Throughout this chapter, we have been looking at the routing capabilities for AppleTalk in the Cisco IOS. The Cisco IOS also allows remote access from AppleTalk clients, similar to the functionality covered in the previous chapter for dialup IP. AppleTalk remote access provides users with the capability to use AppleTalk network services, although they are not physically connected to a dedicated LAN segment on the network.
Within the IOS, the remote access capability for AppleTalk is available over asynchronous dialup lines and ISDN. In this chapter, we have chosen to discuss the specific AppleTalk commands commonly used for asynchronous dialup clients accessing network services via the AppleTalk Remote Access Protocol (ARAP) and the AppleTalk Control Protocol (ATCP) of the Point-to-Point Protocol (PPP). AppleTalk access over ISDN is commonly used in dial-on-demand routing between routers, a topic beyond the scope of this book.
As we saw in Chapter 4 during the configuration of IP dialup services, remote access consists of setting up the asynchronous line configuration, enabling the AAA services for users, and configuring the protocol-specific options. For AppleTalk, asynchronous line configuration is nearly identical to that shown for IP in Chapter 4.
Only ARAP requires additional asynchronous line configuration commands. AppleTalk clients using ARAP require the configuration of additional AAA services, while users of the PPP data-link protocol use the AAA configuration previously discussed for IP and discussed further in Chapter 7, "Basic Administrative and Management Issues." Both ARAP and AppleTalk PPP dialup users require that protocol-specific configuration commands be applied to the group-async interface of the access server.
We first give an example of the additional configuration commands required to support ARAP dialup clients. Three async line commands are required to implement ARAP dialup services. These commands enable the ARA protocol, specify the ARAP authentication method, and determine how ARAP is invoked during the dialup session.
The IOS line configuration subcommand arap enable, the first of these three commands, allows the ARA protocol to operate on the dialup lines. The IOS line configuration subcommand arap authentication default instructs the access server to use the default ARAP authentication method configured via the AAA service. Lastly, the IOS line configuration subcommand autoselect arap configures the access server to automatically recognize that a dialup user is attempting to connect with the ARA protocol. The following is an example of adding the ARAP line configuration subcommands to the Singapore access server Sing2511, which was previously configured for dialup IP services:

Sing2511# configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CTRL+Z.
Sing2511(config)# line 1 16
Sing2511(config-line)# arap enable
Sing2511(config-line)# arap authentication default
Sing2511(config-line)# autoselect arap
Sing2511(config-line)# ^Z

Additional AAA authentication commands are required to verify the identity of dialup users accessing via the ARA protocol. The IOS global configuration command aaa authentication arap is used to specify the criteria by which ARAP users are identified. The command takes as parameters a method name and a list of authentication methods. As with PPP, ARAP can be authenticated using a local username or an authentication server, such as Terminal Access Controller Access Control System (TACACS+). Control of guest logins can also be specified with the keyword auth-guest, which specifies that guest ARAP login is allowed only if a user has previously been authenticated to the IOS EXEC during the dialup session.
ARAP dialup users must also be supplied an AppleTalk network number and zone name, to which they are assigned during their dialup session. The IOS global configuration command arap network is used to specify the ARAP network number and zone name.
In the following example, the Singapore access server named Sing2511 is configured with authentication and AppleTalk protocol information to allow ARAP dialup users to access the AppleTalk network. ARAP users are authenticated to the local username database configured on this access server and are assigned to the AppleTalk network 2500 in the Mac-dialup Zone:

Sing2511# configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CTRL+Z.
Sing2511(config)# aaa authentication arap default auth-guest local
Sing2511(config)# arap network 2500 Mac-dialup
Sing2511(config)# ^Z

Allowing dialup users access to AppleTalk services with ATCP and PPP requires only two protocol commands in addition to the PPP and line configuration commands configured previously for IP dialup services in Chapter 4. As with ARAP, AppleTalk PPP clients must have an AppleTalk network and zone name to which they can be assigned. Although the ARAP network number and zone name may be the same, a separate IOS command is used to create the dialup PPP network number and zone name.
After the PPP dialup network number and zone name are established, AppleTalk PPP client services are enabled on the group-async interface. The IOS global configuration command appletalk virtual-net is used to establish the PPP network number and zone name by supplying those items as parameters to the command. The IOS interface configuration subcommand appletalk client-mode enables PPP dialup services on the interface to which it is applied. When client mode is enabled, AppleTalk routing is disabled on the interface, and routing updates are not sent. The following is an example of configuring the Singapore access server named Sing2511 to support AppleTalk PPP dialup clients that are assigned to AppleTalk network 2501 and Zone Mac-dialup:

Sing2511# configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CTRL+Z.
Sing2511(config)# apple virtual-net 2501 Mac-dialup
Sing2511(config)# interface group-async 1
Sing2511(config-if)# appletalk client-mode
Sing2511(config-if)# ^Z
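
The dependencies described in this section (an ARAP-enabled line needs an authentication list that aaa authentication arap actually defines, plus an arap network; client mode needs an appletalk virtual-net) can be checked mechanically. The following Python script is an added example, not part of the original text or of Cisco's tooling. It assumes its input is show running-config output, where commands appear unabbreviated; the sample configuration, including the list name dialin, is constructed for illustration.

```python
import re

# Constructed running-config fragment for illustration (not from the book).
SAMPLE = """\
aaa authentication arap default auth-guest local
arap network 2500 Mac-dialup
appletalk virtual-net 2501 Mac-dialup
interface Group-Async1
 appletalk client-mode
line 1 8
 autoselect arap
 arap enable
 arap authentication default
line 9 16
 autoselect arap
 arap enable
 arap authentication dialin
"""

def parse(config):
    """Return (global commands, {section header: [subcommands]})."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if raw[0] == " " and current:          # indented: belongs to open section
            sections[current].append(cmd)
        elif re.match(r"(interface|line)\s", cmd):
            current = cmd
            sections[current] = []
        else:
            current = None
            globals_.append(cmd)
    return globals_, sections

def audit(config):
    """List places where the config departs from the setup described above."""
    globals_, sections = parse(config)
    lists = {c.split()[3] for c in globals_ if c.startswith("aaa authentication arap ")}
    has = lambda prefix: any(c.startswith(prefix) for c in globals_)
    findings = []
    for header, subs in sections.items():
        if "arap enable" in subs:
            used = [s.split()[2] for s in subs if s.startswith("arap authentication ")]
            if not used:
                findings.append(f"{header}: ARAP enabled, no authentication list applied")
            findings += [f"{header}: ARAP list '{n}' is not defined" for n in used if n not in lists]
            if not has("arap network "):
                findings.append(f"{header}: ARAP enabled, no arap network defined")
        if "appletalk client-mode" in subs and not has("appletalk virtual-net "):
            findings.append(f"{header}: client-mode set, no appletalk virtual-net defined")
    return findings
```

Calling audit(SAMPLE) reports only lines 9 through 16, which reference an ARAP authentication list that no aaa authentication arap command defines.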