If your RADIUS shared secret does not match on the Wireless Access Point (WAP) and Microsoft RADIUS Server, you will get a confusing error message that doesn’t clearly indicate the pass-phrase mis-match. Your RADIUS Events will be listed in Server Manager under the Network Policy and Access Services (NPAS) Events list. You can update the shared secret on the server for each client under Network Policy Server (NPS) – RADIUS Clients and Servers – RADIUS Clients. Each pass-phrase will need to match the one your configure on your wireless hardware that will be authenticating with WPA2-Enterprise (Microsoft PEAP, or other authentication method). An example error message follows:
Source: NPS, Event ID: 18, Level: Error, Message: An Access-Request message was received from RADIUS client 169.254.254.99 with a Message-Authenticator attribute that is not valid. (Fake IP was used for this example)
If you encounter this problem, double and triple check that the passwords match – usually by re-typing them in both the RADIUS server and client wireless hardware. For good measure I recommend rebooting the wireless hardware and re-starting the NPS RADIUS service to make sure they’re using the updated pass-phrases.
There is a related discussion of this error on the Windows Server Forums: NPS Error code 18 (microsoft.com). The solution for the Original Poster was the one I needed as well.