Hi,
Starting Release 15.1 onwards we do support PEAP-MSCHAPv2 for User Auth as well.
http://community.cambiumnetworks.com/t5/PMP-450/Separation-of-SM-authentication-and-User-Authentication/m-p/76325#M5096
Maximum length for NPS shared secret is 31 characters.
One more thing Allow Local Login after Reject from AAA: Disabled, make it enabled , this will act as a failsafe mechanism to login the radio in case something wrong with AAA.
>Which according to Microsoft means TLS1_ALERT_BAD_CERTIFICATE 42 - SEC_E_CERT_UNKNOWN 0x80090327
Also please perform steps in Import Certificate section of
https://community.cambiumnetworks.com/t5/PMP-Beta/PMP-13-4-Microsoft-RADIUS-Support-Feature-Brief/m-p/40460/thread-id/277
If server certificate is signed by an untrusted CA , users has to install CA first on Windows server first before doing above steps.
See https://technet.microsoft.com/en-us/library/cc754367 for detailed procedure.
Another impotrant point is for User Auth is Cambium-Canopy-UserLevel VSA must be present.
This tells what privillege level this user should be assigned by PMP Radio.
Thanks,
Chitrang