic sent and received by a wireless network adapter.

For Windows wireless client authentication, you can use Network Monitor to capture the set of frames exchanged between the wireless client computer and the wireless AP during the wireless authentication process. You can then use Network Monitor to view the individual frames and determine why the authentication failed.

Network Monitor includes 802.1X, EAPOL, and EAP parsers. A parser is a component included with Network Monitor that can separate the fields of a protocol header and display their structure and values. Without a parser, Network Monitor displays the hexadecimal bytes of a header, which you must parse manually.

In Windows 2000 Server and Windows Server 2003, Network Monitor is installed as an optional management and monitoring tool using Control Panel's Add or Remove Programs. After it is installed, you can run Network Monitor from the Administrative Tools folder.

In Windows Server 2003, you can use the new Wireless Monitor snap-in to view wireless AP or wireless client information. There are two main views of information in the Wireless Monitor snap-in:

• Access Point Information
  
  
• Wireless Client Information
  
  

When you click Access Point Information in the console tree, the wireless network adapter scans for the available wireless APs within range and then displays them in the details pane.

You can use the list of wireless APs to determine the visibility and parameters (such as signal strength, channel, and data rates) of specific wireless APs for a specific location.

When you click Wireless Client Information in the console tree, the list of wireless events for the Wireless Zero Configuration service and the EAPOL component displays in the details pane.

You can use these events to determine how the Wireless Zero Configuration service chooses to connect to a specific wireless AP and explore the details of the authentication process.

Most wireless APs have one or more indicators, status lights that are visible on the housing of the wireless AP, from which you can obtain a quick assessment of the wireless AP's hardware status. For example, you might see the following:

• An indicator to show that the wireless AP has electrical power.
  
  
• An indicator to show general operation status. For example, the indicator might show whether the wireless AP is associated with any wireless clients.
  
  
• An indicator to show wireless network traffic. This indicator might blink for each frame received on the wireless network.
  
  
• An indicator to show data collisions. If the blinking of this indicator seems excessive, evaluate the performance of the link by using methods suggested by the wireless AP vendor.
  
  
• An indicator to show wired network traffic. This indicator might blink for each frame received on the wired network.
  
  

Alternatively, the wireless AP might have a liquid crystal display (LCD) panel display that shows icons indicating its current status. Consult your wireless AP documentation for information about panel indicators and their interpretation.

Site survey software is used to determine the coverage volume and where the data rate changes for each wireless AP. An administrator can use site survey software during the deployment of wireless APs to determine their optimal placement. It is typically installed on a wireless-capable portable computer from a CD provided by the wireless AP vendor or the wireless network adapter vendor.

If wireless clients cannot connect to a specific wireless AP, use the site survey software to perform a site survey for that wireless AP. There might have been a change in the devices that create interference and objects that interfere with signal propagation because the original site survey and wireless AP placement was done.

Many wireless APs include a Simple Network Management Protocol (SNMP) agent that supports the following SNMP Management Information Bases (MIBs):

• IEEE 802.11 MIB
  
  
• IEEE 802.1 Port Access Entity (PAE ) MIB
  
  
• SNMP MIB (described in RFC 1157)
  
  
• SNMP MIB II (described in RFC 1213)
  
  
• Ethernet Interface MIB (described in RFC 1398)
  
  
• SNMP Bridge MIB (described in RFC 1493)
  
  
• Remote Network Monitoring MIB (described in RFC 1757)
  
  
• RADIUS Authentication Client MIB (described in RFC 2618)
  
  

The SNMP agent on the wireless AP can be used in conjunction with your existing SNMP-based network management infrastructure to monitor your wireless APs, set trap conditions, and monitor loads on your wireless APs. In SNMP, trap conditions specify which events will trigger a message to be sent by the SNMP agent to a management system, indicating that the event has occurred on the host running the agent.

The purpose of the diagnostics is to ensure that the wireless AP is operating properly (from a hardware standpoint) and to validate its current configuration. However, the exact diagnostic facilities of a wireless AP vary from one wireless AP to another.

Diagnostics for wireless APs can be of the following forms:

• Software or a Web site provided by the wireless AP vendor.
  
  
• A command-line tool or facility, such as terminal access to the wireless AP.
  
  

To troubleshoot IAS authentication attempts, view events in the Windows event logs. Ensure that event logging is enabled for all types of IAS events (such as rejected, discarded, and successful authentication events). Event logging for all these types of events are enabled by default for both Windows Server 2003 IAS and Windows 2000 IAS.

IAS events are stored in the system event log, which can be viewed in the Event Viewer snap-in. Here is an example of a successful IAS authentication event (Event ID 1).

