PMP450i RADIUS for Management Authentication

Hello,

I'm hoping to configure our PMP450i AP's for RADIUS authentication so that our team can use domain credentials to log into the AP's.

I've seen some guides, but I'm just not completely clear on what needs to happen.  I do have a Windows Network Policy Server which will be doing the authentication.


Can anyone provide some instruction or point me in the proper direction?

Thanks,

Brian

I found a guide that details how to configure RADIUS User authentication for management in an NPS server:
http://community.cambiumnetworks.com/t5/PMP-Beta/PMP-13-4-Microsoft-RADIUS-Support-Feature-Brief/m-p/40460#M277

This guide includes exporting a certificate from the AP/SM and importing it to the NPS server. I'm hoping to just accomplish this by Shared Secret.

Also, the guide states that the user's password must be stored in "reversible encryption." Surely that's still not the case today, is it?


Can anyone bridge these gaps for me?

Thanks,

Brian

Here's my configuration so far:

The PMP450i has the following configuration in Accounts:

  • User Authentication Mode: Remote then Local
  • User Authentication Method: EAP-PEAP-MSCHAPv2
  • Allow Local Login after Reject from AAA: Disabled
  • User Authentication Server DNS Usage: Disable DNS Domain Name
  • User Authentication Server 1: shared secret is correctly entered, server IP Address is correctly entered

NPS Server Configuration:

RADIUS Client Created with correct Client IP Address and Shared Secret

Network Policy looks like this:

Overview:

  • Access permission: Grant Access
  • Network Connection Method: Type of network access server = Unspecified

Conditions:

  • Includes the windows security group that my test user is a member of

Constraints:

  • Authentication Methods
    • MS-CHAP-V2 is selected

Settings

  • Standard Attributes
    • Name: Service-Type
    • Value: Login
  • Vendor Specific Attributes
    • Name: Vendor-Specific
    • Vendor Code: 161 (which is Cambium Networks)
    • Value: 3 (which is Admin user permissions for AP)

When I try to log into the PMP450i AP with my test user, it eventually times out and the System event log on the NPS server reports the following:

  • An Access-Request message was received from RADIUS client <ip address> with a Message-Authenticator attribute that is not valid.

Can anyone pinpoint what I'm doing wrong?

Thanks,

Brian

I shortened the shared secret and no longer get this error:

  • An Access-Request message was received from RADIUS client <ip address> with a Message-Authenticator attribute that is not valid.

The random shared secret that NPS generated is quite long, and perhaps Cambium doesn't support shared secrets over a certain length, causing that error; I don't know.

I then got this error in the Security Log:

  • The user attempted to use an authentication method that is not enabled on the matching network policy.

I added the EAP type in the Authentication Methods in the Network Policy:

Constraints:

  • EAP Types:
    • Microsoft: Protected EAP (PEAP) - the settings of which are:
      • Certificate Issued: <proper server cert>
      • Enable Fast Reconnect: checked
      • EAP Types: Secured password (EAP-MSCHAP v2)

Now when I try to log into an AP with a domain user, I get the following errors:

AP webpage:

Unauthorized
You have timed out of your session, have been locked out due to too many unauthorized access attempts, or have exceeded your maximum allowed sessions.
Please press here to continue

Security Log:

An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors. (but I can't find any EAP logs in C:\Windows\System32\LogFiles as referenced by some misc. posts.)

System Log:

schannel: The following fatal alert was received: 42.

Which according to Microsoft means TLS1_ALERT_BAD_CERTIFICATE 42 - SEC_E_CERT_UNKNOWN 0x80090327

The EAP RADIUS Log on the AP shows this:

10/12/2017 : 22:19:52 UTC : Deleted EAP Session.
10/12/2017 : 22:19:52 UTC : Create EAP Session.
10/12/2017 : 22:19:52 UTC : Restarted EAP Session.
10/12/2017 : 22:19:52 UTC : FULL Restart EAP Session.
10/12/2017 : 22:19:52 UTC : Create EAP Session.
10/12/2017 : 22:19:52 UTC : Restarted EAP Session.
10/12/2017 : 22:19:52 UTC : FULL Restart EAP Session.
10/12/2017 : 22:19:52 UTC : SSL client made connection.
10/12/2017 : 22:19:52 UTC : Deleted EAP Session.
10/12/2017 : 22:19:52 UTC : EAP FAILURE For Session
10/12/2017 : 22:19:52 UTC : Deleted EAP Session.

Thanks,

Brian

Hi,

Starting Release 15.1 onwards we do support PEAP-MSCHAPv2 for User Auth as well.
http://community.cambiumnetworks.com/t5/PMP-450/Separation-of-SM-authentication-and-User-Authentication/m-p/76325#M5096

Maximum length for NPS shared secret is 31 characters.

One more thing: Allow Local Login after Reject from AAA is Disabled; make it Enabled. This will act as a failsafe mechanism to log in to the radio in case something is wrong with AAA.


>Which according to Microsoft means TLS1_ALERT_BAD_CERTIFICATE 42 - SEC_E_CERT_UNKNOWN 0x80090327
Also please perform the steps in the Import Certificate section of
https://community.cambiumnetworks.com/t5/PMP-Beta/PMP-13-4-Microsoft-RADIUS-Support-Feature-Brief/m-p/40460/thread-id/277

If the server certificate is signed by an untrusted CA, users have to install the CA on the Windows server first before doing the above steps.
See https://technet.microsoft.com/en-us/library/cc754367 for detailed procedure.

Another important point for User Auth is that the Cambium-Canopy-UserLevel VSA must be present.

This tells what privilege level this user should be assigned by the PMP radio.

Thanks,
Chitrang

1 Like
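An added example (my own Python, not from the thread, from Cambium or from Microsoft) that shows the two protocol details behind Brian's "Message-Authenticator attribute that is not valid" event and Chitrang's answer. The Message-Authenticator is an HMAC-MD5 over the Access-Request keyed with the shared secret (RFC 2869), so any mismatch of the secret between radio and NPS, such as the thread's suspicion that one side keeps only 31 characters of a longer secret, makes the server's check fail. The same block encodes the Cambium-Canopy-UserLevel VSA (vendor 161, attribute 50, value 3) the way it travels on the wire. The secrets, the user name and the Request Authenticator are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the demo (not from the thread).
FULL_SECRET = b"ThisIsAVeryLongRandomlyGeneratedNpsSecret1234567"   # 48 chars, longer than NPS's 31
TRUNCATED_SECRET = FULL_SECRET[:31]                                  # what a 31-char-limited peer would keep

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type
MESSAGE_AUTHENTICATOR = 80    # RFC 2869 attribute type
CAMBIUM_VENDOR_ID = 161       # Cambium Networks vendor code (from the thread)
CAMBIUM_USERLEVEL = 50        # Cambium-Canopy-UserLevel vendor-assigned number (from the thread)
ADMIN_LEVEL = 3               # Admin permissions on the AP (from the thread)


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cambium_userlevel_vsa(level: int) -> bytes:
    """Vendor-Specific attribute carrying vendor 161 / sub-attribute 50 as a 4-byte integer."""
    sub_attr = struct.pack("!BB", CAMBIUM_USERLEVEL, 6) + struct.pack("!I", level)
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CAMBIUM_VENDOR_ID) + sub_attr)


def build_access_request(secret: bytes, username: bytes, request_authenticator: bytes,
                         identifier: int = 1) -> bytes:
    """Access-Request (code 1) with User-Name, Service-Type=Login and a valid Message-Authenticator.

    Per RFC 2869 section 5.14 the HMAC-MD5 is taken over the whole packet with the
    Message-Authenticator value set to 16 zero bytes, keyed with the shared secret.
    """
    attrs = attr(1, username) + attr(6, struct.pack("!I", 1))   # User-Name, Service-Type=Login(1)
    placeholder = attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", 1, identifier, length) + request_authenticator
    digest = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, digest)


def message_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """Server-side check: locate attribute 80, zero it, recompute the HMAC and compare."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False                                  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False                                          # attribute absent


if __name__ == "__main__":
    req = build_access_request(FULL_SECRET, b"brian", os.urandom(16))
    print("secret matches on both sides:", message_authenticator_valid(req, FULL_SECRET))      # True
    print("one side kept only 31 chars:", message_authenticator_valid(req, TRUNCATED_SECRET))  # False
    print("UserLevel VSA:", cambium_userlevel_vsa(ADMIN_LEVEL).hex())
```

The server cannot tell a truncated secret from a wrong one: both simply fail the HMAC comparison, which is why the NPS event says nothing about length. Keeping the secret at or below 31 characters on both sides, as Chitrang advises, is the fix; a packet capture would show the VSA above as bytes 1a 0c 00 00 00 a1 32 06 00 00 00 03 in the Access-Accept.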

Hi Chitrang,


Thanks for the information.

The Import Certificate section seems to detail importing the certificate created by the PMP AP onto the NPS server.  Does this mean I have to import certificates from every AP onto the NPS server? Or is it a one time thing? I would imagine that each AP would have a uniquely generated certificate.


The NPS server is also running the AD CS role - I'll take a look at the technet link to make sure it's configured properly for this.

What is the vendor-assigned attribute number for Cambium-Canopy-UserLevel? I've found that it is 50, so my NPS configuration already has a vendor-specific attribute with the following info:

  • Attribute Value
    • Vendor: Vendor Code: 161
      • Vendor-assigned attribute number: 50
      • Attribute format: decimal
      • Attribute value: 3

Please let me know if that value needs to be different.


Thanks,

Brian

Hi,

It's a one-time thing.

Basically the AP acts as a RADIUS client, and while making the secure tunnel (TLS), the 450 AP does validate the server certificate sent by NPS, and if that matches what is already installed, it proceeds further.

By default all PMP radios ship with a default certificate, and the same can be downloaded from here.

https://support.cambiumnetworks.com/files/pmp450/

aaaserver_cert.pem is signed by cacert_aaasvr.pem, which is the root CA, and Windows should know about this root CA.

Please install this, because from the logs of NPS it appears Windows doesn't understand who signed the server certificate which is being used in the secure tunnel of PEAP-MSCHAPv2.

Thanks,

Chitrang

3 Likes

Hi Chitrang,

I pulled down the files you mentioned since I couldn't find them on the AP using the instructions in the NPS walkthrough you linked to earlier.

I converted the aaasvr_cert.pem and cacert_aaasvr.pem to .crt.  I then imported the aaasvr_cert.crt file to the Personal certificate store of the NPS server, and imported the cacert_aaasvr.crt to the Trusted Root Certificate Authorities certificate store.

In NPS, I changed the PEAP certificate to "Canopy AAA Server Demo Certificate"

I now get the following errors on the NPS server when trying to authenticate with a domain user:

System:

schannel - The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

Security:

Audit Failure - The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

I'm doing some research and trying to determine what's wrong with the cert.  Do you have any ideas?

Thanks,

Brian

Hi Chitrang,

I think I got this figured out.  The cause of the error was quite obvious "The SSL server credential's certificate does not have a private key information property attached to it."

I had converted the public key from pem to crt and imported it without a private key.  I used openssl to convert the crt and key to pfx to make a pair:

# openssl pkcs12 -export -out aaasvr_cert.pfx -inkey aaasvr_key.pem -in aaasvr_cert.pem

I imported aaasvr_cert.pfx to the NPS server's Personal certificate store and then updated PEAP to use it.

I'm now able to authenticate to the PMP AP with the domain user credentials!


Thanks for the help,

Brian
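An added Python example (mine, not from the thread or from Cambium's tooling) that automates the check Brian's schannel error points at: before exporting a .pfx, confirm the private key really belongs to the certificate, and after exporting, confirm the bundle carries the key so the Personal store entry will have its "private key information property". It shells out to the openssl CLI, creates a throwaway self-signed certificate plus an unrelated key in a temporary directory, and uses the same pkcs12 export as the command above. The file names, the demo CN and the password "changeit" are constructed values.

```python
import os
import shutil
import subprocess
import tempfile


def run_openssl(*args: str) -> bytes:
    """Run one openssl subcommand and return its stdout; raises CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], capture_output=True, check=True).stdout


def public_key_of_cert(cert_pem: str) -> bytes:
    """SubjectPublicKeyInfo (PEM) extracted from the certificate."""
    return run_openssl("x509", "-in", cert_pem, "-noout", "-pubkey")


def public_key_of_key(key_pem: str) -> bytes:
    """SubjectPublicKeyInfo (PEM) derived from the private key."""
    return run_openssl("pkey", "-in", key_pem, "-pubout")


def key_matches_cert(cert_pem: str, key_pem: str) -> bool:
    """True only when the private key is the counterpart of the certificate's public key."""
    return public_key_of_cert(cert_pem) == public_key_of_key(key_pem)


def export_pfx(cert_pem: str, key_pem: str, pfx_out: str, password: str) -> str:
    """The export from the thread, guarded so a mismatched key is refused instead of bundled."""
    if not key_matches_cert(cert_pem, key_pem):
        raise ValueError("private key does not match certificate; refusing to build a .pfx")
    run_openssl("pkcs12", "-export", "-out", pfx_out, "-inkey", key_pem, "-in", cert_pem,
                "-passout", f"pass:{password}")
    return pfx_out


def pfx_has_private_key(pfx_path: str, password: str) -> bool:
    """Re-open the bundle and check that a private key block is present."""
    out = run_openssl("pkcs12", "-in", pfx_path, "-nocerts", "-nodes", "-passin", f"pass:{password}")
    return b"PRIVATE KEY" in out


def demo() -> dict:
    """Generate a self-signed cert+key and an unrelated key (constructed), then exercise the checks."""
    work = tempfile.mkdtemp(prefix="aaasvr-demo-")
    cert = os.path.join(work, "aaasvr_cert.pem")        # constructed names, echoing the thread's
    key = os.path.join(work, "aaasvr_key.pem")
    other = os.path.join(work, "unrelated_key.pem")
    run_openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                "-subj", "/CN=aaasvr-demo", "-keyout", key, "-out", cert)
    run_openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", other)
    pfx = export_pfx(cert, key, os.path.join(work, "aaasvr_cert.pfx"), "changeit")
    result = {
        "matching_pair": key_matches_cert(cert, key),          # the pair NPS needs
        "unrelated_key_rejected": not key_matches_cert(cert, other),
        "pfx_has_private_key": pfx_has_private_key(pfx, "changeit"),
    }
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it against the real aaasvr_cert.pem and aaasvr_key.pem by calling export_pfx directly; a mismatch raises before anything is written. With OpenSSL 3.x the default PKCS#12 encryption is newer than what some Windows versions accept, so if the import wizard rejects the file, add the -legacy option to the pkcs12 -export command.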

Hi Chitrang,


I've got another question.  I see that when exporting the AP config, it's holding 2 certificates.  The SM's, on the other hand, allow to upload / delete certificates via Configuration -> Security, whereas the AP's don't allow for this.

I realize that the risk is likely low; however, using a private key that is made somewhat publicly available doesn't seem like a wise idea.  Can I upload my own certificate to the AP like can be done on the SM? If not, why not?

Thanks,

Brian

Never mind, I figured this out.   On the AP, you can upload certificates in the Accounts section as opposed to the Configuration -> Security section on the SM.

I deleted one of the default Cambium certificates, exported the CA cert from my local CA server, imported it to the AP, saved, rebooted, and changed my PEAP to utilize the local CA certificates instead of the Cambium Demo certs.  RADIUS authentication still succeeds.

Thanks,

Brian

Yes, on the SM one can import 4 certificates, i.e. 2 for SM authentication and 2 for user authentication, while on the AP all you can do is user authentication, so 2 certificates for that.