P2 · Network Infrastructure

Wi-Fi Client Connectivity Failure — SSID Not Joining or Repeated Drops

Q: How do I resolve Wi-Fi Client Connectivity Failure — SSID Not Joining or Repeated Drops?

Test PSK SSID to isolate RADIUS vs. general connectivity • Restore RADIUS reachability — fix firewall rule or NPS service • Renew NPS certificate and push root CA to clients via GPO • Correct trunk VLAN allowed list on AP uplink switch port • Adjust AP channel/power to reduce co-channel interference

Wireless clients cannot associate with an SSID, repeatedly disconnect, or land on the wrong VLAN after joining. Causes span 802.1X/RADIUS authentication failure, PSK mismatch, trunk VLAN misconfiguration on the AP uplink, and RF interference.

Indicators

SSID is visible but clients fail authentication and are not issued an IP
Clients receive an APIPA 169.254.x.x address on wireless
802.1X EAP failure logged in RADIUS/NPS event log — Event ID 6273
Clients connect but repeatedly drop every few minutes
Wireless controller shows AP–client association but DHCP lease never issued

Likely causes

RADIUS server unreachable from AP — firewall blocking UDP 1812/1813
NPS certificate expired or untrusted by client supplicant
Trunk port from AP to switch missing the SSID VLAN in allowed list
Native VLAN mismatch between AP and upstream switch port
RF interference or channel saturation in high-density environment
Pre-shared key mismatch (typo or out-of-sync after rotation)

Diagnostic steps

Check RADIUS reachability from AP management interface: ping RADIUS server IP; verify UDP 1812/1813 is permitted between AP subnet and RADIUS server
Review NPS/RADIUS logs: Event Viewer > Security > filter for Event ID 6273 (rejection) — reason code identifies EAP method failure, certificate issue, or user not found
Isolate 802.1X vs. general wireless: create a temporary PSK SSID on the same AP and test client connectivity — if PSK works, the issue is RADIUS/EAP specific
Verify switch trunk port serving the AP: show interfaces trunk (Cisco) — confirm SSID VLAN is in 'VLANs allowed and active in management domain'
Check AP event log in wireless controller (Meraki, UniFi, Aruba): look for DHCP failure, VLAN ID mismatch, or deauthentication reason codes
If drops are occurring: use Wi-Fi analyser (inSSIDer, Ekahau) to check channel utilisation and co-channel interference from neighbouring APs

Resolution path

Test PSK SSID to isolate RADIUS vs. general connectivity
Restore RADIUS reachability — fix firewall rule or NPS service
Renew NPS certificate and push root CA to clients via GPO
Correct trunk VLAN allowed list on AP uplink switch port
Adjust AP channel/power to reduce co-channel interference

Prevention

Monitor NPS certificate expiry and alert 30 days before (it causes mass wireless auth failure)
Use RRM (Radio Resource Management) for automatic channel and power adjustment
Document VLAN-to-SSID mapping and verify after any switch port change
Test 802.1X authentication with a known-good supplicant after any cert renewal or NPS change

Tools

Wireless controller — Meraki Dashboard, UniFi Network, Aruba Central
NPS/RADIUS Event Viewer (Event ID 6273)
Switch CLI (show interfaces trunk, show vlan brief)
Wi-Fi analyser (inSSIDer, Ekahau Site Survey)
Wireshark (wired-side capture on AP uplink port)
Netsh WLAN (Windows supplicant diagnostic)

wifiwireless802.11ssidradius802.1xeapmerakiunifiarubanpsaccess-point