PMP450i RADIUS for Management Authentication

I shortened the shared secret and no longer get this error:

  • An Access-Request message was received from RADIUS client <ip address> with a Message-Authenticator attribute that is not valid.

The randomly generated NPS shared secret is quite long, and perhaps Cambium doesn't support shared secrets over a certain length, causing that error; I don't know.

I then got this error in the Security Log:

  • The user attempted to use an authentication method that is not enabled on the matching network policy.

I added the EAP type in the Authentication Methods in the Network Policy:

Constraints:

  • EAP Types:
    • Microsoft: Protected EAP (PEAP) - the settings of which are:
      • Certificate Issued: <proper server cert>
      • Enable Fast Reconnect: checked
      • EAP Types: Secured password (EAP-MSCHAP v2)

Now when I try to log into an AP with a domain user, I get the following errors:

AP webpage:

Unauthorized
You have timed out of your session, have been locked out due to too many unauthorized access attempts, or have exceeded your maximum allowed sessions.
Please press here to continue

Security Log:

An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

(But I can't find any EAP logs in C:\Windows\System32\LogFiles, as referenced by some misc. posts.)

System Log:

schannel: The following fatal alert was received: 42.

According to Microsoft, this means TLS1_ALERT_BAD_CERTIFICATE 42 - SEC_E_CERT_UNKNOWN 0x80090327.

The EAP RADIUS Log on the AP shows this:

10/12/2017 : 22:19:52 UTC : Deleted EAP Session.
10/12/2017 : 22:19:52 UTC : Create EAP Session.
10/12/2017 : 22:19:52 UTC : Restarted EAP Session.
10/12/2017 : 22:19:52 UTC : FULL Restart EAP Session.
10/12/2017 : 22:19:52 UTC : Create EAP Session.
10/12/2017 : 22:19:52 UTC : Restarted EAP Session.
10/12/2017 : 22:19:52 UTC : FULL Restart EAP Session.
10/12/2017 : 22:19:52 UTC : SSL client made connection.
10/12/2017 : 22:19:52 UTC : Deleted EAP Session.
10/12/2017 : 22:19:52 UTC : EAP FAILURE For Session
10/12/2017 : 22:19:52 UTC : Deleted EAP Session.

Thanks,

Brian