I was mixing two services and forgot to combine everything into one. So the correct setup is: add EAP-MD5 as authentication method, add local users as authentication source, add the user as configured on the client with the password as configured on the client to the local user database, then it works.
Thanks, both of you.
[EDIT] Seems like something that should be documented in the manual.