Michael Fischer wrote:
the strange thing is that I've never used anything else than universal password and my universal password policy does allow the user to read the password.
No, it doesn't. The debug log disagrees with you.
I get the same error with the working Cisco-VPN configuration, see the debug output: ... rlm_ldap: Error reading Universal Password.Return Code = -1635
See? A quick check of "google" shows: http://www.novell.com/documentation/ndsedir86/readme/winreadme.html
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Which is the same error as with PEAP.
rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful
That is different than PEAP. In this case, FreeRADIUS is handing the username && password to eDirectory for authentication. eDirectory returns success/failure.
I guess that cannot be the problem then...
Yes, it *is* the problem. Fix eDirectory so that it doesn't return error 1635. Nothing else will solve the problem. Alan DeKok.