I'm having trouble getting multiple devices to establish a WiFi connection when they use the same authentication details. Here's a bit about my wireless setup:

  • Single access point using WPA2 Enterprise (802.1X) -- Linksys WAP4400N (yep it's pretty old).
  • 802.1X authentication is PEAP, 2nd phase authentication is EAP-MSCHAPv2 or certificate.
  • RADIUS server is Network Policy Server from Windows Server 2008 R2.
  • Users authenticate against an Active Directory, anyone active in the Domain Users group is allowed in.
  • Wireless devices include Windows 7, two iPhones, and two Android tablets. Not all of these are mine.

The issue is that if the same user (because the device belongs to the same person) tries to authenticate on two devices at a time, only the first device that authenticated will get a working WiFi connection. Although the subsequent devices will claim that 802.1X authentication has been successful (as mirrored in the Windows security event log), they will always fail to retrieve an IP address from DHCP.

None of the devices claim that 802.1X authentication has failed either; they just stick on "obtaining IP address" for a while, then fail, blaming poor connectivity. The Windows security event log doesn't show any authentication failures. Setting a static IP address doesn't resolve this; a WiFi connection will claim to be established, but no data will flow.

I'm wondering if it's the access point at fault, or if the way I'm authenticating is ill-advised? On the face of it, it would appear that the access point isn't happy with two supplicants using the same user credentials, but then I was under the impression the access point has no say in this. Isn't the access point (authenticator) merely supposed to be a bridge between the supplicant and authentication server?

Perhaps I should be issuing each device with its own certificate, then use EAP-TLS or PEAP with phase 2 certificates instead. I don't really want to go making new users for each person on a separate WiFi device as that defeats the purpose of what a user is, plus the device MAC address is fully logged so it's not like I couldn't see which devices are authenticating anyway.

Adambean