If you are in IT support you will know that one of the more common calls to the IT help desk is for help connecting to a wireless network. Loss of network connectivity can have a major impact on a user’s productivity and hence directly impact a company’s profitability.
Troubleshooting a connectivity problem could be as simple as the user forgetting to turn the radio, to more complex issues such as expired digital certificates and intermittent coverage. This article will step you through how to troubleshoot the most common causes and hopefully get your users connected quickly with minimum disruption.
Good troubleshooting always starts with defining the problem. In particular you should determine if just one user is having a problem connecting, or if every user is impacted. Also determine whether the user had previously connected and what might have changed since then.
It is common to record the time and date that the problem is reported, but you should also record the precise physical location of the user. In the event that the problem is caused by interference or coverage related issues, this may be particularly important for tracking down the interferers. A few years ago, I had some users report problems around noon. It turned out to be usage of nearby microwave ovens. By moving the Access Point to another frequency channel, the problem was effectively resolved.
All network troubleshooting should start with checking the physical connections. You need to check both ends of the wireless link, in other words both the user’s device and the Access Point.
The first thing to do is check the lights to make sure the equipment is actually on.
Your Access Point may have one or more status lights depending on the manufacturer and model. However, most Access Points have a power light which is solid green when powered on. If you are using Power over Ethernet (PoE) and the power light is not on or if the power light is on but the status light indicates that the device is not ready, you should visually inspect the network cable. Make sure that the network cable is securely inserted into the WAN port on the Access Point. You should also consider replacing it. Make sure you are using the right network cable. Some networks actually require a cross-over cable between the Access Point and the switch.
On the user device you need to make sure the radio is turned on. I am always surprised by how many users call the IT help desk with a connectivity problem just to find out that they accidentally turned off their radio. Most laptops have a light that indicates if the radio is turned on. On a Windows 7 device you can also check to see if the radio is on by looking at the network icon on the task bar, or by selecting the “control panel”, followed by the “network and sharing center” and then change the “adapter settings”. Figure 1 below shows that the WLAN that has been disabled. To turn on the radio you need to right click the “wireless network connection” and select “enable”.
Figure 1: Illustration showing that the WLAN is disabled
Keeping your wireless device drivers and other software up to date is an important but often overlooked aspect of managing the network. Updating the WLAN Access Point and client drivers may fix compatibility problems between the device and the network. It may also add new capabilities to your devices that are important for connectivity, such as authentication and encryption options.
Updates are specific to the manufacturer of your Access Points and your client WLAN adapters. To check the driver version on a Windows 7 client go back to the “change adapter settings”, right click the “wireless network connection” as you did earlier but this time select “properties”. Click the “configure” button and select the “driver” tab. Figure 1 shows a Windows 7 client with a driver version 220.127.116.11.
Figure 2: Checking the client version number
For Windows clients, most drivers can be automatically updated using the Microsoft Windows Update process. However, if you need to manually update the WLAN driver you should go to the manufacturer website to download the driver.
If the Access Point is not appearing in your wireless network connection list, then you need to check the WLAN settings. The first thing to check is whether the Access Point is broadcasting its network identity, which is called the Service Set Id (SSID). There is little security protection in not broadcasting the SSID and it makes it more difficult for users to find the Access Point and connect. Therefore most companies configure their Access Points to broadcast the SSID.
If you decide not to broadcast the SSID on your Access Points, you need to set-up a preferred connection profile on the clients that includes the SSID. A common problem is that the SSID has been typed incorrectly. Note that the SSID is case sensitive. On a Windows 7 client this is done in the network and sharing center, by selecting “manage wireless networks”, and then clicking the “add” button. This is illustrated in figure 3 below. Remember to check the “connect even if the network is not broadcasting” button.
Figure 3: Adding a wireless network profile
Next on the list of possible issues to check is the actual radio. You need to make sure that your Access Point supports the type of radio in the client device. For example if you have an 802.11n Access Point but you have configured it to support 802.11n clients only then an old 802.11b device or an 802.11b/g device would not be able to connect. If you are trying to connect 802.11b/g devices to an 802.11n Access Point you need to make sure that the Access Point is configured to operate in a mixed mode. See figure 4 below.
