Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x
Overview of the ISE Command-Line Interface
Overview of the Cisco ISE Command-Line Interface


This chapter provides an overview of how to access the Cisco ISE command-line interface (CLI), the different command modes, and the commands that are available in each mode.

You can configure and monitor the Cisco ISE by using the web interface. You can also use the CLI to perform configuration and monitoring tasks that this guide describes.

The following sections describe the Cisco ISE CLI:

Accessing the Cisco ISE Command Environment

User Accounts and Modes in the Cisco ISE CLI

Command Modes in the Cisco ISE CLI

CLI Audit

Accessing the Cisco ISE Command Environment

You can access the Cisco ISE CLI through a Secure Shell (SSH) client or the console port using one of the following machines:

Windows PC running Windows XP/Vista

Apple Computer running Mac OS X 10.4 or later

PC running Linux

For detailed information on accessing the CLI, see Chapter 2, "Using the Cisco ISE Command-Line Interface."

User Accounts and Modes in the Cisco ISE CLI

Two different types of accounts are available on the Cisco ISE CLI:

Admin (administrator)

Operator (user)

When you power up the Cisco ISE appliances for the first time, you are prompted to run the setup utility to configure the appliances. During this setup process, an administrator user account, also known as an Admin account, is created. After you enter the initial configuration information, the appliances automatically reboot and prompt you to enter the username and the password that you specified for the Admin account. You must use this Admin account to log into the Cisco ISE CLI for the first time.

An Admin can create and manage Operator (user) accounts, which have limited privileges and access to the Cisco ISE server. An Admin account also provides the functionality that is needed to use the Cisco ISE CLI.

To create more users (with admin and operator privileges) with SSH access to the Cisco ISE CLI, you must run the username command in the Configuration mode (see Command Modes in the Cisco ISE CLI).

Table 1-1 lists the command privileges for each type of user account: Admin and Operator (user).

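Table 1-1 Command Privileges

| Command | User Account: Admin | User Account: Operator (User) |
|---|---|---|
| application commands | * | |
| backup | * | |
| backup-logs | * | |
| cdp run | * | |
| clock | * | |
| configure terminal | * | |
| copy commands | * | |
| debug | * | |
| delete | * | |
| dir | * | |
| end | * | |
| exit | * | * |
| forceout | * | |
| halt | * | |
| hostname | * | |
| icmp | * | |
| interface | * | |
| ip default-gateway | * | |
| ip domain-name | * | |
| ip name-server | * | |
| ip route | * | |
| kron | * | |
| logging commands | * | |
| mkdir | * | |
| nslookup | * | * |
| ntp | * | |
| ntp server | * | |
| password policy | * | |
| patch | * | |
| patch install | * | |
| patch remove | * | |
| pep | * | |
| ping | * | * |
| ping6 | * | * |
| reload | * | |
| repository | * | |
| restore commands | * | |
| rmdir | * | |
| service | * | |
| show application | * | |
| show backup | * | |
| show cdp | * | * |
| show clock | * | * |
| show cpu | * | * |
| show disks | * | * |
| show icmp_status | * | * |
| show interface | * | * |
| show inventory | * | * |
| show ip route | * | |
| show logging | * | * |
| show logins | * | * |
| show memory | * | * |
| show ntp | * | * |
| show pep | * | * |
| show ports | * | * |
| show process | * | * |
| show repository | * | |
| show restore | * | |
| show running-config | * | |
| show startup-config | * | |
| show tech-support | * | |
| show terminal | * | * |
| show timezone | * | * |
| show timezones | * | |
| show udi | * | * |
| show uptime | * | * |
| show users | * | |
| show version | * | * |
| snmp-server commands | * | |
| ssh | * | * |
| tech | * | |
| telnet | * | * |
| terminal | * | * |
| traceroute | * | * |
| undebug | * | |
| username | * | |
| write | * | |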

Logging into the Cisco ISE node places you in the Operator (user) mode or the Admin (EXEC) mode, which always requires a username and password for authentication.

You can tell which mode you are in by looking at the prompt. A right angle bracket (>) appears at the end of the Operator (user) mode prompt; a pound sign (#) appears at the end of the Admin mode prompt, regardless of the submode.

Command Modes in the Cisco ISE CLI

Cisco ISE supports these command modes:

EXEC—Use the commands in this mode to perform system-level configuration. See EXEC Commands. In addition, refer to the commands in the EXEC mode that generate operational logs as listed in Table 1-6.

Configuration—Use the commands in this mode to perform configuration tasks in the Cisco ISE. See Configuration Commands. In addition, refer to the commands in the configuration mode that generate operational logs as listed in Table 1-5.

EXEC Commands

EXEC commands primarily include system-level commands such as show and reload (for example, application installation, application start and stop, copy files and installations, restore backups, and display information).

Table 1-2 describes the EXEC commands.

Table 1-3 describes the show commands in the EXEC mode.

For detailed information on EXEC commands, see Understanding Command Modes.

EXEC or System-Level Commands

Table 1-2 describes the EXEC mode commands.

Table 1-2 Summary of EXEC Commands

| Command | Description |
|---|---|
| application configure | Configures a specific application. |
| application install | Installs a specific application bundle. |
| application remove | Removes a specific application. |
| application reset-config | Resets the Cisco ISE configuration to factory defaults. |
| application reset-passwd | Resets the application password for a specific user (admin) in the application. |
| application start | Starts or enables a specific application. |
| application stop | Stops or disables a specific application. |
| application upgrade | Upgrades a specific application bundle. |
| backup | Performs a backup and places the backup in a repository. |
| backup-logs | Performs a backup of all the logs on the Cisco ISE to a remote location. |
| clock | Sets the system clock on the Cisco ISE server. |
| configure | Enters the Configuration mode. |
| copy | Copies any file from a source to a destination. |
| debug | Displays any errors or events for various command situations; for example, backup and restore, configuration, copy, resource locking, file transfer, and user management. |
| delete | Deletes a file in the Cisco ISE server. |
| dir | Lists the files in the Cisco ISE server. |
| exit | Disconnects the encrypted session with a remote system. Exits from the current command mode to the previous command mode. |
| forceout | Forces the logout of all the sessions of a specific Cisco ISE server system user. |
| halt | Disables or shuts down the Cisco ISE server. |
| help | Describes the help utility and how to use it in the Cisco ISE server. |
| mkdir | Creates a new directory. |
| nslookup | Queries the IPv4 address or hostname of a remote system. |
| patch | Installs a system or application patch. |
| pep | Configures the Inline Posture node. |
| ping | Determines the IPv4 network connectivity to a remote system. |
| ping6 | Determines the IPv6 network connectivity to a remote system. |
| reload | Reboots the Cisco ISE server. |
| restore | Restores a previous backup. |
| rmdir | Removes an existing directory. |
| show | Provides information about the Cisco ISE server. |
| ssh | Starts an encrypted session with a remote system. |
| tech | Provides Cisco Technical Assistance Center (TAC) commands. |
| telnet | Establishes a Telnet connection to a remote system. |
| terminal length | Sets terminal line parameters. |
| terminal session-timeout | Sets the inactivity timeout for all terminal sessions. |
| terminal session-welcome | Sets the welcome message on the system for all terminal sessions. |
| terminal terminal-type | Specifies the type of terminal connected to the current line of the current session. |
| traceroute | Traces the route of a remote IP address. |
| undebug | Disables the output (display of errors or events) of the debug command for various command situations; for example, backup and restore, configuration, copy, resource locking, file transfer, and user management. |
| write | Erases the startup configuration, which forces the setup utility to run and prompt for the network configuration; copies the running configuration to the startup configuration; and displays the running configuration on the console. |


Show Commands

The show commands are used to display the Cisco ISE settings and are among the most useful commands. See Table 1-3 for a summary of the show commands.

The commands in Table 1-3 require the show command to be followed by a keyword; for example, show application status. Some show commands require an argument or variable after the keyword to function; for example, show application version.

Table 1-3 Summary of show Commands

| Command | Description |
|---|---|
| application (requires keyword) | Displays information about the installed application; for example, status information or version information. |
| backup (requires keyword) | Displays information about the backup. |
| cdp (requires keyword) | Displays information about the enabled Cisco Discovery Protocol interfaces. |
| clock | Displays the day, date, time, time zone, and year of the system clock. |
| cpu | Displays CPU information. |
| disks | Displays file-system information of the disks. |
| icmp-status | Displays the Internet Control Message Protocol (ICMP) echo response configuration information. |
| interface | Displays statistics for all the interfaces configured on the Cisco ISE. |
| inventory | Displays information about the hardware inventory, including the Cisco ISE appliance model and serial number. |
| ip route | Displays information in the IP routing table for a Cisco ISE server. |
| logging (requires keyword) | Displays the Cisco ISE server logging information. |
| logins (requires keyword) | Displays the login history of the Cisco ISE server. |
| memory | Displays memory usage by all running processes. |
| ntp | Displays the status of the Network Time Protocol (NTP) servers. |
| pep | Displays the Inline Posture node information. |
| ports | Displays all the processes listening on the active ports. |
| process | Displays information about the active processes of the Cisco ISE server. |
| repository (requires keyword) | Displays the file contents of a specific repository. |
| restore (requires keyword) | Displays the restore history in the Cisco ISE. |
| running-config | Displays the contents of the configuration file that currently runs in the Cisco ISE. |
| startup-config | Displays the contents of the startup configuration in the Cisco ISE. |
| tech-support | Displays system and configuration information that you can provide to the TAC when you report a problem. |
| terminal | Displays information about the terminal configuration parameter settings for the current terminal line. |
| timezone | Displays the current time zone in the Cisco ISE. |
| timezones | Displays all the time zones available for use in the Cisco ISE. |
| udi | Displays information about the unique device identifier (UDI) of the Cisco ISE. |
| uptime | Displays how long the system you are logged in to has been up and running. |
| users | Displays information about the system users. |
| version | Displays information about the currently loaded software version, along with hardware and device information. |


Configuration Commands

Configuration commands include interface and repository. To access the Configuration mode, run the configure command in the EXEC mode.

Some of the configuration commands require that you enter the configuration submode to complete the configuration.

Table 1-4 describes the configuration commands.

Table 1-4 Summary of Configuration Commands

| Command | Description |
|---|---|
| backup-staging-url | Specifies a Network File System (NFS) temporary space or staging area for the remote directory for backup and restore operations. |
| cdp holdtime | Specifies the amount of time the receiving device should hold a Cisco Discovery Protocol packet from the Cisco ISE server before discarding it. |
| cdp run | Enables Cisco Discovery Protocol. |
| cdp timer | Specifies how often the Cisco ISE server sends Cisco Discovery Protocol updates. |
| clock timezone | Sets the time zone for display purposes. |
| do | Executes an EXEC-level command from the configuration mode or any configuration submode. Note: To initiate, the do command precedes the EXEC command. |
| end | Returns to the EXEC mode. |
| exit | Exits the Configuration mode. |
| hostname | Sets the hostname of the system. |
| icmp echo | Configures the ICMP echo requests. |
| interface | Configures an interface type and enters the interface configuration mode. |
| ipv6 address autoconfig | Enables IPv6 stateless autoconfiguration in the interface configuration mode. |
| ipv6 address dhcp | Enables IPv6 address DHCP in the interface configuration mode. |
| ip address | Sets the IP address and netmask for the Ethernet interface. Note: This is an interface configuration command. |
| ip default-gateway | Defines or sets a default gateway with an IP address. |
| ip domain-name | Defines a default domain name that a Cisco ISE server uses to complete hostnames. |
| ip name-server | Sets the Domain Name System (DNS) servers for use during a DNS query. |
| ip route | Configures an IP route for an IP address. |
| kron occurrence | Schedules one or more Command Scheduler commands to run at a specific date and time or a recurring level. |
| kron policy-list | Specifies a name for a Command Scheduler policy. |
| logging | Enables the system to forward logs to a remote system. |
| logging loglevel | Configures the log level for the logging command. |
| no | Disables or removes the function associated with the command. |
| ntp | Synchronizes the software clock through the NTP server for the system. |
| ntp authenticate | Enables authentication of all time sources. |
| ntp authentication-key | Adds Message Digest 5 (MD5)-type authentication keys for trusted time sources. |
| ntp server | Specifies an NTP server to use. |
| ntp trusted-key | Specifies the key numbers for trusted time sources. |
| password-policy | Enables and configures the password policy. |
| repository | Enters the repository submode. |
| service | Specifies the type of service to manage. |
| snmp-server community | Sets up the community access string to permit access to the Simple Network Management Protocol (SNMP). |
| snmp-server contact | Configures the SNMP contact Management Information Base (MIB) value on the system. |
| snmp-server host | Sends SNMP traps to a remote system. |
| snmp-server location | Configures the SNMP location MIB value on the system. |
| username | Adds a user to the system with a password and a privilege level. |


For detailed information on Configuration mode and submode commands, see Understanding Command Modes.

CLI Audit

You must have administrator access to execute the Cisco ISE configuration commands. Whenever an administrator logs in to the configuration mode and executes a command that causes configuration changes in the Cisco ISE server, the information related to those changes is logged in the Cisco ISE operational logs.

Table 1-5 describes the Configuration mode commands that generate operational logs.

Table 1-5 Configuration Mode Commands for the Operation Log

| Command | Description |
|---|---|
| clock | Sets the system clock on the Cisco ISE server. |
| ip name-server | Sets the DNS servers for use during a DNS query. |
| hostname | Sets the hostname of the system. |
| ip address | Sets the IP address and netmask for the Ethernet interface. |
| ntp server | Allows synchronization of the software clock by the NTP server for the system. |


In addition to the configuration mode commands, some commands in the EXEC mode generate operational logs.

Table 1-6 describes the EXEC mode commands that generate operational logs.

Table 1-6 EXEC Mode Commands for the Operation Log

| Command | Description |
|---|---|
| backup | Performs a backup (Cisco ISE and Cisco ADE OS) and places the backup in a repository. |
| restore | Restores from backup the file contents of a specific repository. |
| backup-logs | Backs up system logs. |
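
The following Python example is added here and is not part of Cisco's guide. It replays a list of typed commands, tracks EXEC versus Configuration mode, and reports which commands Tables 1-5 and 1-6 list as generating operational logs; anything else is a candidate for a compensating control such as session recording on the management host. The function names and the sample session (hostname, addresses, user and repository names) are constructed for illustration, and the tables are followed literally.

```python
# Added example (not Cisco code): replay typed ISE CLI commands and report
# which ones Tables 1-5 and 1-6 of this chapter list as writing operational logs.
CONFIG_LOGGED = ("clock", "ip name-server", "hostname", "ip address", "ntp server")  # Table 1-5
EXEC_LOGGED = ("backup", "restore", "backup-logs")  # Table 1-6
SUBMODE_ENTRY = ("interface", "repository")  # Table 1-4: these enter a submode
IGNORED = ("show", "configure", "end", "exit")  # display and navigation only

def _starts_with(cmd, prefixes):
    """Whole-word prefix match, so 'backup' does not match 'backup-staging-url'."""
    words = cmd.split()
    return any(words[:len(p.split())] == p.split() for p in prefixes)

def audit_coverage(commands):
    """Return (mode, command, logged) for each non-display command typed.
    'no ...' forms are not in the tables, so they count as not logged (assumption)."""
    depth, report = 0, []  # depth 0 = EXEC, 1 = Configuration, 2 = submode
    for raw in commands:
        cmd = " ".join(raw.split())
        if not cmd:
            continue
        mode, effective = ("exec" if depth == 0 else "config"), cmd
        if depth > 0 and _starts_with(cmd, ("do",)):
            mode, effective = "exec", cmd[3:]  # 'do' runs an EXEC command
        if not _starts_with(effective, IGNORED):
            table = EXEC_LOGGED if mode == "exec" else CONFIG_LOGGED
            report.append((mode, cmd, _starts_with(effective, table)))
        # Follow mode changes as Tables 1-2 and 1-4 describe them.
        if depth == 0 and _starts_with(cmd, ("configure",)):
            depth = 1
        elif depth == 1 and _starts_with(cmd, SUBMODE_ENTRY):
            depth = 2
        elif depth > 0 and cmd == "end":
            depth = 0
        elif depth > 0 and cmd == "exit":
            depth -= 1
    return report

def unlogged(commands):
    """Commands the tables do not list as generating an operational log entry."""
    return [cmd for _, cmd, logged in audit_coverage(commands) if not logged]

# Constructed sample session (names and addresses are made up).
SAMPLE = ["show running-config", "configure terminal", "hostname ise-lab-01",
          "username auditor password plain Example123 role user",
          "interface GigabitEthernet 0", "ip address 192.0.2.10 255.255.255.0",
          "exit", "do backup nightly repository lab-repo",
          "snmp-server community example ro", "end", "clock set Jan 1 00:00:00 2030"]
```

Calling `unlogged(SAMPLE)` returns the account creation, the SNMP community change, the interface entry and the EXEC-mode clock change, none of which appear in Table 1-5 or Table 1-6.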