This took me hours to fix. I’m so utterly annoyed at myself for not finding the problem earlier that I’m going to let you in on what I did.
We have a setup at work of about 100 Cisco routers, Aironets and other 802.1x devices connecting to a Windows 2008 IAS box for AD RADIUS authentication. Now, this one user was having a problem with them. IAS logs are, as I’m sure you’re aware, impossible to read. I could see something happening in the logs, but the Aironet said “Station [mac] Authentication failed”. Hmm. AD security logs showed he authenticated OK. It took a long time for Windows to give up authenticating, so it seemed like a network-related issue. This guy was fine at home on his wireless, so the laptop was OK. Weird.
Anyway, after a long and hard struggle with no errors being logged, I looked at his “Dial-in” tab in AD and lo and behold, it was set to “Deny”. Thanks to whomever set his account up, that was a great help. To make it better, that tab doesn’t show in my Win7 RSAT, so I had to RDP to a 2k3 box.
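The “Dial-in” tab is just the msNPAllowDialin attribute on the user object, so you can find explicit denies without an RDP session to an old DC. This is an added example, not from the original post; it assumes the ActiveDirectory RSAT module is installed, and the OU path and account name are placeholders.

```powershell
# Added example: find enabled AD users whose dial-in permission is explicitly
# "Deny access". NPS/IAS rejects these before any network policy is evaluated,
# which looks like a silent RADIUS failure on the access point.
# Assumes the ActiveDirectory module (RSAT); $SearchBase is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder, adjust to your domain

# msNPAllowDialin: TRUE = Allow, FALSE = Deny, not set = control via NPS policy
$denied = Get-ADUser -SearchBase $SearchBase `
    -Filter 'msNPAllowDialin -eq $false' `
    -Properties msNPAllowDialin |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, DistinguishedName

if ($denied) {
    Write-Host 'Enabled users with dial-in set to Deny (will fail 802.1X/RADIUS):'
    $denied | Format-Table -AutoSize
} else {
    Write-Host "No enabled users with an explicit dial-in Deny under $SearchBase"
}

# Check a single account (placeholder name); $null means "controlled by policy":
(Get-ADUser 'jdoe' -Properties msNPAllowDialin).msNPAllowDialin

# Fix: clear the explicit Deny so access falls back to the NPS/IAS policy
# Set-ADUser 'jdoe' -Clear msNPAllowDialin
```

Running the report periodically also catches accounts created from a template that carried a Deny, which is how this kind of setting usually ends up on a user who never asked for it.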