PMP 13.4 –Microsoft RADIUS Support (Feature Brief)

Microsoft RADIUS Support


This feature supports Microsoft RADIUS (Network Policy and Access Services a.k.a NPS) as Authentication server for SM and User authentication.

Since NPS official doesn't support TTLS, SM Authentication will use PEAP-MSCHAPv2

EAP-MD5, which Canopy software uses for User Authentication, is deprecated. To continue using EAP-MD5 on NPS, users has to enable EAP-MD5, See this section for details

All this configuration has been tested on Windows Server 2012 R2 version. 

This feature is not supported on P9 or lower platforms

SM Authentication

Web UI

There are no new configuration on AP.However on SM, user should select PEAP in following way.

Configuration → Security → AAA Authentication Settings → Phase 1, Select eappeap.

Note that as you select Phase 1 as EAP-PEAP, Phase 2 will change automatically to MSCHAPv2.Other Phase 2 protocols like PAP/CHAP will be disabled.


User can configure existing OID in WHISP-SM-MIB

OID: . (phase1): Set this to 2 to use eappeap.

OID: . (phase2): Set this to 2 to use mschapv2.

Windows Server Configuration

Import Certificate

 Certificate on SM and RADIUS server should match. So, user must import certificate in Windows Server.

  1. Copy the certificate which is configured in SM under Configuration -> Security ->Certificate1 to Windows Server machine.
  2. Right Click and Select 'Install Certificate', this will install the certificate and it's ready to be used. We will use this certificate while configuring PEAP-MSCHAPv2 in NPS.
  3. Associate private key to this certificate.Note that Windows uses private key in form of *.p12/pfx format, you may have to convert the private file from pem format to p12. You can use the following openssl command to do that.

         openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile CACert.crt

Note: If server certificate is signed by an untrusted CA , users has to install CA first on Windows server first before doing above steps. See for detailed  procedure.

NPS Configuration (

Following items should be configured in NPS Console

  1. RADIUS Client
  2. Connection Request Policies Choose 'Wireless-Other' in NAS-Port-Type
  3. Network Policy Choose 'Wireless-Other' in NAS-Port-Type
    While configuring PEAP, select the certificate imported above


User Authentication

Enabling EAP-MD5

As it is mentioned that Microsoft has deprecated the support for MD5 from versions of Windows. To enable it there are some steps.

  1. Please follow instruction   
  2. Next from NPS Console Network Policy -> <Policy Name> -> Properties -> Constrains -> Authentication Method and click Add , You will see MD5 there, select and click OK.

User Configuration in Active Directory

Next open 'Active Directory Users and Computers' and create user, Make sure user property is configured as shown.

Note: DO NOT do this SM Authentication user, otherwise it wil try to do EAP-MD5 instead of PEAP-MSCHAPv2.

Radius VSA Configuration

Before using we must configure Cambium-Canopy-UserLevel(50) VSA with some access level say ADMIN(3), Follow , Our Vendor Code is 161.


User can enable accounting in NPS, Under NPS Console -> Accounting -> Configure Accounting

For more details refer


This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.