If you want to use a Windows NT server for authentication, authorization, or accounting, you must first create at least one Windows NT server group and add one or more servers to each group. You identify Windows NT server groups by name.
To add a Windows NT server group, perform the following steps:
aaa-server servergroup1 protocol nt
Identifies the server group name and the protocol.
When you enter the aaa-server protocol command, you enter aaa-server group configuration mode.
Specifies the maximum number of requests sent to a Windows NT server in the group before trying the next server. The argument can range from 1 to 5. The default is 3.
If you configured a fallback method using the local database (for management access only), and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default), so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the command in the next step.
If you do not have a fallback method, the ASA continues to retry the servers in the group.
Specifies the method (reactivation policy) by which failed servers in a group are reactivated.
keyword reactivates failed servers only after all of the servers in the group are inactive.
keyword-argument pair specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers. The default is 10 minutes.
keyword reactivates failed servers after 30 seconds of down time.
The following example shows how to add a Windows NT domain server group:
Specifies the name for the Windows NT authentication domain controller.
argument represents the hostname (no more than 15 characters) of the NT Primary Domain Controller for this server (for example, PDC01). You must enter a name, and it must be the correct hostname for the server whose IP address you added in the Authentication Server Address field. If the name is incorrect, authentication fails.
The following example shows how to add a Windows NT domain server to the NTAuth server group:
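The limits stated in these steps (1 to 5 requests per server, a 0 to 1440 minute dead time, and a required domain controller hostname of at most 15 characters) can be checked against a saved configuration before it is deployed. The Python check below is an added example, not part of the original documentation. Assumptions: the sample configuration, interface name and addresses are constructed, and the sub-command names max-failed-attempts, reactivation-mode and nt-auth-domain-controller are taken to be the ASA commands these steps describe, since their names do not appear on the page.

```python
import re

# Constructed sample configuration (not from the page). The sub-command names
# are assumed to be the ASA commands whose descriptions appear in the steps above.
SAMPLE_CONFIG = """\
aaa-server NTAuth protocol nt
 max-failed-attempts 7
 reactivation-mode depletion deadtime 2000
aaa-server NTAuth (inside) host 10.1.1.4
 nt-auth-domain-controller PRIMARY-CONTROLLER-01
aaa-server servergroup1 protocol nt
 max-failed-attempts 2
 reactivation-mode timed
aaa-server servergroup1 (inside) host 10.1.1.5
 nt-auth-domain-controller PDC01
aaa-server servergroup1 (inside) host 10.1.1.6
"""

GROUP = re.compile(r"aaa-server (\S+) protocol (\S+)")
HOST = re.compile(r"aaa-server (\S+) \(\S+\) host (\S+)")

def in_range(text, low, high):
    return text.isdigit() and low <= int(text) <= high

def lint_nt_groups(config):
    """Return (line_number, message) findings for NT server groups and their hosts."""
    findings, nt_groups, in_nt, host = [], set(), False, None
    for no, raw in enumerate(config.splitlines() + ["end"], 1):
        words = raw.split()
        if words and not raw[0].isspace():  # a top-level command closes the open block
            if host and not host[2]:
                findings.append((host[0], f"host {host[1]}: no domain controller name"))
            in_nt, host = False, None
            if (m := GROUP.fullmatch(raw.strip())) and m.group(2) == "nt":
                nt_groups.add(m.group(1))
                in_nt = True
            elif (m := HOST.fullmatch(raw.strip())) and m.group(1) in nt_groups:
                in_nt, host = True, [no, m.group(2), False]
        elif in_nt and len(words) > 1:
            value = words[-1]
            if words[0] == "max-failed-attempts" and not in_range(value, 1, 5):
                findings.append((no, f"max-failed-attempts {value}: range is 1 to 5"))
            elif words[1:3] == ["depletion", "deadtime"] and not in_range(value, 0, 1440):
                findings.append((no, f"deadtime {value}: range is 0 to 1440 minutes"))
            elif words[0] == "nt-auth-domain-controller" and host:
                host[2] = True
                if len(value) > 15:
                    findings.append((no, f"hostname {value}: longer than 15 characters"))
    return findings
```

The check confirms only that a domain controller name is present and within the length limit; whether it is the correct hostname for the server's IP address still has to be verified against the domain, because an incorrect name makes authentication fail.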