If you want to use a Windows NT server for authentication, authorization, or accounting, you must first create at least one Windows NT server group and add one or more servers to each group. You identify Windows NT server groups by name.
To add a Windows NT server group, perform the following steps:
aaa-server server_tag protocol nt
ciscoasa(config)# aaa-server servergroup1 protocol nt
Identifies the server group name and the protocol.
When you enter the aaa-server protocol command, you enter aaa-server group configuration mode.
Specifies the maximum number of requests sent to a Windows NT server in the group before trying the next server. The number argument can range from 1 to 5. The default is 3.
If you configured a fallback method using the local database (for management access only), and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default), so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the next step.
If you do not have a fallback method, the ASA continues to retry the servers in the group.
Specifies the method (reactivation policy) by which failed servers in a group are reactivated.
The depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
The deadtime minutes keyword-argument pair specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers. The default is 10 minutes.
The timed keyword reactivates failed servers after 30 seconds of downtime.
The following example shows how to add a Windows NT domain server group:
Specifies the name for the Windows NT authentication domain controller.
The string argument represents the hostname (no more than 15 characters) of the NT Primary Domain Controller for this server (for example, PDC01). You must enter a name, and it must be the correct hostname for the server whose IP address you added in the Authentication Server Address field. If the name is incorrect, authentication fails.
The following example shows how to add a Windows NT domain server to the NTAuth server group:
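An added example, not taken from the original guide: a Python check that reads ASA configuration text and flags Windows NT server group settings that fall outside the limits stated above (attempts 1 to 5, deadtime 0 to 1440 minutes, domain controller name of at most 15 characters, and a name present for every server). The command names max-failed-attempts, nt-auth-domain-controller and the host form of aaa-server are ASA CLI commands assumed to correspond to the steps described, the sample configuration is constructed, and audit_nt_groups is a hypothetical helper name.

```python
import re
# Constructed sample config: addresses and values are made up for this example.
# Subcommands are indented by one space, as in ASA running-config output.
SAMPLE = """\
aaa-server NTAuth protocol nt
 max-failed-attempts 7
 reactivation-mode depletion deadtime 2000
aaa-server NTAuth (inside) host 192.0.2.10
 nt-auth-domain-controller PRIMARY-DC-SERVER-01
aaa-server NTAuth (inside) host 192.0.2.11
aaa-server servergroup1 protocol nt
 reactivation-mode timed
"""

def audit_nt_groups(config):
    """Return (groups, findings) for every 'protocol nt' AAA server group."""
    groups, findings, ctx = {}, [], None   # ctx = (group name, host dict or None)
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"aaa-server (\S+) protocol (\S+)", line):
            ctx = None
            if m[2] == "nt":
                # Defaults stated in the text: 3 attempts, 10-minute deadtime.
                groups[m[1]] = {"attempts": 3, "deadtime": 10, "hosts": []}
                ctx = (m[1], None)
        elif m := re.fullmatch(r"aaa-server (\S+) (?:\(\S+\) )?host (\S+)", line):
            ctx = None
            if m[1] in groups:
                host = {"ip": m[2], "dc": None}
                groups[m[1]]["hosts"].append(host)
                ctx = (m[1], host)
        elif not raw.startswith(" "):
            ctx = None                      # unrelated top-level command
        elif ctx and (m := re.fullmatch(r"max-failed-attempts (\d+)", line)):
            groups[ctx[0]]["attempts"] = int(m[1])
            if not 1 <= int(m[1]) <= 5:
                findings.append(f"{ctx[0]}: max-failed-attempts {m[1]} outside 1-5")
        elif ctx and (m := re.fullmatch(r"reactivation-mode depletion deadtime (\d+)", line)):
            groups[ctx[0]]["deadtime"] = int(m[1])
            if not 0 <= int(m[1]) <= 1440:
                findings.append(f"{ctx[0]}: deadtime {m[1]} outside 0-1440")
        elif ctx and ctx[1] is not None and (m := re.fullmatch(r"nt-auth-domain-controller (\S+)", line)):
            ctx[1]["dc"] = m[1]
            if len(m[1]) > 15:
                findings.append(f"{ctx[0]}: domain controller name {m[1]} exceeds 15 characters")
    for name, g in groups.items():          # every server needs a domain controller name
        findings += [f"{name}: host {h['ip']} has no domain controller name"
                     for h in g["hosts"] if h["dc"] is None]
    return groups, findings
```

Calling audit_nt_groups(SAMPLE) reports four findings for the NTAuth group and none for servergroup1, which keeps the default attempt count and deadtime.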