Remote node users are telecommuters and mobile users who dial in from a PC or Macintosh computer, through an access server, to IP, IPX, or AppleTalk networks to access network resources. This chapter describes the following scenarios:
Each configuration in this chapter builds on preceding configurations from previous chapters. It presents the whole configuration required to enable dial-in and configure security for each of the scenarios. Thus far, this guide has described how to configure the following on your access server:
When a remote PC or Macintosh computer dials in to a network, it is considered a "node" on the LAN to which it is connecting. This is the case for each dial-in session, whether the device dialing in is a PC, Macintosh, or other computer. The IP address of a PC, for example, is selected from those available on the subnet assigned to the network that the PC is connecting to. In Figure 5-1, for example, the telecommuter's Macintosh is a node in the AppleTalk network 2500 in the zone Mac-dialup, and is treated like a local host.
In router-to-router configurations (such as between a remote and central office), the remote device (PC or Macintosh computer) is not considered a node on the LAN that it is dialing in to. That is, the remote computer is on a different LAN and has an IP address that is not chosen from those available on the local network. These configurations are typically more complex and require use of the dial-on-demand routing (DDR) facility in the Cisco IOS software. For more information, refer to the chapter "Routing across Modem Lines" later in this guide.
This section describes how to configure your access server to accept calls into IP and IPX networks from clients (PCs) using PPP to access resources such as file servers and printers. It also describes how to allow Macintosh or PC clients running a PPP application to dial in to an AppleTalk network.
Specifically, this section describes the following:
This section describes how to configure the access server to accept calls in to an IP network so that clients (remote PC computers) can access IP resources, such as a Windows NT server. It describes first the access server configuration, then presents some basic configuration information for the dial-in client. Figure 5-2 shows a typical dial-in scenario.
In Figure 5-2, a remote telecommuter dialing through the access server uses the Windows 95 client to access the Windows NT server. The client is considered a node on the same network as the NT server.
To dial in to an IP network by using PPP, you first need to enable the network protocol support. IP routing is enabled by default in the Cisco IOS software. However, if you have a routing protocol running on the LAN to which the access server provides access, you must specify this protocol in the access server's configuration, as well. This guide and the following procedure assume you are configuring OSPF routing. If so, perform the following steps to enable IP network support:
Step 1 Enter privileged EXEC and global configuration mode on the access server named 2511.
Step 2 If you haven't done so already, specify the IP address of the Ethernet interface on the access server. This should be a valid, unique, and unused IP address for a subnet on a connected LAN.
Step 3 Enable OSPF routing (assuming a routing process is given the number 101):
Step 4 Define the IP address of the Ethernet interface on which OSPF runs and define the area ID for that interface:
Step 5 Configure an OSPF network type of point-to-multipoint on the Ethernet interface 0 on the access server:
Step 6 Identify the IP domain name and IP name server on the LAN segment:
To configure IGRP instead of OSPF routing, issue the router igrp process-id global configuration command, then associate the network with the IGRP process ID by issuing the network address router configuration command. For example, you enter the following commands to configure IGRP routing:
2511(config-if)# router igrp 101
2511(config-router)# network 172.16.42.0
You can also configure a number of other routing protocols with IP, including RIP, IS-IS, BGP, EGP, GDP, IRDP, and IP multicast routing. For more information about configuring any of these routing protocols, refer to the Network Protocols Configuration Guide, Part 1 in the Cisco IOS documentation.
To enable IP dial-in, configure PPP encapsulation on asynchronous interfaces, as follows:
Step 1 To conserve IP addresses, configure the asynchronous interfaces as unnumbered and assign the IP address of the Ethernet interface to them:
Step 2 Specify PPP encapsulation on asynchronous interfaces to which you will allow PPP connections:
Step 3 Enable interactive mode on asynchronous interfaces:
Step 4 Configure lines on the access server to detect incoming PPP packets and permit a PPP client to connect to the network automatically. The following example shows lines 1 to 8 on an access server being configured to autoselect incoming PPP packets:
This section describes the methods you can use to assign IP addresses to dial-in clients. The methods are as follows:
To configure the address pool locally on the access server, perform the following steps:
Step 1 Create a local IP address pooling mechanism in the access server:
Step 2 Assign a range of specific IP addresses to a pool (addresses 172.16.80.0 through 172.16.80.16 in pool1):
The address pool named pool1 is applied automatically to each asynchronous interface configured for point-to-point access, so you do not have to apply it manually. If you need to apply this pool manually to asynchronous interfaces, issue the peer default ip address pool pool1 interface configuration command.
For a comprehensive configuration example of PPP dial-in to an IP network, refer to the section "Dial-In Configuration Examples" later in this chapter.
To configure the access server to obtain IP addresses from a DHCP server, perform the following steps:
Step 1 Configure asynchronous interfaces on an access server to assign IP addresses to dial-in clients from a DHCP server (in this example, a group async interface is configured):
Step 2 Configure the Cisco IOS software to query a DHCP server for IP addresses that can be supplied to IP clients as they dial in:
You also must configure the client software on client PCs to obtain IP addresses from a DHCP server. Refer to the documentation that accompanied the PC client software for more information about configuring IP addressing options.
For a comprehensive configuration example for PPP dialing to an IP network, refer to the section "Dial-In Configuration Examples" later in this chapter.
To configure the access server to statically assign an IP address to each client dialing in to the network, enter interface configuration mode and issue the peer default ip address address command, as shown in the following example:
2511(config)# interface async 1
2511(config-if)# peer default ip address 172.16.42.26
The IP address you assign must be the same as the address specified on the remote dial-in client. Refer to the documentation that accompanied the PC client software for more information about configuring IP addressing options.
For a comprehensive configuration example for PPP dialing to an IP network, refer to the section "Dial-In Configuration Examples" later in this chapter.
Though optional, you generally identify the IP domain name and IP name server on the LAN segment, as shown in the following example:
2511(config)# ip domain-name eapp.com
2511(config)# ip name-server charlatan
Table 5-1 lists other parameters that are often useful for administrators configuring IP dial-in using PPP.
Instructs the access server port to perform compression of TCP headers if requested by the client.
(IP only.) Enables the client to select an IP address dynamically when dialing in.
Caution: If you have configured network protocol support, PPP encapsulation, and an IP addressing method, IP clients can dial in to your network. Ensure that you configure security, as described in the chapter "Security Configuration" in this guide. Also, the configuration examples at the end of this chapter show IP configuration examples with security.
To enable clients running NetBIOS over TCP to dial in to IP network resources, perform the following tasks on the access server:
Step 1 Specify a hostname or IP address of your WINS server on the network:
Step 2 If you have one or more domain name servers on the network, specify a host name or IP address of that domain name server:
Make sure you have the following in your NetBIOS network:
For more information about configuring your Windows NT environment, refer to your Microsoft documentation or online resource, such as the World-Wide Web page "Microsoft TechNet" at the following URL: http://www.microsoft.com/TechNet/.
To enable PPP clients using PPP applications to access AppleTalk resources on a network, first perform the following tasks, as described in the earlier section "Accessing IP Resources."
Next, perform the following steps:
Step 1 Create an internal network on the access server by issuing the appletalk virtual-net command. The internal network number and zone name also can be used for dial-in using ARA (but do not need to be the same).
Step 2 Enable AppleTalk client mode on asynchronous interfaces configured for PPP dial-in. The following example shows client mode configured on a group asynchronous interface.
At this point, PPP clients can dial in to a network and access AppleTalk resources, such as AppleShare servers and printers.
This section describes how to configure the access server to accept calls in to an IPX network so that clients can access IPX resources, such as a Novell IPX server. It describes first the access server configuration, then presents some basic configuration information for the dial-in client. Figure 5-3 shows a typical dial-in scenario.
In Figure 5-3, a remote telecommuter dialing through the access server uses the Novell IPX client to access the Novell IPX server. The client is a node on the same network as the IPX server.
For PPP dialing to an IPX network, you must first enable network protocol support. This includes enabling IPX routing on the access server. If the dial-in client will be a routing client, you also must specify the routing protocol running on the LAN to which the access server provides access. To enable IPX network protocol support, perform the following steps:
Step 1 Enable IPX routing on the access server.
Step 2 If you are configuring IPX only and not IP, configure the Ethernet interface 0 as IP unnumbered.
However, if you are configuring IP and IPX on the interface, you must provide an IP address for Ethernet interface 0. This must be a valid, unique, and unused IP address for a subnet on a connected LAN.
Step 3 Set the IPX network number and encapsulation to match your existing network. The following example shows network 123ABCD and an encapsulation type of SAP:
Step 4 If the client connecting to the network is not performing routing, you do not have to enable a routing protocol and can skip to the next step. If the client connecting to the network is performing routing, configure a routing protocol. RIP routing is enabled by default. To specify a different routing protocol, such as Enhanced IGRP or NLSP, enter the ipx router command, followed by the name of the routing protocol.
The first example shows how to enable Enhanced IGRP routing with an autonomous system number of 1205. Enhanced IGRP is usually used in large networks.
The next example shows how to enable NLSP routing with an NLSP process tag of 210. An NLSP tag is optional if there is only one NLSP process. The process of configuring NLSP is somewhat complex and you must add NLSP servers to the network.
If you allow remote clients to dial in to IPX network resources, you should create a loopback interface, which is a "virtual" interface existing only in the router. Assign a Novell IPX network number to this loopback interface, then assign this network number to each asynchronous interface. The alternative is to assign a unique Novell IPX network number to each asynchronous interface, which could consume hundreds of Novell IPX network numbers. This section assumes that nonrouting clients are dialing in to access IPX network resources.
Step 1 Create a loopback interface:
Step 2 Do not require an IP address on the Loopback interface 0:
Step 3 Assign a Novell IPX network number (in this case, 1F) to the loopback interface:
This section assumes you are configuring group asynchronous interfaces.
After you configure IPX network support and a loopback interface, you then configure the asynchronous interfaces for PPP and assign the Novell IPX network number of the loopback interface to the asynchronous interface. You can also enable interactive mode on the interfaces.
Step 1 Assign the IP address of the Ethernet interface to a single master or each asynchronous interface:
Step 2 Specify PPP encapsulation on asynchronous interfaces to which you need to allow PPP connections:
Step 3 Assign the Novell IPX network number of the loopback interface to the group asynchronous interface.
Step 4 (Optional) Filter SAP routing updates on asynchronous interfaces. SAP updates take up a great deal of bandwidth, and asynchronous interfaces have low bandwidth.
Step 5 Enable interactive mode. Interactive mode enables you to support services other than PPP (such as EXEC sessions, SLIP, or ARA).
The Cisco IOS software assumes that all PCs dialing in have their own unique IPX address and that they send this address to the access server.
For additional parameters that enable PPP dial-in to IPX networks, refer to Table 5-1.
This section describes how to install and configure Windows 95 client software to dial in to and access network resources through a Cisco access server.
If you need information about configuring the CiscoRemote client software, you can receive a fax-back document from the Cisco Technical Assistance Center at 800 553-2447 or 408 526-7209 or call directly into the fax-on-demand service at 415 596-4408.
You can use virtually any other dial-in client applications to dial in to a network through access servers.
This configuration procedure is intended only as a starting point. The configuration requirements can change without warning because Cisco does not control the design and development efforts of other companies. This configuration information is only one of many ways of configuring a Win95 client application for dial-in using PPP. To set up the built-in PPP application in Win95 so that you can access the ISP's IP or NetBEUI network resources, perform the following steps:
Step 1 Double-click on the My Computer icon located either in your Applications window or on the desktop.
The My Computer window appears.
Step 2 If you are making a connection for the first time, double-click on the Make a New Connection icon. If you have already configured your connection profiles, additional icons exist in this window and you can double-click on them to use them.
Step 3 Give the connection session a name, such as MyConnection.
Step 4 Select the type of modem connected to your PC (or built in to the PC) from the list of modems.
Step 5 When the dialog box appears, click on the Configure button.
The General, Connection, and Options folders appear stacked on top of one another. You can select each tab to configure the appropriate parameters.
Step 6 Select the Connection tab. In the Connection folder, set data bits to 8, parity to No, and stop bits to 1, then click Apply.
The Advanced Connection Settings window appears.
Step 7 Modems usually perform all the data compression you'll ever need. However, if you have a very old modem, you should select Data Compression and Hardware flow control and click OK.
Step 8 Select the Options tab. In the Options folder, select "Bring up terminal window after dialing" and click on the Next button.
The option "Bring up terminal window after dialing" means that when you dial in, the access server prompts you for your username and password, then logs you in to the EXEC facility.
A new dialog box appears that indicates you have finished configuring a dialup profile, and the MyConnection connectoid appears.
Step 9 Click on the Next button.
Step 10 In the Phone Number field, enter the phone number, area code, and country of the access server you intend to dial and press Return.
You have configured preliminary parameters to enable the Win95 client to dial in to an access server. At this point, you need to define additional properties.
Step 1 Select the dialup profile connectoid, then click with the right mouse button, and pull down the menu. Select Properties.
Step 2 In the Properties dialog box, select Server_Type.
The ServerTypes dialog box appears, as shown in Figure 5-4.
Step 3 Select PPP Windows 95 Windows NT 3.5 Internet.
Step 4 In the Allowed Network Protocols area of the dialog box, select TCP/IP if you intend to function as an IP client to access IP network resources.
Step 5 Select the TCP/IP Settings pull-down menu at the bottom right corner of the dialog box.
Step 6 Select Server assigned IP and Name server addresses if you are getting your addresses from a server. Otherwise, enter an IP address.
Step 7 Select Use default gateway on remote network. Click Apply. Select IP compression if you also intend to enable header compression of IP packets on the access server, which is enabled with the ip tcp header-compression passive interface configuration command.
Step 8 Go to the Control Panel and select Internet.
Step 9 Check the AutoDial checkbox if your PPP connection is the only modem or ISDN connection to the Internet. Uncheck this box if you have more than one outgoing connection.
Step 10 Select MyConnection and click on the Apply button.
When you start an application that requires network access, you are prompted for a username and password. This username and password must match the username and password on the access server. When you select Connect, the client dials the number you entered. A status box shows the progress messages (dialing, verifying username/password), and the dial-in application should then run without problems. Figure 5-5 shows a successful connection.
This section describes how to configure the access server to accept calls in to an AppleTalk network so that clients can access AppleTalk resources, such as an AppleShare server, a colleague's Macintosh to retrieve files, or a printer. For information about configuring the ARA client, you can receive a fax-back document from Cisco's Technical Assistance Center at 800 553-2447 or 408 526-7209 or call directly into the fax-on-demand service at 415 596-4408.
For information about configuring the access server to enable IP clients to access AppleTalk resources, refer to the later section "Enabling PPP Clients to Dial In and Access AppleTalk Resources." Figure 5-6 shows a typical dial-in scenario.
Figure 5-6 shows a Macintosh with ARA 2.0 dialing in to a corporate network through an access server. The Macintosh client is a node on network 2500 in zone Mac-dialup.
After connecting to a corporate network with ARA, clients can also launch applications that enable them to communicate with IP devices, such as UNIX servers, although you must have configured a MacIP server on the network first.
The following configuration provides a range of 16 IP addresses, which can be assigned to each of the dial-in remote nodes. The MacIP server resides in the same zone and IP subnet it is providing IP addresses for. This is highly recommended for a gateway server of this kind. The IP address under interface Ethernet 0 strengthens the correlation of subnet to server.
To enable ARA dial-in on the access server, perform the following steps:
Step 1 Enable AppleTalk Routing.
Step 2 Create a new internal AppleTalk network in the access server. In the following example, the network number is 2500 and the zone name is Mac-dialup.
Step 3 Bring up the interface Ethernet 0, assign it an IP address, and configure a cable range. In this example, the cable range is 110 to 110.
Step 4 Create an AppleTalk zone on the Ethernet interface 0. In the following example, the zone is given the name Corporate.
Step 5 Enter line configuration mode for the lines on which you need to allow ARA clients to dial in and enable ARA. The following example configures lines 1 through 16 for ARA dial-in (these are the physical asynchronous TTY lines) and disables guest access to the AppleTalk network.
Step 6 Configure an AppleTalk zone for ARA dial-in sessions. (In Step 4, the zone that was created was Corporate. This example uses the same zone.)
Step 7 Allocate IP addresses for Macintosh users if you are using dynamic addressing:
Table 5-2 lists other useful dial-in parameters for ARA.
Makes the line only available for ARA dial-in access. Do not issue this command if you are also allowing PPP users to dial in through the line or if you issue the autoselect ppp command on the line.
Sets a time limit on dial-in sessions. This prevents clients from staying connected indefinitely.
Sets the amount of time before which the connection is closed because of the arap timelimit command. A reasonable amount of time is 15 minutes.
The configuration examples in this section show comprehensive configurations that enable remote clients to dial in to networks and access resources. The configurations in this section borrow information from the previous chapters and present each component (such as modem configuration and security) as a separate piece. Examples in this section include the following:
The following example configures an access server to enable a PC running a Windows 95 PPP application to dial in to an IP network. It also enables the Windows 95 client to access AppleTalk resources. The example starts with the modem configuration, then moves on to the security configuration, then the protocol configuration. This example assumes that you are using a local username database that is set up inside the access server for authentication.
The following sample configures lines 1 through 16 on a Cisco 2511 access server for modem control. It assumes you have a Telebit T3000 modem or one that can be automatically initialized using the Telebit_3000 initialization string.
line 1 16
 speed 115200
 flowcontrol hardware
 modem inout
 modem autoconfigure Telebit_t3000
!
 autoselect during-login
 autoselect ppp
!
interface group-async 0
 group-range 1 16
The following sample configuration uses a local authentication database inside the access server. It prevents unauthenticated login to all vty lines. It assumes dial-in users rely on autoselect and do not log in to the EXEC on the access server, but have immediate access to the network when their connection session begins. No security is configured on the console port, which is physically secure. This configuration uses defaults in most cases, except that it uses CHAP authentication for PPP instead of the default of PAP (because CHAP is more secure). It uses the username command to populate the local authentication database. The password that appears has been encrypted automatically.
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570
enable password cloudcity
!
username hansolo password 7 095E470B1110
username leiaorga password 7 0215055500070C294D
username anakin password 7 032A5K39068R1935
username jacen password 7 087X2G10385V8148
username jaina password 7 075V3W50429L2943
!
line vty 10 47
 login authentication default
!
line 1 16
 arap authentication default
!
interface Group-Async1
 ppp authentication chap default
 group-range 1 16
The following sample configuration enables an IP client to dial in to a network via an access server (with an IGRP routing process of 101) and be assigned an IP address from a locally defined pool (from 172.16.80.1 to 172.16.80.200). It also places all 16 asynchronous interfaces in a group interface and configures PPP encapsulation on it. IP clients (such as Windows 95 clients) dial in and automatically have a PPP session started (after the security dialog appears).
If you want to obtain IP addresses for dial-in clients from a Dynamic Host Configuration Protocol (DHCP) server, you must change the peer default ip address pool pool-1 command to peer default ip address dhcp. If you want to assign a static address to a remote client, you must change this command (for an address of 172.18.24.48, for example) to peer default ip address 172.18.24.48.
router igrp 101
 network 172.16.0.0
!
ip address-pool local
ip local pool pool-1 172.16.80.1 172.16.80.200
appletalk virtual-net 101 AT-zone
!
interface ethernet 0
 ip address 172.16.42.24 255.255.255.0
!
interface group-async1
 ip unnumbered ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool pool-1
 ip tcp header-compression passive
 appletalk client-mode
 group-range 1 16
!
ip domain-name eapp.com
ip name-server charlatan
The following configuration example enables a PC client running a PPP application to dial in to a network and access IPX resources. The modem attached to the access server is a Telebit T3000 modem. For security, the access server uses TACACS+ for lines and asynchronous interfaces and RADIUS for an ISDN interface (attached via an external ISDN terminal adaptor).
The following sample configures lines 1 through 16 on a Cisco 2511 access server for modem control. It assumes you have a Telebit T3000 modem.
line 1 16
 speed 115200
 flowcontrol hardware
 modem inout
 modem autoconfigure discovery
 modem autoconfigure type t_3000
!
 autoselect during-login
 autoselect ppp
!
This configuration uses remote security. It uses TACACS+ security for lines and asynchronous interfaces, and RADIUS security for ISDN interfaces. This portion of the configuration only contains security commands. Modem and protocol configuration commands are presented in the sections "Modem and Line Configuration" and "Protocol Configuration."
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication login con-special tacacs+ enable
aaa authentication ppp default if-needed tacacs+
aaa authentication ppp use-radius radius
!
enable secret 5 $1$Kv7T$yjdYBYi70X56gOpEtLj.Q.
!
line 1 16
! Modem commands deleted
 autoselect ppp
 autoselect during-login
!
line con 0
 login authentication con-special
!
interface Group-Async1
 ip unnumbered ether 0
 encapsulation ppp
 async mode interactive
 ppp authentication chap pap default
 group-range 1 16
!
interface Group-Async2
 ip unnumbered ether 0
 encapsulation ppp
 async mode interactive
 ppp authentication chap use-radius
 group-range 9 16
The following sample configuration enables an IPX client to dial in to a network to access IPX resources (IPXCP). In this sample configuration, the IPX client connections are permitted on group asynchronous interface 8, which is associated with loopback interface 0. Loopback interface 0 is configured to run IPX. Routing updates have been filtered on all asynchronous interfaces.
ipx routing 0000.0c07.b509
!
interface loopback0
 no ip address
 ipx network 544
!
interface ethernet0
 ip address 172.21.14.64 255.255.255.0
 ipx network AC150E00
 ipx encapsulation SAP
!
interface group-async1
 ip unnumbered ethernet0
 encapsulation ppp
 async mode interactive
 async default ip address 172.18.1.128
 ipx ppp-client loopback0
 ipx sap-interval 0
!
interface group-async2
 ip unnumbered ethernet0
 encapsulation ppp
 async mode interactive
 async default ip address 172.18.1.128
 ipx ppp-client loopback0
 ipx sap-interval 0
The following example configures an access server to enable a Macintosh running ARA 2.0 to dial in to an AppleTalk network. It also permits IP clients to dial in and access AppleTalk resources. The example starts with the modem configuration, then moves on to the security configuration, then the protocol configuration. This example assumes you are using a local username database that is set up inside the access server for authentication.
The following example configures lines 1 through 16 on a Cisco 2511 access server for modem control. It assumes you have a modem that uses an initialization string that corresponds to the Usr_sportster string that is used to configure a modem automatically.
line 1 16
 arap enable
 flowcontrol hardware
 modem inout
 modem autoconfigure Usr_sportster
 autoselect during-login
 autoselect arap
!
The following example uses a TACACS+ security database. No security is configured on the console port, which is physically secure. This configuration uses default configuration parameters. ARA authentication permits guests to log in and access network resources.
aaa new-model
aaa authentication login default tacacs+
aaa authentication arap default guest tacacs+
enable secret 5 $17dd$VTNs4.BAfQMUU0Lrvw6570
!
line 1 16
 arap authentication default
 login authentication default
The following example enables an ARA client to dial in with AppleTalk over PPP (ATCP). ARA clients dial in and automatically have an ARA session started (after the security dialog appears). In this example, IP is enabled on Ethernet interface 0 to allow basic IP connectivity.
appletalk routing
arap network 108 dialin14
appletalk virtual-net 107 dialin14
!
interface ethernet 0
 ip address 172.16.42.24 255.255.255.0
 appletalk cable-range 20-22
 appletalk zone marketing
!
line 1 16
 arap enable
 arap timelimit 180
 arap warningtime 15
 autoselect arap
 autoselect during-login
!
ip domain-name eapp.com
ip name-server alices-diner
!
! The following commands enable IP clients to dial in and access AppleTalk resources
interface group-async1
 encapsulation ppp
 appletalk client-mode
 group-range 1 16
The following configuration example enables remote clients to dial in to IP, IPX, and AppleTalk networks and permits users to log in and connect to the EXEC facility.
The following example configures lines 1 through 16 on a Cisco 2511 access server for modem control. It assumes lines 1 through 8 have Hayes Optima modems. (The Cisco IOS software can configure a Hayes Optima modem automatically.)
This configuration assumes that lines 9 through 16 have Practical Peripherals PC28800SA V.42bis modems. If you issue the modem autoconfigure discovery line configuration command, the Cisco IOS software attempts to identify the modem string that initializes the Practical Peripherals modem. If it cannot find a string that automatically initializes the Practical Peripherals modems, you must initialize them manually, as specified in the following section, "Initializing the Practical Peripherals Modems."
In this example, the access server is configured to allow dial-in clients to launch ARA, PPP, or an EXEC session on lines 1 through 16.
version 11.2
!
hostname 2511
!
line 1 16
 modem autoconfigure type hayes_optima
 speed 115200
 flowcontrol hardware
 modem inout
 transport input all
 autoselect arap
 autoselect during-login
 autoselect ppp
 arap enable
!
line con 0
 speed 9600
 flowcontrol software
The following steps show how to initialize a Practical Peripherals modem to function with a Cisco 2509 access server.
Step 1 Connect with the modem, which is attached to asynchronous port 4. The IP address of the Ethernet interface is 172.18.2.24:
Step 2 Issue an at command to ensure the modem connection has been established:
Step 3 Configure the modem initialization string (the following is the string for a Practical Peripherals 28.8 modem):
Step 4 Store the modem settings in the modem NVRAM:
Step 5 Suspend and disconnect your Telnet session:
This sample configuration uses a RADIUS security server for asynchronous interfaces and local authentication for lines, because ARA, which is configured on lines, does not support RADIUS authentication. The login authentication in this configuration works as follows:
This sample configuration only contains security commands. It does not contain modem or protocol configuration commands. For modem and line commands, refer to the "Modem and Line Configuration" section. For protocol configuration commands, refer to the "Protocol Configuration" section.
aaa new-model
aaa authentication login default radius local
aaa authentication arap default auth-guest local
aaa authentication ppp default if-needed radius
!
radius-server host 172.23.4.28
radius-server key s2imm3r
!
username pumba password 7 095E470B1110
username timone password 7 095E470B1110
username rafiki password 7 0215055500070C294D
username simba password 7 032A5K39068R1935
username nala password 7 087X2G10385V8148
username mufasa password 7 075V3W50429L2943
username sarabi password 7 0215055500070C294D
enable secret 5 $1$Kv7T$yjdYBYi70X56gOpEtLj.Q.
!
line 1 16
 arap authentication default
!
line con 0
 login authentication default
!
interface Group-Async1
 ppp authentication chap default
 group-range 1 8
!
interface Group-Async2
 ppp authentication pap default
 group-range 9 16
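The following is an added example, not part of the original guide: a short Python audit that reads a configuration like this chapter's security samples and flags the settings the text itself singles out (PAP where CHAP is available, ARA guest access, a console with no login) together with cleartext and type 7 secrets. The rule names, the function names, and the embedded sample are assumptions made for illustration; the type 7 rule rests on the fact that type 7 is a reversible encoding rather than a one-way hash.

```python
"""Flag weak authentication settings in a Cisco IOS dial-in configuration."""
import re
from typing import NamedTuple

# Constructed input: commands taken from this chapter's security samples, one
# per line, with sub-commands indented the way "show running-config" prints them.
SAMPLE_CONFIG = """\
aaa authentication arap default auth-guest local
aaa authentication ppp default if-needed radius
radius-server key s2imm3r
username pumba password 7 095E470B1110
enable secret 5 $1$Kv7T$yjdYBYi70X56gOpEtLj.Q.
enable password cloudcity
!
line con 0
 speed 9600
!
interface Group-Async1
 ppp authentication chap default
!
interface Group-Async2
 ppp authentication pap default
 group-range 9 16
"""


class Finding(NamedTuple):
    section: str  # "global", or the line/interface header the command sits under
    rule: str     # hypothetical rule name, chosen for this example
    command: str  # offending command, secret value redacted


LOCAL_SECRET = re.compile(r"(enable password|username \S+ password) (7 )?\S+")
PPP_PROTOCOLS = {"chap", "pap", "ms-chap"}


def parse(config):
    """Group commands under 'global' or the line/interface header above them."""
    blocks = [("global", [])]
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or IOS comment/separator
        if line[0].isspace():
            blocks[-1][1].append(line.strip())  # sub-command of current block
        elif line.split()[0] in ("interface", "line"):
            blocks.append((line, []))
        else:
            if blocks[-1][0] != "global":
                blocks.append(("global", []))
            blocks[-1][1].append(line)
    return blocks


def redact(cmd):
    """Replace the last token (the secret) so the report is safe to share."""
    return cmd.rsplit(" ", 1)[0] + " <redacted>"


def audit(config):
    findings = []
    for section, commands in parse(config):
        for cmd in commands:
            words = cmd.split()
            secret = LOCAL_SECRET.fullmatch(cmd)
            if secret:
                # Type 7 is a reversible encoding; no type digit means cleartext.
                rule = "type7-reversible" if secret.group(2) else "cleartext-password"
                findings.append(Finding(section, rule, redact(cmd)))
            elif re.fullmatch(r"radius-server key (?!7 )\S+", cmd):
                findings.append(Finding(section, "cleartext-radius-key", redact(cmd)))
            elif words[:3] == ["aaa", "authentication", "arap"]:
                methods = words[4:]  # words[3] is the list name
                if "guest" in methods:
                    findings.append(Finding(section, "arap-guest-allowed", cmd))
                elif "auth-guest" in methods:
                    findings.append(Finding(section, "arap-auth-guest", cmd))
            elif words[:2] == ["ppp", "authentication"]:
                protocols = [w for w in words[2:] if w in PPP_PROTOCOLS]
                if protocols == ["pap"]:
                    findings.append(Finding(section, "ppp-pap-only", cmd))
                elif "pap" in protocols:
                    findings.append(Finding(section, "ppp-pap-fallback", cmd))
        # The chapter leaves the console open as "physically secure"; report it
        # so that the assumption is a recorded decision rather than an oversight.
        if section.startswith("line con") and not any(
            c.startswith(("login", "password")) for c in commands
        ):
            findings.append(Finding(section, "console-no-login", ""))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.section:24} {f.rule:24} {f.command}")
```

Run against a saved copy of the running configuration, the report names the section each finding sits in without repeating the secret itself.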
The following sample configuration enables remote clients to dial in and access IP, IPX, and AppleTalk resources. In this example, IP and IPX client connections are permitted on group asynchronous interface 1 to IP, IPX, and AppleTalk resources. The IPX network number of loopback interface 1 is assigned to the group asynchronous interface. Routing updates have been filtered on all asynchronous interfaces.
ARA has also been enabled on all lines. Macintosh clients can also dial in and access IP network resources.
ip domain-name cisco.com
ip name-server scar
ipx routing 0040.0d05.c601
ip address-pool local
!
appletalk routing
appletalk virtual-net 2000 Mac-dialup
arap network 2500 Mac-dialup
!
async dns-server 172.16.80.34
async nbns-server 172.16.80.35
!
interface loopback0
 no ip address
 ipx network 544
 ipx sap-interval 0
!
interface ethernet0
 ip address 172.21.14.64 255.255.255.0
 appletalk cable-range 110-110
 appletalk zone corporate
 ip tcp header-compression passive
 ipx network AC150E00
 ipx encapsulation SAP
!
interface group-async1
 ip unnumbered ethernet0
 encapsulation ppp
 async mode interactive
 appletalk client-mode
 peer default ip address pool singi
 ipx ppp-client loopback0
 netbios nbf
 group-range 1 8
!
interface group-async2
 ip unnumbered ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool bonsai
 ipx ppp-client loopback0
 group-range 9 16
!
ip local pool singi 172.16.80.1 172.16.80.16
ip local pool bonsai 172.16.80.17 172.16.80.32
!
ipx router rip
 no network 544
!
line 1 16
 arap enable
 autoselect arap
 autoselect during-login
 autoselect ppp
 arap timelimit 240
 arap warningtime 15
!
! The following commands enable Macintosh clients to access IP network resources
appletalk macip server 172.21.14.64 zone corporate
appletalk macip dynamic 172.21.14.65 172.21.14.81 zone corporate