
AppleTalk Remote Access Commands

This chapter describes the commands used to configure your router to act as an AppleTalk Remote Access (ARA) server. The Cisco implementation of ARA gives remote Macintosh users direct access to information and resources on the network. Macintosh users can connect to another Macintosh computer or AppleTalk network over standard telephone lines. For example, if you have a PowerBook at home and need to get a file from your Macintosh at the office, ARA software can make the connection between your home computer and office computer.

For information about security features that are available for use with ARA, refer to the chapter "Managing the System" in the Configuration Fundamentals Configuration Guide (in the section "Configuring System Management").

This chapter does not describe how to configure or use the client Macintosh. Refer to the Apple Computer, Inc. Apple Remote Access Client User's Guide and the Apple Remote Access Personal Server User's Guide for information about how to use ARA software on your Macintosh. For AppleTalk Remote Access configuration tasks and examples, refer to the "Configuring AppleTalk Remote Access" chapter in the Access Services Configuration Guide.

This chapter also does not describe how to configure AppleTalk routing, AppleTalk access lists, or other AppleTalk routing functions. For information about AppleTalk commands, refer to the chapter "Configuring AppleTalk" in the Network Protocols Command Reference, Part 2.

arap authentication

To enable TACACS+ authentication for ARA on a line, use the arap authentication command. Use the no form of the command to disable authentication for an ARA line.

arap authentication {default | list-name}
no arap authentication {default | list-name}

Syntax Description
default Use the default list created with the aaa authentication arap command.
list-name Use the indicated list created with the aaa authentication arap command.
Default

ARAP authentication uses the default set with the aaa authentication arap command. If no default is set, the local user database is checked.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

This command is a per-line command used with TACACS+, and specifies the name of a list of AAA authentication processes to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). Defaults and lists are created with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default argument.

Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication arap command.

 
Caution: If you use a list-name that is not configured using the aaa authentication arap command, you will disable ARAP on this line.

Example

The following example specifies that the TACACS+ authentication list called MIS-access is to be used on ARA line 7:

line 7
 arap authentication MIS-access
Related Command

A dagger (+) indicates that the command is documented outside this chapter.

aaa authentication arap +

arap callback

To enable an ARA client to request a callback, use the arap callback global configuration command.

arap callback
Syntax Description

This command has no arguments or keywords.

Default

Callback requests are not accepted on lines configured for ARA.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command enables the router to accept callback requests from ARA clients. You first have to enable AppleTalk routing on the router and then enable automatic ARA startup on the line. You can use this command with either local username authentication or TACACS+ authentication.

Example

The following example accepts a callback request from an ARA client:

arap callback
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

arap authentication
autoselect ara
callback forced-wait +
ppp authentication +
ppp callback +
service exec-callback +
username +

arap dedicated

To configure a line to be used only as an ARA connection, use the arap dedicated line configuration command. Use the no form of the command to return the line to interactive mode.

arap dedicated
no arap dedicated

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example configures line 3 to be used only for ARA connections:

line 3 
 arap dedicated

arap enable

To enable ARA for a line, use the arap enable line configuration command. Use the no form of this command to disable ARA.

arap enable
no arap enable

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example enables ARA on a line:

line 3 
 arap enable
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

appletalk routing +
autoselect +

arap net-access-list

To control Macintosh access to networks, use the arap net-access-list line configuration command. Use the no form of this command to return to the default setting.

arap net-access-list net-access-list-number
no arap net-access-list net-access-list-number

Syntax Description
net-access-list-number One of the list values configured using the AppleTalk access-list cable-range, access-list includes, access-list network, access-list other-access, and access-list within commands.
Default

Disabled. The Macintosh has access to all networks.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You can use the arap net-access-list command to apply access lists defined by the access-list cable-range, access-list includes, access-list network, access-list other-access, and access-list within commands.

You cannot use the arap net-access-list command to apply access lists defined by the access-list zone and access-list additional-zones commands.

Example

In the following example, ARA is enabled on line 3 and the Macintosh will have access to the AppleTalk access list numbered 650:

line 3
 arap enable
 arap net-access-list 650
Related Command

arap zonelist

arap network

To create a new network/zone and cause it to be advertised, use the arap network global configuration command. Use the no form of this command to prevent a new network/zone from being advertised.

arap network [network-number] [zone-name]
no arap network

Syntax Description
network-number (Optional) The AppleTalk network number. The network number must be unique on your AppleTalk network. This network is where all ARAP users appear when they dial in to the network.
zone-name (Optional) The AppleTalk zone name.
Default

A new network or zone is not created.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This is a required command. ARAP does not run without it in Cisco IOS Release 10.2 and above.

Example

The following example creates a new network/zone:

arap network 400 test zone

arap noguest

To prevent Macintosh guests from logging in to the router, use the arap noguest line configuration command. Use the no form of this command to remove this restriction.

arap noguest [if-needed]
no arap noguest

Syntax Description
if-needed (Optional) Does not authenticate if the user already provided authentication. This allows users to log in as guests if they have already been authenticated through a username and/or password.
Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

A guest is a person who connects to the network without having to give a name or a password.

 
Caution: You should not use the arap noguest command if you are using modified (CCL) scripts and the login tacacs command.

Example

The following example prohibits guests from logging in to the router:

line 3
 arap enable
 arap noguest

arap require-manual-password

To require users to enter their password manually at the time they log in, use the arap require-manual-password line configuration command.

arap require-manual-password
Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command only works for ARAP 2.0 connections.

Example

The following example forces users to enter their passwords manually at the time they log in, rather than use a saved password:

arap require-manual-password
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

enable password +
login (line configuration) +
password +

arap timelimit

To set the maximum length of an ARA session for a line, use the arap timelimit line configuration command. Use the no form of this command to return to the default of unlimited session length.

arap timelimit [minutes]
no arap timelimit

Syntax Description
minutes (Optional) Maximum length of time (in minutes) for a session.
Default

Unlimited session length

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

After the specified length of time, the session will be terminated.

Example

The following example specifies a maximum length of 20 minutes for ARA sessions:

line 3
 arap enable
 arap timelimit 20 
Related Command

arap warningtime

arap use-tacacs

To enable TACACS for ARAP authentication, use the arap use-tacacs line configuration command. Use the no form of this command to disable TACACS for ARAP authentication.

arap use-tacacs [single-line]
no arap use-tacacs

Syntax Description
single-line (Optional) Accepts the username and password in the username field. If you are using an older version of TACACS (before Extended TACACS), you must use this keyword.
Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This is a per-line command. Use this command only when you have set up an extended TACACS server. This command requires the new Cisco extended TACACS server.


Note: This command cannot be used with AAA/TACACS+. Use the arap authentication command instead.

The command specifies that if a username and password are specified in the username, separated by an asterisk (*), then a standard TACACS login query is performed using that username and password. If the username does not contain an asterisk, then normal ARAP authentication is performed using TACACS.

This feature is useful when integrating TACACS with other authentication systems that require a clear text version of the user's password. Such systems include one-time password systems, token card systems, and others.

 
Caution: Normal ARAP authentications prevent the clear-text password from being transmitted over the link. When you use the single-line keyword, passwords cross the link in the clear, exposing them to anyone looking for such information.

Due to the two-way nature of the ARAP authentication, the ARA application requires that a password value be entered in the Password field in the ARA dialog box. This secondary password must be "arap." First enter the username and password in the form username*password in the Name field of the dialog box, then enter arap in the Password field.

Example

The following example enables TACACS for ARAP authentication:

line 3
 arap use-tacacs
Related Commands

A dagger (+) indicates that the command is documented outside this chapter.

arap enable
arap noguest
autoselect +
tacacs-server extended +
tacacs-server host +

arap warningtime

To set when a disconnect warning message is displayed, use the arap warningtime line configuration command. Use the no form of this command to disable this function.

arap warningtime [minutes]
no arap warningtime

Syntax Description
minutes (Optional) Amount of time, in minutes, before the configured session time limit. At the configured amount of time before a session is to be disconnected, the router sends a message to the Macintosh client, which causes a warning message to appear on the user's screen.
Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command can only be used if a session time limit has been configured on the line.

Example

The following example shows a line configured for 20-minute ARA sessions, with a warning 17 minutes after the session is started:

line 3
 arap enable
 arap dedicated
 arap timelimit 20
 arap warningtime 3 
Related Command

arap timelimit

arap zonelist

To control what zones the Macintosh client sees, use the arap zonelist line configuration command. Use the no form of this command to disable the default setting.

arap zonelist zone-access-list-number
no arap zonelist zone-access-list-number

Caution: Hiding a zone from a user is not the same as preventing them from sending and receiving packets from the networks that make up that zone. For true security, an arap net-access-list command must be issued to prevent traffic to and from those networks.

Syntax Description
zone-access-list-number One of the list values configured using the AppleTalk access-list zone or access-list additional-zones commands.
Default

Disabled. The Macintosh will see all defined zones.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You can use the arap zonelist command to apply access lists defined by the access-list zone and access-list additional-zones commands.

You cannot use the arap zonelist command to apply access lists defined by the access-list network command.

Example

In the following example, ARA is enabled on line 3 and the Macintosh will see only zones permitted by access list 650.

line 3
 arap enable
 arap zonelist 650
Related Command

arap net-access-list
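
The cautions in the arap authentication, arap use-tacacs, and arap zonelist sections, together with the arap noguest restriction, can be checked mechanically against a saved configuration. The following Python audit is an added example, not part of the original Cisco documentation; the sample configuration, the function name audit_arap, and the list name Dialin are constructed for illustration, and the parser assumes single-number "line N" headers.

```python
import re

# Constructed sample configuration for illustration; not taken from the page.
SAMPLE_CONFIG = """\
aaa authentication arap MIS-access tacacs+ local
line 3
 arap enable
 arap noguest
 arap authentication MIS-access
 arap net-access-list 650
 arap zonelist 650
line 4
 arap enable
 arap authentication Dialin
 arap zonelist 651
line 5
 arap enable
 arap noguest
 arap use-tacacs single-line
"""

def audit_arap(config):
    """Return {line number: [findings]} for every line with 'arap enable'."""
    defined = set(re.findall(r"^aaa authentication arap (\S+)", config, re.M))
    lines, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"line (\d+)\s*$", raw)
        if header:
            current = lines.setdefault(int(header.group(1)), [])
        elif raw.startswith(" ") and current is not None:
            current.append(" ".join(raw.split()))
        else:
            current = None  # back in global configuration
    def has(cmds, prefix):
        return any(c == prefix or c.startswith(prefix + " ") for c in cmds)
    report = {}
    for number, cmds in lines.items():
        if not has(cmds, "arap enable"):
            continue
        found = []
        if not has(cmds, "arap noguest"):
            found.append("guests accepted: no arap noguest")
        if has(cmds, "arap use-tacacs single-line"):
            found.append("single-line: password crosses the link in the clear")
        for name in re.findall(r"^arap authentication (\S+)$", "\n".join(cmds), re.M):
            if name != "default" and name not in defined:
                found.append(f"list {name} is undefined: ARAP disabled on this line")
        if has(cmds, "arap zonelist") and not has(cmds, "arap net-access-list"):
            found.append("zones hidden but traffic unfiltered: no arap net-access-list")
        report[number] = found
    return report

if __name__ == "__main__":
    for number, found in sorted(audit_arap(SAMPLE_CONFIG).items()):
        print(f"line {number}:", "; ".join(found) or "no findings")
```

A reference to the default list is never flagged, because the page states that an unset default falls back to the local user database.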

debug arap

To debug ARA sessions, use the debug arap privileged EXEC command. Use the no form of this command to turn off the debugging function.

debug arap {internal | memory | mnp4 | v42bis}
no debug arap

Syntax Description
internal Debug internal ARA packets.
memory Debug memory allocation for ARA.
mnp4 Debug low-level asynchronous serial protocol.
v42bis Debug compression.
Default

Disabled

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example activates debugging internal ARA packets on line 3:

debug arap internal

show arap

To display information about a running ARAP connection, use the show arap user EXEC command.

show arap [line-number]
Syntax Description
line-number (Optional) Number of the line on which an ARAP connection is established and active.
Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Use the show arap command with no arguments to display a summary of the ARAP traffic since the router was last booted.

Sample Display

The following is sample output from the show arap command:

Router# show arap 
Statistics are cumulative since last reboot
Total ARAP connections: 2
Total Appletalk packets output: 157824
Total Appletalk packets input: 12465

These fields refer to the sum of all of the ARA connections since the box was last reloaded.

The following example results in a display of information about ARA activity on a specific line (line 3):

Router# show arap 3 
Active for 23 minutes
"Unlimited time left" or "22 minutes left"
"Doing smartbuffering" or "Smartbuffering disabled"
Appletalk packets output: 157824
Appletalk packets input: 12465
Appletalk packets overflowed: 1642
Appletalk packets dropped: 586
V42bis compression efficiency (incoming/outgoing): {percentage/percentage}
MNP4 packets received: 864
MNP4 packets sent: 1068
MNP4 garbled packets received: 4
MNP4 out of order packets received: 0
MNP4 packets resent: 0
MNP4 nobuffers: 0

Table 44 describes the fields shown in the display.


Table 44: Show ARAP Field Descriptions
Field Description
Active for {integer} minutes Number of minutes since ARAP started on the line.
Unlimited time left or {integer} minutes left Time remaining before the line's time limit is reached, if applicable.
Doing smartbuffering or Smartbuffering disabled Obsolete. Always says "Doing smartbuffering."
Appletalk packets output: Number of AppleTalk packets that have been received from the Macintosh and sent out to the network during this connection.
Appletalk packets input: Number of AppleTalk packets that have been received from the network and sent to the Macintosh during this connection.
Appletalk packets overflowed: Number of packets from the network that have been dropped because the link to the Macintosh was congested.
Appletalk packets dropped: Number of packets from the network that have been dropped because it was unnecessary to pass them (frequently RTMP).
V42bis compression efficiency (incoming/outgoing): Performance of the v42bis protocol underneath ARA, expressed as percentage of incoming/percentage outgoing. If the efficiency is low, a network user is probably copying already compressed files across the link. Generally, low efficiency means slow performance.
MNP4 packets received: Number of link-level packets that have been received from the Macintosh.
MNP4 packets sent: How many link-level packets have been sent to the Macintosh.
MNP4 garbled packets received: Number of garbled packets that have been received from the Macintosh.
MNP4 out of order packets received: Number of out-of-order packets that have been received from the Macintosh.
MNP4 packets resent: Number of times packets have been resent. 1
MNP4 nobuffers: How many times MNP4 has run out of buffers. This field should be zero.

1 Each of these fields indicates line noise. The higher the value, the higher the noise.


Copyright 1989-1998 © Cisco Systems Inc.