PMP 450 & Radiator?

>This should not be sending back Accepts as the database does not contain an anonymous user, so I am left scratching my head.

This is one important difference between TTLS and PEAP: TTLS doesn't expose the username in the outer tunnel while PEAP does. https://tools.ietf.org/html/rfc5281#page-38

>But in the client settings for aaa auth enforcement is not enabled. What am I missing here? I've attached screenshots of current configuration in the cambium equipment.

That is not required; that configuration means you want your SM to always do AAA auth irrespective of what the AP wants. Leave that disabled unless you absolutely want the SM not to talk without authentication. Typically the AP decides whether SM authentication is required or not.
Web User Authentication uses EAP-MD5^ while the SM can use TTLS/PEAP + MSCHAPv2. To make SM auth work you should have installed the same certificate in the RADIUS server as in the SM, because the SM verifies the certificate that the RADIUS server sends; if there is a mismatch it rejects auth.
EAP-MD5 doesn't need any certificate; it is a challenge-handshake protocol, so this should easily have worked.
Please check this guide
http://community.cambiumnetworks.com/t5/PMP-Configuration-Examples/Using-RADIUS-Server-with-PMP-450/m-p/52305
Try these troubleshooting steps to figure out your problem.
  1. Make sure the AP IP address is listed as a trusted client, otherwise all Access requests will be rejected.
  2. For SM authentication, the RADIUS server and the SM must have the same certificate installed. The SM validates the certificate which the RADIUS server presents against the one the SM is configured with. A demo certificate can be downloaded from this page.
  3. Use PEAP instead of TTLS in the SM configuration.
  4. When doing User Authentication, make sure the Canopy-Cambium-UserLevel VSA is configured for the user, otherwise the login process will fail.

^: Our latest software, 15.1 Open Beta for PMP 450, does support PEAP-MSCHAPv2 even for user authentication, so you can configure your server for PEAP-MSCHAPv2 and then both SM and user auth work.
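
Step 2 of the troubleshooting list above, as an added example that is not part of the original post or of Cambium's or Radiator's tooling: a check that the certificate file loaded on the SM and the one configured on the RADIUS server carry the same certificate. It assumes both are PEM text; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

def fingerprints(pem_text):
    """SHA-256 of the DER bytes of every certificate found in a PEM text."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        # Drop line wrapping and CR/LF so only the encoded certificate counts.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def sm_trusts_server(sm_pem, server_pem):
    """True when a certificate in the server's file is also in the SM's file."""
    sm = set(fingerprints(sm_pem))
    server = fingerprints(server_pem)
    if not sm or not server:
        raise ValueError("no PEM certificate found in one of the inputs")
    return any(fp in sm for fp in server)

def make_pem(der, width=64, eol="\n"):
    """Wrap bytes in PEM armour; used only to build the constructed samples."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----", ""])

# Constructed placeholder bytes, not real X.509 certificates.
DEMO_DER = bytes(range(200))
OTHER_DER = bytes(range(1, 201))

if __name__ == "__main__":
    sm_file = make_pem(DEMO_DER)
    # Same certificate re-saved with different wrapping and Windows line ends:
    # a byte-for-byte file comparison would report a mismatch here.
    same_cert = make_pem(DEMO_DER, width=76, eol="\r\n")
    wrong_cert = make_pem(OTHER_DER)
    print("re-wrapped copy matches:", sm_trusts_server(sm_file, same_cert))
    print("different cert matches: ", sm_trusts_server(sm_file, wrong_cert))
```

In practice, pass the contents of the certificate file exported for the SM and of the file the RADIUS server is configured to present.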