CLI Reference Guide for Cisco Secure Access Control System 5.3
Overview of the ACS Command Line Interface


Table Of Contents

Overview of the ACS Command Line Interface

Accessing the ACS Command Environment

User Accounts and Modes in ACS

Types of Command Modes in ACS

EXEC Commands

EXEC or System-Level Commands

Show Commands

ACS Configuration Commands

Configuration Commands

CLI Audit


Overview of the ACS Command Line Interface


Cisco Secure Access Control System (ACS) 5.3 uses the CSACS-1121 appliance running the Cisco Application Deployment Engine (ADE) OS 1.2. This chapter provides an overview of how to access the ACS command-line interface (CLI), the different command modes, and the commands that are available in each mode.

You can configure and monitor ACS 5.3 through the web interface. You can also use the CLI to perform the configuration and monitoring tasks that this guide describes.

The following sections describe the ACS CLI:

Accessing the ACS Command Environment

User Accounts and Modes in ACS

Types of Command Modes in ACS

CLI Audit

Accessing the ACS Command Environment

You can access the ACS CLI through a secure shell (SSH) client or the console port using one of the following machines:

Windows PC running Windows XP/Vista.

Apple Computer running Mac OS X 10.4 or later.

PC running Linux.

For detailed information on accessing the CLI, see Chapter 2 "Using the ACS Command Line Interface."

User Accounts and Modes in ACS

Two different types of accounts are available on the ACS server:

Admin (administrator)

Operator (user)

When you power up the CSACS-1121 appliance for the first time, you are prompted to run the setup utility to configure the appliance. During this setup process, an administrator user account, also known as an Admin account, is created.

After you enter the initial configuration information, the appliance automatically reboots and prompts you to enter the username and the password that you specified for the Admin account. It is this Admin account that you must use to log in to the ACS CLI for the first time.

An Admin can create and manage Operator (user) accounts, which have limited privileges on the ACS server (see Table 1-1); the Admin account itself provides all the functionality that the ACS CLI offers.

To create more users (with admin or operator privileges) who can reach the ACS CLI over SSH, run the username command in Configuration mode (see Types of Command Modes in ACS).

Table 1-1 lists the command privileges for each type of user account: Admin and Operator (user).

Table 1-1 Command Privileges (Yes = the account type can run the command)

Command                                   Admin   Operator (User)
----------------------------------------  ------  ---------------
access-setting accept-all                 Yes     No
acs commands                              Yes     No
acs config-web-interface                  Yes     No
acs-config                                Yes     No
application commands                      Yes     No
backup                                    Yes     No
backup-logs                               Yes     No
cdp run                                   Yes     No
clock                                     Yes     No
configure terminal                        Yes     No
copy commands                             Yes     No
debug                                     Yes     No
debug-adclient                            Yes     No
debug-log                                 Yes     No
delete                                    Yes     No
dir                                       Yes     No
end                                       Yes     No
exit                                      Yes     Yes
export-data                               Yes     No
forceout                                  Yes     No
halt                                      Yes     No
hostname                                  Yes     No
icmp                                      Yes     No
import-data                               Yes     No
import-export-abort                       Yes     No
import-export-status                      Yes     No
interface                                 Yes     No
ip default-gateway                        Yes     No
ip domain-name                            Yes     No
ip name-server                            Yes     No
ip route                                  Yes     No
kron                                      Yes     No
logging commands                          Yes     No
mkdir                                     Yes     No
nslookup                                  Yes     Yes
ntp server                                Yes     No
password policy                           Yes     No
patch                                     Yes     No
ping                                      Yes     Yes
reload                                    Yes     No
replication                               Yes     No
repository                                Yes     No
reset-management-interface-certificate    Yes     No
restore commands                          Yes     No
rmdir                                     Yes     No
service                                   Yes     No
show acs-cores                            Yes     Yes
show acs-logs                             Yes     Yes
show acs-config-web-interface             Yes     Yes
show application                          Yes     No
show backup                               Yes     No
show cdp                                  Yes     Yes
show clock                                Yes     Yes
show cpu                                  Yes     Yes
show debug-adclient                       Yes     No
show debug-log                            Yes     No
show disks                                Yes     Yes
show icmp_status                          Yes     Yes
show interface                            Yes     Yes
show inventory                            Yes     Yes
show ip route                             Yes     No
show logging                              Yes     Yes
show logins                               Yes     Yes
show memory                               Yes     Yes
show ntp                                  Yes     Yes
show ports                                Yes     Yes
show process                              Yes     Yes
show repository                           Yes     No
show restore                              Yes     No
show running-configuration                Yes     No
show startup-configuration                Yes     No
show tac                                  Yes     No
show tech-support                         Yes     No
show terminal                             Yes     Yes
show timezone                             Yes     Yes
show timezones                            Yes     No
show udi                                  Yes     Yes
show uptime                               Yes     Yes
show users                                Yes     No
show version                              Yes     Yes
snmp-server commands                      Yes     No
ssh                                       Yes     Yes
tech                                      Yes     No
telnet                                    Yes     Yes
terminal                                  Yes     Yes
traceroute                                Yes     Yes
undebug                                   Yes     No
username                                  Yes     No
write                                     Yes     No


When you log into the ACS server, it places you in the Operator (user) mode or the Admin (EXEC) mode. Typically, logging in requires a username and password.

You can always tell when you are in the Operator (user) mode or Admin (EXEC) mode by looking at the prompt. A right angle bracket (>) appears at the end of the Operator (user) mode prompt; a pound sign (#) appears at the end of the Admin mode prompt, regardless of the submode.

The ACS configuration mode requires a specific, authorized user role to execute each ACS configuration command; see ACS Configuration Commands.
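The account model described above, shown as an added example session that is not from the Cisco guide: an Admin creates an Operator account with the username command in Configuration mode, sets an idle timeout, saves the configuration, and a second login as that Operator shows the prompt and privilege differences from Table 1-1. The hostname acs, the account name netops, the passwords and every output line are constructed; the command keywords (configure terminal, username ... password plain ... role user, do, terminal session-timeout, write memory) are the ADE-OS ones listed in Tables 1-2 and 1-5 and should be confirmed with ? on the appliance.

```text
! Admin (EXEC) mode: the prompt ends in '#'.
acs/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
! Create an Operator (role user) instead of a second Admin: Table 1-1
! limits it to show and diagnostic commands, which is all a monitoring
! user needs. The password here is a constructed placeholder.
acs/admin(config)# username netops password plain S3cure-Pass-2024! role user
! "do" runs an EXEC command without leaving Configuration mode.
acs/admin(config)# do show users
(output omitted: constructed session)
acs/admin(config)# end
! Idle CLI sessions of either account type are closed after 15 minutes.
acs/admin# terminal session-timeout 15
! Save running-config to startup-config so the account survives a reload.
acs/admin# write memory
acs/admin# exit

! Operator session over SSH: the prompt ends in '>'.
acs/netops> show version
(output omitted)
acs/netops> show logins
(output omitted)
! configure terminal is Admin-only (Table 1-1), so the Operator cannot
! enter Configuration mode.
acs/netops> configure terminal
(command rejected; error text omitted)
```

Because the username command takes the password as plain on the command line, create accounts from a console or SSH session rather than from a scripted transcript that might be logged, and check show users afterwards to confirm the role that was actually assigned.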

Types of Command Modes in ACS

ACS supports these command modes:

EXEC—Use the commands in this mode to perform system-level configuration. In addition, certain EXEC mode commands have ACS-specific abilities. See EXEC Commands.

ACS configuration—Use the commands in this mode to import or export configuration data, synchronize configuration information between the primary and secondary ACS, reset IP address filtering and the management interface certificate, set debug logging levels, and show the logging status.

This mode requires an administrator user account to log in and perform the ACS configuration-related commands. See ACS Configuration Commands.

Configuration—Use the commands in this mode to perform additional configuration tasks in ACS. See Configuration Commands.

EXEC Commands

EXEC commands primarily include system-level commands such as show and reload (for example, application installation, application start and stop, file copying, installation, restoring backups, and displaying information).

In addition, certain EXEC-mode commands have ACS-specific abilities (for example, starting an ACS instance, displaying and exporting ACS logs, and resetting an ACS configuration to factory default settings).

Table 1-2 lists the EXEC commands and provides a short description of each.

Table 1-3 lists the show commands in the EXEC mode and provides a short description of each.

For detailed information on EXEC commands, see Understanding Command Modes.

EXEC or System-Level Commands

Table 1-2 describes the EXEC mode commands.

Table 1-2 Summary of EXEC Commands 

Command
Description
acs start | stop

Starts or stops an ACS server.

acs start | stop process

Starts or stops a process in ACS.

acs backup

Performs a backup of an ACS configuration.

acs-config

Enters the ACS Configuration mode.

acs delete core

Deletes an ACS run-time core file or JVM core log.

acs delete log

Deletes an ACS run-time core file or JVM core log excluding the latest log.

acs config-web-interface

Enables or disables an interface for ACS configuration web.

acs patch

Installs and removes ACS patches.

acs reset-config

Resets the ACS configuration to factory defaults.

acs reset-password

Resets the 'acsadmin' administrator password to the default setting.

acs restore

Restores an ACS configuration.

acs support

Gathers information for ACS troubleshooting.

acs zeroize-machine

Starts zeroization: deletes key material and other sensitive files and wipes running memory and swap.

application install

Installs a specific application bundle.

application remove

Removes a specific application.

application reset-config

Resets an ACS configuration to factory defaults.

application start

Starts or enables a specific application.

application stop

Stops or disables a specific application.

application upgrade

Upgrades a specific application bundle.

backup

Performs a backup and places the backup in a repository.

backup-logs

Performs a backup of all the logs on ACS to a remote location.

clock

Sets the system clock on the ACS server.

configure

Enters the Configuration mode.

copy

Copies any file from a source to a destination.

debug

Displays any errors or events for various command situations; for example, backup and restore, configuration, copy, resource locking, file transfer, and user management.

delete

Deletes a file in the ACS server.

dir

Lists the files in the ACS server.

exit

Exits from the EXEC mode.

forceout

Forces the logout of all the sessions of a specific ACS server system user.

halt

Disables or shuts down the ACS server.

help

Describes the help utility and how to use it in the ACS server.

mkdir

Creates a new directory.

nslookup

Queries the IPv4 address or hostname of a remote system.

ping

Determines the network connectivity to a remote system.

reload

Reboots the ACS server.

restore

Restores a previous backup.

rmdir

Removes an existing directory.

show

Provides information about the ACS server.

ssh

Starts an encrypted session with a remote system.

tech

Provides Technical Assistance Center (TAC) commands.

telnet

Telnets to a remote system.

terminal length

Sets terminal line parameters.

terminal session-timeout

Sets the inactivity timeout for all terminal sessions.

terminal session-welcome

Sets the welcome message on the system for all terminal sessions.

terminal terminal-type

Specifies the type of terminal connected to the current line of the current session.

traceroute

Traces the route of a remote IP address.

undebug

Disables the output (display of errors or events) of the debug command for various command situations. For example, backup and restore, configuration, copy, resource locking, file transfer, and user management.

write

Copies, displays, or erases the running ACS server information.


Show Commands

The show commands are used to view the ACS settings and are among the most useful commands. See Table 1-3 for a summary of the show commands.

The commands in Table 1-3 require the show command to be followed by a keyword; for example, show application. Some show commands require an argument or variable after the keyword to function; for example, show application version.

Table 1-3 Summary of Show Commands 

Command
Description
acs-cores

Displays ACS run-time core files and JVM core logs.

acs-logs

Displays ACS server debug logs.

acs config-web-interface

Indicates whether an interface is disabled or enabled for ACS configuration web.

application
(requires keyword)

Displays information about the installed application. For example, status information or version information.

backup
(requires keyword)

Displays information about the backup.

cdp
(requires keyword)

Displays information about the enabled Cisco Discovery Protocol (CDP) interfaces.

clock

Displays the day, date, time, time zone, and year of the system clock.

cpu

Displays CPU information.

disks

Displays file-system information of the disks.

icmp-status

Displays the Internet Control Message Protocol (ICMP) echo response configuration information.

interface

Displays statistics for all the interfaces configured on ACS.

inventory

Displays information about the hardware inventory, including the ACS appliance model and serial number.

logging
(requires keyword)

Displays ACS server logging information.

logins
(requires keyword)

Displays the login history of an ACS server.

memory

Displays memory usage by all running processes.

ntp

Displays the status of the Network Time Protocol (NTP) servers.

ports

Displays all the processes listening on the active ports.

process

Displays information about the active processes of the ACS server.

repository
(requires keyword)

Displays the file contents of a specific repository.

restore
(requires keyword)

Displays the restore history in ACS.

running-config

Displays the contents of the configuration file that currently runs in ACS.

startup-config

Displays the contents of the startup configuration in ACS.

tech-support

Displays system and configuration information that you can provide to the Cisco Technical Assistance Center (TAC) when you report a problem.

terminal

Displays information about the terminal configuration parameter settings for the current terminal line.

timezone

Displays the current time zone in ACS.

timezones

Displays all the time zones available for use in ACS.

udi

Displays information about the CSACS-1121's Unique Device Identifier (UDI).

uptime

Displays how long the system you are logged in to has been up and running.

users

Displays information about the system users.

version

Displays information about the currently loaded software version, along with hardware and device information.

ip route

Displays information for specific IP addresses, network masks or protocols.


ACS Configuration Commands

Use ACS configuration commands to set the debug log level for the ACS management and runtime components, show system settings, reset server certificate and IP address access list, and manage import and export processes.

The ACS configuration mode requires a specific, authorized user role to execute each ACS configuration command. These commands are briefly described in Table 1-4. For detailed information on roles in ACS 5.3, refer to the User Guide for the Cisco Secure Access Control System 5.3.

To access the ACS configuration mode, run the acs-config command in EXEC mode.

Table 1-4 lists the ACS Configuration commands and provides a short description of each.

Table 1-4 Summary of ACS Configuration Commands 

Command
Description
Required User Role
access-setting accept-all

Resets IP address filtering to allow all IP addresses to access the management pages of an ACS server.

Only the super admin can run this command on a primary ACS node.

acsview-db-compress

Compresses the ACS view database by rebuilding each table in the database and releasing the unused space. As a result, the physical size of the database is reduced.

Any authorized user, irrespective of role, can run this command.

acsview merge-from-supportbundle

Merges the ACS view database with the specified support bundle data.

Only the super admin or system admin can run this command.

acsview rebuild-database

Rebuilds the ACS view database and keeps the log data only for the specified number of days.

Only the super admin or system admin can run this command.

acsview replace-clean-activesessionsdb

Removes the active session information from the ACS view database, leaving a fresh database.

Only the super admin or system admin can run this command.

acsview replace-cleandb

Removes all data from the ACS view database, leaving a fresh view database.

Only the super admin or system admin can run this command.

acsview show-dbsize

Displays the physical and actual size of the ACS view database and the transaction log files.

Only the super admin or system admin can run this command.

acsview truncate-log

Truncates the ACS view database transaction logs.

Only the super admin or system admin can run this command.

ad-agent-configuration

Adds the specified parameter to the end of the Centrify configuration file if the parameter is not already present.

Note The parameter values are not validated.

Any authorized user, irrespective of role, can run this command.

ad-agent-reset-configuration

Resets the configuration of the ad agent.

Any authorized user, irrespective of role, can run this command.

debug-adclient

Enables debug logging of an Active Directory client.

Only the network-device admin can run this command.

debug-log

Defines the local debug logging level for the ACS components.

Any authorized user, irrespective of role, can run this command.

export-data

Exports configuration data from an ACS local store to a remote repository.

Only users who have Read permission to a specific configuration object in the GUI can export that particular configuration data to a remote repository.

import-data

Imports configuration data from a remote repository to an ACS local store.

Only users who have Create, Read, Update, and Delete (CRUD) permissions to a specific configuration object in the GUI can import that particular configuration data to an ACS local store.

import-export-abort

Aborts specific (or all) import and export processes.

Only the super admin can simultaneously abort a running process and all pending import and export processes.

However, a user who owns a particular import or export process can terminate that particular process by using the process ID, or by stopping the process when it is in progress.

import-export-status

Displays the status of the import and export processes.

Any authorized user, irrespective of their role, can run this command.

no ad-agent-configuration

Comments out the lines that contain the <parameter-name> in the Centrify configuration file.

Any authorized user, irrespective of their role, can run this command.

no debug-adclient

Disables debug logging of an Active Directory client.

Only the network-device admin can run this command.

no debug-log

Restores the default local debug logging level of the ACS components.

Any authorized user, irrespective of their role, can run this command.

replication force-sync

Synchronizes configuration information between the primary and secondary ACS.

Only the super admin or system admin can run this command on a secondary ACS node.

replication status

Shows the replication status of the ACS database.

Only the super admin or system admin can run this command.

reset-management-interface-certificate

Resets the management interface certificate to the default self-signed certificate.

Only the super admin or system admin can run this command.

show ad-agent-configuration

Prints the lines that contain the <parameter-name> in the Centrify configuration file.

Any authorized user, irrespective of their role, can run this command.

show debug-adclient

Displays debug logging status for an Active Directory client.

Any authorized user, irrespective of their role, can run this command.

show debug-log

Displays the local debug logging status for subsystems.

Any authorized user, irrespective of their role, can run this command.

database-compress

Reduces the ACS database size by removing unused disk space from within ACS database file.

Any authorized user, irrespective of their role, can run this command.


For detailed information on ACS Configuration mode commands, see Understanding Command Modes.

Configuration Commands

Configuration commands include interface and repository. To access the Configuration mode, run the configure command in the EXEC mode.

Some configuration commands require you to enter a configuration submode to complete the configuration.

Table 1-5 lists the configuration commands and provides a short description of each.

Table 1-5 Summary of Configuration Commands 

Command
Description
backup-staging-url

Specifies a Network File System (NFS) temporary space or staging area for the remote directory for backup and restore operations.

cdp holdtime

Specifies the amount of time the receiving device should hold a CDP packet from the ACS server before discarding it.

cdp run

Enables CDP.

cdp timer

Specifies how often the ACS server sends CDP updates.

clock

Sets the time zone for display purposes.

do

Executes an EXEC-level command from the configuration mode or any configuration submode.

To initiate, the do command precedes the EXEC command.

end

Returns to the EXEC mode.

exit

Exits the Configuration mode.

host-key-sync

Generates the RSA host keys between the SFTP host and the ACS machine when you configure an SFTP repository.

hostname

Sets the hostname of the system.

Note If you use an Active Directory identity store and deploy multiple ACS instances whose hostnames share a prefix, use a hostname of at most 15 characters (the NetBIOS computer-name limit); longer names can break AD functionality.

icmp echo

Configures the ICMP echo requests.

interface

Configures an interface type and enters the interface configuration mode.

ip address

Sets the IP address and netmask for the Ethernet interface.

This is an interface configuration command.

ip default-gateway

Defines or sets a default gateway with an IP address.

ip domain-name

Defines a default domain name that an ACS server uses to complete hostnames.

ip name-server

Sets the Domain Name System (DNS) servers for use during a DNS query.

kron occurrence

Schedules one or more Command Scheduler commands to run at a specific date and time, or on a recurring basis.

kron policy-list

Specifies a name for a Command Scheduler policy.

logging

Enables the system to forward logs to a remote system.

logging loglevel

Configures the log level for the logging command.

no

Disables or removes the function associated with the command.

ntp

Synchronizes the software clock through the NTP server for the system.

password-policy

Enables and configures the password policy.

repository

Enters the repository submode.

service

Specifies the type of service to manage.

snmp-server community

Sets up the community access string to permit access to the Simple Network Management Protocol (SNMP).

snmp-server contact

Configures the SNMP contact MIB value on the system.

snmp-server host

Sends SNMP traps to a remote system.

snmp-server location

Configures the SNMP location MIB value on the system.

username

Adds a user to the system with a password and a privilege level.



Note Changes made to the Centrify configuration file are not replicated between instances; you must make them on each ACS instance.


For detailed information on Configuration mode and submode commands, see Understanding Command Modes.

CLI Audit

You must have administrator access to execute ACS configuration commands. Whenever an administrator logs in to the configuration mode and executes a command that changes the configuration of the ACS server, the information related to those changes is logged in the ACS operational logs.

Table 1-6 lists the configuration mode commands that, when executed, generate operational logs.

Table 1-6 Configuration Mode Commands for the Operation Log 

Command
Description
clock

Sets the system clock on the ACS server.

ip name-server

Sets the DNS servers for use during a DNS query.

hostname

Sets the hostname of the system.

ip address

Sets the IP address and netmask for the Ethernet interface.

ntp server

Allows synchronization of the software clock by the NTP server for the system.


You can view these logs, using the show acs-logs command. For more information on log file types and the information stored in each log file, see show acs-logs.
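A Configuration-mode session, as an added example that is not from the Cisco guide, serving both the Configuration Commands section above and this CLI Audit section: it sets the basic ADE-OS settings from Table 1-5 and saves them, and of the commands typed, hostname, ip name-server and ntp server are the ones Table 1-6 says are written to the operational log, which is why the session ends by reviewing that log with show acs-logs. The hostname, IP addresses, domain, repository name, credentials and SNMP community string are all constructed placeholders; the command keywords and the (config-Repository) submode prompt are the ADE-OS ones and should be confirmed with ? on the appliance.

```text
acs/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
! hostname: keep it to 15 characters or fewer when an AD identity store
! is in use (see the note under hostname in Table 1-5). The prompt
! changes as soon as the new name is set.
acs/admin(config)# hostname acs-dc1-01
! Audited by Table 1-6: name servers and NTP. Use an internal, trusted
! time source; AD authentication and certificate validation both depend
! on the appliance clock being correct.
acs-dc1-01/admin(config)# ip name-server 10.0.0.53 10.0.0.54
acs-dc1-01/admin(config)# ip domain-name corp.example.com
acs-dc1-01/admin(config)# ntp server 10.0.0.123
acs-dc1-01/admin(config)# clock timezone UTC
! Forward ADE-OS logs off-box so that a compromised or wiped appliance
! cannot erase its own trail; level 6 is informational.
acs-dc1-01/admin(config)# logging 10.0.0.200
acs-dc1-01/admin(config)# logging loglevel 6
! SNMP v1/v2c community strings travel in clear text, so never keep the
! default "public"; grant read-only (ro) access with a unique string.
acs-dc1-01/admin(config)# snmp-server community Zp8-readonly-7qL ro
! SFTP repository for backup and restore: SFTP protects both the
! credentials and the backup contents in transit, which ftp:// and
! tftp:// repositories do not.
acs-dc1-01/admin(config)# repository backups
acs-dc1-01/admin(config-Repository)# url sftp://10.0.0.50/acs-backups
acs-dc1-01/admin(config-Repository)# user backupsvc password plain B4ckup-Svc-2024!
acs-dc1-01/admin(config-Repository)# exit
acs-dc1-01/admin(config)# end
acs-dc1-01/admin# write memory
! Verify what was saved, then confirm the audited changes (hostname,
! ip name-server, ntp server) appear in the operational log.
acs-dc1-01/admin# show running-config
(output omitted)
acs-dc1-01/admin# show acs-logs
(output omitted)
```

A backup written to the repository contains the ACS configuration, including credentials, so the SFTP account used here should have write access only to that directory, and the operational log entries produced by this session belong with the syslog forwarded off-box rather than only on the appliance itself.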

In addition to the configuration mode commands, some commands in the EXEC and ACS Configuration modes generate operational logs, as listed in Table 1-7 and Table 1-8:

Table 1-7 EXEC Mode Commands for the Operation Log 

Command
Description
acs (Instance)

Starts or stops an ACS instance.

acs (Process)

Starts or stops an ACS process.

backup

Performs a backup (ACS and ADE OS) and places the backup in a repository. If ACS View is installed, its data is also backed up.

restore

Restores a backup file from a specific repository.

acs backup

Performs a backup of an ACS configuration.

acs restore

Performs a restoration of an ACS configuration.

acs reset-config

Resets the ACS configuration to factory defaults.

acs delete core

Deletes an ACS run-time core file or JVM core log.

acs delete log

Deletes an ACS run-time core file or JVM core log excluding the latest log.

backup-logs

Backs up system logs.

acs patch

Installs and removes ACS patches.

acs support

Gathers information for ACS troubleshooting.


Table 1-8 ACS Configuration Mode Commands for the Operation Log 

Command
Description
access-setting accept-all

Resets the IP address filtering to allow all IP addresses to access the management pages of an ACS server.

debug-adclient

Enables debug logging of an Active Directory client.

debug-log

Defines the local debug logging level for the ACS components.

export-data

Exports configuration data from an ACS local store to a remote repository.

import-data

Imports configuration data from a remote repository to an ACS local store.

import-export-abort

Aborts specific (or all) import and export processes.

reset-management-interface-certificate

Resets the management interface certificate to the default self-signed certificate.

replication

Synchronizes configuration information between the primary and secondary ACS.