User client@example.com was granted access.
Fully-Qualified-User-Name =example.com/Users/Client
NAS-IP-Address =10.7.0.4
NAS-Identifier =<not present>
Client-Friendly-Name =Building 7 Wireless AP
Client-IP-Address =10.7.0.4
NAS-Port-Type =Wireless-IEEE 802.11
NAS-Port =6
Policy-Name =Wireless Remote Access Policy
Authentication-Type =EAP
EAP-Type =Smart Card or other Certificate

To view s failed IAS authentication event, view all events that have Event ID 2.

Viewing the IAS events in the system event log is one of the most useful troubleshooting tools for obtaining information about failed authentications. The IAS events are also helpful when troubleshooting remote access policies. When you have multiple remote access policies configured, the Policy-Name field in the event description records the name of the remote access policy that either accepted or rejected the connection attempt.

Network Monitor is useful for checking whether RADIUS messages are being exchanged, and for determining the RADIUS attributes of each message.

You can use Microsoft Network Monitor—available in Microsoft Systems Management Server, Windows 2000 Server, and Windows Server 2003 — or a commercial packet analyzer (also known as a network sniffer) to capture and view RADIUS authentication and accounting messages that are sent to and from the IAS RADIUS server or an IAS RADIUS proxy. Network Monitor includes a RADIUS parser that you can use to view the attributes of a RADIUS message and trouble-shoot connection issues.

Secure channel (SChannel) is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols. SSL and TLS are the Internet standard for secure transactions.

By default, SChannel logs only error messages in the system event log. To log errors, warnings, informational, and successful events, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging registry value to 4 (as a DWORD type). With SChannel logging recording all events, it is possible to obtain more information about the certificate exchange and validation process on the IAS server during EAP-TLS authentication.

Windows Server 2003 and Windows 2000 have an extensive tracing capability that creates tracing files that describe the internal behavior of Windows components during the wireless client authentication and authorization process. This information is typically most useful to Microsoft support engineers, who might request that you create trace files for a connection attempt during their investigation of a support issue. You can enable the components in Windows Server 2003 to log tracing information to files by using the netsh command for specific components or for all components. To enable and disable tracing for a specific component, use the following command:

              netsh ras set tracing 
              component
               enabled|disabled
            

In the preceding command, component is any of the items in the list of components found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing for the IASRAD component, use the following command:

              netsh ras set tracing iasrad enabled
            

To obtain detailed information about the EAP authentication process for Windows XP or Windows Server 2003, enable tracing for only the EAP over LAN (EAPOL) and Remote Access Service Transport Level Security (RASTLS) components. To enable tracing for EAPOL, use the following command:

              netsh ras set tracing eapol enabled
            

To enable tracing for RASTLS, use the following command:

              netsh ras set tracing rastls enabled
            

After these commands are issued, try the authentication process again and view the Eapol.log and Rastls.log files in the SystemRoot\Tracing folder. To disable tracing for EAPOL and RASTLS, use the following respective commands:

              netsh ras set tracing eapol disabled 
netsh ras set tracing rastls disabled

To obtain detailed information about the EAP authentication process for Windows 2000, enable tracing for the RASTLS component.

Although you can enable tracing for individual components of IAS, it is generally easier to turn tracing on for all the IAS components at once; and Microsoft support engineers typically want to see all the trace files, rather than the trace file for an individual component. To enable tracing for all components, use the following command:

              netsh ras set tracing * enabled
            

To disable tracing for all components, use the following command:

              netsh ras set tracing * disabled
            

The log files that are generated are stored in the SystemRoot\tracing folder.

Note

• Tracing consumes system resources and should be used sparingly during the investigation of a support issue. After the trace is done or the problem is identified, you should disable tracing. Do not leave tracing enabled on multiprocessor computers.
  
  

You can use the Simple Network Management Protocol (SNMP) agent software included with Windows 2000 Server and Windows Server 2003 to monitor status information for your IAS server from an SNMP snap-in. IAS supports the RADIUS Authentication Server MIB (RFC 2619) and the RADIUS Accounting Server MIB (RFC 2621). Use AddRemove Programs in Control Panel to install the SNMP agent. The SNMP agent can be used in conjunction with your existing SNMP-based network management infrastructure to monitor your IAS RADIUS servers or proxies.

You can use the Performance Logs And Alerts snap-in to monitor counters, create logs, and set alerts for specific IAS components and program processes. You can also use charts and reports to determine how efficiently your server uses IAS and to both identify and troubleshoot potential problems.

You can use the Performance Logs And Alerts snap-in to monitor counters within the following IAS-related performance objects:

• IAS Accounting Clients
  
  
• IAS Accounting Proxy
  
  
• IAS Accounting Server
  
  
• IAS Authentication Clients
  
  
• IAS Authentication Proxy
  
  
• IAS Authentication Server
  
  
• IAS Remote Accounting Servers
  
  
• IAS Remote Authentication Servers
  
  

For more information about how to use the Performance Logs And Alerts snap-in, see Help and Support Center for Windows Server 2003.

The setting of the AuthMode registry entry controls the computer and user authentication behavior of Windows XP and Windows Server 2003.

