This chapter describes how to configure your router to act as an AppleTalk Remote Access (ARA) server. It does not describe how to configure or use the client Macintosh. Refer to the Apple Computer, Inc. Apple Remote Access Client User's Guide and the Apple Remote Access Personal Server User's Guide for information about how to use ARA software on your Macintosh. For a complete description of the commands in this chapter, refer to the chapter "AppleTalk Remote Access Commands" in the Access Services Command Reference.
Cisco's implementation of ARA gives Macintosh users direct access to information and resources in remote AppleTalk networks over standard telephone lines. For example, if you have a PowerBook at home and need to get a file from your Macintosh at the office, ARA software can make the connection between your home and office computers over telephone lines.
You can configure your router to act as an ARA server by enabling AppleTalk and ARA protocol on physical terminal (TTY) or virtual terminal (VTY) lines. Configuring your router to act as an ARA server allows remote Macintosh users to dial in, become a network node, and connect to devices on other networks. ARA protocol support is transparent to the Macintosh end user. Macintosh users can also use SLIP to access remote IP network resources and PPP to access both AppleTalk and IP resources.
The following Macintosh and Cisco IOS software support is required for ARA connectivity:
Figure 18 shows how your router can act as an ARA server between remote Macintosh computers (in Figure 18, a Power Macintosh and a PowerBook) and devices on another network.

To set up the Cisco IOS software to act as an ARA server, complete the following tasks:
The following tasks are optional:
To enable asynchronous callback to ARA clients, refer to the section "Call Back ARA Clients" in the "Configuring Terminal Lines and Modem Support" chapter.
Figure 19 shows how to connect a Macintosh using internal and external modems.

Use the MMOD version of the RJ-45-to-DB-25 adapter (labeled "Modem" if from Cisco) to connect a "rolled" RJ-45 cable from the router to the modem. Use a high-speed modem cable with hardware flow control to connect a modem to your Macintosh (refer to the user documentation for your modem for more specific information).
For more information about connecting cables, refer to the hardware installation and maintenance or product user's guide for your router.
Configure the line as follows:
For more information about configuring lines and modem control, refer to the chapter "Configuring Terminal Lines and Modem Support" earlier in this publication. For information about configuring security, refer to the chapter "Managing the System" in the Configuration Fundamentals Configuration Guide.
To configure ARA, perform the following tasks:
The sections that follow describe each of these tasks. Refer to the chapter "AppleTalk Remote Access Commands" in the Access Services Command Reference publication for information about commands listed in these tasks.
To enable AppleTalk routing, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Enable AppleTalk. | appletalk routing |
For more information about configuring AppleTalk, refer to the chapter "Configuring AppleTalk" in the Network Protocols Configuration Guide, Part 1.
To create a new network or zone, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Create an internal AppleTalk network. | arap network [network-number] [zone-name] |
The network-number argument must be a unique network number.
To ensure that a new internal network is advertised, make sure that Routing Table Maintenance Protocol (RTMP) is not disabled by performing the following task in interface configuration mode:
| Task | Command |
|---|---|
| Enable RTMP network advertising. | appletalk send-rtmps |
You can manually configure an interface for AppleTalk or, if an interface is connected to a network that has at least one other router configured for AppleTalk, you can dynamically configure the interface using discovery mode.
If the AppleTalk network already exists, the zone and cable range must match the existing configuration. To identify existing cable ranges and zone names, configure the Cisco IOS software for discovery mode.
You can also configure an AppleTalk interface on a segment for which there are no AppleTalk routers.
For more information, refer to the chapter "Configuring AppleTalk" in the Network Protocols Configuration Guide, Part 1.
To enable ARA on a line, perform the following task in line configuration mode:
| Task | Command |
|---|---|
| Step 1 Turn on AppleTalk routing. | appletalk routing |
| Step 2 Enter line configuration mode. | line [tty \| aux \| vty] line-number [ending-line-number] |
| Step 3 Enable ARA on a line. | arap enable |
Refer to this section after you have configured AppleTalk routing, created an internal ARA network, and enabled ARA. At this point, you can enable the optional tasks in the following list. Though optional, the tasks in this section might be required for your network environment.
The following sections describe these tasks. Refer to the chapter "AppleTalk Remote Access Commands" in the Access Services Command Reference for information about commands listed in these tasks.
To configure the Cisco IOS software to allow an ARA session to start automatically, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Configure a line to automatically start an ARA session. | autoselect {arap \| ppp \| slip \| during-login} |
The autoselect command permits the device to start the appropriate process automatically when a starting character is received. The device detects either a Return character, which is the start character for an EXEC session, or the start character for the ARA protocol. By issuing the command with the during-login argument, you can display the username or password prompt without pressing the Return key. While the Username or Password prompt is being presented, you can choose to answer the prompt or to start sending packets from an autoselected protocol.
For information on using ARA with TACACS, Extended TACACS, and AAA/TACACS+, refer to the "Managing the System" chapter in the Configuration Fundamentals Configuration Guide.
To set a line to function only as an ARA connection, perform the following task in line configuration mode:
| Task | Command |
|---|---|
| Configure a line for ARA only. | arap dedicated |
You can also set the line for autoselect with or without TACACS logins.
To set the maximum length of an ARA session for a line, perform the following task in line configuration mode:
| Task | Command |
|---|---|
| Set the maximum length of an ARA session. | arap timelimit [minutes] |
The default is to have unlimited length connections. This task is optional.
To configure when a disconnect warning is displayed, perform the following task in line configuration mode:
| Task | Command |
|---|---|
| Set when a disconnect warning message will be displayed, in number of minutes before the line is set to disconnect. | arap warningtime [minutes] |
This command is valid only when a session time limit is set.
The following three types of security can be used with ARA:
The following sections describe these tasks. Refer to the chapter "AppleTalk Remote Access Commands" in the Access Services Command Reference for information about commands listed in these tasks.
This section describes the following security features, which are specific to the ARA protocol:
You can control access by requiring that users enter their password manually at the time they log in. To force manual password entry, perform the following task in line configuration mode:
| Task | Command |
|---|---|
| Require manual password entry. | arap require-manual-password |
You can control Macintosh access to zones and networks by using arap commands to reference access control lists configured using AppleTalk access-list commands.
To control which zones the Macintosh user can see, perform the following task in line configuration mode:
| Task | Command |
|---|---|
| Limit the zones the Macintosh user sees. | arap zonelist zone-access-list-number |
To control traffic from the Macintosh to networks, perform the following task in line configuration mode:
| Task | Command |
|---|---|
| Control access to networks. | arap net-access-list net-access-list-number |
A guest is a person who connects to the network without having to give a name or a password. To prohibit Macintosh guests from logging in through the router, perform the following task in line configuration mode. Use the optional if-needed argument to allow users to log in as guests if they are already authenticated with a username or password.
| Task | Command |
|---|---|
| Prohibit guests from logging in to the ARA network. | arap noguest [if-needed] |
Caution: Do not use the arap noguest command if you are using modified CCL scripts and the login tacacs command.
You can prevent unauthenticated users from accessing your network resources using the following local security mechanisms:
To configure for internal username authentication, perform the following task in global configuration mode. Enter this information for each supported user.
| Task | Command |
|---|---|
| Specify a username and password. | username name password password |
An access list is a list of AppleTalk network numbers or zones that is maintained by the Cisco IOS software and used to control access to or from specific zones or networks. For more information about AppleTalk access lists, refer to the section "Control Access to AppleTalk Networks" in the chapter "Configuring AppleTalk" in the Network Protocols Configuration Guide, Part 1.
You can prevent unauthenticated users from accessing your network resources using the following security mechanisms:
For more information about each of these security mechanisms, refer to the section "Security Management" in the chapter "Managing the System" in the Configuration Fundamentals Configuration Guide.
There are two ways to use TACACS security:
Use the arap use-tacacs command with Standard and Extended TACACS servers for authentication within ARA sessions. You must already have set up an Extended TACACS server using the Cisco Extended TACACS server software, available from the ftp.cisco.com directory. Refer to the README in this directory for more information.
When you use the arap use-tacacs command with Standard TACACS, the remote user logs in by entering a username at the ARA username prompt and a password at the password prompt.
When you use the arap use-tacacs command and the single-line keyword with Standard TACACS, the remote user logs in by entering username*password at the ARA username prompt, and arap at the password prompt.
Use the aaa authentication arap command with AAA/TACACS+.
To configure the Cisco device to use TACACS with ARA, perform one of the following tasks in line configuration mode:
| Task | Command |
|---|---|
| Enable TACACS under ARA. | arap use-tacacs [single-line] |
| Enable TACACS+/AAA for ARA. | aaa authentication arap |
For an example of enabling TACACS for ARA authentication, see the section "Configuration Examples" later in this chapter.
This section tells you how to modify your CCL script to work with TACACS security and how to configure a line to use a TACACS server for user authentication.
Caution: Because of the underlying structure of the ARA protocol, modem layer error control is disabled during the exchange of username and password. This makes the exchange highly susceptible to line noise, especially at the higher baud rates enabled by V.34 modems. For this reason, we do not recommend the use of modified scripts, and encourage users to either upgrade to later versions of TACACS or to use the arap use-tacacs single-line command.
For information on how to use TACACS without modifying scripts, refer to "Enable Standard and Extended TACACS or AAA/TACACS+ for ARA Authentication" earlier in this chapter. For information about the arap commands, refer to the Access Services Command Reference.
If you are currently using modified CCL scripts and want to migrate to nonmodified scripts, see "Configure to Use Modified and Unmodified Scripts Example" at the end of this chapter for information on how to use both in the same environment.
For several popular modems, we provide CCL files that you can use as examples to modify your CCL scripts to support TACACS security. This section explains how to use the CCL files provided by Cisco with TACACS security.
We recommend using the ARA Modem Toolkit provided through the AppleTalk Programmers and Developers Association (APDA); it provides both syntax checking and a script tester.
The client uses ARA CCL scripts to establish point-to-point links through the modem to the AppleTalk network. When the connection has been established, the script ends and ARA is activated. TACACS authentication occurs after the connection is established and the ARA script ends, but before the ARA protocol becomes active.
Insert TACACS logic just before the end of a script. The CCL TACACS logic performs the following user authentication tasks:
CCL scripts control logical flow by jumping to labels. The labels are the numbers 1 through 128 and are not necessarily in sequential order in script files. The TACACS logic in the Cisco IOS software CCL files uses label numbers from 100 through 127. In most environments, you can copy the complete TACACS logic from a sample file.
The steps for creating a new TACACS CCL file are as follows:
Step 1 Copy the TACACS logic from a sample CCL script that contains TACACS logic into the new CCL script.
In most cases, you can insert the TACACS logic at the appropriate place in your CCL script. The one case that requires extra attention is when the original CCL script has labels that conflict with the logic in the new file. The labels must be resolved on a case-by-case basis, usually by changing the label numbers used by the original script. This is a fairly simple programming job, but you should read and understand the manual that comes with the Modem Toolkit before beginning.
Step 2 Locate the logical end of the script and insert the command jump 100.
You can locate the logical end of the script by following its flow. Most scripts have the following basic structure:
The characteristic logical end of the script is as follows:
It is common in this case to replace "pause 30" with "jump 100." In fact, this is usually the only change made to the logic of the original script.
To configure a line to use a TACACS server for user authentication, perform the following task in line configuration mode:
| Task | Command |
|---|---|
| Use a TACACS server for user authentication. | login tacacs or login authentication {default \| list-name} |
Use the login tacacs command in Standard and Extended TACACS. Use the login authentication command in AAA/TACACS+. Figure 20 shows the TACACS login screen on the Macintosh.

Figure 21 shows the TACACS password screen on the Macintosh.

Refer to the chapter "Managing the System" in the Configuration Fundamentals Configuration Guide, or the chapter "System Management Commands" in the Configuration Fundamentals Command Reference, for information about configuring a line to support your modem.
You can use Kerberos as an authentication method within ARA sessions. To do so, you configure it using the TACACS+/AAA configuration facility. Perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Define the name of the kerberos realm in which the router is located. | kerberos local realm {kerberos realm} |
| Define the DNS domain of the kerberos realm in which the router is located. | kerberos realm {dns domain \| dns host} {kerberos realm} |
| Display the contents of your credentials cache. | show kerberos creds |
| Delete the contents of your credentials cache. | clear kerberos creds |
For more information about Kerberos authentication, refer to the chapter "Managing the System" in the Configuration Fundamentals Configuration Guide.
You can use Radius as an authentication method within ARA sessions. To do so, you configure it using the TACACS+/AAA configuration facility. Perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Enable the Cisco access server to act as a client for the Radius authentication protocol. | aaa authentication {feature \| list-name method] [...[method4]]} radius |
| Set parameters that restrict a user's network access based on Radius authorization. | aaa authorization {feature} radius |
| Set AAA accounting of requested services for billing or security purposes. | aaa accounting {feature} {when} radius |
| Specify a server host. | radius-server host name |
| Set the authentication/encryption key used for all Radius communications between the access server and the Radius daemon. | radius-server key {string} |
| Specify the number of times the router software will search the list of Radius server hosts before giving up. | radius-server retransmit n |
| Set the interval that the server waits for a server host to reply. | radius-server timeout {seconds} |
For more information about Radius authentication, refer to the chapter "Managing the System" in the Configuration Fundamentals Configuration Guide.
ARA can run on any point-to-point link, such as a Public Switched Telephone Network (PSTN) or an X.25 WAN. This permits remote Macintosh users to dial into a remote network and access AppleTalk services (such as file sharing and printing). For example, you can enable a Macintosh client on the remote side of an X.25 WAN to connect to an AppleTalk network through the router. To do so, you configure a virtual terminal (VTY) line on the router so that the client sees one of two scenarios:
To enable ARA on VTY lines and enable clients running different virtual terminal protocols to connect to an AppleTalk network through the router, perform the following tasks, beginning in global configuration mode. The first four steps are required. The next eight steps (Step 5 through Step 12) are optional. Step 5, configure automatic protocol startup, dedicates the line to ARA:
| Task | Command |
|---|---|
| Step 1 Turn on AppleTalk routing. | appletalk routing |
| Step 2 Create an internal AppleTalk network. | arap network [network-number] [zone-name] |
| Step 3 Enter line configuration mode. | line vty line-number [ending-line-number] |
| Step 4 Enable ARA on a line. | arap enable |
| Step 5 Configure automatic protocol startup. | autocommand arap |
| Step 6 Set a dedicated ARA line. | arap dedicated |
| Step 7 Set the session time limit. | arap timelimit [minutes] |
| Step 8 Set the disconnect warning time. | arap warningtime [minutes] |
| Step 9 Disallow guests. | arap noguest |
| Step 10 Require manual password entry. | arap require-manual-password |
| Step 11 Limit the zones the Macintosh user sees. | arap zonelist zone-access-list-number |
| Step 12 Control access to networks. | arap net-access-list net-access-list-number |
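The settings in Steps 5 through 12 are easy to leave off one line among many. The following is an added example, not code from this chapter or from Cisco: a small Python audit that parses the line blocks of an IOS-style configuration text and flags ARA-enabled lines that lack the guest, time-limit, manual-password and access-list controls described above (and the warningtime-without-timelimit and noguest-with-login-tacacs cases). The configuration text is constructed for the example.

```python
"""Added example: audit ARA line settings in an IOS-style configuration text."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration modelled on this chapter's line settings.
SAMPLE_CONFIG = """\
appletalk routing
arap network 104 ARAP Dialin Zone
!
line vty 0 19
 arap enable
 autocommand arap
 arap dedicated
 arap timelimit 45
 arap warningtime 5
 arap noguest
 arap require-manual-password
 arap net-access-list 611
!
line 4 8
 modem InOut
 autoselect arap
 arap enable
 arap warningtime 5
 login tacacs
 arap noguest
 speed 38400
 flowcontrol hardware
!
line 2
 arap enable
"""

# Matches 'line vty 0 19', 'line 4 8' and 'line 2', the forms used in this chapter.
LINE_HEADER = re.compile(r"^line(?:\s+(?:tty|aux|vty))?\s+\d+(?:\s+\d+)?$")


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' header to the indented commands configured under it."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue  # blank line or comment
        if not raw.startswith(" "):
            # Unindented text is a global-mode command; only 'line' opens a block.
            current = text if LINE_HEADER.match(text) else None
            if current is not None:
                blocks[current] = []
            continue
        if current is not None:
            blocks[current].append(text)
    return blocks


def audit_ara_lines(config: str) -> List[Tuple[str, str]]:
    """Return (line header, finding) pairs for every line that has ARA enabled."""
    findings: List[Tuple[str, str]] = []
    for header, cmds in parse_line_blocks(config).items():

        def has(prefix: str) -> bool:
            return any(c == prefix or c.startswith(prefix + " ") for c in cmds)

        # Both spellings appear in this chapter's examples.
        if not (has("arap enable") or has("arap enabled")):
            continue
        if not has("arap noguest"):
            findings.append((header, "guest logins allowed: no 'arap noguest'"))
        if not has("arap timelimit"):
            findings.append((header, "unlimited session length: no 'arap timelimit'"))
            if has("arap warningtime"):
                findings.append((header, "'arap warningtime' is ignored without 'arap timelimit'"))
        if not has("arap require-manual-password"):
            findings.append((header, "stored client passwords accepted: no 'arap require-manual-password'"))
        if not (has("arap zonelist") or has("arap net-access-list")):
            findings.append((header, "no zone list or network access list applied"))
        if has("login tacacs") and has("arap noguest"):
            findings.append((header, "'arap noguest' with 'login tacacs': review if clients use modified CCL scripts"))
    return findings


if __name__ == "__main__":
    for line_header, message in audit_ara_lines(SAMPLE_CONFIG):
        print(f"{line_header}: {message}")
```

Run against a saved startup configuration, the script reports nothing for the fully configured VTY range and lists the missing controls for the two partially configured lines.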
To customize the AppleTalk configuration, you can also perform the following tasks:
For more information about these and other tasks you can perform to customize your AppleTalk configuration, refer to the chapter "Configuring AppleTalk" in the Network Protocols Configuration Guide, Part 1.
To display information about a running ARA connection, perform the following task in privileged EXEC mode (reached by entering the enable command and a password):
| Task | Command |
|---|---|
| Display information about a running ARA connection. | show arap [line-number] |
The show arap command with no arguments displays a summary of ARA traffic since the router was last booted. The show arap command with a specified line number displays information about the connection on that line.
The Cisco IOS software provides several commands that you can use to monitor an AppleTalk network. In addition, you can use Apple Computer's Inter·Poll, which is a tool to verify that a device is configured and operating properly. Use the commands described in this section to monitor an AppleTalk network using both Cisco IOS software commands and Inter·Poll.
To monitor the AppleTalk network, perform one or more of the following tasks:
This section contains the following examples of ARA configuration.
The following example configures the interface for an extended AppleTalk network. It defines the zones Orange and Brown. The cable range of one allows compatibility with nonextended AppleTalk networks.
```
Router(config)#appletalk routing
Router(config)#interface ethernet 0
Router(config-if)#appletalk cable-range 69-69 69.128
Router(config-if)#appletalk zone Orange
Router(config-if)#appletalk zone Brown
```
The following example configures an extended network in discovery mode. In Figure 22, access server A provides the zone and network number information to the interface when it starts.

Use the following commands to configure this extended network in discovery mode:
```
appletalk routing
interface ethernet 0
 appletalk cable-range 0-0 0.0
```
The following example configures the router for ARA support, as described in the comments (lines beginning with an exclamation point [!]).
```
! Enable AppleTalk on the router
appletalk routing
!
interface Ethernet 0
 ip address 172.30.1.1 255.255.255.0
!
! On interface Ethernet 0, assign network number 103 to the physical cable and
! assign zone name "Marketing Lab" to the interface. Assign a zone name if
! you are creating a new AppleTalk internet. If the internet already exists,
! the zone and cable range must match exactly, or you can leave the cable
! range at 0 to enter discovery mode. The suggested AppleTalk
! address for the interface in this example is 103.1
interface Ethernet 0
 appletalk cable-range 103-103 103.1
 appletalk zone Marketing Lab
! Configure a username and password for the router.
username jake password sesame
! On lines 4 through 8, InOut modems are specified, the lines are configured
! to automatically start an EXEC session or enable AppleTalk, AppleTalk Remote
! Access Protocol is enabled, the modem speed is specified as 38400 bps, and
! hardware flow control is enabled.
line 4 8
 modem InOut
 autoselect arap
 arap enabled
 speed 38400
 flowcontrol hardware
```
Note that you must set your terminal emulator to match the speed that you set for the line.
The following example enables a Macintosh client running ARA on a remote network to connect across an X.25 network, through the router, to an AppleTalk network. In this example, VTY lines 0 through 19 are configured for ARA.
```
Router(config)#appletalk routing
Router(config)#line vty 0 19
Router(config-line)#arap enable
Router(config-line)#autocommand arap
Router(config-line)#arap dedicated
Router(config-line)#arap timelimit 45
Router(config-line)#arap warningtime 5
Router(config-line)#arap noguest
Router(config-line)#arap require-manual-password
Router(config-line)#arap net-access-list 611
```
The Macintosh client connects to any VTY line from 0 through 19. When the EXEC prompt appears, ARA begins automatically on the line (because of the autocommand arap command). The VTY lines 0 through 19 are dedicated to ARA dial-in clients, and those clients have a 45-minute time limit. Five minutes before the line is disconnected, a warning message appears, indicating that the session will be disconnected in five minutes. Guest access is denied, and manual password entry is required. The AppleTalk access list 611 has been applied to the VTY lines, meaning that access to other networks through these VTY lines has been limited.
In the following example, the cable range is changed and the zone name is reentered.
The initial configuration is as follows:
```
appletalk cable-range 100-103
appletalk zone Twilight Zone
```
The cable range is expanded as follows:
```
appletalk cable-range 100-109
```
At this point, you must reenter the zone name as follows:
```
appletalk zone Twilight Zone
```
In the following example for TACACS and Extended TACACS, line 1 is configured for ARA and username authentication is performed on a TACACS server:
```
line 1
 login tacacs
 arap enable
```
In the following example of AAA/TACACS+, line 1 is configured for ARA and username authentication is performed on a TACACS server:
```
line 1
 login authentication arap authentication
```
The following example shows regular TACACS enabled for ARA authentication:
```
line 3
 arap use-tacacs
```
The following example shows AAA/TACACS+ enabled for ARA authentication:
```
line 3
 aaa authentication arap
```
In the following example, line 2 is configured as a dedicated ARA line, user authentication information is configured on the ARA server, and guests are disallowed from making ARA sessions:
```
username jsmith password woof
line 2
 arap dedicated
 arap noguest
```
In the following configuration, ARA is enabled on lines 2 through 16, username authentication is configured on the ARA server, and the lines are configured to automatically start an ARA session when an ARA user on a Macintosh attempts a connection:
```
username jsmith password woof
line 2 16
 autoselect arap
 arap enabled
 arap noguest
```
If you are currently using modified CCL scripts and want to migrate to nonmodified scripts, you can set your system to accept logins using both modified (CCL) and unmodified scripts by entering the following commands in line configuration mode:
```
autoselect arap
autoselect during-login
arap noguest if-needed
!
```
The following example shows how to set up ARA functionality.
Log in to the router, use the enable command to enter your password if one is set, use the configure command to enter configuration mode, and add the following commands to your configuration:
```
appletalk routing
arap network 104 ARAP Dialin Zone
interface ethernet 0
 appletalk cable-range 0-0 0.0   ! puts router in discovery mode
line 5 6
 modem inout
 speed 38400
 arap enabled
 autoselect
```
If you already know the cable-range and the zone names you need, include the information in the configuration file. If you do not know this information, let the Cisco IOS software learn about the AppleTalk network in discovery mode by following these steps:
Step 1 Permit the Cisco IOS software to monitor the line for a few minutes.
Step 2 Log in and enter configuration mode.
Step 3 Show the configuration again (using the show startup-config command).
Step 4 Note the appletalk cable-range and appletalk zone variables.
Step 5 Manually add the information in those two entries and add any user accounts.
Step 6 Save the configuration.
Step 7 Show the configuration again (using the show startup-config command) to make sure the configuration is correct.
The following example describes how to set up a Telebit T-3000 modem that attaches to a router, which supports hardware flow control. The Macintosh will use a CCL script to configure the attached modem.
Start with the modem at factory defaults. (The preferred configuration for hardware flow control is AT&F9.) Use the direct command if you have a terminal attached to the modem, or use the T/D Reset sequence described in the Telebit T-3000 manual to reset the modem to the &F9 defaults.
Attach a hardware flow control-capable cable between the modem and the device with which you are configuring the modem. (At this point, the modem is in hardware flow control mode, with autobaud-rate-recognition, and can detect your speed between 300 and 38,400 bps at 8-N-1. However, the modem must receive the flow control signals from the device to which you have the modem attached.)
Send the modem the following commands:
```
ATS51=6 E0 Q1 S0=2 &D3 &R3 S58=2 &W
```
This sequence tells the modem to perform the following tasks:
At this point, if you press the Return key or enter characters, no characters appear on your screen because the result codes are turned off. You can determine whether the modem is working by getting a list of its configuration registers using the following command:
```
AT&V
```
After the modem is configured, connect it to the router with a modem-to-RJ-45 adapter and an RJ-45 cable to the line(s) that you plan to use.
The following commands are compatible with the Telebit 3000 settings described in this section:
```
arap enable
autoselect
no escape-character
flowcontrol hardware
modem ri-is-cd
speed 38400
```