Michael Fischer wrote:
> the strange thing is that I've never used anything else than universal
> password and my universal password policy does allow the user to read
> the password.

No, it doesn't. The debug log disagrees with you.

> I get the same error with the working Cisco-VPN configuration, see the
> debug output:
...
> rlm_ldap: Error reading Universal Password.Return Code = -1635

See? A quick check of "google" shows:

http://www.novell.com/documentation/ndsedir86/readme/winreadme.html

> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.

Which is the same error as with PEAP.

> rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful

That is different than PEAP. In this case, FreeRADIUS is handing the username && password to eDirectory for authentication. eDirectory returns success/failure.

> I guess that cannot be the problem then...

Yes, it *is* the problem. Fix eDirectory so that it doesn't return error 1635. Nothing else will solve the problem.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

