SSID visible but authentication fails for only one security group

Scenario

An SSID broadcasts normally, but users from one department cannot authenticate while others can.

Recommended Resolution Path

1. Confirm the RADIUS policy maps the group to the expected VLAN and access profile.
2. Review whether certificate, PEAP, or user group conditions changed recently.
3. Test with a user from the affected group on a known-good device and vice versa.
4. If authorization is the blocker, fix the policy rather than telling users to forget and reconnect endlessly.

Technician Notes

Document what changed, what confirmed the fix, and whether the issue points to a broader standards gap worth addressing for the client.