New Member

VPN Authentication against Windows 2000 Mixed-Mode Server

I have a client with a VPN 3005 concentrator, and they want to authenticate against their Windows 2000 Active Directory. However, the AD servers are running in Mixed-mode.

I have tried to configure the VPN 3005 concentrator to authenticate against the AD server, and although it recognises the domain and username, it will not authenticate (I always get an 'invalid password' message). Has anyone else experienced a similar problem/got this working?

Regards,

Matt

Silver

Re: VPN Authentication against Windows 2000 Mixed-Mode Server

Mixed mode shouldn't matter - that really only changes the ability of NT 4 BDCs to function. Downlevel clients should not be impacted, as win2k native and mixed mode both grok NTLM authentication.

Are you specifying the AD server as a "nt domain" type under authentication?

I didn't have a problem at all as I have upgraded from nt 4 to win2k mixed mode to win2k native mode - the 30xx never flinched. I am not running the 4.0 code, which might be more AD aware.

New Member

Re: VPN Authentication against Windows 2000 Mixed-Mode Server

Hi,

I've specified the Authentication type as 'Kerberos/Active Directory', which is what causes the problem.

I can get it working by specifying 'NT domain' as the authentication type; however, this doesn't allow me to control *which* users can access the VPN.

Is there any way to get a mixed-mode controller to work using AD authentication, or alternatively, any way of controlling which users can access the VPN when using 'NT domain' authentication?

Many thanks,

Matt

Silver

Re: VPN Authentication against Windows 2000 Mixed-Mode Server

That is odd. I can't think of anything kerberos / AD related that changes via the switch to native mode.

If you are using digital certs, you can use group matching rules under "Policy Matching" rules. This can probably get unwieldy, and would be nowhere as easy as using nt/ad groups, although I haven't played with the kerberos/ad auth features yet.

I would open a case with TAC - I truly cannot think of *any* reason why there would be a problem with mixed mode.

New Member

Re: VPN Authentication against Windows 2000 Mixed-Mode Server

OK - thanks for your help anyway. It's really appreciated.

Cheers,

Matt

New Member

Re: VPN Authentication against Windows 2000 Mixed-Mode Server

My VPN 3060 is authenticating using Microsoft's IAS RADIUS. In this case the Active Directory attribute controlling RAS access is used to control authentication.

Tom Zeller

Indiana University

812-855-6214

zeller@indiana.edu

New Member

Re: VPN Authentication against Windows 2000 Mixed-Mode Server

Hi, and thanks for your reply.

I'm not sure if this is the same situation in which I am running. Can you confirm if the Active Directory is running in Mixed Mode?

Regards,

Matt