Figure 4: Access Point configuration
If you can see the Access Point and then it goes away, in other words sometimes you are connected and sometimes you are not, then this is probably a coverage or interference problem. To solve this problem you need to have a simple spectrum analyzer. This will enable you to see if there is other equipment operating in the same frequency band. If this is the problem you may need to move the Access Point to a different frequency channel.
Now we have verified that the physical connections are good and the drivers are all updated, it is time to investigate whether you have an IP addressing problem. First verify that the client is set up to obtain the IP address and DNS server address automatically. On a Windows 7 client go to the network and sharing center and select the change adapter settings. Right click the wireless network connection and select properties as before. Highlight Internet Protocol Version 4 and click properties. This displays you TCP/IP settings. See figure 3 below.
Figure 5: WLAN adapter settings
Now we know the client is set up correctly, you should look at the network management logs to see if the wireless client has been assigned an IP address. If an IP address has not been assigned there are two common issues with the DHCP server that you should check. First, check the DHCP server is assigning IP addresses in the same subnet as the LAN port address but not overlapping with any Access Point IP addresses. Second, check that the DHCP is not filtering the client’s MAC address. MAC address filtering is a security mechanism that many companies use to ensure only devices with a known MAC address can connect to the network. See figure 6 below.
Figure 6: Access Point MAC filtering
You can check if the Windows 7 client has an IP address by right click the “wireless network connection” and selecting “status”. This time click the “details” button. When you have confirmed that you have an IP address, you should verify that the client is connected to the network. You can verify connectivity using the ping command. You should both ping the Access Point from the client and then ping the client from another client. This is done in the command prompt as show in figure 7 below.
Figure 7: Verifying network connectivity
If the ping to the Access Point is successful but the ping to the client fails, then there may be a problem with the set-up of the firewall. In this situation you should disable the firewall and retry the ping. If the ping is now successful, you need to reconfigure the firewall to allow the desired Windows network protocols to communicate through the firewall, for example HTTPS. You can change the firewall settings on a Windows 7 client by selecting Windows firewall in the “control panel” and then selecting “allow a program or feature through Windows firewall”. See figure 8 below. After reconfiguring the firewall, remember to enable it.
Figure 8: Configuring the firewall
If you still are unable to connect, it is time to check the security settings.
Independent of the security options that you are supporting on the Access Point, the client security configuration must match these settings. If the client does not match these settings the client will be unable to connect. You can edit these setting by clicking on the “wireless network connection”, selecting the “wireless properties” and then clicking the “security” tab. See figure 7 below.
If you are using WPA2-Enterprise you also need to make sure that the authentication method required by your RADIUS server is supported by the client. Choices may include PEAP, EAP-TLS, EAP-TTLS, or EAP-MSCHAPS.
You can display the security settings on a Windows 7 client by again right clicking the wireless network connection and selecting status. However, this time you need to click the wireless properties button and select the security tab, as shown in figure 9 below.
Figure 9: Client WLAN security settings
If the problem still persists, and you have deployed WPA2-Enterprise, you have reached the moment when you need to look at your RADIUS server and 802.1X configuration. Deployment of RADIUS and 802.1X is quite complex. I recommend you start with the following:
Does the user exist in Active Directory?
Can you ping the RADIUS server from the client?
Are there warning messages on the RADIUS server?
If this did not help, it time to get the network analyzer out and start looking at the traffic between the client and the RADIUS server. In the summer of 2010 I arrived at this point after 3 days of troubleshooting possible causes. I had checked all the configuration options, updated all the drivers and software, compared working and no working configurations, all to no avail.
When I ran the traffic analyzer authentication traffic was arriving at the RADIUS server but the server was not seeing it. It turned out to be a TCP/IP address port conflict between the Windows RADIUS server and a network management tool that were both running on the same machine.
Solving user connectivity problems is a common work place task for IT professionals. Although this article used a Windows 7 client to illustrate how to troubleshoot Wi-Fi connectivity problems, this approach may be applied to other user devices, including smart phones and tablets.
As with any troubleshooting methodology, defining the problem and tracking changes is essential for ensuring that you reach a successful and repeatable solution.