Yes, the 30xx can't simultaneously do NT Domain authentication and PPTP encryption (as PPTP encryption initial vectors are apparently 'seeded' using the string corresponding to the user's password -- the Cisco VPN needs to 'know' the user's password in order to do PPTP encryption).
You need to use RADIUS authentication from the 30xx to an NT domain controller running the Microsoft RADIUS server (or Windows 2000 AD server running the Microsoft IAS -- Internet Authentication Server -- version RADIUS server). This supports authentication against the users/passwords in an NT/W2K domain using RADIUS extensions for MSCHAPv1 and MSCHAPv2 -- apparently in a mode which passes back the 'hash' necessary as the initialization vector for PPTP encryption...

- H. Morrow Long

[EMAIL PROTECTED] wrote:
>
> On 16 Jan 2002, at 15:48, Maung, Than Contractor wrote:
>
> > I'm trying to set up a Cisco VPN 3000 box using NT domain authentication and
> > having some problems.
> >
> > Problem 1.
> >
> > When I configured PPTP encryption required on the VPN box, I will get a 691
> > error User name/ password wrong message. (I'm using a 95 laptop and
> > Microsoft VPN). If I configure PPTP encryption not required on the VPN box I
> > can connect fine.
>
> Unless Cisco has fixed this, the 30xx can't do "NT Domain"
> authentication directly with PPTP. With PPTP, your working choices
> are "Internal database" (Internal to the 30xx) or "RADIUS" (which
> might in turn be doing NT domain authentication, but the 30xx doesn't
> know that).
>
> Dave Gillett
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
