This document demonstrates how to configure the Cisco VPN 3000
Concentrator to authenticate Cisco VPN Clients to an external Microsoft Windows
NT domain server. If multiple NT domain servers are specified, the first server
listed is the primary server. The rest are backup servers in the event the
primary server is inoperative after a configurable number of retries (0-10) and
seconds (1-30). Set up a trust relationship in NT, with one NT domain server
listed in the VPN 3000 to have authentication to multiple NT domains. All
requests go to the single NT domain server, which forwards the request to the
appropriate trusted primary domain controller (PDC) in the specified domain.
The information in this document is based on these software and
Cisco VPN 3000 Concentrator 2.5.2 and later
Windows NT server 4.0
Note: This example from the lab shows the authentication PDCs outside the
VPN Concentrator. In an actual network environment, and for maximum security,
the PDCs would be inside the VPN Concentrator.
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
is listed in the VPN 3000 Concentrator, but a trust relationship is
set up in Windows NT, requests go to 172.18.124.99 (ZEKIE), which services user
requests itself or forwards requests for other users to 172.18.124.110
Test to be sure that the VPN Client authentication and encryption
to the internal VPN 3000 database works before you add authentication to a
Windows NT domain server.
Add the NT domain server to the VPN 3000 Concentrator
authentication server list. For a trust relationship, you might need to
increase the timeout (the default is a 4-second timeout and two retries).
Test the NT domain server authentication from the VPN 3000
Concentrator. For example, we formed an NT trust relationship between
172.18.124.99 and 172.18.124.110 with one server listed. We tested
authentication by entering:
(user on 172.18.124.99)
User Name: vpnuser
User Name: ANYWHERE\vpnuser
(user on 172.18.124.110)
User Name: RTP-APPS\appsuser
Configure the VPN 3000 group to point to the NT domain for
On the Cisco VPN 3000 Concentrator versions 3.0 and later, it is
possible to define the authentication server on a per-group basis (instead of
defining it on a global basis for the whole VPN Concentrator). Select
Configuration > User Management > Groups and click
This section provides information that you can use to troubleshoot your
Select Configuration > System > Events > Classes
> Add to turn on VPN 3000 Concentrator debugging. Include AUTH,
AUTHDBG, AUTHDECODE with these settings.
Severity to Log = 1-9
Severity to Console = 1-3
In Windows NT, enable the audit facility.
Select Monitoring > Event Log to examine the
VPN 3000 Concentrator debug.
View successful and failed attempts for Windows NT.
Note: Be aware of one of the common errors for authentication failure
for VPN users. The cause of the error can be due to the non-synchronization of
the Clock between the VPN Concentrator and the AD server. Synchronize the time
for authentication to work.
44 10/12/2000 15:35:01.370 SEV=2 AUTH/17 RPT=1
Unable to establish connection: server = 172.18.124.99
56 10/12/2000 15:35:01.370 SEV=4 AUTH/9 RPT=6 220.127.116.11
Authentication failed: Reason = No active server found
handle = 66, server = 172.18.124.99, user = vpnuser