Cisco Identity Services Engine CLI Reference Guide, Release 1.2
Overview of the ISE Command-Line Interface

Overview of the Cisco ISE CLI

This chapter contains the following sections:

  • User Accounts in the Cisco ISE CLI
  • Command Modes in the Cisco ISE CLI
  • Understanding Command Modes (EXEC Mode, Configuration Mode, Configuration Submodes)
  • EXEC Commands
  • Show Commands
  • Configuration Commands
  • CLI Audit

User Accounts in the Cisco ISE CLI

There are two types of Cisco ISE CLI user accounts:

  • admin (administrator)—an administrator user account that creates and manages other user accounts as well as configures functions in the Cisco ISE CLI.
  • operator (user)—a user account with limited privileges and access to the Cisco ISE server.

When you power up Cisco ISE appliances for the first time, you are prompted to run the setup utility to configure them. During this setup process, an admin account is created. After you enter the initial configuration information, the appliances automatically reboot and prompt you to enter the username and the password that you specified for the admin account. You must use this admin account to log in to the Cisco ISE CLI for the first time.

To create additional admin and operator user accounts and access the Cisco ISE CLI using SSH, you enter the username command in configuration mode (see the username command).

You can tell which mode you are in by looking at the prompt. Logging in to the Cisco ISE node places you in the admin (EXEC) mode or the Operator (user) mode, which always requires a username and password for authentication. A pound sign (#) appears at the end of the prompt for an admin account and a right angle bracket (>) appears at the end of the prompt for an Operator account, regardless of the submode.

 

Table 1-1 Cisco ISE CLI User Account Command Privileges

Command                     Command Mode           Admin   Operator
application                 EXEC                   *
backup                      EXEC                   *
backup-logs                 EXEC                   *
cdp run                     Configuration          *
clock                       EXEC, Configuration    *
conn-limit                  Configuration          *
configure terminal          EXEC                   *
copy                        EXEC                   *
crypto                      EXEC                   *
debug                       EXEC                   *
delete                      EXEC                   *
dir                         EXEC                   *
end                         Configuration          *
exit                        EXEC                   *       *
forceout                    EXEC                   *
halt                        EXEC                   *
hostname                    Configuration          *
icmp                        Configuration          *
interface                   Configuration          *
ip default-gateway          Configuration          *
ip domain-name              Configuration          *
ip host                     Configuration          *
ip name-server              Configuration          *
ip route                    Configuration          *
kron                        Configuration          *
logging                     Configuration          *
max-ssh-sessions            Configuration          *
mkdir                       EXEC                   *
nslookup                    EXEC                   *       *
ntp                         Configuration          *
ntp server                  Configuration          *
password                    EXEC                   *
password policy             Configuration          *
patch                       EXEC                   *
patch install               EXEC                   *
patch remove                EXEC                   *
pep (Inline Posture node)   EXEC                   *
ping                        EXEC                   *
ping6                       EXEC                   *       *
reload                      EXEC                   *
rate-limit                  Configuration          *
repository                  Configuration          *
restore                     EXEC                   *
rmdir                       EXEC                   *
service                     Configuration          *
show application            EXEC                   *
show backup                 EXEC                   *
show cdp                    EXEC                   *       *
show clock                  EXEC                   *       *
show cpu                    EXEC                   *       *
show disks                  EXEC                   *       *
show icmp_status            EXEC                   *       *
show interface              EXEC                   *       *
show inventory              EXEC                   *       *
show ip route               EXEC                   *
show logging                EXEC                   *
show logins                 EXEC                   *       *
show memory                 EXEC                   *       *
show ntp                    EXEC                   *       *
show pep                    EXEC                   *       *
show ports                  EXEC                   *       *
show process                EXEC                   *       *
show repository             EXEC                   *
show restore                EXEC                   *
show running-config         EXEC                   *
show startup-config         EXEC                   *
show tech-support           EXEC                   *
show terminal               EXEC                   *       *
show timezone               EXEC                   *       *
show timezones              EXEC                   *
show udi                    EXEC                   *       *
show uptime                 EXEC                   *       *
show users                  EXEC                   *
show version                EXEC                   *       *
snmp-server                 Configuration          *
ssh                         EXEC                   *       *
tech                        EXEC                   *
telnet                      EXEC                   *       *
terminal                    EXEC                   *       *
traceroute                  EXEC                   *       *
undebug                     EXEC                   *
username                    Configuration          *
write                       EXEC                   *

Command Modes in the Cisco ISE CLI

The Cisco ISE CLI supports the following command modes:

  • EXEC—Use commands in EXEC mode to perform system-level configuration and generate operational logs. See EXEC Commands and Table 1-7.
  • Configuration—Use commands in configuration mode to perform configuration tasks in Cisco ISE and generate operational logs. See Configuration Commands and Table 1-6.

Understanding Command Modes

This section describes the Cisco ISE command modes in detail. The primary modes of operation are:

EXEC Mode

When you start a session in the Cisco ISE CLI, you begin in EXEC mode. From EXEC mode, you can enter configuration mode. Most EXEC commands (one-time commands), such as the show commands, display the current configuration status. The EXEC mode prompt consists of the device name or hostname before a pound sign (#), as shown:

ise/admin# (EXEC mode)
 

Note Throughout this guide in the examples, we use ise for the hostname and admin for the user account.


You can always tell when you are in EXEC mode or configuration mode by looking at the prompt.

  • In EXEC mode, a pound sign (#) appears after the Cisco ISE server hostname and your username.

For example:

ise/admin#
 
  • In configuration mode, the ‘config’ keyword and a pound sign (#) appear after the hostname of the Cisco ISE server and your username.

For example:

ise/admin# config
Enter configuration commands, one per line. End with CNTL/Z.
ise/admin(config)# (configuration mode)
 

If you are familiar with UNIX, you can equate EXEC mode to root access. It is also similar to the administrator level in Windows NT and the supervisor in NetWare. In EXEC mode, you have permission to access everything in the Cisco ISE server, including configuration commands. However, you cannot enter configuration commands directly. Before you can change the actual configuration of the Cisco ISE server, you must enter configuration mode by running the configure or configure terminal (conf t) command. Enter this command only when in EXEC mode.

For example:

ise/admin# configure terminal
Enter configuration commands, one per line. End with CNTL-Z.
ise/admin(config)# (configuration mode)
 

The configuration mode has several submodes; each has its own prompt. To enter these submodes, you must first enter configuration mode by entering the configure terminal command.

To exit configuration mode, enter the end, exit, or Ctrl-z command. To exit EXEC mode, enter the exit command. To exit both Configuration and EXEC modes, enter this sequence of commands:

ise/admin(config)# exit
ise/admin# exit
 

To obtain a listing of commands in EXEC mode, enter a question mark (?):

ise/admin# ?

Configuration Mode

Use configuration mode to make changes to the existing configuration. Changes made in configuration mode persist across Cisco ISE server reboots only if you save them by running either of these commands:

  • copy running-config startup-config
  • write memory

To enter configuration mode, run the configure or configure terminal (conf t) command in EXEC mode. When in configuration mode, the Cisco ISE expects configuration commands.

For example:

ise/admin# configure
Enter configuration commands, one per line. End with CNTL-Z.
ise/admin(config)# (configuration mode)
 

From this level, you can enter commands directly into the Cisco ISE configuration. To obtain a listing of commands in this mode, enter a question mark (?):

ise/admin(config)# ?
 

The configuration mode has several configuration submodes. Each of these submodes places you deeper in the prompt hierarchy. When you enter exit, the Cisco ISE backs you out one level and returns you to the previous level. When you enter exit again, the Cisco ISE backs you out to the EXEC level.


Note In configuration mode, you can alternatively enter Ctrl-z instead of the end or exit command.


Configuration Submodes

In the configuration submodes, you can enter commands for specific configurations. For example:

ise/admin# configure terminal
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)#
 

To obtain a list of commands in this mode, enter a question mark (?):

ise/admin(config-GigabitEthernet)# ?
 

Use the exit or end command to exit this prompt and return to the configuration prompt.

Table 1-2 lists the commands in the interface GigabitEthernet 0 configuration submode. Other configuration submodes exist, including those specific to the kron, repository, and password policy commands.

 

Table 1-2 Command Options in the Interface GigabitEthernet 0 Configuration Submode

Command:

ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# ?
Configure ethernet interface:
do        EXEC command
end       Exit from configure mode
exit      Exit from this submode
ip        Configure IP features
ipv6      Configure IPv6 features
no        Negate a command or set its defaults
shutdown  Shutdown the interface
ise/admin(config-GigabitEthernet)#

Comment:

Enter the command that you want to configure for the interface. This example uses the interface GigabitEthernet command.

Enter ? to display what you must enter next on the command line. This example shows the available interface GigabitEthernet configuration submode commands.

Command:

ise/admin(config-GigabitEthernet)# ip ?
address  Configure IP address
ise/admin(config-GigabitEthernet)# ip

Comment:

Enter the command that you want to configure for the interface. This example uses the ip command.

Enter ? to display what you must enter next on the command line. This example shows the available ip configuration submode commands.

Command:

ise/admin(config-GigabitEthernet)# ip address ?
<A.B.C.D>  IPv4 address
ise/admin(config-GigabitEthernet)# ip address

Comment:

Enter the command that you want to configure for the interface. This example uses the ip address command.

Enter ? to display what you must enter next on the command line. In this example, you must enter an IPv4 address.

A carriage return <cr> does not appear; therefore, you must enter additional arguments to complete the command.

Command:

ise/admin(config-GigabitEthernet)# ip address 172.16.0.1 ?
<A.B.C.D>  Network mask
ise/admin(config-GigabitEthernet)# ip address 172.16.0.1

Comment:

Enter the keyword or argument that you want to use. This example uses the 172.16.0.1 IP address.

Enter ? to display what you must enter next on the command line. In this example, you must enter a network mask.

A carriage return <cr> does not appear; therefore, you must enter additional arguments to complete the command.

Command:

ise/admin(config-GigabitEthernet)# ip address 172.16.0.1 255.255.255.224 ?
<cr>  Carriage Return
ise/admin(config-GigabitEthernet)# ip address 172.16.0.1 255.255.255.224

Comment:

Enter the network mask. This example uses the 255.255.255.224 network mask.

Enter ? to display what you must enter next on the command line. In this example, you can press Enter.

A carriage return <cr> appears; you can press Enter to complete the command.

EXEC Commands

EXEC commands are primarily system-level configuration commands.

For detailed information on EXEC and configuration command modes, see Navigating CLI Commands.

 

Table 1-3 EXEC Commands

application configure
    Configures a specific application.

application install
    Installs a specific application bundle.

application remove
    Removes a specific application.

application reset-config
    Resets the Cisco ISE configuration to factory defaults.

application reset-passwd
    Resets the application password for a specific user (admin) in the application.

application start
    Starts or enables a specific application.

application stop
    Stops or disables a specific application.

application upgrade
    Upgrades a specific application bundle.

backup
    Performs a backup and places the backup in a repository.

backup-logs
    Performs a backup of all logs in the Cisco ISE server to a remote location.

clock
    Sets the system clock in the Cisco ISE server.

configure
    Enters configuration mode.

copy
    Copies any file from a source to a destination.

crypto key
    Performs crypto key operations.

debug
    Displays any errors or events for various commands executed. For example, displays backup and restore, configuration, copy, resource locking, file transfer, and user management debugging information.

delete
    Deletes a file in the Cisco ISE server.

dir
    Lists the files in the Cisco ISE server.

exit
    Disconnects the encrypted session with a remote system. Exits from the current command mode to the previous command mode.

forceout
    Forces the logout of all sessions of a specific Cisco ISE server system user.

halt
    Disables or shuts down the Cisco ISE server.

help
    Describes the help utility and how to use it in the Cisco ISE server.

mkdir
    Creates a new directory.

nslookup
    Queries the IPv4 address or hostname of a remote system.

password
    Updates the CLI password.

patch
    Installs a system or application patch.

pep
    Configures the Inline Posture node.

ping
    Determines the IPv4 network connectivity to a remote system.

ping6
    Determines the IPv6 network connectivity to a remote system.

reload
    Reboots the Cisco ISE server.

restore
    Restores a previous backup.

rmdir
    Removes an existing directory.

show
    Provides information about the Cisco ISE server.

ssh
    Starts an encrypted session with a remote system.

tech
    Lists Cisco Technical Assistance Center (TAC) commands.

telnet
    Establishes a Telnet connection to a remote system.

terminal length
    Sets terminal line parameters.

terminal session-timeout
    Sets the inactivity timeout for all terminal sessions.

terminal session-welcome
    Sets the welcome message on the system for all terminal sessions.

terminal terminal-type
    Specifies the type of terminal connected to the current line of the current session.

traceroute
    Traces the route of a remote IP address.

undebug
    Disables the output of errors or events of the debug command for various commands executed. For example, disables the output of backup and restore, configuration, copy, resource locking, file transfer, and user management debugging information.

write
    Erases the startup configuration (which forces the setup utility to run and prompt for the network configuration), copies the running configuration to the startup configuration, or displays the running configuration on the console.

Show Commands

The show commands are used to display the Cisco ISE settings.

The commands in Table 1-4 require the show command to be followed by a keyword. Some show commands require an argument or a variable after the keyword to function.

 

Table 1-4 Show Commands

show application (requires keyword)
    Displays information about the installed Cisco ISE application. For example, status information or version information of the installed Cisco ISE application.

show backup (requires keyword)
    Displays information about Cisco ISE backup.

show banner
    Shows login banners.

show cdp (requires keyword)
    Displays information about the enabled Cisco Discovery Protocol interfaces.

show clock
    Displays the day, date, time, time zone, and year of the system clock.

show cpu
    Displays CPU information.

show crypto
    Displays crypto information.

show disks
    Displays file-system information of the disks.

show icmp-status
    Displays the Internet Control Message Protocol (ICMP) echo response configuration information.

show interface
    Displays statistics for all interfaces configured in the Cisco ISE server.

show inventory
    Displays information about the hardware inventory, including the Cisco ISE appliance model and serial number.

show ip route
    Displays information in the IP routing table for a Cisco ISE server.

show logging (requires keyword)
    Displays the Cisco ISE server logging information.

show logins (requires keyword)
    Displays the login history of the Cisco ISE server.

show memory
    Displays memory usage by all running processes.

show ntp
    Displays the status of the Network Time Protocol (NTP) servers.

show pep
    Displays the Inline Posture node information.

show ports
    Displays all processes listening on the active ports.

show process
    Displays information about the active processes of the Cisco ISE server.

show repository (requires keyword)
    Displays the file contents of a specific repository.

show restore (requires keyword)
    Displays the restore history in Cisco ISE.

show running-config
    Displays the contents of the configuration file that currently runs in Cisco ISE.

show startup-config
    Displays the contents of the startup configuration in Cisco ISE.

show tech-support
    Displays system and configuration information that you can provide to the TAC when you report a problem.

show terminal
    Displays information about the terminal configuration parameter settings for the current terminal line.

show timezone
    Displays the current time zone in the Cisco ISE.

show timezones
    Displays all time zones available for use in the Cisco ISE.

show udi
    Displays information about the unique device identifier (UDI) of the Cisco ISE.

show uptime
    Displays how long the system you are logged in to has been up and running.

show users
    Displays information about the system users.

show version
    Displays information about the currently loaded software version, along with hardware and device information.

Configuration Commands

Configuration commands are used to configure Cisco ISE. To access configuration mode, run the configure command in EXEC mode. Some of the configuration commands require that you enter the applicable configuration submode to complete the configuration.

For more information on configuration mode and submode commands, see Navigating CLI Commands.

 

Table 1-5 Configuration Commands

cdp holdtime
    Specifies the amount of time the receiving device should hold a Cisco Discovery Protocol packet from the Cisco ISE server before discarding it.

cdp run
    Enables Cisco Discovery Protocol.

cdp timer
    Specifies how often the Cisco ISE server sends Cisco Discovery Protocol updates.

clock timezone
    Sets the time zone for display purposes.

conn-limit
    Configures the TCP connection limit from the source IP.

do
    Executes an EXEC-level command from configuration mode or any configuration submode.
    Note To initiate, the do command precedes the EXEC command.

end
    Returns to EXEC mode.

exit
    Exits configuration mode.

hostname
    Sets the hostname of the system.

icmp echo
    Configures the ICMP echo requests.

interface
    Configures an interface type and enters interface configuration mode.

ipv6 address autoconfig
    Enables IPv6 stateless autoconfiguration in the interface configuration mode.

ipv6 address dhcp
    Enables IPv6 address DHCP in the interface configuration mode.

ip address
    Sets the IP address and netmask for the Ethernet interface.
    Note This is an interface configuration command.

ip default-gateway
    Defines or sets a default gateway with an IP address.

ip domain-name
    Defines a default domain name that a Cisco ISE server uses to complete hostnames.

ip host
    Configures host aliases and FQDN string to IP address mapping.

ip name-server
    Sets the Domain Name System (DNS) servers for use during a DNS query.

ip route
    Configures an IP route for an IP address.

kron occurrence
    Schedules one or more Command Scheduler commands to run at a specific date and time or at a recurring time.

kron policy-list
    Specifies a name for a Command Scheduler policy.

logging loglevel
    Configures the log level for the logging command.

max-ssh-sessions
    Configures the number of concurrent SSH sessions.

no
    Disables or removes the function associated with a command.

ntp
    Synchronizes the software clock through the NTP server for the system.

ntp authenticate
    Enables authentication of all time sources.

ntp authentication-key
    Adds Message Digest 5 (MD5)-type authentication keys for trusted time sources.

ntp server
    Specifies an NTP server to use.

ntp trusted-key
    Specifies the key numbers for trusted time sources.

password-policy
    Enables and configures the password policy.

rate-limit
    Configures the TCP/UDP/ICMP packet-rate limit from the source IP.

repository
    Enters the repository submode.

service
    Specifies the type of service to manage.

snmp-server community
    Sets up the community access string to permit access to the Simple Network Management Protocol (SNMP).

snmp-server contact
    Configures the SNMP contact Management Information Base (MIB) value on the system.

snmp-server host
    Sends SNMP traps to a remote system.

snmp-server location
    Configures the SNMP location MIB value on the system.

username
    Adds a user to the system with a password and a privilege level.

CLI Audit

You must have administrator access to execute Cisco ISE configuration commands. Whenever an administrator logs in to configuration mode and executes a command that causes configuration changes in the Cisco ISE server, the information related to those changes is logged in the Cisco ISE operational logs.

 

Table 1-6 Configuration Mode Commands for Operational Logs

clock
    Configures the time zone.

hostname
    Configures the hostname of the system.

interface
    Configures an interface type and enters the interface configuration mode.

ip address
    Sets the IP address and netmask for the Ethernet interface.

ip name-server
    Sets the DNS servers to be used during a DNS query.

ip default-gateway
    Defines or sets a default gateway with an IP address.

kron
    Configures the Command Scheduler.

logging
    Configures system logging.

ntp
    Specifies NTP configuration.

ntp server
    Allows synchronization of the software clock by the NTP server for the system.

repository
    Configures a repository.

service sshd
    Specifies the service to be managed.

snmp-server
    Configures the SNMP server.

username
    Creates a user.

In addition to configuration mode commands, some commands in EXEC mode generate operational logs.

 

Table 1-7 EXEC Mode Commands for Operational Logs

application
    Application install and administration.

backup
    Performs a backup (Cisco ISE and Cisco ADE OS) and places the backup in a repository.

backup-logs
    Backs up system and application logs.

copy
    Copies a file from a source to a destination.

delete
    Deletes a file.

forceout
    Forces the logout of all sessions of a specific Cisco ISE server system user.

halt
    Shuts down the system.

mkdir
    Creates a new directory.

patch
    Installs a system or application patch.

reload
    Reboots the system.

restore
    Restores the system.
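As an added example that is not part of this guide, the following Python script applies what the chapter says about prompts (Understanding Command Modes) and about which commands produce operational-log entries (Tables 1-6 and 1-7, together with the operator privilege set in Table 1-1) to a captured CLI session transcript, so that an auditor can reconcile session activity against the operational logs and spot an operator prompt running admin-only commands. The prompt regular expression, the command tables and the sample transcript are assumptions built from the chapter's text, not Cisco code.

```python
import re
from dataclasses import dataclass

# Prompt forms the chapter describes: "ise/admin#" (EXEC, admin), "ise/admin>" (EXEC,
# operator), "ise/admin(config)#" and submodes such as "ise/admin(config-GigabitEthernet)#".
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)/(?P<user>[\w.-]+)"
                       r"(?:\((?P<mode>config(?:-[\w-]+)?)\))?(?P<sigil>[#>]) ?(?P<cmd>.*)$")

# Commands the chapter says generate operational-log entries (Tables 1-6 and 1-7).
AUDITED_CONFIG = {"clock", "hostname", "interface", "ip address", "ip name-server",
                  "ip default-gateway", "kron", "logging", "ntp", "ntp server",
                  "repository", "service sshd", "snmp-server", "username"}
AUDITED_EXEC = {"application", "backup", "backup-logs", "copy", "delete", "forceout",
                "halt", "mkdir", "patch", "reload", "restore"}
# EXEC commands Table 1-1 grants to the operator account.
OPERATOR_EXEC = {"exit", "nslookup", "ping6", "ssh", "telnet", "terminal", "traceroute",
                 "show cdp", "show clock", "show cpu", "show disks", "show icmp_status",
                 "show interface", "show inventory", "show logins", "show memory", "show ntp",
                 "show pep", "show ports", "show process", "show terminal", "show timezone",
                 "show udi", "show uptime", "show version"}

@dataclass
class Event:
    line_no: int
    user: str
    mode: str              # "exec", "config" or a submode such as "config-GigabitEthernet"
    command: str
    audited: bool = False  # the chapter says an operational-log entry is expected
    flag: str = ""         # privilege anomaly, if any

def _matches(command, table):  # first one or two words looked up in a command table
    words = command.split()
    return any(" ".join(words[:n]) in table for n in (2, 1) if len(words) >= n)

def audit_session(transcript):
    """Per typed command: is it logged, and did an operator ('>') exceed Table 1-1?"""
    events = []
    for no, line in enumerate(transcript.splitlines(), 1):
        m = PROMPT_RE.match(line.strip())
        if not m or not m["cmd"].strip():
            continue                                  # output line or bare prompt
        ev = Event(no, m["user"], m["mode"] or "exec", m["cmd"].strip())
        mode, cmd = ev.mode, ev.command
        if mode != "exec" and cmd.startswith("do "):  # 'do' runs an EXEC command (Table 1-5)
            mode, cmd = "exec", cmd[3:].strip()
        if mode == "exec":
            ev.audited = _matches(cmd, AUDITED_EXEC)
            if m["sigil"] == ">" and not _matches(cmd, OPERATOR_EXEC):
                ev.flag = "operator prompt ran a command Table 1-1 reserves for admin"
        else:
            ev.audited = _matches(cmd, AUDITED_CONFIG)
        events.append(ev)
    return events

def expected_log_commands(events):
    """Commands for which an operational-log entry should be reconciled."""
    return [e.command for e in events if e.audited]

# Constructed sample session, not captured from a real appliance.
SAMPLE_TRANSCRIPT = """ise/admin# configure terminal
Enter configuration commands, one per line. End with CNTL-Z.
ise/admin(config)# hostname ise-lab
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# ip address 172.16.0.1 255.255.255.224
ise/admin(config-GigabitEthernet)# do show clock
ise/admin(config)# ntp server 10.0.0.5
ise/admin(config)# end
ise/admin# copy running-config startup-config
ise/operator> show clock
ise/operator> configure terminal
"""
```

Run `audit_session(SAMPLE_TRANSCRIPT)` and compare `expected_log_commands(...)` with the entries actually present in the operational logs; any event with a non-empty `flag` deserves a look regardless of logging.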