What you might want to check is that the new users are allowed to authenticate using remote access;
Check out the "Dial-in" tab on the properties of your user (via the AD Users & Computers MMC)
You could also change a group policy to audit security events and use the event-viewer to see why a user is denied access. It could also be that the vpn-concentrator is not part of the AD anymore, so authentication requests are denied and no response is sent back (happens with radius servers that receive requests from unknown clients as well)..
However, usually when I want to authenticate against an AD I use the Internat Authentication Service from Microsoft on one or more DC's and configure the PIX/VPN concentrator/IOS Router to authenticate using radius.
That way you can use debugging / logging on both devices to see what's wrong.
In the VPN Concentrator there is an option to authenticate against a RADIUS server, but also directly to the Kerberos/NT Domain.
Now something comes to my mind, did you recently upgrade the AD to 2003 native mode (if you're using 2003)? It could be that the VPN concentrator authenticates as an NT server, which means that you should keep your AD in mixed mode / downgrade some security settings. I don't know which settings need some change, but it could be something that causes the current problem. If I remember correctly, check the encryption settings for authentication (e.g. disable strong encryption for the authentication somewhere in the group policy).
What protocol are you using/what type of authentication server is configured? You should be able to do kerberos directly to ad. NT may not work depending on your ad server config. If you turn up the authdbg event class (sev 1-9 to log) you should get a good idea of what the interaction is between the 3k and your ad server. User authentication via ldap to ad is not supported (authorization only and only with specific 3k schema loaded).
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :