EAP-TTLS with mschapv2 and edirectory

Alan DeKok aland at deployingradius.com
Wed Sep 9 11:29:42 CEST 2009

Michael Fischer wrote:
> the strange thing is that I've never used anything else than universal
> password and my universal password policy does allow the user to read
> the password.

  No, it doesn't.  The debug log disagrees with you.

> I get the same error with the working Cisco-VPN configuration, see the
> debug output:
> rlm_ldap: Error reading Universal Password.Return Code = -1635


  A quick check of "google" shows:


> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.

  Which is the same error as with PEAP.

> rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful

  That is different than PEAP.  In this case, FreeRADIUS is handing the
username && password to eDirectory for authentication.  eDirectory
returns success/failure.

> I guess that cannot be the problem then...

  Yes, it *is* the problem.  Fix eDirectory so that it doesn't return
error 1635.

  Nothing else will solve the problem.

  Alan DeKok.

More information about the Freeradius-Users mailing list
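Why a successful LDAP bind does not help here, shown as an added example (not code from the list post or from FreeRADIUS): MS-CHAPv2 verification starts from the NT hash of the user's password (RFC 2759 NtPasswordHash, MD4 over the UTF-16LE cleartext) and the challenge hash of the two challenges and the user name. A bind as the user, which is what the Cisco VPN/PAP case does, only yields yes/no for a cleartext password and never gives the server the NT hash, so with no readable Universal Password there is no "known good" password to verify against. The block below computes those server-side inputs and checks them against the published RFC 2759 section 9.2 test vectors; MD4 is implemented in pure Python because hashlib's md4 is often missing on OpenSSL 3 builds. The last step of the NT-Response (three DES encryptions of the challenge hash under the 21-byte padded NT hash) is described in the docstring but not implemented. The function and constant names are this example's own.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """MD4 (RFC 1320) in pure Python: hashlib's md4 is unavailable on many
    OpenSSL 3 builds, and MS-CHAPv2 cannot be verified without it."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # (function, additive constant, message-word order, shift cycle) per round
    rounds = (
        (f, 0x00000000, (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        r = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # registers rotate a,b,c,d -> d,a,b,c -> c,d,a,b -> b,c,d,a
                a, b, c, d = (r[(j - i) % 4] for j in range(4))
                r[-i % 4] = _rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_password_hash(password):
    """RFC 2759 NtPasswordHash: MD4 over the UTF-16LE cleartext. This is the
    step that needs the password itself (or its NT hash) on the RADIUS side."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 ChallengeHash: first 8 bytes of SHA-1 over both challenges and
    the user name. Needs no secret, only values seen on the wire."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username).digest()[:8]


def mschapv2_server_material(username, peer_challenge, authenticator_challenge, known_good_password):
    """Everything the server needs before it can recompute the NT-Response
    (the remaining step, three DES encryptions of the challenge hash under the
    21-byte zero-padded NT hash, is not implemented here). Returns None when
    the server has no known-good password: an LDAP bind as the user can answer
    yes/no for a cleartext password, but it never yields the NT hash."""
    if known_good_password is None:
        return None
    nt_hash = nt_password_hash(known_good_password)
    return {
        "challenge_hash": challenge_hash(peer_challenge, authenticator_challenge, username),
        "nt_hash": nt_hash,
        "nt_hash_hash": md4(nt_hash),  # HashNtPasswordHash, used for the authenticator response
    }


# Published RFC 2759 section 9.2 test vectors (not constructed here)
RFC_USERNAME = b"User"
RFC_PASSWORD = "clientPass"
RFC_AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")

if __name__ == "__main__":
    for pw in (RFC_PASSWORD, None):
        m = mschapv2_server_material(RFC_USERNAME, RFC_PEER_CHALLENGE, RFC_AUTHENTICATOR_CHALLENGE, pw)
        if m is None:
            print("no known-good password: nothing to verify the NT-Response against")
        else:
            for name, val in m.items():
                print(f"{name}: {val.hex().upper()}")
```

Run stand-alone it prints the RFC values for "clientPass" (NT hash 44EBBA8D5312B8D611474411F56989AE, challenge hash D02E4386BCE91226) and then the None case, which is the state FreeRADIUS is in when eDirectory returns -1635 on the Universal Password read. Note that the server needs only the NT hash, not the cleartext, so a directory that exposes the hash (or the cleartext, as Universal Password is meant to) is the minimum for MS-CHAPv2; a bind-only check is not enough however well it works for PAP.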