The setting of the SupplicantMode registry entry specifies the transmission behavior of the EAPOL-Start message when authenticating.

In the Group Policy snap-in, you can configure wireless policies by using the Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies node.

Note

• These policy settings do not apply to wireless clients running Windows XP (prior to SP1) or Microsoft 802.1X Authentication Client.
  
  

By default, there are no Group Policy objects (GPOs) in the Wireless Network (IEEE 802.11) Policies node. You can create only a single wireless network policy for each Group Policy object.

The properties of a wireless network policy consist of a General tab and a Preferred Networks tab.

On the General tab, you can view the options as described in the following table.

General Settings of a Wireless Network Policy

On the Preferred Networks tab, you can view the options as described in the following table.

Preferred Network Options of a Wireless Network Policy

The properties of a preferred wireless network consist of a Network Properties tab and an IEEE 802.1X tab.

On the Network Properties tab, you can view and configure the settings of a wireless network for a Windows wireless client that supports the Wireless Zero Configuration service. The settings are:

• Network Name (SSID). Displays the names of networks that are within the reception range of the wireless adapter on your computer. If selected, a network key is used to encrypt data while it is transmitted over the network.
  
  
• Description. This option allows you to type a description for the preferred wireless network.
  
  
• Data Encryption (WEP Enabled). Specifies whether Wired Equivalent Privacy (WEP) is enabled for this preferred wireless network.
  
  
• Network Authentication (Shared Mode). Specifies whether a network key is used to authenticate to this preferred wireless network. Under the 802.11 standard for wireless networks, when a network key is used for authentication, the network is operating in shared key authentication mode. If a network key is not used for authentication, the network is operating in open system mode.
  
  
• The Key Is Provided Automatically. Specifies whether a network key is automatically provided for this preferred wireless network. For example, if 802.1X is being used for dynamic key distribution.
  
  
• This Is A Computer-to-Computer (Ad Hoc) Network; Wireless Access Points Are Not Used. Specifies whether the preferred wireless network is a computer-to-computer (ad hoc) network, not an access point (infrastructure) network.
  
  

On the IEEE 802.1X tab, you can view and configure the following settings (which are equivalent to the authentication settings of a Windows wireless client):

• Enable Network Access Control Using IEEE 802.1X. Specifies whether 802.1X authentication is enabled. If selected, credentials such as smart cards, certificates, and passwords are used for authentication.
  
  
• EAP Type and Settings. Specifies the Extensible Authentication Protocol (EAP) type that is to be used.
  
  
• Authenticate As Guest When User Or Computer Information Is Unavailable. Specifies whether the computer attempts authentication to the network when a user is not logged on.
  
  
• Authenticate As Computer When Computer Information Is Available. Specifies whether the computer attempts authentication to the network as a guest when user or computer information is not available.
  
  

The following are additional settings on the IEEE 802.1X tab that do not appear on authentication settings of a Windows wireless client:

• EAPOL-Start Message. This option allows you to specify the transmission behavior of the EAPOL-Start message when authenticating. These settings set the SupplicantMode registry setting. You can select from the following:
  
  
  • Do Not Transmit
    
    
  • Transmit
    
    
  • Transmit Per 802.1X
    
    
• Max Start. This option allows you to specify the number of successive EAPOL-Start messages that are sent out when no response is received to the initial EAPOL-Start messages.
  
  
• Start Period. This option allows you to specify the interval, in seconds, between the retransmission of EAPOL-Start messages when no response is received to the previously sent EAPOL-Start message.
  
  
• Held Period. This option allows you to specify the period, in seconds, for which the authenticating client will not perform any 802.1X authentication activity after it has received an authentication failure indication from the authenticator.
  
  
• Authentication Period. This option allows you to specify the interval, in seconds, for which the authenticating client will wait before retransmitting any 802.1X requests after end-to-end 802.1X authentication has been initiated.
  
  
• Computer Authentication. This option allows you to specify how computer authentication works with user authentication. These settings set the AuthMode registry setting. There are three possible settings:
  
  
  • With User Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained using the computer credentials. If a user travels to a new wireless access point, authentication is performed using the user credentials.
    
    
  • With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context (computer credentials when no user is logged on and user credentials when a user is logged on).
    
    
  • Computer Only. Authentication is always performed using the computer credentials. User authentication is never performed.
    
    
  For more information about Group Policy settings, see the Group Policy Settings Reference for Windows Server 2003.
  
  

To use the new Wi-Fi Protected Access (WPA) standard for wireless clients running Windows XP (SP1 and later) and Windows Server 2003 that are using a wireless network adapter that supports the WZC service, you must obtain and install the free download WPA Wireless Security Update. It updates the wireless network configuration dialog boxes to support new WPA options. An update to the properties of the Wireless Network (IEEE 802.11) Policies to allow configuration of WPA options is being investigated.