CLI Reference Guide for the Cisco Secure Access Control System 5.0
Overview of the ACS Command Line Interface


Cisco Secure Access Control System (ACS) 5.0 uses the CSACS 1120 appliance running the Cisco ADE OS 1.1. This chapter provides an overview of how to access the ACS command-line interface (CLI), the different command modes, and the commands that are available in each mode.

You can configure and monitor ACS 5.0 through the web interface. You can also use the CLI to perform the configuration tasks and monitoring that this guide describes.

The following sections describe the ACS CLI:

Accessing the ACS Command Environment

User Accounts and Modes in ACS

Types of Command Modes in ACS

Accessing the ACS Command Environment

ACS offers only one way to access the command environment: the CLI. You access this text-based interface, which has additional administration and configuration capabilities, through a Secure Shell (SSH) client or the console port using one of the following:

Windows PC running Windows XP/Vista.

Apple Computer running Mac OS X 10.4 or later.

PC running Linux.

For detailed information on accessing the CLI, see Chapter 2, "Using the ACS Command Line Interface."

User Accounts and Modes in ACS

Two different types of accounts are available on the ACS server:

Admin (administrator)

Operator (user)

When you power up the CSACS 1120 appliance for the first time, you are prompted to run the setup utility to configure the appliance. During this setup process, an administrator user account, also known as an Admin account, is created. After you enter the initial configuration information, the appliance automatically reboots and prompts you to enter the username and the password that you specified for the Admin account. It is this Admin account that you must use to log in to the ACS CLI for the first time.

An Admin can create and manage Operator (user) accounts, which have limited privileges and access to the ACS server. An Admin account provides the functionality you require to use the ACS CLI.

To create more users (with admin and operator privileges) with SSH access to the ACS CLI, you must run the username command in the Configuration mode (see Types of Command Modes in ACS).

Table 1-1 lists the command privileges for each type of user account: Admin and Operator (user).

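Table 1-1 Command Privileges

| Command | User Account: Admin | User Account: Operator (User) |
|---|---|---|
| acs commands | ✓ | |
| acs-config | ✓ | |
| acs-migration-interface | ✓ | |
| application commands | ✓ | |
| backup | ✓ | |
| backup-logs | ✓ | |
| cdp run | ✓ | |
| clock | ✓ | |
| configure terminal | ✓ | |
| copy commands | ✓ | |
| debug | ✓ | |
| debug-adclient | ✓ | |
| debug-log | ✓ | |
| delete | ✓ | |
| dir | ✓ | |
| end | ✓ | |
| exit | ✓ | ✓ |
| forceout | ✓ | |
| halt | ✓ | |
| hostname | ✓ | |
| icmp | ✓ | |
| interface | ✓ | |
| ip default-gateway | ✓ | |
| ip domain-name | ✓ | |
| ip name-server | ✓ | |
| ip route | ✓ | |
| kron | ✓ | |
| logging commands | ✓ | |
| mkdir | ✓ | |
| nslookup | ✓ | ✓ |
| ntp server | ✓ | |
| password policy | ✓ | |
| patch | ✓ | |
| ping | ✓ | ✓ |
| reload | ✓ | |
| replication | ✓ | |
| repository | ✓ | |
| restore commands | ✓ | |
| rmdir | ✓ | |
| service | ✓ | |
| show acs-logs | ✓ | ✓ |
| show acs-migration-interface | ✓ | ✓ |
| show application | ✓ | |
| show backup | ✓ | |
| show cdp | ✓ | ✓ |
| show clock | ✓ | ✓ |
| show cpu | ✓ | ✓ |
| show debug-adclient | ✓ | |
| show debug-log | ✓ | |
| show disks | ✓ | ✓ |
| show icmp_status | ✓ | ✓ |
| show interface | ✓ | ✓ |
| show ip route | ✓ | |
| show logging | ✓ | ✓ |
| show logins | ✓ | ✓ |
| show memory | ✓ | ✓ |
| show ntp | ✓ | ✓ |
| show ports | ✓ | ✓ |
| show process | ✓ | ✓ |
| show repository | ✓ | |
| show restore | ✓ | |
| show running-configuration | ✓ | |
| show startup-configuration | ✓ | |
| show tac | ✓ | |
| show tech-support | ✓ | |
| show terminal | ✓ | ✓ |
| show timezone | ✓ | ✓ |
| show timezones | ✓ | |
| show udi | ✓ | ✓ |
| show uptime | ✓ | ✓ |
| show users | ✓ | |
| show version | ✓ | ✓ |
| snmp-server commands | ✓ | |
| ssh | ✓ | ✓ |
| ssh keygen | ✓ | ✓ |
| ssh rmkey | ✓ | ✓ |
| tech | ✓ | |
| telnet | ✓ | ✓ |
| terminal | ✓ | ✓ |
| traceroute | ✓ | ✓ |
| undebug | ✓ | |
| username | ✓ | |
| write | ✓ | |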

Logging in to the ACS server places you in the Operator (user) mode or the Admin (EXEC) mode. Typically, logging in requires a username and a password.

You can always tell when you are in the Operator (user) mode or Admin (EXEC) mode by looking at the prompt. A right angle bracket (>) appears at the end of the Operator mode prompt; a pound sign (#) appears at the end of the Admin mode prompt, regardless of the submode.
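
As an added example (not part of the Cisco guide), the following Python code applies the prompt rule above and the Operator column of Table 1-1 to a saved session transcript: it collects Admin-mode commands for change review and flags Operator-mode attempts at commands the table does not grant. The prompt text, hostname, and usernames in the sample are constructed, and command abbreviations are not handled.

```python
import re

# Commands that Table 1-1 marks for the Operator (user) account.
OPERATOR_COMMANDS = {"exit", "nslookup", "ping", "ssh", "ssh keygen",
                     "ssh rmkey", "telnet", "terminal", "traceroute"}
# "show" keywords marked for Operator. The page spells one keyword both
# icmp_status (Table 1-1) and icmp-status (Table 1-3); accept either.
OPERATOR_SHOW = set("""acs-logs acs-migration-interface cdp clock cpu disks
icmp_status icmp-status interface logging logins memory ntp ports process
terminal timezone udi uptime version""".split())
# Prompt = first whitespace-free token ending in ">" (Operator) or "#" (Admin).
PROMPT = re.compile(r"^(\S+?)([>#])\s*(.*)$")

def parse_line(line):
    """Return (mode, command) for a prompt line, or None for command output."""
    m = PROMPT.match(line.strip())
    if not m or not m.group(3):
        return None
    mode = "operator" if m.group(2) == ">" else "admin"
    return mode, " ".join(m.group(3).lower().split())

def operator_allowed(command):
    """True if Table 1-1 grants this command to the Operator account."""
    words = command.split()
    if words[0] == "show":
        return len(words) > 1 and words[1] in OPERATOR_SHOW
    return " ".join(words[:2]) in OPERATOR_COMMANDS or words[0] in OPERATOR_COMMANDS

def audit(transcript):
    """Collect Admin-mode commands and Operator-mode commands outside Table 1-1."""
    report = {"admin": [], "operator_denied": []}
    for mode, command in filter(None, map(parse_line, transcript.splitlines())):
        if mode == "admin":
            report["admin"].append(command)
        elif not operator_allowed(command):
            report["operator_denied"].append(command)
    return report

# Constructed sample transcript: prompt text, hostname and usernames are hypothetical.
SAMPLE = """\
acs51/oper1> show clock
Mon Jan  5 10:00:00 UTC 2009
acs51/oper1> show running-configuration
acs51/oper1> configure terminal
acs51/admin# configure terminal
acs51/admin(config)# hostname acs52
acs51/admin# show users
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```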

Types of Command Modes in ACS

The ACS server supports these command modes:

EXEC—Use the commands in this mode to perform system-level configuration. In addition, certain EXEC mode commands have ACS-specific abilities. See EXEC Commands.

ACS configuration—Use these commands to enable or disable debug log level for the ACS management and runtime components, and show system settings. See ACS Configuration Commands.

Configuration—Use the commands in this mode to perform additional configuration tasks for the ACS server. See Configuration Commands.

EXEC Commands

EXEC commands primarily include system-level commands such as show and reload (for example, application installation, application start and stop, copy files and installations, restore backups, and display information). In addition, certain EXEC-mode commands have ACS-specific abilities (for example, start an ACS instance, display and export ACS logs, and reset an ACS configuration to factory default settings).

Table 1-2 lists the EXEC commands and provides a short description.

Table 1-3 lists the show commands in the EXEC mode and provides a short description.

For detailed information on EXEC commands, see Understanding Command Modes, page 2-7.

EXEC or System-Level Commands

Table 1-2 describes the EXEC mode commands.

Table 1-2 Summary of EXEC Commands

| Command | Description |
|---|---|
| acs start \| stop | Starts or stops an ACS server. |
| acs backup | Performs a backup of an ACS configuration. |
| acs-config | Enters the ACS Configuration mode. |
| acs migration-interface | Enables or disables an interface for ACS migration. |
| acs patch | Installs and removes ACS patches. |
| acs reset-config | Resets the ACS configuration to factory defaults. |
| acs reset-password | Resets the ACS password to the default setting. |
| acs restore | Restores an ACS configuration. |
| acs support | Gathers information for ACS troubleshooting. |
| application install | Installs a specific application bundle. |
| application remove | Removes a specific application. |
| application start | Starts or enables a specific application. |
| application stop | Stops or disables a specific application. |
| application upgrade | Upgrades a specific application bundle. |
| backup | Performs a backup and places the backup in a repository. |
| backup-logs | Performs a backup of all the logs on the ACS server to a remote location. |
| clock | Sets the system clock on the ACS server. |
| configure | Enters the Configuration mode. |
| copy | Copies any file from a source to a destination. |
| debug | Displays any errors or events for various command situations; for example, backup and restore, configuration, copy, resource locking, file transfer, and user management. |
| delete | Deletes a file on the ACS server. |
| dir | Lists files on the ACS server. |
| exit | Exits from the EXEC mode. |
| forceout | Forces the logout of all the sessions of a specific ACS server system user. |
| halt | Disables or shuts down the ACS server. |
| help | Describes the help utility and how to use it on the ACS server. |
| mkdir | Creates a new directory. |
| nslookup | Queries the IPv4 address or hostname of a remote system. |
| ping | Determines the network connectivity to a remote system. |
| reload | Reboots the ACS server. |
| restore | Restores a previous backup. |
| rmdir | Removes an existing directory. |
| show | Provides information about the ACS server. |
| ssh | Starts an encrypted session with a remote system. |
| tech | Provides Technical Assistance Center (TAC) commands. |
| telnet | Telnets to a remote system. |
| terminal length | Sets terminal line parameters. |
| terminal session-timeout | Sets the inactivity timeout for all terminal sessions. |
| terminal session-welcome | Sets the welcome message on the system for all terminal sessions. |
| terminal terminal-type | Specifies the type of terminal connected to the current line of the current session. |
| traceroute | Traces the route of a remote IP address. |
| undebug | Disables the output (display of errors or events) of the debug command for various command situations; for example, backup and restore, configuration, copy, resource locking, file transfer, and user management. |
| write | Copies, displays, or erases the running ACS server information. |


Show Commands

As you work with the ACS server, you will become familiar with the show commands. They are among the most useful commands: you use them to view most of the settings on the ACS server (see Table 1-3).

The commands in this table require the show command to be followed by a keyword; for example, show application. Some show commands require an argument or variable after the keyword to function; for example, show application version.

Table 1-3 Summary of Show Commands

| Command | Description |
|---|---|
| acs-logs | Displays ACS system debug logs. |
| acs-migration-interface | Displays if an interface is disabled or enabled for ACS migration. |
| application (requires keyword) | Displays information about the installed application; for example, status information or version information. |
| backup (requires keyword) | Displays information about the backup. |
| cdp (requires keyword) | Displays information about the enabled Cisco Discovery Protocol (CDP) interfaces. |
| clock | Displays the day, date, time, time zone, and year of the system clock. |
| cpu | Displays CPU information. |
| disks | Displays file-system information of the disks. |
| icmp-status | Displays the Internet Control Message Protocol (ICMP) echo response configuration information. |
| interface | Displays statistics for all the interfaces configured on the ACS server. |
| logging (requires keyword) | Displays ACS server logging information. |
| logins (requires keyword) | Displays ACS server login history. |
| memory | Displays memory usage by all running processes. |
| ntp | Displays the status of the Network Time Protocol (NTP) servers. |
| ports | Displays all the processes listening on the active ports. |
| process | Displays information about the active processes of the ACS server. |
| repository (requires keyword) | Displays the file contents of a specific repository. |
| restore (requires keyword) | Displays ACS server restore history. |
| running-config | Displays the contents of the currently running configuration file on the ACS server. |
| startup-config | Displays the contents of the startup configuration on the ACS server. |
| tech-support | Displays system and configuration information you can provide to the Cisco Technical Assistance Center (TAC) when you report a problem. |
| terminal | Displays information about the terminal configuration parameter settings for the current terminal line. |
| timezone | Displays the current time zone of the ACS server. |
| timezones | Displays all the time zones available for use on the ACS server. |
| udi | Displays information about the CSACS 1120's Unique Device Identifier (UDI). |
| uptime | Displays how long the system you are logged in to has been up and running. |
| users | Displays information about the system users. |
| version | Displays information about the currently loaded software version, along with hardware and device information. |


ACS Configuration Commands

You can use the ACS configuration commands to set the debug log level (enable or disable) for the ACS management and runtime components, and show system settings.

To access the ACS configuration mode, run the acs-config command in EXEC mode.

Table 1-4 lists the ACS Configuration commands and provides a short description.

Table 1-4 Summary of ACS Configuration Commands

| Command | Description |
|---|---|
| debug-adclient | Enables debug logging of Active Directory client. |
| no debug-adclient | Disables debug logging of Active Directory client. |
| debug-log | Enables local debug logging. |
| no debug-log | Disables local debug logging. |
| replication force-sync | Synchronizes configuration information between the primary ACS and a secondary ACS. |
| show debug-adclient | Displays debug logging status for Active Directory client. |
| show debug-log | Displays the local debug logging status for subsystems. |


For detailed information on ACS Configuration mode commands, see Understanding Command Modes, page 2-7.

Configuration Commands

Configuration commands include commands such as interface and repository. To access the Configuration mode, run the configure command in the EXEC mode.

Some of the configuration commands require you to enter the configuration submode to complete the configuration.

Table 1-5 lists the Configuration commands and provides a short description.

Table 1-5 Summary of Configuration Commands

| Command | Description |
|---|---|
| backup-staging-url | Specifies a Network File System (NFS) temporary space or staging area for the remote directory for backup and restore operations. |
| cdp holdtime | Specifies the amount of time the receiving device should hold a CDP packet from the ACS server before discarding it. |
| cdp run | Enables CDP. |
| cdp timer | Specifies how often the ACS server sends CDP updates. |
| clock | Sets the time zone for display purposes. |
| do | Executes an EXEC-level command from the configuration mode or any configuration submode. Note: To initiate, the do command precedes the EXEC command. |
| end | Returns to the EXEC mode. |
| exit | Exits the Configuration mode. |
| hostname | Sets the hostname of the system. |
| icmp echo | Configures the ICMP echo requests. |
| interface | Configures an interface type and enters the interface configuration mode. |
| ip address | Sets the IP address and netmask for the Ethernet interface. Note: This is an interface configuration command. |
| ip default-gateway | Defines or sets a default gateway with an IP address. |
| ip domain-name | Defines a default domain name that the ACS server uses to complete hostnames. |
| ip name-server | Sets the Domain Name Server (DNS) servers for use during a DNS query. |
| kron occurrence | Schedules one or more Command Scheduler commands to run at a specific date and time or a recurring level. |
| kron policy-list | Specifies a name for a Command Scheduler policy. |
| logging | Enables the system to forward logs to a remote system. |
| logging loglevel | Configures the log level for the logging command. |
| no | Disables or removes the function associated with the command. |
| ntp | Synchronizes the software clock through the NTP server for the system. |
| password-policy | Enables and configures the password policy. |
| repository | Enters the repository submode. |
| service | Specifies the type of service to manage. |
| snmp-server community | Sets up the community access string to permit access to the Simple Network Management Protocol (SNMP). |
| snmp-server contact | Configures the SNMP contact MIB value on the system. |
| snmp-server host | Sends SNMP traps to a remote system. |
| snmp-server location | Configures the SNMP location MIB value on the system. |
| username | Adds a user to the system with a password and a privilege level. |


For detailed information on Configuration mode and submode commands, see Understanding Command Modes, page 2-7.