This chapter describes the command-line interface (CLI) commands that you can use to manage and monitor the Cisco Broadband Access Center (Cisco BAC) Device Provisioning Engine (DPE).
If you run these commands on an unlicensed DPE, a message similar to this one appears:
This DPE is not licensed. Your request cannot be serviced. Please check with your
system administrator for a DPE license.
The commands described in this chapter are:
Use the aaa authentication command to configure the CLI for user authentication, authorization, and accounting services using the local login or remote TACACS+ or RADIUS servers. This setting applies to all Telnet and console CLI interfaces.
TACACS+ is a TCP-based protocol that supports centralized access control for several network devices and user authentication for the DPE CLI. Using TACACS+, a DPE supports multiple users (and their individual usernames) and the login and enable passwords configured at the TACACS+ server.
RADIUS is a UDP-based protocol used for enabling centralized authentication, authorization, and accounting for network access. It authenticates the users accessing the network services via the RADIUS server using the RADIUS standard protocol.
aaa authentication {local | tacacs | radius}
•local—In this mode, user authentication is enabled via a local login.
•tacacs—In this mode, the CLI server sequentially attempts a TACACS+ exchange with each server in the TACACS+ server list. The attempts continue for a specified number of retries. If the CLI reaches the end of the server list without a successful protocol exchange, authentication is automatically enabled in the local mode. In this manner, you can gain access to the CLI even if the TACACS+ service is unavailable.
•radius—In this mode, user authentication is performed via a RADIUS server. The RADIUS server authentication details are similar to those for a TACACS+ server. A Cisco AV-pair needs to be configured in the RADIUS server to support DPE CLI RADIUS authentication. Cisco IOS/PIX 6.x is the RADIUS server that supports Cisco AV-pair in the Access Control Server (ACS) server. The Cisco AV-pair attribute values are:
shell:priv-lvl=15—allowed for both login and enable mode
shell:priv-lvl=1—allowed only for login mode
Note When you configure TACACS+ or RADIUS authentication, you are prompted to enter the username and password configured at the TACACS+ or RADIUS server respectively. However, local authentication prompts only for the password.
AAA authentication is enabled by default in the local mode.
This result occurs when you enable user authentication in the local mode.
bac_dpe# aaa authentication local
% OK
This result occurs when you enable user authentication in the TACACS+ mode.
bac_dpe# aaa authentication tacacs
% OK
This result occurs when you enable user authentication in the radius mode.
bac_dpe# aaa authentication radius
% OK
This result occurs when you have configured user authentication in the TACACS+ or RADIUS mode and try to access the privileged mode on the DPE (using the enable command). If the CLI server is unable to establish a successful protocol exchange with the servers in the TACACS+ or RADIUS list, it reverts to local user authentication and prompts you for the local configured password.
Use the disable command to exit the privileged mode on the DPE. Once you exit the privileged mode, you can view only those commands that relate to system configuration.
No keywords or arguments.
No default behavior or values.
bac_dpe# disable
bac_dpe>
Use the enable command to access the DPE in the privileged mode. You need not access the privileged mode to view the system configuration; however, only in this mode can you change the system configuration, state, and data.
Once you enter the enable command, you are prompted to enter the local, configured, privileged mode password. For information on setting this password, see enable password.
No keywords or arguments.
The default password to access the privileged mode is changeme.
bac_dpe> enable
Password: <password2>
bac_dpe#
This result occurs when the CLI server prompts for the local configured password in TACACS+.
bac_dpe> enable
TACACS+: all hosts unreachable or no hosts configured
Reverting to local authentication mode
Password: <changeme>
This result occurs when the CLI server prompts for the local configured password in RADIUS.
bac_dpe> enable
RADIUS: all hosts unreachable or no hosts configured
Reverting to local authentication mode
Password: <changeme>
Note If you enter an incorrect password, the following error message appears:
Sorry, invalid password.
Use the enable password command to change the local password that allows you to access the DPE in the privileged mode. You can change the privileged mode password only in the privileged mode.
Once the password is changed, all users who, from that point forward, attempt to access the privileged mode must use the new password.
Note This command does not change the login password; it only changes the local privileged mode password. Do not use the enable password command when you enable user authentication in the TACACS+ or RADIUS mode. TACACS+ or RADIUS authentication prompts for the username and password configured at the TACACS+ or RADIUS server. For more information, see aaa authentication.
When entering the enable password command, you can specify the password on the command line or when prompted.
enable password password
password—Specifies the local configured password currently in effect or, optionally, provides a new password. If you omit this parameter, you are prompted for the password.
The default password to access the privileged mode is changeme.
This result occurs when you enter the password without being prompted, and the password is changed successfully.
bac_dpe# enable password password1
Password changed successfully.
This result occurs when you are prompted to enter the password, and the password is changed successfully.
bac_dpe# enable password
New enable password: <password2>
Retype new enable password: <password2>
Password changed successfully.
This result occurs when you enter an incorrect password.
bac_dpe# enable password
New enable password: <password2>
Retype new enable password: <paswsord2>
Sorry, passwords do not match.
Use the exit command to close a Telnet connection to the DPE and return to the login prompt. After running this command, a message indicates that the Telnet connection has been closed.
No keywords or arguments.
No default behavior or values.
This result occurs when you have accessed the CLI by specifying the hostname of the DPE.
bac_dpe# exit
% Connection closed.
Connection to 10.10.2.10 closed by foreign host.
This result occurs when you have accessed the CLI without specifying the hostname.
bac_dpe# exit
% Connection closed.
Connection to 0 closed by foreign host.
This result occurs when the Telnet connection closes because the CLI has been idle and the timeout period expired.
bac_dpe#
% Connection timed out.
Connection to 0 closed by foreign host.
Use the help command to display a help screen that can assist you in using the DPE CLI. If you need help on a particular command, or to list all available commands, enter command ? or ?, respectively.
Once you enter the command, a screen prompt appears to explain how you can use the help function.
Two types of help are available:
1. Full help is available when you are ready to enter a command argument, such as show ?, and describes each possible argument.
2. Partial help is available when you enter an abbreviated argument and want to know what arguments match the input; for example, show c?.
No keywords or arguments.
No default behavior or values.
This result occurs when you use the help command.
bac_dpe# help
Help may be requested at any point in a command by entering a question mark '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.
1) Full help is available when you are ready to enter a command argument (e.g. 'show ?') and describes each possible argument.
2) Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. "show c?").
This result occurs when you invoke the full help function for a command; for example, show ?.
Note The help command output differs depending on the mode (login or privileged) in which you run the command.
bac_dpe# show ?
bundles Shows the archived bundles.
clock Shows the current system time.
commands Shows the full command hierarchy.
cpu Shows the current CPU usage.
device-config Shows a device configuration
disk Shows the current disk usage.
dpe Shows the status of the DPE process if started.
hostname Shows the system hostname.
ip Shows IP configuration details.
log Shows recent log entries.
memory Shows the current memory usage.
running-config Shows the appliance configuration.
tftp Shows TFTP details.
version Shows DPE version.
This result occurs when you invoke the partial help function for arguments of a command; for example, show clock.
bac_dpe# show c?
clock commands cpu
bac_dpe# show clock
Thu Oct 25 01:20:14 EDT 2007
Use the password command to change the local system password, which you use to access the DPE and which is different from the one used to access the privileged mode on the DPE. The system password is changed automatically for future logins and for FTP access.
Note The changes that you introduce through this command take effect for new users, but users who are currently logged in are not disconnected.
If you enable TACACS+ or RADIUS user authentication and the DPE is unable to communicate with a TACACS+ or RADIUS server, the system prompts for the local system password.
password password
password—Identifies the new DPE password.
The default password for accessing the DPE is changeme.
This result occurs when you change the password without being prompted (using an approach easier for scripting).
bac_dpe# password password2
Password changed successfully.
This result occurs when you are prompted for the password, and the password is changed successfully.
bac_dpe# password
New password: <password1>
Retype new password: <password1>
Password changed successfully.
This result occurs when you enter an incorrect password.
bac_dpe# password
New password: <password1>
Retype new password: <paswsord1>
Sorry, passwords do not match.
Use the show command to view system settings and status. Table 2-1 lists the keywords that you can use with this command.
Note To view the output for show cpu, show disk, show ip, show ip route, and show memory on Solaris and Linux, see man mpstat.
Use the tacacs-server command to configure user authentication settings in TACACS+. Table 2-2 lists the keywords that you can use with this command.
tacacs-server host
Adds the TACACS+ server host address to the list of hosts. When you enable TACACS+ authentication, the client attempts to authenticate the user with each server in the list sequentially until a successful authentication exchange is executed, or the list is exhausted. If the list is exhausted, the client automatically falls into the local authentication mode (using the local system password). To remove a TACACS+ server from the list of TACACS+ servers in the CLI, use the no form of this command. See no tacacs-server host.
tacacs-server host host [key encryption-key]
•host—Specifies the IP address or the hostname of the TACACS+ server.
•encryption-key—Identifies the encryption key (optional).
No default behavior or values.
This result occurs when you add a TACACS+ server using its IP address (10.0.1.1) without encryption.
bac_dpe# tacacs-server host 10.0.1.1
% OK
This result occurs when you add a TACACS+ server using its IP address (10.0.1.1) and an encryption key (hg667YHHj).
bac_dpe# tacacs-server host 10.0.1.1 key hg667YHHj
% OK
This result occurs when you add a TACACS+ server using its hostname (tacacs1.cisco.com) without encryption.
bac_dpe# tacacs-server host tacacs1.example.com
% OK
This result occurs when you add a TACACS+ server using its hostname (tacacs1.cisco.com) and an encryption key (hg667YHHj).
bac_dpe# tacacs-server host tacacs1.example.com key hg667YHHj
% OK
no tacacs-server host
Removes the TACACS+ server host address from the list of hosts. To add a TACACS+ server, see tacacs-server host.
no tacacs-server host host
•host—Specifies either the IP address or the hostname of the TACACS+ server.
No default behavior or values.
This result occurs when you remove a TACACS+ server using its IP address.
bac_dpe# no tacacs-server host 10.0.1.1
% OK
This result occurs when you remove a TACACS+ server using its hostname.
bac_dpe# no tacacs-server host tacacs1.example.com
% OK
tacacs-server retries
Sets the maximum number of times the TACACS+ protocol exchange is tried before the TACACS+ client considers a specific TACACS+ server unreachable. When this limit is reached, the TACACS+ client moves to the next server in its TACACS+ server list or, if the TACACS+ list has been exhausted, falls back into local authentication mode.
tacacs-server retries value
•value—Specifies a dimensionless number from 1 to 100. This value applies to all TACACS+ servers.
The default is 3.
This result occurs when you configure retry value for TACACS+ server:
bac_dpe# tacacs-server retries 10
% OK
tacacs-server timeout
Sets the maximum length of time that the TACACS+ client waits for a response from the TACACS+ server before it considers the protocol exchange to
tacacs-server timeout value
•value—Specifies the maximum length of time that the TACACS+ client waits for a TACACS+ server response. This value must be from 1 to 300 seconds, and applies to all TACACS+ servers.
The default is 5 seconds.
This result occurs when you configure timeout value for TACACS+ server:
bac_dpe# tacacs-server timeout 10
% OK
Use the radius-server command to configure user authentication settings in RADIUS. Table 2-3 lists the keywords that you can use with this command.
radius-server host
Adds the RADIUS server host address to the list of hosts. When you enable RADIUS authentication, the client attempts to authenticate the user with each server in the list sequentially until a successful authentication exchange is executed, or the list is exhausted. If the list is exhausted, the client automatically falls into the local authentication mode (using the local system password). The order of the commands that appears in show run is the order in which they are contacted. To remove a RADIUS server from the list of RADIUS servers in the CLI, use the no form of this command. See no radius-server host.
radius-server host host [key encryption-key]
•host—Specifies the IP address or the hostname of the RADIUS server.
•encryption-key—Identifies the encryption key (optional).
•port-number—Identifies the port number (optional).
No default behavior or values.
This result occurs when you add a RADIUS server using its IP address with key and port number.
bac_dpe# radius-server host 10.10.10.10 key secret port 1812
% OK
no radius-server host
Removes the RADIUS server host address from the list of hosts. For details about adding a RADIUS server, see radius-server host.
no radius-server host host
•host—Specifies either the IP address or the hostname of the RADIUS server.
No default behavior or values.
This result occurs when you remove a RADIUS server using its IP address:
bac_dpe# no radius-server host 10.10.10.10
% OK
radius-server retries
Sets the maximum number of times the RADIUS protocol exchange is tried before the RADIUS client considers a specific RADIUS server unreachable. When this limit is reached, the RADIUS client moves to the next server in its RADIUS server list or, if the RADIUS list has been exhausted, falls back into local authentication mode.
radius-server retries value
•value—Specifies a dimensionless number from 1 to 10. This value applies to all RADIUS servers.
The default is 3.
This result occurs when you configure retry value for RADIUS server:
bac_dpe# radius-server retries 10
% OK
radius-server timeout
Sets the maximum length of time that the RADIUS client waits for a response from the RADIUS server before it considers the protocol exchange to
radius-server timeout value
•value—Specifies maximum length of time that the RADIUS client waits for a RADIUS server response. This value must be from 1 to 30 seconds, and applies to all RADIUS servers.
The default is
This result occurs when you configure timeout value for RADIUS server:
bac_dpe# radius-server timeout 5
% OK
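An added example, not part of the Cisco documentation: a Python check over the aaa authentication, tacacs-server and radius-server commands described above. It flags hosts added without a key, retries or timeout values outside the documented ranges, and a remote mode with an empty server list, and it estimates the longest wait before the CLI reverts to the local password. It assumes the commands are available as plain text, one per line, and treats servers x retries x timeout as an upper bound; the name `audit_aaa` and the sample values are constructed for illustration.

```python
import re

# (min, max, default) for each setting, as stated on this page.
# The RADIUS timeout default is cut off on the page, so it is None here.
LIMITS = {
    "tacacs": {"retries": (1, 100, 3), "timeout": (1, 300, 5)},
    "radius": {"retries": (1, 10, 3), "timeout": (1, 30, None)},
}

# Constructed sample input (not output captured from a real DPE).
SAMPLE = """\
aaa authentication tacacs
tacacs-server host 10.0.1.1
tacacs-server host tacacs1.example.com key EXAMPLE-KEY
tacacs-server retries 10
tacacs-server timeout 10
radius-server retries 20
"""

def audit_aaa(config_text):
    """Return (findings, worst_case_seconds) for a list of DPE AAA commands."""
    mode = "local"                       # AAA authentication defaults to local
    hosts = {"tacacs": [], "radius": []}
    values = {p: {k: v[2] for k, v in LIMITS[p].items()} for p in LIMITS}
    findings = []
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["aaa", "authentication"] and len(words) == 3:
            mode = words[2]
            continue
        m = re.match(r"(tacacs|radius)-server (host|retries|timeout) (\S+)(.*)", line.strip())
        if not m:
            continue
        proto, kind, arg, rest = m.groups()
        if kind == "host":
            hosts[proto].append(arg)     # list order is the order servers are tried
            if not re.search(r"\bkey \S+", rest):
                findings.append(f"{proto} host {arg}: no key configured")
        else:
            low, high, _ = LIMITS[proto][kind]
            if not arg.isdigit() or not low <= int(arg) <= high:
                findings.append(f"{proto} {kind} {arg}: outside {low}-{high}")
            else:
                values[proto][kind] = int(arg)
    worst = None
    if mode in hosts:
        if not hosts[mode]:
            findings.append(f"{mode} mode with no hosts: logins revert to the local password")
        r, t = values[mode]["retries"], values[mode]["timeout"]
        if t is not None:
            # Assumed upper bound: every server uses all retries, each waiting the full timeout.
            worst = len(hosts[mode]) * r * t
    return findings, worst
```

For the constructed sample, `audit_aaa(SAMPLE)` reports the keyless TACACS+ host and the out-of-range RADIUS retries value, with a worst-case wait of 200 seconds before local fallback.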
Use the uptime command to identify how long the system has been operational. This information is useful for determining how frequently the device is rebooted. It is also helpful when checking the reliability of the DPE when it is in a stable condition.
No keywords or arguments.
No default behavior or values.
bac_dpe# uptime
1:47am up 496 day(s), 8:49, 1 user, load average: 0.14, 0.07, 0.06