EAP-TTLS with mschapv2 and edirectory
Alan DeKok
aland at deployingradius.com
Wed Sep 9 11:29:42 CEST 2009
Michael Fischer wrote:
> the strange thing is that I've never used anything else than universal
> password and my universal password policy does allow the user to read
> the password.
No, it doesn't. The debug log disagrees with you.
> I get the same error with the working Cisco-VPN configuration, see the
> debug output:
...
> rlm_ldap: Error reading Universal Password.Return Code = -1635
See?
A quick check of "google" shows:
http://www.novell.com/documentation/ndsedir86/readme/winreadme.html
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
Which is the same error as with PEAP.
> rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
That is different than PEAP. In this case, FreeRADIUS is handing the
username && password to eDirectory for authentication. eDirectory
returns success/failure.
> I guess that cannot be the problem then...
Yes, it *is* the problem. Fix eDirectory so that it doesn't return
error 1635.
Nothing else will solve the problem.
Alan DeKok.
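An added example, not part of this thread or of FreeRADIUS itself: a small Python triage script that scans `radiusd -X` debug output for the two signals discussed above (rlm_ldap failing to read the eDirectory Universal Password, and rlm_pap's "no known good password" warning) and separates them from the bind-based path that made the VPN (PAP) configuration work. The sample log is constructed from the lines quoted in the thread; the field names and the `triage` function are my own.

```python
import re

# Constructed sample of FreeRADIUS "radiusd -X" output, assembled from the
# lines quoted in the thread (the line-wrapped bind line is rejoined).
SAMPLE_DEBUG = """\
rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_pap: WARNING! No "known good" password found for the user.
rlm_pap: Authentication may fail because of this.
"""

UP_ERROR = re.compile(r'rlm_ldap: Error reading Universal Password\.\s*Return Code = (-?\d+)')
NO_KNOWN_GOOD = re.compile(r'rlm_pap: WARNING! No "known good" password found')
BIND_AS = re.compile(r'rlm_ldap: bind as (\S+) to (\S+)')
BIND_OK = re.compile(r'rlm_ldap: Bind was successful')


def triage(debug_text):
    """Classify a debug capture: can MS-CHAPv2 (PEAP / EAP-TTLS) work, and
    does the bind-based (PAP-style) path work?  Only evidence present in the
    log is used; absence of errors is not treated as proof of success."""
    reasons = []
    up_codes = [int(m.group(1)) for m in UP_ERROR.finditer(debug_text)]
    if up_codes:
        reasons.append("rlm_ldap could not read the Universal Password, return codes %s" % up_codes)
    if NO_KNOWN_GOOD.search(debug_text):
        reasons.append('rlm_pap found no "known good" password for the user')

    binds = BIND_AS.findall(debug_text)  # list of (dn/password, server)
    bind_ok = BIND_OK.search(debug_text) is not None

    return {
        "universal_password_error_codes": up_codes,
        "bind_attempts": [dn.split("/", 1)[0] for dn, _server in binds],
        "bind_succeeded": bind_ok,
        # MS-CHAPv2 needs the server to hold the cleartext (or NT-hash) of the
        # user's password; a successful LDAP bind cannot substitute for it.
        "mschapv2_blocked": bool(reasons),
        # Binding as the user lets eDirectory do the password check itself,
        # which is why the PAP-based VPN configuration still succeeds.
        "pap_bind_auth_ok": bind_ok,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print("%-32s %s" % (key, value))
```

Run it against a real capture and `mschapv2_blocked` with a non-empty `reasons` list points at eDirectory's Universal Password read failing, not at the EAP configuration.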