Troubleshooting Windows Vista 802.11 Wireless Connections
Applies To: Windows Vista
This document is designed to assist network administrators, help desk personnel, and developers who work with IEEE 802.11 wireless services and Windows Vista®. This document describes how to troubleshoot connectivity problems for wireless clients running Windows Vista that are attempting to make 802.1X authenticated connections to Microsoft® Windows Server® 2003 domain networks.
This document also provides some troubleshooting information for wireless clients running Windows Vista® that are attempting to make wireless connections to small office or home office (SOHO) networks.
There is also information for developers and Microsoft support personnel about how to generate and use advanced tracing reports for debugging.
SOHO wireless networks
For SOHO wireless networks, this document focuses on a typical network deployment that uses:
- a high-speed modem for Internet connectivity
- a wireless router
- one or more computers running Windows XP or Windows Vista with wired IEEE 802.3 Ethernet connections to the wireless router
- one or more IEEE 802.11 wireless computers running Windows Vista
802.1X-authenticating domain networks
For 802.1X-authenticating domain networks, this document assumes the following services are in place to support wireless clients:
Windows Server 2003 Active Directory® with:
Domain Name System (DNS)
Active Directory Users and Computers
Group Policy Domain Policy
Microsoft certification authority (Certificate Services), or a RADIUS Server certificate purchased from a non-Microsoft certification authority (CA)
Internet Authentication Service (IAS) (a Remote Authentication Dial-in User Service (RADIUS) server)
Dynamic Host Configuration Protocol (DHCP)
One or more IEEE 802.1X-compliant wireless access points (APs) to provide 802.1X authenticated network access
In this document
This document is divided into several sections:
Section 1: Troubleshooting client connectivity
This section provides a summary of the troubleshooting approach used in this document.
Section 2: Wireless infrastructure components
This section describes the wireless-related components that are typically found in Windows Server 2003 domain networks. It also describes the main wireless components for SOHO wireless networks.
Section 3: The authentication process
This section provides an overview of the main phases involved in establishing 802.1X authenticated 802.11 wireless connections. It is crucial to understand these concepts when troubleshooting connectivity problems and performing root-cause analysis in an 802.1X-authenticating wireless environment.
Note
Because there are so many EAP authentication methods and types, it is not practical to provide information for every EAP deployment. The examples and conceptual information in this section are for an authentication process that uses PEAP-MS-CHAP v2.
Section 4: Network Diagnostics Framework
This section contains information about the features and capabilities of the Network Diagnostics Framework related to wireless, including the Wireless Diagnostics wizard.
Section 5: Netsh commands for wireless LAN
This section demonstrates, using step-by-step procedures, how to use netsh wlan to return detailed information about wireless network adapter capabilities and settings, and wireless profile configuration. There are also examples of the information generated by running two netsh wlan troubleshooting commands.
Section 6: Investigative questions and quick lists for common connectivity problems
This section provides a list of questions that you should consider when trying to determine the cause of wireless connectivity problems. It also contains tables with error conditions and common causes.
Section 7: Event logs, diagnostics logs, and wireless tracing reports
This section describes information found in logs and reports in Windows Vista, including:
Basic System Event logs
Operational logs
Wireless Tracing reports
Appendices
The appendices in this document contain information about Windows Vista wireless features or components for advanced users, and examples that are too long for the main body of this document:
Appendix A: Detailed EAP and PEAP-MS-CHAP v2 operations
Appendix B: Windows Vista DLLs and function descriptions
Appendix C: Using netsh wlan to manage tracing
Appendix D: Trace File examples
Appendix E: Mapping of reason codes to event messages
Section 1: Troubleshooting client connectivity
Troubleshooting is a process of finding the source of problems, and then resolving those problems. Due to the complicated nature of wireless technologies, the process of identifying and correcting problems can also be complicated. You can make the troubleshooting process easier by understanding your network environment, gathering useful information, and applying a consistent method when determining the cause of connectivity errors.
The following are the recommended troubleshooting steps.
Understand your wireless infrastructure components and the main phases of the wireless connection process. This understanding is the foundation of a good troubleshooting process.
Run the Wireless Diagnostics wizard in Windows Vista when connectivity fails. In many cases, the Wireless Diagnostics wizard can either solve your problem automatically or walk you through a process to solve it.
Use the netsh wlan command to gather information about wireless client configuration settings and hardware capabilities.
Review basic investigative questions to determine what types of issues you should be looking for.
Review common or likely problems in the quick lists to see if you can quickly identify the problem.
Investigate event, operational, and diagnostics logs and reports. The logs and reports that are generated by wireless components provide detailed information that can help you to diagnose complex wireless connection and authentication issues.
Section 2: Wireless infrastructure components
This section describes the functions of the main components and services that are deployed to support an 802.1X-authenticating 802.11 wireless network.
The following table compares key differences between SOHO and Active Directory domain wireless network deployments.
SOHO workgroup | Active Directory domain
---|---
Does not require any computers running Windows Server 2003. | Requires at least one computer running Windows Server 2003.
Supports Windows XP Home Edition operating system. | Does not support Windows XP Home Edition.
Relatively easy for a novice user to deploy. | More difficult to deploy. Deployment is not intended for the average home or small office user.
Requires a wireless AP or wireless router. | Requires one or more wireless APs that support 802.1X authentication.
Provides wireless network access security only through: | Provides strong wireless network access protection using:
Does not require the purchase of a server certificate. | Requires the purchase of a server certificate or deployment of a public key infrastructure (PKI).
Does not provide centralized management of user accounts or user authentication. Anyone who has access to the wired network, or to the wireless shared secret (the text string that serves as a password between the wireless AP and other wireless devices) can join the workgroup and access network resources. | Provides centralized management of user accounts and user authentication, using Active Directory user accounts database and IAS. Users and computers must have accounts in Active Directory, and must provide password-based credentials to log on to the network. In addition, mutual authentication occurs with PEAP-MS-CHAP v2 when client computers authenticate the IAS server's certificate.
Provides limited methods to control or manage workgroup members. | Provides methods to manage domain member accounts. Controls can be fine-tuned.
SOHO networks
There are many services and hardware devices available for SOHO deployments. The following illustration shows the main components of a common SOHO wireless deployment.
Internet service provider (ISP)
A company that provides individuals or companies access to the Internet. An ISP provides a telephone number (for dial-up connections), a user name, a password, or other connection information so users can connect their computers to the ISP's computers. In some cases, an ISP might require the unique Media Access Control (MAC) address of your high-speed modem, and will then use DHCP to configure the address on the public connection of your router. In this case, you can still configure your network client addresses using the DHCP service that is built into your router.
Modem
A device that transmits computer information over a media such as a telephone line or coaxial cable.
Wireless router
A networking device whose primary function is to provide Internet and SOHO network access to your IEEE 802.11 wireless and IEEE 802.3 wired Ethernet computers and devices. Wireless routers commonly provide the following services:
A public-facing connection that connects to a modem, and in turn, to the Internet.
A network hub that can connect several IEEE 802.3 wired Ethernet devices, such as computers and printers.
An IEEE 802.11 wireless AP, capable of supporting multiple wireless computers.
DHCP addressing for wired and wireless client computers. DHCP addressing enables network traffic to be routed to the correct wireless or wired network device.
Domain networks
There are many ways to deploy wireless in a domain network. The following illustration shows components that are found in an Active Directory domain that provides 802.1X authenticated wireless access.
Note
This illustration is provided as an example only. It does not reflect best practices. For information about Microsoft CAs and PKI, see Public Key Infrastructure for Windows Server 2003 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=83694).
Windows Server 2003 Active Directory
The Windows-based directory service that stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.
Domain Name System
A hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.
Active Directory Users and Computers
An administrative tool used by an administrator to perform day-to-day Active Directory administration tasks. The tasks that can be performed with this tool include creating, deleting, modifying, moving, and setting permissions on objects stored in the directory. Examples of objects in Active Directory are organizational units (OUs), users, contacts, groups, computers, printers, and shared file objects.
Group Policy
The infrastructure that enables directory-based change and configuration management of user and computer settings, including security and user data. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify policy settings for registry-based policies, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and OUs—you can apply the GPO's policy settings to the users and computers in those Active Directory containers. To create an individual GPO, use the Group Policy Object Editor. To manage Group Policy objects across an enterprise, you can use the Group Policy Management console.
To best support wireless clients running Windows Vista, it is recommended that you upgrade your Active Directory schema with the schema extension for Windows Vista Wireless Group Policy. The schema enables you to configure independent wireless policies specifically for wireless computers running Windows Vista. Deploying the schema extension will not affect an existing wireless policy for Windows XP.
To update your Windows Server 2003 Group Policy schema, follow the procedures in Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70195).
Certificates
For PEAP-MS-CHAPv2, administrators can deploy certificate services on the network to issue a RADIUS server certificate, or purchase a RADIUS server certificate from a non-Microsoft CA.
EAP-TLS requires a PKI deployment to issue computer certificates to the RADIUS servers, and user and client certificates to wireless clients.
Note
PEAP-MS-CHAPv2 is easier to deploy than other authentication methods, such as EAP-TLS, for several reasons. First, PEAP does not require the deployment of a PKI; only the RADIUS server is required to have a server certificate installed. Nor does PEAP require smart cards or another type of client certificate to validate connecting clients.
The result is a user-friendly experience in which network clients must provide only their account credentials (user name and password) for authentication. The account credentials are then verified against the account that exists in the user accounts database (such as Active Directory).
From a security standpoint, PEAP-MS-CHAP v2 relies on passwords for authentication, which can be stolen or guessed. With EAP-TLS authentication, the certificate that is used for authentication cannot be easily forged.
Certificate
A digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.
Certification authority
An entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.
Microsoft Certificate Services
A software service that issues certificates for a CA. It provides customizable services for issuing and managing certificates for the enterprise. Certificates can be used to provide authentication support, including secure e-mail, Web-based authentication, and smart-card authentication.
Internet Authentication Service (IAS)
The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy, which provides authentication and accounting for network access.
IAS Remote Access Policy
A set of conditions and connection parameters that define the characteristics of the incoming connection and the set of constraints imposed on it. Remote access policy determines whether a connection attempt is authorized to be accepted.
Dynamic Host Configuration Protocol (DHCP)
A TCP/IP service protocol that offers dynamic leased configuration of host IP addresses and distributes other configuration parameters to eligible network clients. DHCP provides safe, reliable, and simple TCP/IP network configuration; it prevents address conflicts, and helps conserve the use of client IP addresses on the network.
DHCP uses a client/server model where the DHCP server maintains centralized management of IP addresses that are used on the network. DHCP-supporting clients can then request and obtain a lease of an IP address from a DHCP server as part of their network boot process.
Wireless APs (IAS RADIUS clients)
One or more 802.1X-compliant wireless APs must be configured as RADIUS clients so that they can communicate with the IAS RADIUS server. Add all wireless APs as RADIUS clients to the IAS server(s). You will need to know the IP address of each wireless AP to add them as RADIUS clients to IAS.
The wireless access point is configured as a RADIUS client to the IAS server deployed on the organization local area network (LAN). The wireless access points must meet the following requirements for 802.1X wireless deployments:
Support for the IEEE 802.1X standard for authentication.
Support for Wi-Fi Protected Access 2 (WPA2)-Enterprise or WPA-Enterprise. Support for Wi-Fi Protected Access 2 (WPA2)-Enterprise is preferred. WPA2-Enterprise is supported by Windows Vista and Windows XP with Service Pack 2 (SP2). For more information, see Description of the Wireless Client Update for Windows XP with Service Pack 2 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=83697).
Recommendations
- For consistency and ease of deployment, it is recommended that you deploy wireless APs of the same brand and model.
The following table lists some common wireless AP configuration items.
Note
The names of the configuration items for wireless access points can vary by brand and model, and might be different from those listed in the table. See your wireless AP documentation for configuration-specific details.
Wireless AP Configuration Items | Configuration Item Information
---|---
SSID | The name of the wireless network (for example, WiFiTest). This is the name that is displayed to wireless clients. In Windows Vista, the SSID is the name displayed in Connect to a network when the computer detects the wireless AP SSID beacon broadcast. Recommendation: All wireless APs that are part of the same wireless network should use the same SSID.
Suppress SSID Beacon Broadcast | Most wireless APs provide the configuration option to suppress the SSID beacon broadcast. To connect to wireless networks that are not broadcasting the SSID, wireless clients that are running Windows Vista must be configured by enabling the Connect even if the network is not broadcasting setting. Both the Windows Vista Wireless Network (IEEE 802.11) Policies Group Policy extension and the Manually connect to a wireless network wizard (in Connect to a network) provide access to this setting.
Wireless AP IP Address (Static) | For each wireless AP, configure a unique static IP address that falls within the exclusion range specified in the DHCP scope of the subnet on which the wireless AP is deployed.
DNS name | Some wireless APs can be configured with a DNS name provided that the DNS service on the network can resolve AP DNS names to an IP address. For each wireless AP that supports this feature, enter a unique name for DNS resolution.
802.1X Authentication | Configure IEEE 802.1X authentication with WPA2-Enterprise or WPA-Enterprise, depending on which authentication is supported by all of your wireless devices. Note: Due to known security issues with WEP encryption, it is recommended that you use only WPA2 (preferred) or WPA. Note: Centralized configuration of WPA2 is supported in Windows Server 2003 with SP1 Active Directory Wireless Policy Group Policy. Wireless and wired clients running Windows Vista have enhanced features that can be configured through Group Policy settings. For more information, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70195).
Wireless AP Subnet Mask | Configure this to match the subnet mask of the attached subnet.
Disable Wireless AP DHCP Service | If the network is providing DHCP, the DHCP service built into the wireless AP should be disabled.
RADIUS Shared Secret | Use a unique RADIUS shared secret for each wireless AP. Each shared secret should be a random sequence of uppercase and lowercase letters, numbers, and punctuation that is at least 22 characters long. To ensure randomness, use a random character generation program to create shared secrets to configure on the server running IAS and the wireless AP. You will need to match the shared secret for each wireless AP when you configure them as RADIUS clients in the applicable IAS Remote Access Policy. Important: It is recommended that you record the shared secret for each wireless AP, and store the record in a secure location, such as an office safe.
RADIUS Server IP Addresses | Enter the IP addresses of your servers running IAS.
UDP Port(s) | By default, IAS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages. Recommendation: Unless you have reason to do so, do not change the default RADIUS UDP ports settings.
Vendor Specific Attributes (VSAs) | Some wireless APs require that the IAS RADIUS server is configured with specific attributes in order to provide full wireless AP functionality. VSAs are added to an IAS Remote Access Policy.
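The RADIUS Shared Secret row above asks for a random secret of at least 22 characters that matches on the wireless AP and on the server. The following added example (not part of the original document and not Microsoft code) generates such a secret and shows why a mismatch breaks authentication: the secret keys the Message-Authenticator attribute (RFC 3579) that accompanies EAP in an Access-Request, and RFC 3579 requires the server to silently discard a request whose value does not verify. The identity, NAS address and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
import struct

# Character classes and minimum length from the RADIUS Shared Secret row.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
MIN_LENGTH = 22

ACCESS_REQUEST = 1               # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79            # RFC 3579
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579


def generate_shared_secret(length=MIN_LENGTH):
    """Return a CSPRNG-generated secret that contains every character class."""
    if length < MIN_LENGTH:
        raise ValueError("shared secret must be at least 22 characters long")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def _attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, user_name, nas_ip, eap_packet):
    """Build the Access-Request an AP (RADIUS client) sends for an EAP login."""
    request_authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(p) for p in nas_ip.split(".")))
             + _attr(ATTR_EAP_MESSAGE, eap_packet)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    # HMAC-MD5 over the whole packet, keyed with the shared secret.
    mac = hmac.new(secret.encode(), packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def verify_access_request(secret, packet):
    """Server side: True only if Message-Authenticator validates under secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    zeroed, received, pos = bytearray(packet), None, 20
    while pos < length:
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    if received is None:
        return False
    expected = hmac.new(secret.encode(), bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def demo():
    """Return (accepted with matching secret, accepted with mistyped secret)."""
    ap_secret = generate_shared_secret()
    mistyped = ap_secret.swapcase()  # constructed typo: wrong letter case on the server
    identity = b"user@example.com"   # constructed sample identity
    # EAP-Response/Identity: code 2, id 1, length, type 1, identity
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    packet = build_access_request(ap_secret, 7, identity.decode(), "192.0.2.10", eap)
    return (verify_access_request(ap_secret, packet),
            verify_access_request(mistyped, packet))


if __name__ == "__main__":
    print(demo())
```

Because the server drops the request without answering, a mistyped shared secret looks to the wireless client like an authentication server that is not responding.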
Wireless client computer(s)
A computer running Windows Vista that has an IEEE 802.11 wireless adapter and a corresponding wireless adapter driver designed for Windows Vista installed.
The Windows Vista 802.1X and wireless components have been redesigned with an emphasis on extensibility and security. In the Windows XP wireless supplicant model, the Wireless Zero Configuration service and supporting dynamic-link libraries (DLLs) handle all primary functions associated with connecting and maintaining a connection. The initial design had some limitations, such as an inability to add new features and the lack of extensibility. Therefore, the Windows Vista wireless components are completely redesigned; the major functions are separated into individual components. Further, independent hardware vendors (IHVs) are now able, through a consistent interface, to extend services and features specific to their needs.
Windows XP, Windows Server 2003, and Windows Vista have built-in support for IEEE 802.11-based wireless networking and IEEE 802.1X authentication using EAP.
Section 3: The authentication process
This section provides an overview of the components and the processes involved in establishing 802.11 wireless connections to 802.1X authenticating infrastructure networks.
Note
For a more detailed explanation of EAP and PEAP-MS-CHAPv2 processes, see Appendix A: Detailed EAP and PEAP-MS-CHAP v2 operations.
Wireless connection phases overview
Because PEAP-MS-CHAP v2 is a popular authentication method for wireless 802.1X deployments, this section provides an overview of the main phases that take place in 802.1X-authenticated wireless connections that use it. The phases are numbered in the order in which they occur; a diagram is included to illustrate, by number, where each phase occurs on the network. In this section, the phases are separated into two parts. The first part provides the phases required for the wireless client to associate with the wireless access point. The second part lists the phases involved with 802.1X authentication.
Association with the wireless AP and link-layer authentication
When a wireless network adapter is turned on, it begins to scan across the wireless frequencies (spectrum) for wireless APs and other wireless clients. Scanning is an active process in which the wireless adapter sends Probe-Request frames on all channels of the ISM frequency range and listens for the Probe-Response frames sent by wireless APs and other wireless clients. After scanning, Windows instructs the wireless adapter to connect to a network, based on the configured preferences.
This choice is made automatically by using the SSID of a known or preferred wireless network and the wireless AP with the best signal strength (the highest signal-to-noise ratio). Next, the wireless client negotiates the use of a logical wireless port with the chosen wireless AP. This process is known as association.
The wireless client’s configuration settings determine whether the wireless client prefers to connect with infrastructure or ad-hoc mode networks. By default, a wireless client running Windows Vista, Windows XP, or Windows Server 2003 prefers infrastructure mode wireless networks over ad-hoc mode wireless networks. If the signal strength of the wireless AP is too low, if the error rate is too high, or if instructed by the operating system, the wireless client scans for other wireless APs to determine whether a different wireless AP can provide a stronger signal to the same wireless network. If so, the wireless client negotiates a connection with that wireless AP. This process is known as roaming.
Scanning: The client scans for an AP using a probe request.
Association: The client associates with the AP:
The AP registers the client’s MAC address and assigns a unique virtual port that is mapped to that MAC address.
The client registers the MAC address of the AP as the only device to which it is permitted to associate (until such time that it disassociates and then reassociates with another AP or wireless device).
Access Request: Using its 802.1X uncontrolled port, the AP forwards a RADIUS Access-Request message to the RADIUS (IAS) server.
Note
TCP/IP frames generated by the wireless client can only be sent to the network through the controlled port. The client cannot send frames using the controlled port until it is authenticated and authorized.
EAP: If the server running IAS does not reject the Access-Request, the EAP authentication method is negotiated between the client and IAS.
After the negotiation is complete, the AP forwards messages between the client and the server running IAS.
Note
There are many EAP authentication types. Both EAP-TLS and PEAP-MS-CHAPv2 are supported natively in Windows Server 2003, Windows XP, and Windows Vista.
Note
When PEAP is used, a TLS session is first created between the access client and the server running IAS; authentication then occurs through the secure TLS session.
Authentication: After the EAP authentication method is agreed upon between the client and IAS, the server running IAS sends its server certificate chain to the client computer as proof of identity. The client computer uses the IAS server certificate to authenticate the server running IAS. Successful PEAP-MS-CHAP v2 authentication requires that the client trusts the server running IAS after validating the IAS server certificate chain. For the client to trust the server running IAS, the root CA certificate of the issuing CA of the server certificate must be installed in the Trusted Root Certification Authorities certificate store on client computer.
After the client authenticates the server, the client sends password-based user credentials to the server running IAS, which verifies the client credentials against the user accounts database in Active Directory.
If the credentials are not valid, IAS sends an Access-Reject message to the AP in response to the connection request.
If the credentials are valid, the server running IAS proceeds to the authorization phase.
Authorization: The server running IAS performs authorization, as follows:
IAS checks the user or computer account dial-in properties in Active Directory.
IAS then attempts to find a remote access policy that matches the connection request. If a matching remote access policy is found, IAS authorizes the connection request based on that policy.
Access-Accept: If the authorization is successful, IAS sends the AP an Access-Accept message. If authorization is not successful, IAS sends an Access-Reject message.
802.1X controlled port: As part of authentication, 802.1X dynamically generates session keys from which it further derives encryption keys to secure the wireless connection. The encryption keys are configured on both the wireless AP and the client; all subsequent data traffic is protected. The wireless AP enables the controlled port; traffic from the wireless client is allowed to traverse the port.
DHCP Address Request: The client sends a DHCP address request through the 802.1X controlled port to the network. If a DHCP server responds, the client obtains an IP address.
Group Policy Applied: If configured, updated Group Policy is applied on the client during domain logon operations; this includes the Wireless Network (IEEE 802.11) Policies Group Policy extension.
Note
For computers already configured with Wireless Network (IEEE 802.11) Policies, Group Policy is applied when the computer is started, and whenever an updated policy is downloaded. If Group Policy is updated on the server while the computer is turned off, the last known policy (which might be stale) is immediately applied when the computer is started. If the 802.1X settings on the computer enable IAS to authorize the computer for network access, updated policies are downloaded and applied when the computer connects to the network, prior to user authentication. If 802.1X settings on the computer cannot enable IAS to authorize the computer for network access at startup, then application of updated policies occurs immediately after user authentication.
Network Access: The client is able to access network resources, contingent upon any applied restrictions.
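The phases above can be traced as a message sequence to see where a failed connection stops. The following added example (not part of the original document; the class, field and function names are hypothetical) replays the PEAP-MS-CHAP v2 phases for a given set of conditions and then breaks one condition at a time to show which faults end with the same last message.

```python
from dataclasses import dataclass, fields


@dataclass
class Conditions:
    """Constructed inputs describing one connection attempt."""
    ap_in_range: bool = True
    ias_responds: bool = True
    root_ca_trusted: bool = True    # issuing root CA is in the client's Trusted Root store
    credentials_valid: bool = True
    dial_in_allowed: bool = True
    policy_matches: bool = True     # a matching remote access policy exists
    dhcp_responds: bool = True


@dataclass
class Result:
    messages: list                  # (sender, receiver, message) in order
    stopped_at: str                 # phase in which the attempt ended
    controlled_port_open: bool
    has_ip_address: bool


def connect(c):
    """Walk the phases in order and stop at the first one that fails."""
    msgs = []

    def send(sender, receiver, message):
        msgs.append((sender, receiver, message))

    def stop(phase, port_open=False):
        return Result(msgs, phase, port_open, False)

    send("client", "AP", "Probe-Request")
    if not c.ap_in_range:
        return stop("Scanning")
    send("AP", "client", "Probe-Response")
    send("client", "AP", "association")
    # The AP talks to IAS over the uncontrolled port; client data is still blocked.
    send("AP", "IAS", "RADIUS Access-Request")
    if not c.ias_responds:
        return stop("Access Request")
    send("IAS", "client", "EAP method negotiation (relayed by AP)")
    send("IAS", "client", "server certificate chain")
    if not c.root_ca_trusted:
        return stop("Authentication")
    send("client", "IAS", "user credentials inside the TLS session")
    if not c.credentials_valid:
        send("IAS", "AP", "Access-Reject")
        return stop("Authentication")
    if not (c.dial_in_allowed and c.policy_matches):
        send("IAS", "AP", "Access-Reject")
        return stop("Authorization")
    send("IAS", "AP", "Access-Accept")
    # Keys are configured and the AP enables the controlled port.
    send("client", "DHCP", "DHCP address request (controlled port)")
    if not c.dhcp_responds:
        return stop("DHCP Address Request", port_open=True)
    send("DHCP", "client", "IP address lease")
    return Result(msgs, "Network Access", True, True)


def single_fault_table():
    """Break one condition at a time; map the last message seen to its causes."""
    table = {}
    for field in fields(Conditions):
        result = connect(Conditions(**{field.name: False}))
        table.setdefault(result.messages[-1], []).append(
            (field.name, result.stopped_at))
    return table


if __name__ == "__main__":
    for last_message, causes in single_fault_table().items():
        print(last_message, "<-", causes)
```

An Access-Reject alone does not distinguish bad credentials from a dial-in or remote access policy problem, so the IAS side has to be checked to tell the Authentication and Authorization phases apart.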
Section 4: Network Diagnostics Framework
In Windows Vista, when a user experiences a network problem, Windows Vista will provide the user with the ability to diagnose and repair the problem. The diagnostic assessment and resolution steps that are provided to the user are in the application or user interface (UI) itself. During the diagnosis, the Network Diagnostics Framework (NDF) will analyze why the user’s task has failed, and will either present a solution to the problem, or list possible causes and steps that the user can take to fix the problem. The solution can be a process that is run automatically by Windows Vista, or it might be a request that the user manually perform a step. The resolution steps can involve configuration changes, or in some cases, contacting Microsoft Customer Service and Support and providing a report of the problem from the computer.
Wireless diagnostics overview
Wireless diagnostics are used to identify and correct wireless connectivity issues. Connectivity issues can include such things as failed connections and intermittent connectivity. Wireless diagnostics works with NDF, which, in turn, is part of Windows Diagnostics Infrastructure (WDI). The role of wireless diagnostics is to collect and analyze information about wireless connectivity, to provide the results of the analysis, and to provide the user with repair options.
Wireless diagnostics purpose and design
The following describes the design approach of wireless diagnostics in Windows Vista:
Inform the user about what has happened, or what is causing the problem.
Be sure that the user can understand the information and that the information is appropriate in the context of what the user is doing.
Instruct the user about how to fix the problem.
Provide options instead of errors.
Provide better support when diagnostics cannot present a solution.
Provide best-effort analysis of collected data.
Avoid asking the user for data that is available on the computer.
Direct the customer to someone who can help.
All diagnostics are prescriptive in nature, and solutions are corrective when possible. The design is also based on the principle that the solutions will not put the computer at risk.
Categorization of wireless issues
802.11 wireless diagnostics examines and diagnoses two categories of connectivity issues:
- Wireless (802.11) connectivity or configuration issues. These can include security issues associated with 802.11, such as the use of WEP keys for encryption or authentication.
Note
Due to known security issues with WEP encryption, it is recommended that you use only WPA2-Personal (preferred) or WPA.
- Layer 2 security issues. These can include issues such as certificate failures, 802.1X issues, and EAP authentication failure.
Top wireless issues covered by wireless diagnostics
The following are the top wireless issues:
Incorrect network key (WEP or WPA(2)-PSK).
Radio off (software or hardware switch).
Problem with the network adapter, hardware, or drivers.
802.1X certificate failures.
802.1X erroneously enabled or not enabled.
Authentication infrastructure (for example, the RADIUS server) is not responding.
802.1X discovery failures.
No visible networks, either because none are in range or because radio is off.
Frequent roams, swapping of connections.
Incompatible hardware or capability mismatch (that is, the client network adapter does not support settings required by AP).
Bad signal and connectivity, too far from the wireless AP, poor device placement (due to obstructions, for example), interference resulting in poor performance and throughput.
Wireless is connected, but cannot get an IP address.
Parts of wireless diagnostics
For the purposes of this document, wireless diagnostics are divided into two parts:
Wireless Diagnostics wizard. The Wireless Diagnostics wizard is similar to a configuration wizard. It can assist users by either fixing connectivity problems, or by providing the user with a next-step action. Although the primary focus is on identifying and resolving client-side connectivity problems, the Wireless Diagnostics wizard will attempt to analyze end-to-end network health, as seen from the client perspective and with client user rights, and attempt to determine if the problem is related to network services or infrastructure components.
Running the Wireless Diagnostics wizard should be the first step when you are trying to resolve wireless connectivity problems. Users can access an interactive Wireless Diagnostics wizard from several locations in the UI, which are discussed in Starting the Wireless Diagnostics wizard.
Diagnostics logs and reports. In addition to providing the interactive Wireless Diagnostics wizard, wireless diagnostics also logs information in event logs, operational logs, and wireless tracing reports. These logs and reports capture detailed information about wireless status and activity, connection attempts, system state, and the network environment.
IT administrators can automatically collect logged information from the client computers and store it for analysis in a central location using MOM integration, or a similar tool. Administrators can also use this information for planning purposes.
Microsoft Customer Service and Support personnel and developers can generate wireless tracing reports for advanced troubleshooting and debugging.
Information about the logs and reports that are generated by wireless diagnostics is discussed in Section 7: Event logs, diagnostics logs, and wireless tracing reports. Samples of diagnostic logs are provided in Appendix D: Trace File examples.
The remainder of this section contains information about the Wireless Diagnostics wizard.
Starting the Wireless Diagnostics wizard
The Wireless Diagnostics wizard is part of Network Diagnostics. You can start the Wireless Diagnostics wizard from several places on a client running Windows Vista. Accessing these entry points will start Network Diagnostics, which will then start the Wireless Diagnostics wizard, if appropriate. This section includes several procedures for starting the Wireless Diagnostics wizard.
Using the Network and Sharing Center notification area icon
The icon for the Network and Sharing Center is located to the left of the clock in the notification area.
Note
When you position the mouse pointer directly over the Network and Sharing Center notification area icon, the Currently connected to notification will appear. If the computer running Windows Vista is not connected to a network or another computer, the Network and Sharing Center icon is displayed with an X to indicate that your computer is not connected.
To start the Diagnostics wizard by using the Diagnose and repair option of the Network and Sharing Center notification area icon
- Right-click the Network and Sharing Center icon in the notification area, and then click Diagnose and repair.
Using the Diagnose network problems option in Network and Sharing Center
To start the Diagnostics wizard by using the Diagnose and repair option in the Network and Sharing Center
Click Start, click Network, and in the menu, click Network and Sharing Center.
In the left pane, click Diagnose and repair.
Using the Diagnose and repair option in Network and Sharing Center (option 2)
To start the Diagnostics wizard by using the Diagnose and repair option in the Network and Sharing Center
Click Start, click Connect to, and in Connect to a network, click Open Network and Sharing Center.
In Network and Sharing Center, in the left-hand pane, click Diagnose and repair.
Using the Repair option for a network connection icon in Network Connections
Network Connections provides several methods for starting diagnostics.
To start the Wireless Diagnostics wizard by using the Diagnose options for a Network Connections icon
Open Network Connections by using one of the following methods:
Click the Network and Sharing Center icon in the notification area, click Network and Sharing Center, and then in the left pane of Network and Sharing Center, click Manage network connections.
Click Start, click Network, click Network and Sharing Center, and then click Manage network connections.
Click Start, click Connect to, click Open Network and Sharing Center, and then click Manage network connections.
In LAN or High-Speed Internet, select the network connection you want, and then do one of the following:
Click Diagnose this connection.
Right-click the connection item, and then click Diagnose.
For wireless connections, attempt to connect to the network you want. Right-click the connection icon, and then click Connect/Disconnect. In Select a network to connect to, select the desired wireless network, and then click Connect.
If the connection attempt is unsuccessful, the Connect to a network dialog box provides an option to diagnose the problem. Click Diagnose the problem to start the Wireless Diagnostics wizard.
Using Connect to a network
To start the Wireless Diagnostics wizard by using Connect to a network
Click Start, click Connect to, and in Connect to a network, do one of the following:
In Select a network to connect to, select a wireless network, and then click Connect. If the connection attempt fails, the Connect to a network dialog box indicates that Windows cannot connect to the target resource. Click Diagnose the problem to open the Wireless Diagnostics wizard.
In Select a network to connect to, right-click the wireless network for which you want to diagnose the connectivity, and then click Diagnose.
Additional entry points
Internet Explorer: If Internet Explorer fails to connect to the target resource, it displays:
a message indicating that it cannot display the Web page.
a list of the most likely causes.
links to run Network Diagnostics and get online help information.
You can click Diagnose Connection Problems to open Network Diagnostics and, as appropriate, the Wireless Diagnostics wizard.
Start Search: If an attempt to access a resource by typing a UNC (Universal Naming Convention) name in Start Search fails, the resulting error message provides a link that you can use to run Network Diagnostics and, as appropriate, the Wireless Diagnostics wizard.
To use the Start Search entry point to start a Diagnostics session
Click Start, in Start Search, type the UNC name for the target resource, such as \\servername\sharename\directory\filename, and then press ENTER.
If the attempt to access the resource is unsuccessful, when the Network Error dialog box opens, click Diagnose to open Network Diagnostics.
In some cases, running the Wireless Diagnostics wizard will not fix the problem. In these situations, your next step is to use the netsh wlan commands documented in the next section to gather information that will be useful for troubleshooting.
Section 5: Netsh commands for wireless LAN
The netsh commands for wireless local area network in Windows Vista provide a lightweight alternative to Group Policy to configure and manage wireless connectivity and security settings. Netsh wlan is also a useful tool for troubleshooting wireless connectivity problems.
You can run the netsh wlan commands directly from the Windows Vista command prompt by typing netsh wlan followed by the command, or by switching to the wlan context by using the following instructions.
Entering the netsh wlan context
To enter the netsh context for wlan
Click Start, click Run, type cmd, and then click OK.
At the command prompt, type netsh, and then press ENTER.
Type wlan, and then press ENTER.
Using netsh wlan to gather troubleshooting information
The primary netsh wlan command for troubleshooting is show all, which you can use to gather the wireless profile configuration on multiple interfaces, and to collect data about the capabilities of the network cards and driver versions. For example, you can use the netsh wlan show all command to quickly determine:
whether the wireless network adapter supports the authentication and cipher standard required on your network.
if Auto-configuration (WLAN AutoConfig) logic is enabled.
whether 802.1X is enabled.
which EAP type is applied.
Running the netsh wlan show commands can uncover some types of configuration errors that result in connectivity problems.
The following procedures demonstrate how to use netsh wlan commands to gather troubleshooting information. After each procedure, you will find an example of the information that is rendered by the command.
Note
The complete Netsh command line reference for netsh wlan is available from the Microsoft TechNet Web site at Netsh Commands for Wireless Local Area Network (WLAN) [https://go.microsoft.com/fwlink/?LinkId=81752], and from the Microsoft Download Center at Netsh Commands for Wireless Local Area Network (WLAN) [https://go.microsoft.com/fwlink/?LinkId=81753].
show all
The show all command combines the following netsh wlan show commands:
show drivers - Displays the properties of the wireless adapter drivers on the computer.
show interfaces - Displays a list of the current wireless interfaces on the computer.
show settings - Displays the current global settings of the wireless LAN, including the information rendered by these two netsh wlan commands:
show autoconfig - Displays whether the wireless WLAN AutoConfig Service is enabled or disabled.
show blockednetworks - Displays whether blocked network settings are set to be displayed or hidden.
show filters - Displays the current list of allowed and blocked wireless networks.
show profiles - Displays a list of wireless profiles that are configured on the computer.
show networks MODE=BSSID - Displays a list of wireless networks that are visible on the computer.
The following table lists usage information for the netsh wlan show all command.
Syntax: | show all |
Parameters: | There are no parameters for this command. |
Remarks: | Displays the entire collection of 802.11 wireless interface information, network information, and wireless settings on the system, including: |
Example command: | |
The following command sample shows the information returned by the show all command.
F:\>netsh
netsh>wlan
netsh wlan>show all
Wireless System Information Summary
(Time: 1/18/2007 9:49:37 PM)
=======================================================================
============================== SHOW DRIVERS ===========================
=======================================================================
Interface name: Wireless Network Connection
Driver : Broadcom 802.11g Network Adapter
Vendor : Broadcom
Provider : Microsoft
Date : 6/21/2006
Version : 4.82.28.56
INF file : F:\Windows\INF\netbc6.inf
Files : 1 total
F:\Windows\system32\DRIVERS\BCMWL6.SYS
Type : Native Wi-Fi Driver
Radio types supported : 802.11g 802.11b
Authentication and cipher supported in infrastructure mode:
Open None
Open WEP
Shared None
Shared WEP
WPA2-Enterprise TKIP
WPA2-Personal TKIP
WPA2-Enterprise CCMP
WPA2-Personal CCMP
WPA-Enterprise TKIP
WPA-Personal TKIP
WPA-Enterprise CCMP
WPA-Personal CCMP
Authentication and cipher supported in ad-hoc mode:
Open None
Open WEP
=======================================================================
============================= SHOW INTERFACES =========================
=======================================================================
There is 1 interface on the system:
Name : Wireless Network Connection
Description : Broadcom 802.11g Network Adapter
GUID : 0dcf87d3-bed3-4518-ba99-f1066edb3d87
Physical Address : 00:14:bf:74:6d:c3
State : connected
SSID : WIR_TST_Lab
BSSID : 00:18:39:5a:5f:01
Network Type : Infrastructure
Radio Type : 802.11g
Authentication : WPA2-Enterprise
Cipher : CCMP
Connection Mode : Auto Connect
Channel : 6
Receive Rate (Mbps) : 54
Transmit Rate (Mbps) : 54
Signal : 94%
Profile : PEAP
=======================================================================
============================= SHOW SETTINGS ===========================
=======================================================================
Wireless LAN settings
---------------------
Show blocked networks in visible network list: No.
Auto configuration logic is enabled on interface "Wireless Network
Connection".
=======================================================================
============================== SHOW FILTERS ===========================
=======================================================================
Allow list on the system (group policy)
---------------------------------------
SSID: "WIR_TST_Lab", Type: Infrastructure
SSID: "GUEST", Type: Infrastructure
Allow list on the system (user)
-------------------------------
<None>
Block list on the system (group policy)
---------------------------------------
SSID: "WSUA-EAP", Type: Infrastructure
SSID: "Home", Type: Adhoc
SSID: "", Type: Adhoc
Block list on the system (user)
-------------------------------
<None>
=======================================================================
=========================== SHOW CREATEALLUSER ========================
=======================================================================
Everyone is allowed to create all user profiles.
=======================================================================
============================= SHOW PROFILES ===========================
=======================================================================
Profiles on interface Wireless Network Connection:
Group Policy Profiles (read only)
---------------------------------
PEAP
User Profiles
-------------
<None>
=======================================================================
========================== SHOW PROFILES NAME=* =======================
=======================================================================
Profile PEAP on interface Wireless Network Connection:
=======================================================================
Applied: Group Policy Profile
Profile Information
-------------------
Version : 1
Type : Wireless LAN
Name : PEAP
Control options :
Connection mode : Connect automatically
Network broadcast : Connect only if this network is broadcasting
AutoSwitch : Switch to more preferred network if
possible
Connectivity settings
---------------------
Number of SSIDs : 1
SSID name : "WIR_TST_Lab"
Network type : Infrastructure
Radio type : [ Any Radio Type ]
Vendor extension : Not present
Security settings
-----------------
Authentication : WPA2-Enterprise
Cipher : CCMP
Security key : Absent
802.1X : Enabled
EAP type : Protected EAP (PEAP)
802.1X auth credential : Machine or user credential
Cache user information : Yes
=======================================================================
======================= SHOW NETWORKS MODE=BSSID ======================
=======================================================================
Interface Name : Wireless Network Connection
There are 3 networks currently visible.
SSID 1 : WIR_TST_Lab
Network type : Infrastructure
Authentication : WPA2-Enterprise
Encryption : CCMP
BSSID 1 : 00:18:39:5a:5f:01
Signal : 97%
Radio Type : 802.11g
Channel : 6
Basic Rates (Mbps) : 1 2 5.5 11
Other Rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 2 : 00:18:39:5a:5f:01
Signal : 97%
Radio Type : 802.11g
Channel : 6
Basic Rates (Mbps) : 1 2 5.5 11
Other Rates (Mbps) : 6 9 12 18 24 36 48 54
SSID 2 : TST_WLAN
Network type : Infrastructure
Authentication : Open
Encryption : WEP
BSSID 1 : 00:0b:86:da:4b:a0
Signal : 20%
Radio Type : 802.11g
Channel : 6
Basic Rates (Mbps) : 5.5 11
Other Rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 2 : 00:0b:86:db:1b:40
Signal : 0%
Radio Type : 802.11g
Channel : 8
Basic Rates (Mbps) : 5.5 11
Other Rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 3 : 00:0b:86:db:30:80
Signal : 8%
Radio Type : 802.11g
Channel : 11
Basic Rates (Mbps) : 5.5 11
Other Rates (Mbps) : 6 9 12 18 24 36 48 54
SSID 3 : TST_GUEST
Network type : Infrastructure
Authentication : Open
Encryption : None
BSSID 1 : 00:0b:86:da:4b:a1
Signal : 28%
Radio Type : 802.11g
Channel : 6
Basic Rates (Mbps) : 5.5 11
Other Rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 2 : 00:0b:86:db:30:81
Signal : 8%
Radio Type : 802.11g
Channel : 11
Basic Rates (Mbps) : 5.5 11
Other Rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 3 : 00:0b:86:da:57:a1
Signal : 68%
Radio Type : 802.11g
Channel : 11
Basic Rates (Mbps) : 5.5 11
Other Rates (Mbps) : 6 9 12 18 24 36 48 54
netsh wlan>
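The four questions that show all is said to answer (adapter support for the required authentication and cipher, WLAN AutoConfig state, 802.1X state, and EAP type) can be checked mechanically against saved output. The following Python script is an added example, not part of the original document or a Microsoft tool; it also compares each profile with what the wireless AP advertises and lists visible WEP or unencrypted networks. The sample text is constructed in the layout shown above, the HomeLab profile and network are invented, and the report keys are this example's own names.

```python
import re

# Constructed, abridged sample in the "show all" layout; "HomeLab" is invented.
SAMPLE = '''
============================== SHOW DRIVERS ===========================
    Authentication and cipher supported in infrastructure mode:
                                Open            WEP
                                WPA2-Enterprise CCMP
                                WPA-Personal    TKIP
    Authentication and cipher supported in ad-hoc mode:
                                Open            None
============================= SHOW SETTINGS ===========================
    Auto configuration logic is enabled on interface "Wireless Network Connection".
========================== SHOW PROFILES NAME=* =======================
Profile PEAP on interface Wireless Network Connection:
    SSID name              : "WIR_TST_Lab"
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    802.1X                 : Enabled
    EAP type               : Protected EAP (PEAP)
Profile HomeLab on interface Wireless Network Connection:
    SSID name              : "HomeLab"
    Authentication         : WPA-Personal
    Cipher                 : TKIP
======================= SHOW NETWORKS MODE=BSSID ======================
SSID 1 : WIR_TST_Lab
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:18:39:5a:5f:01
SSID 2 : HomeLab
    Authentication          : WPA2-Personal
    Encryption              : CCMP
SSID 3 : TST_WLAN
    Authentication          : Open
    Encryption              : WEP
'''

BANNER = re.compile(r"^=+\s+(SHOW .+?)\s+=+$")
KEYVAL = re.compile(r"^(.+?)\s+:\s*(.*)$")

def sections(text):
    """Split the report into {banner name: [stripped, non-empty lines]}."""
    out, name = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = BANNER.match(s)
        if m:
            name = m.group(1)
            out[name] = []
        elif name and s and set(s) != {"="}:
            out[name].append(s)
    return out

def records(lines, start_re):
    """Group 'key : value' lines into dicts; a line matching start_re opens one."""
    recs = []
    for s in lines:
        if re.match(start_re, s):
            recs.append({})
        m = KEYVAL.match(s)
        if m and recs:
            key = re.sub(r"^SSID \d+$", "SSID", m.group(1))  # "SSID 2" -> "SSID"
            recs[-1][key] = m.group(2).strip('"')
    return recs

def supported_pairs(lines):
    """(authentication, cipher) pairs the driver lists for infrastructure mode."""
    pairs, active = set(), False
    for s in lines:
        if s.startswith("Authentication and cipher supported"):
            active = "infrastructure" in s
        elif active and len(s.split()) == 2:
            pairs.add(tuple(s.split()))
    return pairs

def audit(text):
    """Check every profile; a None result means the SSID is not currently visible."""
    sec = sections(text)
    pairs = supported_pairs(sec.get("SHOW DRIVERS", []))
    profiles = records(sec.get("SHOW PROFILES NAME=*", []), r"Profile .+ on interface ")
    nets = records(sec.get("SHOW NETWORKS MODE=BSSID", []), r"SSID \d+\s+:")
    seen = {n["SSID"]: (n.get("Authentication"), n.get("Encryption")) for n in nets}
    checks = []
    for p in profiles:
        want, ap = (p.get("Authentication"), p.get("Cipher")), seen.get(p.get("SSID name"))
        checks.append({
            "ssid": p.get("SSID name"), "dot1x": p.get("802.1X") == "Enabled",
            "eap": p.get("EAP type"),
            "adapter_supports_profile": want in pairs,
            "adapter_supports_ap": ap in pairs if ap else None,
            "profile_matches_ap": ap == want if ap else None,
        })
    return {
        "autoconfig": any("Auto configuration logic is enabled" in s
                          for s in sec.get("SHOW SETTINGS", [])),
        "weak_networks": sorted(k for k, v in seen.items() if v[1] in ("WEP", "None")),
        "profiles": checks,
    }
```

To use it on a client, save the report with netsh wlan show all > report.txt and pass the file's text to audit().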
show tracing
You can use show tracing to determine whether wireless tracing is enabled or disabled.
Syntax: | show tracing |
Parameters: | There are no parameters for this command. |
Remarks: | Displayed information includes: |
Example command: | |
The following command sample shows the information returned by the show tracing command.
F:\netsh
Netsh>wlan
Netsh wlan>show tracing
Wireless tracing is currently stopped.
Last trace logs are stored in "F:\Windows\tracing\wireless"
netsh wlan>
Section 6: Investigative questions and quick lists for common connectivity problems
When troubleshooting wireless connectivity, ask the following questions to help define the problem.
Is the problem isolated to a single computer? If so:
Has the computer previously connected successfully to the network?
Can other computers on the same subnet reach targeted resources?
Is the computer in a media disconnected state?
Many portable devices have an external switch to turn off the wireless antenna. Is the external switch turned off?
Is the wireless adapter disabled in Network Connections?
Is the wireless adapter hardware malfunctioning?
Is the computer attempting to connect to a wireless AP or wireless router that is either unplugged from its power source or malfunctioning?
Can you identify configuration changes on the computer between the time the computer most recently connected successfully to the wireless network and when the connection failed?
Review the status details of the local area connection in Network Connections. Is there information in Network Connection Details that indicates the source or nature of the connectivity problem?
Note
To open the details for a local area connection, in Network Connections, right-click the local area connection icon, click Status, and then click Details.
- Is there a value listed for **Connection-specific DNS Suffix**? Is the value the same as the name of your domain?
- In a DHCP network, are the TCP/IP properties of the local area connection configured for dynamic addressing? If so, **Yes** will be displayed in **DHCP Enabled**.
- Are both the IPv4 address and IPv4 subnet mask in the same range as those defined for the network subnet? Or, is the IPv4 address in **Autoconfiguration IPv4 Address** listed in the range of 169.254.0.1 through 169.254.255.254 with a subnet mask of 255.255.0.0?
Note
TCP/IP addresses in the range of 169.254.0.1 through 169.254.255.254 are Automatic Private IP Addressing (APIPA) addresses. When the TCP/IP protocol is configured for dynamic addressing and a DHCP server is not available, APIPA automatically configures a unique IP address from the 169.254.x.x range (where x is an integer between 1 and 254).
- Is there information in **Lease Obtained** or **Lease Expires**?
- Are the correct IP addresses displayed for the DHCP, DNS, and WINS servers?
Are multiple computers presenting the same symptoms? If so:
What do those computers have in common?
Do those computers connect to a common wireless AP?
Do the computers connect through one or more wireless APs that, in turn, connect to a common network switch?
Are the computers on the same subnet?
Do the computers or users belong to a common Active Directory security group?
Do the computers or users belong to an Active Directory security group that is controlled through a common IAS remote access policy?
Do the computers all obtain their TCP/IP addresses from the same DHCP server?
Is the connectivity outage constant or intermittent?
Can you identify changes in your network between the time the computers connected to the network successfully and the time when connections began to fail?
Review the location and timing of the problem to help narrow the scope of the problem. In addition, examine the failures systematically by referring to the sequence of steps used to establish communications, as described in Section 3: The authentication process.
Quick lists for common connectivity problems
This section provides a series of tables and lists that can help you to quickly identify conditions that can cause connectivity problems. The quick lists are presented in two categories: by symptom and by network type.
Quick lists by symptom
Symptom: Inability to connect
Symptom: Intermittent connectivity
Symptom: Incorrect, missing, or stale visible networks
Symptom: Wireless client has associated, but there is no valid IP address configuration or no network connectivity
Symptom: Wireless connection problems when performing a suspend and resume with a laptop computer
Symptom: Wireless Networks tab is not present for the properties of the wireless network adapter in the Network Connections folder or there are no visible wireless networks
Quick lists by network type
General network connectivity problems
Domain network connectivity problems
802.1X-authenticated network connectivity problems
Quick lists by symptom
The following series of tables present common symptoms, their causes, and likely solutions.
Symptom: Inability to connect
Possible Causes | Corrective Measures |
---|---|
|
|
Symptom: Intermittent connectivity
Possible Causes | Corrective Measures |
---|---|
|
|
Symptom: Incorrect, missing, or stale visible networks
Possible Causes | Corrective Measures |
---|---|
|
|
Symptom: Wireless client has associated, but there is no valid IP address configuration or no network connectivity
Possible Causes | Corrective Measures | ||
---|---|---|---|
|
|
Symptom: Wireless connection problems when performing a suspend and resume with a laptop computer
Possible Causes | Corrective Measures |
---|---|
|
|
Symptom: Wireless Networks tab is not present for the properties of the wireless network adapter in the Network Connections folder or there are no visible wireless networks
Possible Causes | Corrective Measures |
---|---|
|
|
Quick lists by network type
The following quick lists are not exhaustive catalogs of connectivity problems. They provide information about the types of conditions that can cause connectivity problems.
For the purposes of this document, network connectivity problems fall into three groups:
General network connectivity problems
Domain network connectivity problems
802.1X-authenticated network connectivity problems
General network connectivity problems
These types of problems can occur on networks ranging from SOHO workgroup-based networks to enterprise networks:
Note
In Windows Vista, Windows Network Diagnostics can frequently determine the cause of these types of errors, and either fix the problem or provide next-step user actions.
A wireless setting mismatch exists between the wireless AP and the wireless client. For example, the network key configured on the client does not match the network key configured on the wireless AP, or the wireless AP is configured to use WPA2-Personal and the client is configured with WPA-Personal.
The wireless adapter is disabled in Network Connections.
The external switch that controls the wireless antenna is turned off.
The wireless network adapter is malfunctioning.
Network clients configured with static IP addresses are not configured using the same IP address or subnet mask.
The DHCP service is enabled on the wireless router to provide addressing to network clients, but one or more network clients are configured with a static IP address.
Excluding networks on which client computers are configured with static addresses, the TCP/IP properties of the local area connection are not configured for dynamic addressing.
The DHCP server is disconnected from the network, powered off, or the service is not running. In a SOHO network, the DHCP service is typically provided by the wireless router or by Internet Connection Sharing (ICS).
In a SOHO network:
In a new wireless network, or when replacing your modem or wireless AP, you have not registered your modem, or the Media Access Control (MAC) address of your router, with your ISP. Modem or router registration varies by ISP.
Your ISP requires that the public (Internet) connection of your router is configured by the DHCP server on the ISP's network, but you have not configured the public connection on the router to accept DHCP leases. For example, you have configured the public connection on the wireless router with a static IP address.
Domain network connectivity problems
In addition to the general network connectivity problems, these types of problems commonly occur on domain networks, ranging from small organizations to enterprise networks:
Active Directory
The user does not have an account in Active Directory Users and Computers.
The dial-in properties of the user account or computer account in Active Directory Users and Computers are set to Deny access.
The user account has expired.
The user is attempting a connection at a prohibited time, as specified in the logon hours of the user account (the default setting is Logon Permitted for all hours).
The user is attempting a prohibited connection by using a computer not specified in the Log On To setting of the user account properties, and the default setting All computers is not selected.
The DNS service is stopped or is not configured.
The domain controller is offline.
Users and Computers
The client computer is not joined to the domain.
The client is attempting to log on to the domain with non-domain credentials.
DHCP
The DHCP scope is full, and can no longer lease addresses to requesting clients.
The IP address of the DHCP server was changed and now DHCP clients cannot get IP addresses.
The DHCP server is stopped.
On a newly configured DHCP server:
The DHCP server is not authorized in Active Directory.
The IP address range is incorrectly specified.
The DHCP service is stopped.
The DHCP scope is not activated.
The DHCP server is not on the same subnet as the clients.
The DHCP server is offline.
802.1X-authenticated network connectivity problems
This section provides examples of configuration problems that are specific to networks that deploy 802.1X-authenticating wireless APs and IAS for 802.1X-authenticated connections. In an 802.1X network, the following examples should be considered in addition to the examples listed in the previous two sections.
Active Directory Problems
- The Active Directory domain functional level is not raised to Windows Server 2003. IAS RADIUS settings require the Windows Server 2003 domain functional level.
Important
If domain controllers on your network are running Windows NT 4.0 and earlier, then do not raise the domain functional level to Windows 2000 native. After the domain functional level is set to Windows 2000 native, it cannot be changed back to Windows 2000 mixed. If domain controllers on your network are running Windows 2000 or Windows NT 4.0 and earlier, then do not raise the domain functional level to Windows Server 2003. After the domain functional level is set to Windows Server 2003, it cannot be changed back to Windows 2000 mixed or Windows 2000 native.
In Active Directory Users and Computers, the dial-in properties of the user account are not configured to Control access through Remote Access Policy.
The IAS remote access policy grants access for members of an Active Directory security group. However, the user is not a member of the security group that is specified in the remote access policy.
The authentication method specified in the Wireless Network (IEEE 802.11) Policies does not match the authentication method specified in the IAS remote access policy.
For example, if network clients running Windows Vista are configured by the Wireless Network (IEEE 802.11) Policies to use PEAP-MS-CHAPv2 authentication, but there is not a matching IAS remote access policy that specifies PEAP-MS-CHAPv2 authentication, the mismatch will prevent client authentication.
Client
- The WLAN AutoConfig Service is not running.
Note
By default, the WLAN AutoConfig Service startup type is set to start automatically. You can start the service in the Services console, by running the netsh wlan set autoconfig command on individual computers or in a script, or by configuring the service in Windows Server 2008 Group Policy.
In an 802.1X authenticating network with PEAP, EAP-TLS, or PEAP-TLS deployed, the user has chosen not to trust the server certificate when prompted.
Using EAP-TLS authentication, the client does not have a certificate that contains the Client Authentication purpose in the Enhanced Key Usage extension and is configured according to minimum client certificate requirements.
Certificate Services
For EAP-TLS deployments, the user does not have a client certificate.
The client does not have a corresponding root CA certificate that matches the issuing CA of the IAS server certificate.
IAS (RADIUS)
The RADIUS shared secret on the wireless AP does not match the shared secret configured for RADIUS clients in IAS.
The IAS remote access policy properties are configured to reject the user or computer requests. For example:
On the Settings tab, the properties of the policy are set to Deny remote access permission.
On the Dial-in Constraints tab of the remote access policy, time restrictions prohibiting the connection are configured using the Allow access only on these days and at these times setting.
On the Dial-in Constraints tab, an incorrect media type is specified in Allow access only through these media (NAS-Port-Type).
A mismatch exists between the trusted root certification authority that issued the RADIUS server certificate that is specified in the IAS remote access policy, and the trusted root certification authority that is specified in the properties of the selected EAP type in the Wireless Network (IEEE 802.11) Policies.
The wireless AP (RADIUS Client) vendor-specific attributes are configured incorrectly.
The IP address of the RADIUS client (wireless AP) specified in IAS is incorrect.
The IAS server certificate has expired.
The IAS service is stopped.
EAP is configured differently in the applicable remote access policy from the way it is configured in the Wireless Network (IEEE 802.11) Policies in Active Directory.
On a newly configured IAS server:
IAS is not registered in Active Directory.
The IAS service is not running.
The IAS server does not have a server certificate.
Wireless AP
The wireless AP does not have the correct or latest firmware.
The IP address of the wireless AP is incorrectly configured for the subnet.
The wireless AP does not specify the correct address of the IAS RADIUS server.
802.1X is not enabled on the switch.
The RADIUS shared secret configured on the wireless AP does not match the shared secret configured on the RADIUS server.
Wireless user troubleshooting quick list
Wireless users can follow these steps to solve several common problems associated with wireless connections:
Many portable computers have a switch that can be used to turn the 802.11 wireless network adapter antenna on and off. Be sure that the switch is turned on. For more information, see the product documentation for your portable computing device.
Make sure that the wireless adapter has not been disabled in Network Connections. You can enable a wireless adapter through the UI by right-clicking a wireless adapter icon, and then selecting Enable.
Wireless adapters that have been disabled in Network Connections do not appear in the notification area and can only be enabled in Network Connections.
Use WLAN AutoConfig to configure wireless network settings. When enabled, WLAN AutoConfig allows you to connect to an existing wireless network, change wireless network connection settings, configure a connection to a new wireless network, and specify preferred wireless networks. It also notifies you when new wireless networks are available. When you switch wireless networks, your wireless network adapter settings will be dynamically updated to match the settings of that new network and a network connection attempt will be made.
If you are connecting to a wireless network for the first time, WLAN AutoConfig will configure basic network settings, if the service is enabled. However, you might need to configure additional settings, such as the data encryption type or network key, if they are not automatically configured for your account through the Wireless Network (IEEE 802.11) Policies in Active Directory. You might also need to request account permissions from your network administrator.
Check to see if the desired wireless network appears in the network list. Right-click the network center icon, and then click Connect to a network. If the desired wireless network does not appear under Select a network to connect to, you might be outside of the broadcast range of that network or the network might be suppressing the beaconing signal. First, try to relocate the wireless device to a location that receives a stronger signal. To refresh the network list and get the most current list of wireless networks that are advertising within reception range of your computer, right-click the Network Center icon, click Connect to a network, and then click the Refresh button.
Note
Some infrastructure networks suppress the beaconing signal because they do not want to advertise the availability of their wireless network. In Windows Vista, hidden networks appear under Choose a wireless network as Unnamed Network, indicating that a hidden SSID is present. You can connect to these networks if you manually configure a wireless profile with all of the correct network settings, such as the SSID, network key, network authentication and encryption, and enable the setting Connect even if the network is not broadcasting.
Important
Enabling the Connect even if the network is not broadcasting setting can create a security risk. When Connect even if the network is not broadcasting is enabled, wireless clients will probe for, and attempt connections to, any wireless network. By default, this setting is not enabled.
Check to see if there is a wireless warning icon in the notification area. You can click the warning icon to get information about the error as well as possible remedies. If you used Connect to a network to open the list of available wireless networks, under Select a network to connect to, check for a warning where the wireless network is displayed. You can click the warning link text to get information about the warning and possible remedies.
If you have previously connected successfully to a network, but connection attempts to that network now fail, right-click the wireless icon, and then click Diagnose.
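The Important note above about Connect even if the network is not broadcasting can be checked by reading exported wireless profiles. The following Python is an added example, not part of the original document; it assumes the profiles were exported to XML (for example with netsh wlan export profile) and that the setting is stored as the nonBroadcast element of the WLAN profile schema. Both sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the WLAN profile schema used by exported profile XML.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample: a profile with the hidden-network setting enabled.
HIDDEN_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>WIR_TST_Lab</name>
  <SSIDConfig>
    <SSID><name>WIR_TST_Lab</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
</WLANProfile>"""

# Constructed sample: no nonBroadcast element, so the default (false) applies.
BROADCAST_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Constructed_Guest</name>
  <SSIDConfig>
    <SSID><name>Constructed_Guest</name></SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
</WLANProfile>"""


def _text(root, path, default=""):
    """Return the stripped text of the first element at `path`, or `default`."""
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else default


def audit_profile(xml_text):
    """Summarise one exported profile and report the hidden-network setting."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}WLANProfile" % NS["w"]:
        raise ValueError("not a WLAN profile document")
    # xs:boolean allows both "true" and "1".
    flag = _text(root, "w:SSIDConfig/w:nonBroadcast", "false").lower()
    return {
        "profile": _text(root, "w:name"),
        "ssid": _text(root, "w:SSIDConfig/w:SSID/w:name"),
        "connection_mode": _text(root, "w:connectionMode", "auto"),
        "non_broadcast": flag in ("true", "1"),
    }


def profiles_to_review(xml_texts):
    """Return the reports of profiles that have the setting enabled."""
    reports = [audit_profile(text) for text in xml_texts]
    return [r for r in reports if r["non_broadcast"]]


if __name__ == "__main__":
    for report in profiles_to_review([HIDDEN_PROFILE, BROADCAST_PROFILE]):
        print("review: profile %(profile)s (SSID %(ssid)s, mode %(connection_mode)s) "
              "connects even if the network is not broadcasting" % report)
```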
Section 7: Event logs, diagnostics logs, and wireless tracing reports
This section contains information about how to locate and review data collected in the following logs and reports:
Basic event logging (Event Viewer and system logs)
Operational logging (Applications and Services, WLAN-AutoConfig operational logs)
Wireless tracing reports (Wireless Diagnostics)
Event Viewer and system logs
You can use the WLAN AutoConfig events captured in the Event Viewer to track the start and stop state of the WLAN AutoConfig Service. You can use these logs to determine whether the WLAN AutoConfig Service is functioning correctly.
To access the Event Viewer
On a computer equipped with an 802.11 wireless adapter, click Start, right-click Computer, and then click Manage.
In the Computer Management console, click Event Viewer, click Windows Logs, and then click System. This will open the System Event logs.
In the details pane, filter the view by source or service type.
In the Source column, navigate to WLAN AutoConfig events to view wireless events.
Example system event logs
The following examples show the type of information reported in the Event Viewer.
Example 1
WLAN AutoConfig service has successfully started.
Example 2
WLAN AutoConfig service has successfully stopped.
Applications and Services WLAN AutoConfig operational log
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure.
Opening the WLAN AutoConfig operational log
To access the WLAN AutoConfig operational log
On a computer equipped with an 802.11 wireless adapter, click Start, right-click Computer, and then click Manage.
In the Computer Management console, click Event Viewer, click Applications and Services, and then click Microsoft, as shown in the following figure:
Click Windows, click WLAN-AutoConfig, and then click Operational, as shown in the following figure:
In the details pane, click the event to display the logged information.
Example WLAN AutoConfig operational logs
The following examples illustrate the type of information reported in the WLAN AutoConfig operational log.
Example 1
WLAN AutoConfig service has successfully connected to a wireless network.
Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Automatic connection with a profile
Profile Name: PEAP
SSID: WIR_TST_Lab
BSS Type: Infrastructure
BSSID: 00:18:39:5A:5F:01
PHY Type: 802.11g
Authentication: WPA2-Enterprise
Encryption: AES
802.1X Enabled: Yes
Example 2
WLAN AutoConfig service failed to connect to a wireless network.
Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Automatic connection with a profile
Profile Name: PEAP
SSID: WIR_TST_Lab
BSS Type: Infrastructure
Failure Reason:802.1X authentication did not complete within configured time
Example 3
WLAN AutoConfig service failed to connect to a wireless network.
Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Automatic connection with a profile
Profile Name: PEAP
SSID: WIR_TST_Lab
BSS Type: Infrastructure
Failure Reason:Driver disconnected while associating.
Example 4
WLAN AutoConfig service failed to connect to a wireless network.
Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Automatic connection with a profile
Profile Name: PEAP
SSID: WIR_TST_Lab
BSS Type: Infrastructure
Failure Reason:There was no response to the EAP Response Identity packet
Example 5
WLAN AutoConfig service failed to connect to a wireless network.
Network Adapter: Broadcom 802.11g Network Adapter
Interface GUID: {0DCF87D3-BED3-4518-BA99-F1066EDB3D87}
Connection Mode: Connection to a secure network without a profile
Profile Name: WIR_TST_Lab
SSID: WIR_TST_Lab
BSS Type: Infrastructure
Failure Reason:The specific network is not available.
Wireless Diagnostics and wireless tracing reports
Sometimes the basic Event Viewer system logs and operational logs cannot provide enough information for you to diagnose a connection issue. To continue troubleshooting, you need more information about which processes are occurring with individual wireless components. You can use Wireless Diagnostics to generate the Microsoft Wireless Diagnostics Report, which contains numerous reports.
Most of the information generated by the Microsoft Wireless Diagnostics Report is intended for developers and administrators. However, the summary information in the Diagnostics Results section of the report can help network administrators, help desk personnel, and advanced users who are troubleshooting wireless connectivity problems.
The following list follows the structure of the Microsoft Wireless Diagnostics Report, and summarizes the purpose and content of each part of the report:
Diagnostic Results - This portion of the Microsoft Wireless Diagnostics Report provides symptom, cause, event details, and suggested resolutions.
Wireless Networking Troubleshooting information - Intended for Microsoft Customer Service and Support and developers, this report contains the following information:
Software Configuration - contains relevant details about the Windows Vista operating system, and wireless networking system files.
Hardware Configuration - contains information about the computer make and model, and wireless network adapter information.
System State - enumerates the state of system services at the time the Microsoft Wireless Diagnostics Report was generated, and provides current user and environment information.
Wireless Network Configuration - contains information about wireless network configuration profiles.
Connection Attempts - lists details about each aspect of the connection attempt that was processed during the generation of the current instance of the Microsoft Wireless Diagnostics Report.
Wireless Trace - contains Wireless trace logs and event logs. These logs are mainly used by developers and Microsoft Customer Service and Support personnel.
CPU - provides statistics about CPU usage.
Network Diagnostics - contains additional debugging and diagnostic details for developers and Microsoft Customer Service and Support personnel.
Generating Microsoft Wireless Diagnostics Report
Generating the Microsoft Wireless Diagnostics Report is a three-step process: enable wireless tracing, reproduce the wireless connectivity error, and then stop wireless tracing.
When tracing is enabled, it runs silently in the background while the problem is re-created. When the logging is turned off, a process will run that will automatically compile the Microsoft Wireless Diagnostics Report.
To generate a Microsoft Wireless Diagnostics Report
On a computer equipped with an 802.11 wireless adapter, click Start, right-click Computer, and then click Manage.
In the Computer Management console, click Reliability and Performance, click Data Collector sets, click System, right-click Wireless Diagnostics, and then click Start. This will start the wireless diagnostic tracing. This is shown in the following figure:
Attempt to connect to the wireless network to reproduce the error condition.
Right-click Wireless Diagnostics, and then click Stop to stop the wireless diagnostic tracing.
Click Reports, click System, click Wireless Diagnostics, and then click Wireless to open the top level of the Microsoft Wireless Diagnostics Report. This is shown in the following figure.
Diagnostics Results
The Diagnostics Results section of the Microsoft Wireless Diagnostics Report provides summary information about the symptom, cause, and resolution of the connectivity problem. Network administrators, help desk personnel, and advanced users can use this information to help troubleshoot and resolve wireless connectivity problems.
The following examples illustrate the type of diagnostic information that wireless tracing generates in Diagnostics Results.
Example 1:
Symptom: The user successfully connected to a wireless network.
Cause: The most recent wireless network connection attempt was successful.
Details: The user connected to the wireless network with the following SSID: WIR_TST_Lab
Resolution: No resoultion required.
Example 2:
Symptom: The user failed to connect to the desired wireless network.
Cause: The reason for the failure of the most recent wireless network connection attempt is: User has cancelled the operation.
Details: The user attempted to connect to the wireless network with the SSID: WIR_TST_Lab
Resolution: Confirm that both the wireless network adapter and the wireless network access point are using the same version of the 802.11 protocol.
Also, confirm that both the wireless network adapter and the wireless network access point are using the same encryption scheme.
Wireless trace logs
The wireless trace logs that are generated in the Microsoft Wireless Diagnostics Report are a set of files that contain highly-detailed information about specific aspects of wireless service-related components in Windows Vista. The wireless trace logs are intended to be used by help desk personnel and developers for advanced troubleshooting and debugging issues.
To open wireless trace logs
In the Microsoft Wireless Diagnostics Report, open Wireless Networking Troubleshooting Information. This is shown in the following figure:
Click Wireless Trace, as shown in the following figure:
The following wireless trace files are generated when you enable wireless tracing.
OneX Trace (onex.txt): 802.1X library communication – conversation with EapHost
Diagnostics Helper Class Trace (diaghc.txt)
Wlan Trace (wlan.txt): This log gathers the output from the following components: AutoConfig, the FAT and RNFW MSM, Native WiFi Intermediate driver, and the Diagnostics core
Msmsec Trace (msmsec.txt): 802.11 security module
Extensibility Trace (ext.txt): Extensibility framework logging
Native Wifi Driver Trace (nwifi.txt)
Wireless GP Trace (wlangp.txt)
Layer 2 Network Access Trace (L2nacp.txt): Single Sign On (SSO)
Wireless AutoConfiguration Event Log (not a text file)
Wireless Diagnostics Event Log (not a text file)
The reading of diagnostic logs is not an exact science. Sometimes the most useful troubleshooting information obtained from a trace log is an observed behavior pattern, rather than a specific error. For this reason, it is important that you understand the layout and relationship of the wireless components that are discussed in Section 2: Wireless infrastructure components and Section 3: The authentication process.
Trace logs frequently capture redundant information; multiple logs will note the same events, but from a different perspective. For example, the MSMSEC, WLAN, and OneX logs all record connection events, but report different information. This is helpful for determining where a problem occurred and in which phase of the connection process.
The following shows the typical layout of a trace file:
[0] 12:50:01.256 TX=54 Mbps RX=54 Mbps
[0] 12:50:11.396 TX=54 Mbps RX=54 Mbps
[0] 12:50:18.978 Receive 1X packet: FrameSeq# 4077: 00-18-39-5A-5F-01 ==> 00-14-BF-74-6D-C3 STATUS_SUCCESS
[0] 12:50:18.978 1X Packet: Unknown version 2, type 0
0000 01080005 01 .....
[3796] 12:50:18.982 Send 1X packet: 00-14-BF-74-6D-C3 ==> 00-18-39-5A-5F-01
[3796] 12:50:18.982 PPP-EAP: EAPCODE_0x00000002(Response) Id=0x08 EAPTYPE_0x00000001(Identity) len=15
0000 4558414D 504C455C 47504164 6D696E EXAMPLE\GPAdmin
[3796] 12:50:18.982 Send Security Packet: NDIS_PACKET=85672320
[0] 12:50:18.983 Send Security Packet Completion: STATUS_SUCCESS NDIS_PACKET=85672320
[0] 12:50:18.994 Receive 1X packet: FrameSeq# 4078: 00-18-39-5A-5F-01 ==> 00-14-BF-74-6D-C3 STATUS_SUCCESS
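The hex dumps in the trace layout above are EAP bytes: the received packet is the EAP-Request/Identity and the sent packet is the EAP-Response/Identity described in Appendix A, Part 1. The following Python is an added example, not part of the original document; it decodes them with the EAP header layout from RFC 3748 (Code, Identifier, Length, Type), rebuilds the response header from the fields on the PPP-EAP line because the trace dumps only the type data, and shows which identity the client sent before the TLS channel existed. Function names are illustrative.

```python
import re
import struct

# Bytes and fields copied from the trace layout sample (wrapped entries joined).
REQUEST_DUMP = "0000 01080005 01 ....."
RESPONSE_SUMMARY = ("PPP-EAP: EAPCODE_0x00000002(Response) Id=0x08 "
                    "EAPTYPE_0x00000001(Identity) len=15")
RESPONSE_DUMP = r"0000 4558414D 504C455C 47504164 6D696E EXAMPLE\GPAdmin"

# EAP codes from RFC 3748; method type numbers from the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

HEX_GROUP = re.compile(r"(?:[0-9A-Fa-f]{2}){1,4}")
SUMMARY_RE = re.compile(
    r"EAPCODE_0x([0-9A-Fa-f]+)\(\w+\)\s+Id=0x([0-9A-Fa-f]+)\s+"
    r"EAPTYPE_0x([0-9A-Fa-f]+)\(\w+\)\s+len=(\d+)")


def hexdump_bytes(line, length=None):
    """Return the bytes of one dump line: offset, hex groups, ASCII column.

    Groups are read until the first token that is not hex. Pass `length` when
    the trace states it, so an ASCII column that happens to look like hex
    cannot be mistaken for data.
    """
    data = bytearray()
    for token in line.split()[1:]:          # skip the offset column
        if not HEX_GROUP.fullmatch(token):
            break
        data += bytes.fromhex(token)
    if length is not None:
        if len(data) < length:
            raise ValueError("dump is shorter than the stated length")
        data = data[:length]
    return bytes(data)


def parse_eap(packet):
    """Decode one EAP packet; raise ValueError if the header is inconsistent."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 4 <= length <= len(packet):
        raise ValueError("EAP Length %d does not fit %d captured bytes"
                         % (length, len(packet)))
    fields = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
              "id": ident, "length": length, "type": None, "data": b""}
    if code in (1, 2):                      # only Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        fields["type"] = EAP_TYPES.get(packet[4], "type %d" % packet[4])
        fields["data"] = packet[5:length]
    return fields


def is_well_formed(packet):
    """True if parse_eap accepts the packet."""
    try:
        parse_eap(packet)
        return True
    except ValueError:
        return False


def response_from_trace(summary, dump):
    """Rebuild the full EAP packet from a PPP-EAP summary line and its dump."""
    match = SUMMARY_RE.search(summary)
    if not match:
        raise ValueError("not a PPP-EAP summary line")
    code, ident, eap_type = (int(g, 16) for g in match.groups()[:3])
    data = hexdump_bytes(dump, int(match.group(4)))
    header = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type)
    return parse_eap(header + data)


def is_reply_to(response, request):
    """A Response answers a Request only if the Identifier values match."""
    return (request["code"] == "Request" and response["code"] == "Response"
            and response["id"] == request["id"])


if __name__ == "__main__":
    req = parse_eap(hexdump_bytes(REQUEST_DUMP))
    resp = response_from_trace(RESPONSE_SUMMARY, RESPONSE_DUMP)
    print(req)
    print(resp, "answers request:", is_reply_to(resp, req))
```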
Two-page samples of each of the three main troubleshooting and debugging trace files are included in Appendix D: Trace File examples:
OneX Trace file
Wlan Trace file
Msmsec Trace file
What to look for in wireless trace files
The two main things to look for in the wireless trace files are keywords and reason codes. The following two lists provide keyword and reason code examples:
Keywords
The types of keywords to look for are error, failed, failure, or rejected.
[2476] 12:51:42.130 Port(37): Received a failure indication from the local Eap dll with error code 0x80420105 and reason code 0x80420105
[2476] 12:51:42.130 Port(37): Eap error info contains winError=0x80420105, reasonCode=0x80420105, EapMethod(Type=25), rootCauseString=The authentication failed because the user certificate required for this network was rejected by the server
[2476] 12:51:42.130 Port(37): The auth failed. Deleting all cached UI
[3796] 12:51:42.142 [Strings] RC=<1:The authentication failed because the user certificate required for this network was rejected by the server>, ep=<1:Provide valid user credentials for this network connection
[1592] 10:51:00.840 [Strings] RC=<1:The authentication failed because there is a problem with the user account
[1136] 12:51:42.130 Port <37> Peer 00:18:39:5A:5F:01 AuthMgr Transition AUTHENTICATING (7) --> AUTH FAILED (10)
[1136] 12:51:42.130 Port<37> 05AF04F0 Complete Processing Event <MSMSEC_PORT_PRIVATE_EVENT_AUTH_ONEX_FAILURE>
Reason codes:
[2344] 10:35:03.812 INFO: Is Network Compatible = 0x00000000(false), Security Incompatible reason=262174
[2476] 12:51:42.142 Post Connect Security has FAILED with reason code: 327685
[1388] 10:50:38.342 SL: Profile = PEAP, reason code = 0
[3796] 12:51:42.142 SecNotif[Update:1] OneXAuthStatus=<4>, Reason=<327685>, dwError=<-2143158011>
[1388] 10:50:58.070 Post Connect Security has FAILED with reason code: 327686
[3796] 12:51:42.646 ACM: Connection failed. Interface = Broadcom 802.11g Network Adapter, reason code = 327685
[2332] 10:35:10.267 DiagnoseMsmSecCapabilityMatchFailure: WLAN_REASON_CODE_MSMSEC_CAPABILITY_PROFILE_AUTH
You can look up reason code values or their #define names in the tables in Appendix E: Mapping of reason codes to event messages to find the associated event message or friendly string.
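The keyword and reason-code search described above can be scripted. The following Python is an added example, not part of the original document: it parses the [thread] time message layout, rejoins wrapped entries, flags the four keywords, and normalises every code to unsigned 32-bit hex so that the same failure can be matched across logs (the signed dwError value in the SecNotif entry is the same code as 0x80420105 in the OneX entries). The sample is constructed from entries in the two lists above.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the keyword and reason-code lists,
# with one long entry left wrapped the way the trace files wrap it.
SAMPLE_TRACE = """\
[2476] 12:51:42.130 Port(37): Received a failure indication from the local Eap dll with error code 0x80420105 and reason code 0x80420105
[2476] 12:51:42.130 Port(37): Eap error info contains winError=0x80420105, reasonCode=0x80420105, EapMethod(Type=25), rootCauseString=The
authentication failed because the user certificate required for this network was rejected by the server
[1388] 10:50:38.342 SL: Profile = PEAP, reason code = 0
[3796] 12:51:42.142 SecNotif[Update:1] OneXAuthStatus=<4>, Reason=<327685>, dwError=<-2143158011>
[2476] 12:51:42.142 Post Connect Security has FAILED with reason code: 327685
[3796] 12:51:42.646 ACM: Connection failed. Interface = Broadcom 802.11g Network Adapter, reason code = 327685
[0] 12:50:11.396 TX=54 Mbps RX=54 Mbps
"""

ENTRY_RE = re.compile(r"^\[(\d+)\]\s+(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
KEYWORD_RE = re.compile(r"\b(error|failed|failure|rejected)\b", re.IGNORECASE)
# Labels seen in the sample lines, followed by a decimal or hex value.
CODE_RE = re.compile(
    r"\b(reason\s*code|reason|winError|dwError|error\s*code)"
    r"\s*[=:]?\s*<?(-?0x[0-9A-Fa-f]+|-?\d+)>?",
    re.IGNORECASE,
)


def to_u32(text):
    """Convert a decimal, signed decimal or 0x-prefixed value to unsigned 32-bit."""
    value = int(text, 16) if "x" in text.lower() else int(text, 10)
    return value & 0xFFFFFFFF


def parse_trace(text):
    """Split a trace into entries; lines without a [thread] prefix continue
    the previous entry."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append({"thread": int(match.group(1)),
                            "time": match.group(2),
                            "message": match.group(3).strip()})
        elif entries and line.strip():
            entries[-1]["message"] += " " + line.strip()
    return entries


def triage(text):
    """Return the entries that contain a keyword or a non-zero code."""
    findings = []
    for entry in parse_trace(text):
        keywords = sorted({k.lower() for k in KEYWORD_RE.findall(entry["message"])})
        codes = {}
        for label, raw in CODE_RE.findall(entry["message"]):
            value = to_u32(raw)
            if value:                      # a code of 0 reports success
                codes[label] = value
        if keywords or codes:
            findings.append(dict(entry, keywords=keywords, codes=codes))
    return findings


def correlate(findings):
    """Group (time, thread) pairs by normalised code."""
    by_code = defaultdict(set)
    for finding in findings:
        for value in finding["codes"].values():
            by_code[value].add((finding["time"], finding["thread"]))
    return dict(by_code)


if __name__ == "__main__":
    found = triage(SAMPLE_TRACE)
    for f in found:
        codes = ", ".join("%s=0x%08X (%d)" % (k, v, v) for k, v in f["codes"].items())
        print(f["time"], "[%d]" % f["thread"], f["keywords"], codes)
    for code, seen in sorted(correlate(found).items()):
        print("0x%08X seen in threads %s" % (code, sorted({t for _, t in seen})))
```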
Appendices
The following appendices are provided in this section:
Appendix A: Detailed EAP and PEAP-MS-CHAP v2 operations
Appendix B: Windows Vista DLLs and function descriptions
Appendix C: Using netsh wlan to manage tracing
Appendix D: Trace File examples
Appendix E: Mapping of reason codes to event messages
Appendix A: Detailed EAP and PEAP-MS-CHAP v2 operations
This section describes the detailed operations of EAP and Protected EAP (PEAP) MS-CHAPv2 authentication.
802.1X EAP authentication phases
This section provides information about the 802.1X EAP authentication phases.
With EAP, the specific authentication mechanism is not chosen during the association phases of the connection; instead, each peer negotiates to perform EAP during the connection authentication phase. When the connection authentication phase is reached, the peers negotiate the use of a specific EAP authentication scheme known as an EAP method or EAP type.
EAP over RADIUS is used in environments where RADIUS is the authentication provider. An advantage of using EAP over RADIUS is that EAP types do not need to be installed at each network access server (in the case of wireless, access points), only at the RADIUS server. However, the access server must support the negotiation of EAP as an authentication protocol and the passing of EAP messages to a RADIUS server. In a typical deployment of EAP over RADIUS, the wireless AP is configured to use EAP and to use RADIUS as its authentication provider. Because EAP is part of the IEEE 802.1X standard, you must enable IEEE 802.1X authentication to enable a wireless AP to use EAP.
EAP over RADIUS is not an EAP type; it is the passing of EAP messages of any EAP type by the access server to a RADIUS server for the purpose of authentication. An EAP message sent between the access client and access server is formatted as the EAP-Message RADIUS attribute and sent in a RADIUS message between the access server and the RADIUS server. The wireless AP becomes a pass–through device, passing the EAP message between the access (wireless) client and the RADIUS server. EAP messages are processed by the access client and the RADIUS server, not by the wireless AP.
PEAP-MS-CHAPv2 requires a certificate on each RADIUS server, but not on the wireless client. IAS servers must have a certificate installed in their Local Computer certificate store. Instead of deploying a PKI, you can purchase individual certificates from a non-Microsoft CA to install on your IAS servers. To ensure that wireless clients can validate the IAS server certificate chain, the root CA certificate of the CA that issues the IAS server certificates must be installed on each wireless client.
Windows XP, Windows Server 2003, and Windows Vista include the root CA certificates of many non-Microsoft CAs. If you purchase your IAS server certificates from a non-Microsoft CA for which your Windows clients do not include a corresponding root CA certificate, you must install the root CA certificate on each wireless client. If you purchase your IAS server certificates from a non-Microsoft CA that corresponds to an included root CA certificate, no additional wireless client configuration is required.
Part 1: Creating the TLS channel and authentication method negotiation
The following process creates the TLS channel:
If the wireless AP observes a new wireless client associating with it, the wireless AP transmits an EAP-Request/Identity message to the wireless client. Alternatively, when a wireless client associates with a new wireless AP, it transmits an EAP-Start message. If the IEEE 802.1X process on the wireless AP receives an EAP-Start message from a wireless client, it transmits an EAP-Request/Identity message to the wireless client.
The wireless client responds with an EAP-Response/Identity message that contains the identity (user name or computer name) of the wireless client.
The EAP-Response/Identity message is sent by the wireless AP to the RADIUS server. From this point on, the logical communication occurs between the RADIUS server and the wireless client by using the wireless AP as a pass-through device.
The RADIUS server sends an EAP-Request/Start PEAP message to the wireless client.
The wireless client and the RADIUS server exchange a series of TLS messages through which the cipher suite for the TLS channel is negotiated and the RADIUS server sends a certificate chain to the wireless client for authentication.
At the end of PEAP negotiation:
The RADIUS server has authenticated itself to the wireless client.
Both the wireless client and RADIUS server have determined mutual encryption keys for the PEAP-TLS channel by using public key cryptography, not passwords.
All subsequent EAP messages sent between the wireless client and the RADIUS server are encrypted.
Part 2: PEAP-MS-CHAP-v2
This section examines the PEAP-MS-CHAPv2 operation of 802.1X authentication and authorization.
After the PEAP-TLS channel is created, PEAP-MS-CHAP-v2 performs the following steps to authenticate the wireless client, based on user name and password credentials:
The RADIUS server sends an EAP-Request/Identity message.
The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
The RADIUS server sends an EAP-Request/EAP-MS-CHAPv2 Challenge message that contains a challenge string.
The wireless client responds with an EAP-Response/EAP-MS-CHAPv2 Response message that contains both the response to the RADIUS server challenge string and a challenge string for the RADIUS server.
The RADIUS server verifies the client credentials against the user accounts database, and if a matching record is found, sends an EAP-Request/EAP-MS-CHAPv2 Success message. The EAP-Request/EAP-MS-CHAPv2 Success message indicates that the wireless client response is correct, and contains the response to the wireless client challenge string.
The wireless client responds with an EAP-Response/EAP-MS-CHAPv2 Ack message, indicating that the RADIUS server response is correct.
The RADIUS server sends an EAP-Success message.
At the end of this mutual authentication exchange:
The wireless client has provided proof of knowledge of the correct password (the response to the RADIUS server challenge string).
The RADIUS server has provided proof of knowledge of the correct password (the response to the wireless client challenge string).
The entire exchange has been encrypted through the TLS channel created in the first part of the PEAP authentication.
At this point, the 802.1X controlled port on the AP allows the wireless client’s traffic to traverse the controlled port. The client sends a DHCP "address request" through the 802.1X controlled port to the network. If a DHCP server responds, the client obtains an IP address. If configured, the Wireless Network (IEEE 802.11) Policies are applied or refreshed. Provided the client has the correct permissions, the client is able to access network resources.
Appendix B: Windows Vista DLLs and function descriptions
Main DLLs
wlanui.dll – WLAN UI implements the Windows Vista supplicant UI for creating and editing wireless profiles settings.
wlanapi.dll - Public API to interface with Auto Configuration Module (ACM).
wlansvc.dll – 802.11 AutoConfiguration service is the core service for Windows Vista. It is responsible for discovering, connecting, and disconnecting from wireless networks. It also handles passing the appropriate configuration information to the 802.11 Media Specific Module (MSM).
wlanmsm.dll – 802.11 Media Specific Module manages communication between Security Module, the IHV Security Manager and Native Wi-Fi and FAT (legacy) network drivers. It is the bridge between the media specific drivers is the interface between the It is also responsible for bridging associations.
Supporting DLLs
wlancfg.dll - Command Line Interface (CLI) provides all scripting and command line configuration functionality. For example, profile import and export functions, profile configuration manipulation, blocked lists export, etc, can all be displayed through the Netsh interface.
l2nacp.dll - Single Sign On (SSO) Manager is responsible for prompting for additional credentials and interacting with the Logon UI and the ACM. (l2na refers to layer 2 network authentication.)
wlangpui.dll – Group Policy UI implements the UI for wireless Group Policy settings.
wlangpclnt.dll – Group Policy Client is responsible for downloading the WLAN Group Policy object (GPO) settings from Active Directory and plumbing the settings to the ACM.
wlanhlp.dll – WLAN private API.
wlansec.dll – WLAN Security module manages communications with 802.1X Authentication Module and MFM. It is responsible for handling key exchanges, pre-authentication, and Pairwise Master Key caching.
onex.dll - 802.1X Authentication Module is responsible for managing the communication between the Security Module and the various EAP methods (native or other) through the EAPHost API.
wlanext.exe - IHV Security Manager interfaces to other IHV plug-ins for client connectivity and security settings. The application runs in its own separate process.
wlandlg.dll – Implements the interactive UI dialog boxes and notifications during the connection process, such as “Enter key here.”
Additional DLLs
The following DLLs are associated with the Windows Vista supplicant, but are outside the scope of this document.
wlanconn.dll
wlanhc.dll
wlaninst.dll
wlanmm.dll
wlanmmhc.dll
l2sechc.dll
Appendix C: Using netsh wlan to manage tracing
You can start tracing for Wireless LAN (Wireless AutoConfig and related components) by using Performance Monitor or the netsh wlan set tracing command. By default, wireless LAN tracing is enabled until it is manually stopped or the system is restarted. In some cases, you must enable tracing at startup so that you can troubleshoot and debug issues that might take place before the user logs on. In other words, traces are needed when the wireless service starts at boot time, before user logon, and tracing, when enabled, must persist after a system reboot.
When logging must resume when the computer is restarted, use the command-line interface to enable WLAN tracing at startup.
Using this command, WLAN tracing will start immediately and will continue even after the computer is restarted. When the system reboots, the tracing will start shortly after the WLAN AutoConfig service starts; any pre-existing wireless trace logs and files will be overwritten.
Wireless tracing detail
There are three subfolders in the wireless folder: Config, EventLog, and Traces.
In the wireless\config folder, there are three logs that contain information about the wireless environment:
Osinfo.txt – This log contains information about the operating system, such as SKU, whether the system is a single or multiprocessor computer, the versions of the wireless binaries, and whether the installation is a clean build or an upgrade.
Adapterinfo.txt – This log captures information about the network card driver, such as date, version, and provider. If multiple cards exist, the information will exist for all wireless interfaces.
Envinfo.txt – This is the most useful of the config logs. It contains all of the information about the wireless environment, including information about the type of driver (Native versus Fat), adapter capabilities, radio types supported, loaded profiles on the adapters, visible BSSIDs, and the computer certificate. Future versions will display the logged-on user’s certificate. All of the data in this log can be gathered individually by using the following show commands:
Show Drivers
Show Interfaces
Show settings
Show Filters
Show Profiles
Show networks
To set persistent WLAN tracing
Click Start, and in Start Search, type cmd.
In Programs, right-click the cmd icon and select Run as administrator to start command prompt with administrator credentials.
Note
To run the netsh wlan set tracing command, you must run cmd with elevated privileges.
At the command prompt, type netsh wlan set tra persistent, and then press ENTER.
After running the command you will receive a message similar to the following:
Persistent wireless tracing has been enabled.
Trace logs will be stored in C:\Windows\tracing\wireless
Note
Tracing for WLAN remains on until stopped with the netsh wlan set tra no command.
The following procedure shows the steps used to collect wireless trace sets.
To collect wireless related trace sets
Click Start, and in Start Search, type cmd.
In Programs, right-click the cmd icon, and select Run as administrator to start command prompt with administrator credentials.
At the command prompt, type netsh wlan set tra yes, and then press ENTER.
Reproduce your WLAN problem or errant condition.
In the command prompt, type netsh wlan set tra no, and then press ENTER to stop wireless tracing and create the tracing logs.
Appendix D: Trace File examples
The trace files that are generated by wireless diagnostics capture detailed information about connection processes. Because the connection process for 802.1X authenticated wireless access is complicated, the resulting logs can be quite lengthy. Accordingly, the example trace files in this appendix have had sections of text removed to limit the length of each example to about two pages. The string "+++++++Text Removed+++++++" is used to indicate locations where text was removed from the original trace file.
OneX Trace file
Wlan Trace file
Msmsec Trace file
OneX Trace file
[1176] 10:50:39.034 OneXCreateSupplicantPort
[1176] 10:50:39.037 Port(9): Setting the quarantine state to 0
[1176] 10:50:39.037 Port(9): Setting the Eap method backend support to BackendSupportUnknown
[1176] 10:50:39.037 Port(9): EapEndSession called for eap type 0
[1176] 10:50:39.037 Port(9): Setting a 1x profile of size 206
[1176] 10:50:39.037 Port(9): Resetting the fProfileChanged flag
[1176] 10:50:39.037 Port(9): Resetting the fDiscoveryLocalUser flag
[1176] 10:50:39.037 Finished initializing a new port with id = 9 and friendly name = Broadcom 802.11g Network Adapter
[3784] 10:50:39.037 OneXUpdatePortProfile
[3784] 10:50:39.040 Port(9): Update port profile called with profile of size 206
[3784] 10:50:39.040 OneXSetRuntimeState
[3784] 10:50:39.040 OneXStartAuthentication
[1388] 10:50:39.041 Port(9): ProcessOneXEvent: Event [ConfigChanged]
[1388] 10:50:39.041 Port(9): Start processing local event: (PAEConfigChanged)
[1388] 10:50:39.041 Port(9): Processing local event complete: (PAEConfigChanged)
[1388] 10:50:39.041 Port(9): Draining the event queue (SupplicantQueue)
[1388] 10:50:39.041 Port(9): Processing global event complete: (ConfigChanged)
[1388] 10:50:39.041 Port(9): ProcessOneXEvent: Event [SetRuntimeState]
[1388] 10:50:39.041 Port(9): Start processing local event: (PAESetRuntimeState)
[1388] 10:50:39.041 Port(9): Set runtime state containing a user token
[1388] 10:50:39.041 Port(9): Processing local event complete: (PAESetRuntimeState)
[1388] 10:50:39.041 Port(9): Draining the event queue (SupplicantQueue)
[1388] 10:50:39.041 Port(9): Processing global event complete: (SetRuntimeState)
[1388] 10:50:39.041 Port(9): ProcessOneXEvent: Event [StartAuth]
[1388] 10:50:39.041 Port(9): Start processing local event: (PAEStartAuth)
[1388] 10:50:39.041 Port(9): Starting a new 802.1X authentication (MSM initiated)
[1388] 10:50:39.041 Port(9): StateSpaeAuthNotStarted ----> StateSpaeStartAuth
[1388] 10:50:39.041 Port(9): Sending notification = (ResultUpdate) to MSM
[1388] 10:50:39.041 Port(9): Updating MSM with OneX Result
[1388] 10:50:39.041 Port(9): Processing local event complete: (PAEStartAuth)
[1388] 10:50:39.041 Port(9): Start processing local event:
(BackendStartBackend)
[1388] 10:50:39.041 Port(9): StateSBackendNotStarted ---->
StateSBackendDeactivated
[1388] 10:50:39.041 Port(9): Processing local event complete:
(BackendStartBackend)
[1388] 10:50:39.041 Port(9): Start processing local event: (PAEUCT)
[1388] 10:50:39.041 Port(9): A user token has been specified to be
used. Proposing user auth
[1388] 10:50:39.041 Port(9): Identified OneX credentials. Using User
Auth
[4092] 10:50:39.041 OneXIndicatePacket
[1388] 10:50:39.042 Port(9): User name = GPAdmin, domain name = EXAMPLE
[1388] 10:50:39.042 Port(9): 802.1X user identified. auth identity =
User Auth, sessionId = 1, username=GPAdmin, domain=EXAMPLE
[1388] 10:50:39.042 Port(9): StateSpaeStartAuth ---->
StateSpaeInitialize
+++++++Text Removed+++++++
[1388] 10:50:54.057 Port(9): Sending notification = (AuthRestarted) to
MSM
[1388] 10:50:54.057 Port(9): Sending OneX packet of size 5 to MSM
[1388] 10:50:54.057 Port(9): Sent an Eapol start packet
+++++++Text Removed+++++++
[3712] 10:50:59.997 Port(10): Eap error info contains
winError=0x40420110, reasonCode=0x40420110, EapMethod(Type=0), rootCauseString=The authentication failed because there is a problem
with the user account
+++++++Text Removed+++++++
Wlan Trace file
[400] 10:50:34.229 Could not find the interface using the given GUID,
error 87.
[400] 10:50:34.418 Could not find the interface using the given GUID,
error 87.
[2276] 10:50:35.916 Could not find the interface using the given GUID,
error 87.
[400] 10:50:35.933 ACM: bypass access validation, because radio state
is accessed from console session 1.
[400] 10:50:35.934 Refresh Scan Results
[400] 10:50:35.934 Number of Unique Networks: 5
[400] 10:50:35.934 ACM: network is not permitted.
[400] 10:50:35.934 Network WSUA-EAP (1) is not permitted by the network
filters.
[400] 10:50:35.934 ============================= Diag Event
=============================
[400] 10:50:35.934 --> Fn
[400] 10:50:35.935 ***** Event[004D7DB8:00000000]: [ACM: Scan RESULT
(MSM) = 7] --> <0> pIntf=<004D6898> *****
[400] 10:50:35.935 --> Fn
[400] 10:50:35.935 WDiagProcessAcmScanResult[MSM]: <5> MSM
ScannedSsids
[400] 10:50:35.935 [1] 3*<WIR_TST_Lab>, Status=<1:0>, BSS=<1>,
Phy=<6>, Priv:Auth:Ciph:Cap=<1:6:4:12582912>
[400] 10:50:35.935 [2] 2*<linksys>, Status=<1:0>, BSS=<1>,
Phy=<6>, Priv:Auth:Ciph:Cap=<0:1:0:0>
[400] 10:50:35.935 [3] 24*<TSTWLAN>, Status=<1:0>, BSS=<1>,
Phy=<6>, Priv:Auth:Ciph:Cap=<1:1:257:0>
[400] 10:50:35.935 [4] 26*<TSTGUEST>, Status=<1:0>, BSS=<1>,
Phy=<6>, Priv:Auth:Ciph:Cap=<0:1:0:0>
[400] 10:50:35.935 [5] 3*<WSUA-EAP>, Status=<0:163843>, BSS=<1>,
Phy=<6>, Priv:Auth:Ciph:Cap=<1:1:257:0>
[400] 10:50:35.935 --> Fn
+++++++Text Removed+++++++
[2276] 10:50:38.330 INFO: Is Network Compatible = 0x00000001(true),
Security Incompatible reason=0
[2276] 10:50:38.331 INFO: Profile is Compatible: 0x00000001(true) with
Reason: 0
[2276] 10:50:38.341 ACM: clean runtime info. Flags = 4294967295,
conervatively unblock = 0
[2276] 10:50:38.341 ACM: Profile PEAP is unfailed.
[2276] 10:50:38.341 ACM: All SSIDs in the profile.
[2276] 10:50:38.341 ACM: Profile PEAP is unblocked.
[2276] 10:50:38.341 ACM: All SSIDs in the profile.
[2276] 10:50:38.341 ACM: got connection request, mode = 0, flags = 0,
profile name = PEAP, session = 1.
[1388] 10:50:38.341 ST: current state = Failed, trigger = Manually
connect (Command), next state = Manual connect (Manual Connect).
[1388] 10:50:38.341 ============================= Diag Event
=============================
+++++++Text Removed+++++++
[1388] 10:50:38.344 [0000000C --> 36] ==> Connecting to <PEAP->WIR_TST_Lab>, bIsDisc:dwDiscIndex=<0:0>
+++++++Text Removed+++++++
[4092] 10:50:39.047 INFO: Received 802.11 PACKET
[4092] 10:50:39.051 ============================= Diag Event
=============================
+++++++Text Removed+++++++
[1388] 10:50:58.070 Post Connect Security has FAILED with reason code:
327686
[1388] 10:50:58.070 INFO: FSM Current state Authenticating[4], event
Post_Security_Failure[16]
+++++++Text Removed+++++++
[1388] 10:50:58.070 Found PortSessionId 10, security session 00010001
[3896] 10:50:58.586 WDiagConnectCompletion: Result=<50006>, ReasonCode=<50006>, Dot11Status=<0>, Sec Packets Rx : Tx = <2 : 4>
[3896] 10:50:58.586 *** Authentication FAILed <50006>,
+++++++Text Removed+++++++
[3896] 10:51:00.003 [Strings] RC=<1:The authentication failed
because there is a problem with the user account
>, Rep=<1:Contact your network administrator for further assistance
>
+++++++Text Removed+++++++
Msmsec Trace file
[1388] 10:50:38.345 Received StopSecurity on Adapter 004E67A8
00:14:BF:74:6D:C3
[1388] 10:50:38.345 Invalid state 1 for action 3
[1388] 10:50:38.345 SecMgrStopSecurity failed, Error 5023
[3784] 10:50:38.346 Adapter<1> MSM Connect notification, Network
"WIR_TST_Lab", hMSMSec 004E67A8, Completion context 0000000C
[3784] 10:50:38.346 Adapter<1> Received PreAssociateSecurity on Adapter
004E67A8 00:14:BF:74:6D:C3
[3784] 10:50:38.346 Infrastructure Auth WPA2-Enterprise (6), Cipher AES
(4), OneX Enabled
[3784] 10:50:38.346 EAP Type 25, Vendor ID 0, Vendor Type 0, Author ID
0
[3784] 10:50:38.346 Creating connect profile
[3784] 10:50:38.346 PMK Cache <<ENABLED>>
[3784] 10:50:38.346 PreAuth not enabled in profile
[3784] 10:50:38.346 PreAuth: Not enabled.
[3784] 10:50:38.346 MSM Connect Completion context: Old 00000000, New
0000000C
[3784] 10:50:38.346 Adapter<1> Set notification session to 0000000C,
old 00000000
[3784] 10:50:38.346 Adapter<1> 00:14:BF:74:6D:C3 Transition INITIALIZED
(1) --> PROCESSING_PREASSOCIATE (2)
[3784] 10:50:38.346 Performing Action PreAssociate Completion (2) on
Adapter 004E67A8 00:14:BF:74:6D:C3
[3784] 10:50:38.346 Adapter<1> PreAssociate completion on Adapter
004E67A8 00:14:BF:74:6D:C3
[3784] 10:50:38.346 Setting Auth Algo WPA2-Enterprise (6)
[3784] 10:50:38.346 Setting Ucast Cipher Algo AES (4)
[3784] 10:50:38.346 Set privacy 1
[3784] 10:50:38.346 Set exclude unencrypted 1
[3784] 10:50:38.346 Profile does not require static keys
[3784] 10:50:38.346 Exempt ethertype 8e88
[3784] 10:50:38.346 Register ethertype 8e88
[3784] 10:50:38.346 Ethertype exemption/registration completed
[3784] 10:50:38.346 Adapter<1> 00:14:BF:74:6D:C3 Transition
PROCESSING_PREASSOCIATE (2) --> PREASSOCIATE_DONE (3)
[3784] 10:50:38.346 Sending notification (SRC Security 0x2 : Code
0x10001) to MSM for session 0000000C, Data size 32
[3784] 10:50:38.346 Adapter<1> Connect Completion, Status Success (0,
0), MSM Handle 004D7DB8, Context 0000000C
[1176] 10:50:39.037 Adapter<1> MSM Port up notification, hMSMSec
004E67A8, MSM context 00010001
[1176] 10:50:39.037 Adapter<1> Port up for peer 00:18:39:5A:5F:01
+++++++Text Removed+++++++
[3784] 10:50:39.041 Port<10> 02F74528 Start Processing Event
<MSMSEC_PORT_PRIVATE_EVENT_SEC_ACTIVATE>
[3784] 10:50:39.041 RSN IE transmitted, but no PMKIDs, checking for
Fast roam anyway
[3784] 10:50:39.041 Can't do fast roaming when PMK Cache is not valid
[3784] 10:50:39.041 PMKID didn't match or no auth params/PMK available
[3784] 10:50:39.041 FAST ROAMING is Disabled
+++++++Text Removed+++++++
[3784] 10:50:39.041 Port<10> Peer 00:18:39:5A:5F:01 SecMgr Transition
ACTIVE (2) --> START AUTH (3)
[3784] 10:50:39.041 Port<10> 02F74528 Complete Processing Event
<MSMSEC_PORT_PRIVATE_EVENT_SEC_PMK_NOT_SENT>
[3784] 10:50:39.041 Port<10> 02F74528 Start Processing Event
<MSMSEC_PORT_PRIVATE_EVENT_AUTH_ACTIVATE_UNAUTHENTICATED>
[1176] 10:50:39.041 Sending notification (SRC Security 0x2 : Code
0x10002) to MSM for session 0000000C, Data size 368
[3784] 10:50:39.044 Port<10> Queued Event (MSMSEC_PORT_PRIVATE_EVENT_AUTH_UCT) in port (0x02F74528) queue (Port
Private Queue)
[3784] 10:50:39.044 Port <10> Peer 00:18:39:5A:5F:01 AuthMgr Transition
ENABLED (3) --> START AUTH (6)
[3784] 10:50:39.044 Port<10> 02F74528 Complete Processing Event
<MSMSEC_PORT_PRIVATE_EVENT_AUTH_ACTIVATE_UNAUTHENTICATED>
[1176] 10:50:39.044 Adapter<1> Receive packet, hMSMSec 004E67A8
[3784] 10:50:39.044 Port<10> 02F74528 Start Processing Event
<MSMSEC_PORT_PRIVATE_EVENT_SEC_UCT>
[1176] 10:50:39.044 Adapter<1> Rx from 00:18:39:5A:5F:01, Ethertype
0X8E88, size 9
[3784] 10:50:39.044 Port<10> Peer 00:18:39:5A:5F:01 SecMgr Transition
START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+++++++Text Removed+++++++
[1388] 10:50:58.070 Port<10> 1x Update result callback
[1388] 10:50:58.070 Port<10> Explicit failure from 802.1X, (Reason
50006, Error 0)
[1388] 10:50:58.070 Port<10> Queued Event (MSMSEC_PORT_PUBLIC_EVENT_AUTH_ONEX_FAILURE) in port (0x02F74528) queue
(Port Public Queue)
+++++++Text Removed+++++++
[3712] 10:51:00.522 Adapter<1> Reset notification session
[3712] 10:51:00.522 Adapter<1> 00:14:BF:74:6D:C3 Transition
STOPPING_SECURITY (4) --> INITIALIZED (1)
[3712] 10:51:00.522 Adapter<1> MSM Disconnect notification, hMSMSec
004E67A8
[3712] 10:51:00.522 Invalidating cache when cache is not valid!
[3712] 10:51:00.522 PMK Cache <<INVALID>>
Appendix E: Mapping of reason codes to event messages
0
131073 - 131074
151553 - 151566
163841 - 163854
196609 - 196613
217088 - 217105
229377 - 229394
262145 - 262178
282624 - 282645
327681 - 327696
524289 - 524309
65537
0
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
0 | WLAN_REASON_CODE_SUCCESS | The operation succeeds. |
131073 - 131074
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
131073 | WLAN_REASON_CODE_NETWORK_NOT_COMPATIBLE | The wireless network is not compatible. |
131074 | WLAN_REASON_CODE_PROFILE_NOT_COMPATIBLE | The profile for the wireless network is not compatible. |
151553 - 151566
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
151553 | WLAN_REASON_CODE_NO_AUTO_CONNECTION | The profile specifies no auto connection. |
151554 | WLAN_REASON_CODE_NOT_VISIBLE | The wireless network is not visible. |
151555 | WLAN_REASON_CODE_GP_DENIED | The wireless network is blocked by group policy. |
151556 | WLAN_REASON_CODE_USER_DENIED | The wireless network is blocked by the user. |
151557 | WLAN_REASON_CODE_BSS_TYPE_NOT_ALLOWED | The basic service set (BSS) type is not allowed on this wireless adapter. |
151558 | WLAN_REASON_CODE_IN_FAILED_LIST | The wireless network is in the failed list. |
151559 | WLAN_REASON_CODE_IN_BLOCKED_LIST | The wireless network is in the blocked list. |
151560 | WLAN_REASON_CODE_SSID_LIST_TOO_LONG | The size of the service set identifiers (SSID) list exceeds the maximum size supported by the adapter. |
151561 | WLAN_REASON_CODE_CONNECT_CALL_FAIL | The Media Specific Module (MSM) connect call fails. |
151562 | WLAN_REASON_CODE_SCAN_CALL_FAIL | The MSM scan call fails. |
151563 | WLAN_REASON_CODE_NETWORK_NOT_AVAILABLE | The specified network is not available. |
151564 | WLAN_REASON_CODE_PROFILE_CHANGED_OR_DELETED | The profile was changed or deleted before the connection was established. |
151565 | WLAN_REASON_CODE_KEY_MISMATCH | The profile key does not match the network key. |
151566 | WLAN_REASON_CODE_USER_NOT_RESPOND | The user is not responding. |
163841 - 163854
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
163841 | WLAN_REASON_CODE_NO_AUTO_CONNECTION | The profile specifies no auto connection. |
163842 | WLAN_REASON_CODE_NOT_VISIBLE | The wireless network is not visible. |
163843 | WLAN_REASON_CODE_GP_DENIED | The wireless network is blocked by the group policy. |
163844 | WLAN_REASON_CODE_USER_DENIED | The wireless network is blocked by the user. |
163845 | WLAN_REASON_CODE_BSS_TYPE_NOT_ALLOWED | The BSS type is not allowed on this wireless adapter. |
163846 | WLAN_REASON_CODE_IN_FAILED_LIST | The wireless network is in the failed list. |
163847 | WLAN_REASON_CODE_IN_BLOCKED_LIST | The wireless network is in the blocked list. |
163848 | WLAN_REASON_CODE_SSID_LIST_TOO_LONG | The size of the SSID list exceeds the maximum size supported by the adapter. |
163849 | WLAN_REASON_CODE_CONNECT_CALL_FAIL | The MSM connect call failed. |
163850 | WLAN_REASON_CODE_SCAN_CALL_FAIL | The MSM scan call failed. |
163851 | WLAN_REASON_CODE_NETWORK_NOT_AVAILABLE | The specific network is not available. |
163852 | WLAN_REASON_CODE_PROFILE_CHANGED_OR_DELETED | The profile used for the connection is changed or deleted. |
163853 | WLAN_REASON_CODE_KEY_MISMATCH | The password is probably not correct for the network. |
163854 | WLAN_REASON_CODE_USER_NOT_RESPOND | User did not provide information needed for the connection. |
196609 - 196613
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
196609 | WLAN_REASON_CODE_UNSUPPORTED_SECURITY_SET_BY_OS | The security settings are not supported by the operating system. |
196610 | WLAN_REASON_CODE_UNSUPPORTED_SECURITY_SET | The security settings are not supported. |
196611 | WLAN_REASON_CODE_BSS_TYPE_UNMATCH | The BSS type does not match. |
196612 | WLAN_REASON_CODE_PHY_TYPE_UNMATCH | The PHY type does not match. |
196613 | WLAN_REASON_CODE_DATARATE_UNMATCH | The data rate does not match. |
217088 - 217105
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
217088 | WLAN_REASON_CODE_USER_CANCELLED | User has cancelled the operation. |
217089 | WLAN_REASON_CODE_ASSOCIATION_FAILURE | Driver disconnected while associating. |
217090 | WLAN_REASON_CODE_ASSOCIATION_TIMEOUT | Association timed out. |
217091 | WLAN_REASON_CODE_PRE_SECURITY_FAILURE | Pre-association security failure. |
217092 | WLAN_REASON_CODE_START_SECURITY_FAILURE | Failed to start security after association. |
217093 | WLAN_REASON_CODE_SECURITY_FAILURE | Security ends up with failure. |
217094 | WLAN_REASON_CODE_SECURITY_TIMEOUT | Security operation times out. |
217095 | WLAN_REASON_CODE_ROAMING_FAILURE | Driver disconnected while roaming. |
217096 | WLAN_REASON_CODE_ROAMING_SECURITY_FAILURE | Failed to start security for roaming. |
217097 | WLAN_REASON_CODE_ADHOC_SECURITY_FAILURE | Failed to start security for ad hoc peer. |
217098 | WLAN_REASON_CODE_DRIVER_DISCONNECTED | Driver disconnected. |
217099 | WLAN_REASON_CODE_DRIVER_OPERATION_FAILURE | Driver failed to perform some operations. |
217100 | WLAN_REASON_CODE_IHV_NOT_AVAILABLE | The IHV service is not available. |
217101 | WLAN_REASON_CODE_IHV_NOT_RESPONDING | The response from the IHV service timed out. |
217102 | WLAN_REASON_CODE_DISCONNECT_TIMEOUT | Timed out waiting for the driver to disconnect. |
217103 | WLAN_REASON_CODE_INTERNAL_FAILURE | An internal error prevented the operation from being completed. |
217104 | WLAN_REASON_CODE_UI_REQUEST_TIMEOUT | A user interface request timed out. |
217105 | WLAN_REASON_CODE_TOO_MANY_SECURITY_ATTEMPTS | Roaming too often. Post security was not completed after 5 attempts. |
229377 - 229394
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
229377 | WLAN_REASON_CODE_USER_CANCELLED | User has cancelled the operation. |
229378 | WLAN_REASON_CODE_ASSOCIATION_FAILURE | Driver disconnected while associating. |
229379 | WLAN_REASON_CODE_ASSOCIATION_TIMEOUT | Association times out. |
229380 | WLAN_REASON_CODE_PRE_SECURITY_FAILURE | Pre-association security failed. |
229381 | WLAN_REASON_CODE_START_SECURITY_FAILURE | Failed to start security after association. |
229382 | WLAN_REASON_CODE_SECURITY_FAILURE | Security ends up with failure. |
229383 | WLAN_REASON_CODE_SECURITY_TIMEOUT | Security operation times out. |
229384 | WLAN_REASON_CODE_ROAMING_FAILURE | Driver disconnected while roaming. |
229385 | WLAN_REASON_CODE_ROAMING_SECURITY_FAILURE | Failed to start security for roaming. |
229386 | WLAN_REASON_CODE_ADHOC_SECURITY_FAILURE | Failed to start security for Adhoc peer. |
229387 | WLAN_REASON_CODE_DRIVER_DISCONNECTED | Driver disconnected. |
229388 | WLAN_REASON_CODE_DRIVER_OPERATION_FAILURE | Driver failed to perform some operations. |
229389 | WLAN_REASON_CODE_IHV_NOT_AVAILABLE | The IHV service is not available. |
229390 | WLAN_REASON_CODE_IHV_NOT_RESPONDING | IHV service timed out. |
229391 | WLAN_REASON_CODE_DISCONNECT_TIMEOUT | Driver disconnect timed out. |
229392 | WLAN_REASON_CODE_INTERNAL_FAILURE | Internal failure prevented the operation from completing. |
229393 | WLAN_REASON_CODE_UI_REQUEST_TIMEOUT | UI request timed out. |
229394 | WLAN_REASON_CODE_TOO_MANY_SECURITY_ATTEMPTS | Roaming too often, security is not completed after several attempts. |
262145 - 262178
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
262145 | WLAN_REASON_CODE_MSMSEC_PROFILE_INVALID_KEY_INDEX | Key index specified is not valid. |
262146 | WLAN_REASON_CODE_MSMSEC_PROFILE_PSK_PRESENT | Key required, PSK present. |
262147 | WLAN_REASON_CODE_MSMSEC_PROFILE_KEY_LENGTH | Invalid key length. |
262148 | WLAN_REASON_CODE_MSMSEC_PROFILE_PSK_LENGTH | Invalid PSK length. |
262149 | WLAN_REASON_CODE_MSMSEC_PROFILE_NO_AUTH_CIPHER_SPECIFIED | No auth/cipher pairs specified. |
262150 | WLAN_REASON_CODE_MSMSEC_PROFILE_TOO_MANY_AUTH_CIPHER_SPECIFIED | Too many auth/cipher pairs specified. |
262151 | WLAN_REASON_CODE_MSMSEC_PROFILE_DUPLICATE_AUTH_CIPHER | Profile contains duplicate auth/cipher pair. |
262152 | WLAN_REASON_CODE_MSMSEC_PROFILE_RAWDATA_INVALID | Profile raw data is invalid. |
262153 | WLAN_REASON_CODE_MSMSEC_PROFILE_INVALID_AUTH_CIPHER | Invalid auth/cipher combination. |
262154 | WLAN_REASON_CODE_MSMSEC_PROFILE_ONEX_DISABLED | 802.1X disabled when it is required to be enabled. |
262155 | WLAN_REASON_CODE_MSMSEC_PROFILE_ONEX_ENABLED | 802.1X enabled when it is required to be disabled. |
262156 | WLAN_REASON_CODE_MSMSEC_PROFILE_INVALID_PMKCACHE_MODE | Invalid PMK cache mode. |
262157 | WLAN_REASON_CODE_MSMSEC_PROFILE_INVALID_PMKCACHE_SIZE | Invalid PMK cache size. |
262158 | WLAN_REASON_CODE_MSMSEC_PROFILE_INVALID_PMKCACHE_TTL | Invalid PMK cache TTL. |
262159 | WLAN_REASON_CODE_MSMSEC_PROFILE_INVALID_PREAUTH_MODE | Invalid preauth mode. |
262160 | WLAN_REASON_CODE_MSMSEC_PROFILE_INVALID_PREAUTH_THROTTLE | Invalid preauth throttle. |
262161 | WLAN_REASON_CODE_MSMSEC_PROFILE_PREAUTH_ONLY_ENABLED | Preauth enabled when PMK cache is disabled. |
262162 | WLAN_REASON_CODE_MSMSEC_CAPABILITY_NETWORK | Capability matching failed at network. |
262163 | WLAN_REASON_CODE_MSMSEC_CAPABILITY_NIC | Capability matching failed at NIC. |
262164 | WLAN_REASON_CODE_MSMSEC_CAPABILITY_PROFILE | Capability matching failed at profile. |
262165 | WLAN_REASON_CODE_MSMSEC_CAPABILITY_DISCOVERY | Network does not support specified capability type. |
262166 | WLAN_REASON_CODE_MSMSEC_PROFILE_PASSPHRASE_CHAR | Passphrase contains invalid character. |
262167 | WLAN_REASON_CODE_MSMSEC_PROFILE_KEYMATERIAL_CHAR | Key material contains invalid character. |
262168 | WLAN_REASON_CODE_MSMSEC_PROFILE_WRONG_KEYTYPE | The key type specified does not match the key material. |
262169 | WLAN_REASON_CODE_MSMSEC_MIXED_CELL | A mixed cell is suspected. The AP is not signalling that it is compatible with a privacy-enabled profile. |
262170 | WLAN_REASON_CODE_MSMSEC_PROFILE_AUTH_TIMERS_INVALID | The number of authentication timers or the number of timeouts specified in the profile is invalid. |
262171 | WLAN_REASON_CODE_MSMSEC_PROFILE_INVALID_GKEY_INTV | The group key update interval specified in the profile is invalid. |
262172 | WLAN_REASON_CODE_MSMSEC_TRANSITION_NETWORK | A "transition network" is suspected. Legacy 802.11 security is used for the next authentication attempt. |
262173 | WLAN_REASON_CODE_MSMSEC_PROFILE_KEY_UNMAPPED_CHAR | The key contains characters that are not in the ASCII character set. |
262174 | WLAN_REASON_CODE_MSMSEC_CAPABILITY_PROFILE_AUTH | Capability matching failed because the profile does not contain an authentication method. |
262175 | WLAN_REASON_CODE_MSMSEC_CAPABILITY_PROFILE_CIPHER | Capability matching failed because the profile does not contain a cipher algorithm. |
262176 | WLAN_REASON_CODE_MSMSEC_PROFILE_SAFE_MODE | FIPS 140-2 mode value is invalid |
262177 | WLAN_REASON_CODE_MSMSEC_CAPABILITY_PROFILE_SAFE_MODE_NIC | Profile requires FIPS 140-2 mode, not supported by NIC |
262178 | WLAN_REASON_CODE_MSMSEC_CAPABILITY_PROFILE_SAFE_MODE_NW | Profile requires FIPS 140-2 mode, not supported by network |
282624 - 282645
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
282624 | WLAN_REASON_CODE_MSMSEC_UI_REQUEST_FAILURE | Failed to queue the UI request. |
282625 | WLAN_REASON_CODE_MSMSEC_AUTH_START_TIMEOUT | 802.1X authentication did not start within configured time. |
282626 | WLAN_REASON_CODE_MSMSEC_AUTH_SUCCESS_TIMEOUT | 802.1X authentication did not complete within configured time. |
282627 | WLAN_REASON_CODE_MSMSEC_KEY_START_TIMEOUT | Dynamic key exchange did not start within configured time. |
282628 | WLAN_REASON_CODE_MSMSEC_KEY_SUCCESS_TIMEOUT | Dynamic key exchange did not complete within configured time. |
282629 | WLAN_REASON_CODE_MSMSEC_M3_MISSING_KEY_DATA | Message 3 of 4-way handshake has no key data. |
282630 | WLAN_REASON_CODE_MSMSEC_M3_MISSING_IE | Message 3 of 4-way handshake has no IE. |
282631 | WLAN_REASON_CODE_MSMSEC_M3_MISSING_GRP_KEY | Message 3 of 4-way handshake has no GRP key. |
282632 | WLAN_REASON_CODE_MSMSEC_PR_IE_MATCHING | Matching security capabilities of IE in M3 failed. |
282633 | WLAN_REASON_CODE_MSMSEC_SEC_IE_MATCHING | Matching security capabilities of secondary IE in M3 failed. |
282634 | WLAN_REASON_CODE_MSMSEC_NO_PAIRWISE_KEY | Required a pairwise key but access point (AP) configured only group keys. |
282635 | WLAN_REASON_CODE_MSMSEC_G1_MISSING_KEY_DATA | Message 1 of group key handshake has no key data. |
282636 | WLAN_REASON_CODE_MSMSEC_G1_MISSING_GRP_KEY | Message 1 of group key handshake has no group key. |
282637 | WLAN_REASON_CODE_MSMSEC_PEER_INDICATED_INSECURE | AP reset secure bit after connection was secured. |
282638 | WLAN_REASON_CODE_MSMSEC_NO_AUTHENTICATOR | 802.1X indicated that there is no authenticator, but the profile requires one. |
282639 | WLAN_REASON_CODE_MSMSEC_NIC_FAILURE | Plumbing settings to NIC failed. |
282640 | WLAN_REASON_CODE_MSMSEC_CANCELLED | Operation was cancelled by a caller. |
282641 | WLAN_REASON_CODE_MSMSEC_KEY_FORMAT | Entered key format is not in a valid format. |
282642 | WLAN_REASON_CODE_MSMSEC_DOWNGRADE_DETECTED | A security downgrade was detected. |
282643 | WLAN_REASON_CODE_MSMSEC_PSK_MISMATCH_SUSPECTED | A PSK mismatch is suspected. |
282644 | WLAN_REASON_CODE_MSMSEC_FORCED_FAILURE | There was a forced failure because the connection method was not secure. |
282645 | WLAN_REASON_CODE_MSMSEC_SECURITY_UI_FAILURE | The security UI request failed because the request could not be queued or because the user cancelled the request. |
327681 - 327696
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
327681 | ONEX_UNABLE_TO_IDENTIFY_USER | Unable to identify a user for 802.1X authentication |
327682 | ONEX_IDENTITY_NOT_FOUND | Unable to get the identity information for 802.1X authentication |
327683 | ONEX_UI_DISABLED | UI is required for the authentication but UI has been disabled for this 1X port |
327684 | ONEX_UI_FAILURE | UI is required for the authentication but the UI operation failed |
327685 | ONEX_EAP_FAILURE_RECEIVED | Explicit Eap failure received |
327686 | ONEX_AUTHENTICATOR_NO_LONGER_PRESENT | The authenticator is no longer present |
327687 | ONEX_NO_RESPONSE_TO_IDENTITY | There was no response to the EAP Response Identity packet |
327688 | ONEX_PROFILE_VERSION_NOT_SUPPORTED | The version of the profile is not supported |
327689 | ONEX_PROFILE_INVALID_LENGTH | The profile has an invalid length field |
327690 | ONEX_PROFILE_DISALLOWED_EAP_TYPE | The Eap type in the profile is not allowed for the media |
327691 | ONEX_PROFILE_INVALID_EAP_TYPE_OR_FLAG | The Eap type in the profile is not valid |
327692 | ONEX_PROFILE_INVALID_ONEX_FLAGS | The onex flags in the profile are invalid |
327693 | ONEX_PROFILE_INVALID_TIMER_VALUE | The profile has an invalid timer value |
327694 | ONEX_PROFILE_INVALID_SUPPLICANT_MODE | The supplicant mode specified in the profile is invalid |
327695 | ONEX_PROFILE_INVALID_AUTH_MODE | The auth mode specified in the profile is invalid |
327696 | ONEX_PROFILE_INVALID_EAP_CONNECTION_PROPERTIES | The eap connection properties specified in the profile are invalid |
524289 - 524309
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
524289 | WLAN_REASON_CODE_INVALID_PROFILE_SCHEMA | The profile is invalid according to the schema. |
524290 | WLAN_REASON_CODE_PROFILE_MISSING | The WLAN profile element is missing. |
524291 | WLAN_REASON_CODE_INVALID_PROFILE_NAME | The name of the profile is invalid. |
524292 | WLAN_REASON_CODE_INVALID_PROFILE_TYPE | The type of the profile is invalid. |
524293 | WLAN_REASON_CODE_INVALID_PHY_TYPE | The PHY type is invalid. |
524294 | WLAN_REASON_CODE_MSM_SECURITY_MISSING | The MSM security settings are missing. |
524295 | WLAN_REASON_CODE_IHV_SECURITY_NOT_SUPPORTED | The IHV security settings are not supported. |
524296 | WLAN_REASON_CODE_IHV_OUI_MISMATCH | The IHV profile OUI did not match with the adapter OUI. |
524297 | WLAN_REASON_CODE_IHV_OUI_MISSING | The IHV OUI settings are missing. |
524298 | WLAN_REASON_CODE_IHV_SETTINGS_MISSING | The IHV security settings are missing. |
524299 | WLAN_REASON_CODE_CONFLICT_SECURITY | The security settings conflict. |
524300 | WLAN_REASON_CODE_SECURITY_MISSING | The security settings are missing. |
524301 | WLAN_REASON_CODE_INVALID_BSS_TYPE | BSS type is not valid. |
524302 | WLAN_REASON_CODE_INVALID_ADHOC_CONNECTION_MODE | Automatic connection cannot be set for an ad hoc network. |
524303 | WLAN_REASON_CODE_NON_BROADCAST_SET_FOR_ADHOC | Non-broadcast cannot be set for an ad hoc network. |
524304 | WLAN_REASON_CODE_AUTO_SWITCH_SET_FOR_ADHOC | Auto-switch cannot be set for an ad hoc network. |
524305 | WLAN_REASON_CODE_AUTO_SWITCH_SET_FOR_MANUAL_CONNECTION | Auto-switch cannot be set for a manual connection profile. |
524306 | WLAN_REASON_CODE_IHV_SECURITY_ONEX_MISSING | 1X setting is missing for IHV security. |
524307 | WLAN_REASON_CODE_PROFILE_SSID_INVALID | The SSID in the profile is invalid or missing. |
524308 | WLAN_REASON_CODE_TOO_MANY_SSID | Too many SSIDs specified in the profile. |
524309 | WLAN_REASON_CODE_IHV_CONNECTIVITY_NOT_SUPPORTED | |
65537
REASON_CODE Value | #def name | Event Message Friendly String |
---|---|---|
65537 | WLAN_REASON_CODE_UNKNOWN | The reason is unknown. |
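The Appendix D traces and the Appendix E table can be combined in a short triage script. The Python below is an added example, not part of the original document or of any Microsoft tool: it rejoins wrapped trace lines, extracts reason codes, and resolves them against a subset of the table above. Treating the Status=<n:code>, ReasonCode=<...> and (Reason ...) fields as reason codes, and reading the last two as hexadecimal (0x50006 equals 327686), are assumptions drawn from the sample values; all function names are illustrative.

```python
import re

# Subset of the Appendix E table (value -> #def name), copied from the page.
REASON_NAMES = {
    65537: "WLAN_REASON_CODE_UNKNOWN",
    163843: "WLAN_REASON_CODE_GP_DENIED",
    229382: "WLAN_REASON_CODE_SECURITY_FAILURE",
    327685: "ONEX_EAP_FAILURE_RECEIVED",
    327686: "ONEX_AUTHENTICATOR_NO_LONGER_PRESENT",
}

# A record starts with "[thread-id] hh:mm:ss.mmm "; any other line is either a
# wrapped continuation of the previous record or a "+++Text Removed+++" marker.
RECORD = re.compile(r"^\[(\d+)\]\s+(\d\d:\d\d:\d\d\.\d{3})\s+(.*)$")
MARKER = re.compile(r"^\+{3,}.*\+{3,}$")

# Assumption: these fields carry the reason code printed in decimal.
DECIMAL_FIELDS = [re.compile(r"reason code:\s*(\d+)", re.I),
                  re.compile(r"\bStatus=<\d+:(\d+)>")]
# Assumption: these fields print the same code in hexadecimal without a 0x
# prefix; 50006 only matches an Appendix E value when read as 0x50006.
HEX_FIELDS = [re.compile(r"ReasonCode=<([0-9A-Fa-f]+)>"),
              re.compile(r"\(Reason ([0-9A-Fa-f]+),")]

# Excerpts of the Wlan and Msmsec traces shown in Appendix D.
WLAN_SAMPLE = """
[400] 10:50:35.934 Network WSUA-EAP (1) is not permitted by the network
filters.
[400] 10:50:35.935 [5] 3*<WSUA-EAP>, Status=<0:163843>, BSS=<1>,
Phy=<6>, Priv:Auth:Ciph:Cap=<1:1:257:0>
+++++++Text Removed+++++++
[1388] 10:50:58.070 Post Connect Security has FAILED with reason code:
327686
[3896] 10:50:58.586 WDiagConnectCompletion: Result=<50006>, ReasonCode=<50006>, Dot11Status=<0>, Sec Packets Rx : Tx = <2 : 4>
"""
MSMSEC_SAMPLE = """
[1388] 10:50:58.070 Port<10> 1x Update result callback
[1388] 10:50:58.070 Port<10> Explicit failure from 802.1X, (Reason
50006, Error 0)
"""


def parse_trace(text, source):
    """Return one dict per trace record, with wrapped lines rejoined."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or MARKER.match(line):
            continue
        m = RECORD.match(line)
        if m:
            records.append({"source": source, "tid": int(m.group(1)),
                            "time": m.group(2), "msg": m.group(3)})
        elif records:
            # Continuation of a wrapped record: the code may be on this line.
            records[-1]["msg"] += " " + line
    return records


def reason_codes(msg):
    """Return the non-zero reason codes found in one record's message."""
    found = []
    for patterns, base in ((DECIMAL_FIELDS, 10), (HEX_FIELDS, 16)):
        for pattern in patterns:
            for value in pattern.findall(msg):
                code = int(value, base)
                if code:  # 0 is WLAN_REASON_CODE_SUCCESS, not a failure
                    found.append(code)
    return found


def failure_timeline(*traces):
    """Merge traces by timestamp and list (time, source, code, name)."""
    merged = sorted((r for t in traces for r in t), key=lambda r: r["time"])
    timeline = []
    for rec in merged:
        for code in reason_codes(rec["msg"]):
            name = REASON_NAMES.get(code, "not in embedded subset")
            timeline.append((rec["time"], rec["source"], code, name))
    return timeline


if __name__ == "__main__":
    wlan = parse_trace(WLAN_SAMPLE, "wlan")
    msmsec = parse_trace(MSMSEC_SAMPLE, "msmsec")
    for entry in failure_timeline(wlan, msmsec):
        print("%s %-6s %6d (0x%05X) %s" % (entry + (entry[3],))[:3]
              + (entry[2], entry[3]))
```

Timestamps in these traces carry no date, so the merge is only meaningful for trace files collected in the same tracing session.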
See Also
Other Resources
Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements
Windows Vista Wireless Networking Evaluation Guide
Network Diagnostics Technologies in Windows Vista
Microsoft TechNet Wireless Networking
Wi-Fi Protected Access 2 Data Encryption and Integrity: The Cable Guy, August 2005
Wi-Fi Protected Access 2 (WPA2) Overview: The Cable Guy, May 2005
Deployment of Secure 802.11 Networks Using Microsoft Windows
Windows Server 2003 Technical Reference
Online Windows Server 2003 Product Help