This chapter provides helpful tips for understanding and configuring Cisco Identity Services Engine using the command-line interface (CLI). Cisco ISE can be deployed in small, medium, and large deployments and is available on different platforms and also as software that can run on VMware.
When you power up Cisco ISE appliances for the first time, you are prompted to run the setup utility to configure them. Before you run the utility using the setup command, ensure that you have values for the following network configuration prompts:
IP address—Ethernet interface address
DNS domain name
Primary NTP server (Optional)
System time zone
This example shows sample output of the setup command:
Please type 'setup' to configure the appliance
localhost login: setup
Press 'Ctrl-C' to abort setup
Enter hostname: ise
Enter IP address: 172.16.90.183
Enter IP default netmask: 255.255.0.0
Enter IP default gateway: 172.16.90.1
Enter default DNS domain: mydomain.com
Enter primary nameserver: 172.16.168.183
Add/Edit another nameserver? Y/N : n
Enter primary NTP server[time.nist.gov]:
Add/Edit secondary NTP server? Y/N : n
Enter system timezone[UTC] :
Enter password again:
Bringing up network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use 'Ctrl-C' from this point on...
Appliance is configured
After you enter the required information, the Cisco ISE appliance automatically reboots and the following login prompt appears:
identifies the hostname that you specified when you ran the
In the example, this prompt appears:
To log in, use the admin user account and the corresponding password that you created during the setup process. You must also use this Admin account to log in to the Cisco ISE CLI for the first time. After accessing the CLI as an administrator, you can create admin and operator user accounts with SSH access to the Cisco ISE CLI by running the username command in configuration mode.
Note The admin user account and the corresponding password (a CLI user account) that you created during the initial setup wizard can be used to manage the Cisco ISE application using the CLI. The CLI user has privileges to start and stop the Cisco ISE application software, back up and restore the Cisco ISE application data, apply software patches and upgrades to the Cisco ISE application software, view all system and application logs, and reload or shut down the Cisco ISE appliance. To protect the CLI user credentials, explicitly create users with access to the CLI.
Note Any users that you create from the Cisco ISE web interface cannot automatically log in to the Cisco ISE CLI. You must explicitly create users with access to the CLI. To create these users, you must log in to the CLI using the admin user account that you created during setup; then, enter configuration mode, and run the username command.
To log in to the Cisco ISE server and access the CLI, use a Secure Shell (SSH) client or the console port.
Note To access the Cisco ISE CLI, use any SSH client that supports SSH v2.
You can log in from:
A PC running Windows XP/Vista.
A PC running Linux.
An Apple computer running Mac OS X 10.4 or later.
Any terminal device compatible with VT100 or ANSI characteristics. On VT100-type and ANSI devices, you can use cursor-control and cursor-movement keys, including the left arrow, right arrow, up arrow, down arrow, Delete, and Backspace keys. The CLI senses the use of the cursor-control keys and automatically uses the optimal device characteristics (see the “Supported Hardware and Software Platforms” section).
To exit the CLI, use the
command in EXEC mode. If you are currently in one of the configuration modes and you want to exit the CLI, enter the
command to return to EXEC mode, and then enter the
command (see EXEC Mode).
Supported Hardware and Software Platforms
The following valid terminal types can access the Cisco ISE CLI:
See the terminfo database for a complete listing.
Accessing the Cisco ISE CLI with Secure Shell
Note To access the Cisco ISE CLI, use any SSH client that supports SSH v2.
The following example shows you how to log in with a Secure Shell (SSH) client (connecting to a wired WAN) via a PC by using Windows XP. Assuming that Cisco ISE is preconfigured through the setup utility to accept an admin (administrator) user, log in as admin.
Step 1 Use any SSH client and start an SSH session.
The SSH window appears.
Step 2 Press
The Connect to Remote Host window appears.
Step 3 Enter a hostname, username, port number, and authentication method.
In this example, you enter
for the hostname,
for the username, and
for the port number; and, for the authentication method, choose
from the drop-down list.
Step 4 Click
, or press
The Enter Password window appears.
Step 5 Enter your assigned password for the administrator.
The SSH with the Add Profile window appears.
Step 6 (Optional) Enter a profile name in the text box and click
Add to Profile
Step 7 Click
on the Add Profile window.
The Cisco ISE prompt ise/admin# appears. You can now enter Cisco ISE CLI commands.
Accessing the Cisco ISE CLI Using a Local PC
If you need to configure Cisco ISE locally (without connecting to a wired LAN), you can connect a PC to the console port in the Cisco ISE appliance by using a null-modem cable.
The serial console connector (port) provides access to the CLI locally by connecting a terminal to the console port. The terminal is a PC running terminal-emulation software or an ASCII terminal. The console port (EIA/TIA-232 asynchronous) requires only a null-modem cable.
To connect a PC running terminal-emulation software to the console port, use a DB-9 female to DB-9 female null-modem cable.
To connect an ASCII terminal to the console port, use a DB-9 female to DB-25 male straight-through cable with a DB-25 female to DB-25 female gender changer.
The default parameters for the console port are 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.
Note If you are using a Cisco switch on the other side of the connection, set the switchport to duplex auto, speed auto (the default).
To connect to the console port and open the CLI, complete the following steps:
Step 1 Connect a null-modem cable to the console port in the Cisco ISE appliance and to the COM port on your PC.
Step 2 Set up a terminal emulator to communicate with the Cisco ISE. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.
Step 3 When the terminal emulator activates, press Enter.
Step 4 At the window, enter your username and press Enter.
Step 5 Enter the password and press Enter.
When the CLI activates, you can enter CLI commands to configure the Cisco ISE.
Use question mark (?) and the Up Arrow and Down Arrow keys to help you enter commands:
For a list of available commands, enter a question mark (?).
To complete a command, enter a few known characters before
(with no space):
To display keywords and arguments for a command, enter
at the prompt or after entering part of a command followed by a space:
ise/admin# show ?
The Cisco ISE displays a list and brief description of available keywords and arguments.
Note The <cr> symbol in command help stands for “carriage return”, which means to press Enter. The <cr> at the end of command-help output indicates that you have the option to press Enter to complete the command and that the arguments and keywords in the list preceding the <cr> symbol are optional. The <cr> symbol by itself indicates that no more arguments or keywords are available, and that you must press Enter to complete the command.
To redisplay a command that you previously entered, press the
key. Continue to press the
key to see more commands.
Using the No and Default Forms of Commands
Some EXEC and configuration commands have a no form. In general, you use the no form of a command to disable a function. For example, an IP address is enabled by default. To disable the IP address, use the no ip address command; to reenable the IP address, use the ip address command.
Configuration commands can have a default form, which returns the command settings to the default values. Most commands are disabled by default, so in such cases using the default form has the same result as using the no form of the command. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default form of the command enables the command and sets the variables to their default values.
Cisco ISE provides a number of keyboard shortcuts that you can use to edit an entered line.
to try to finish the current command.
If you press the
At the beginning of a line, the system lists all short-form options.
When you enter a partial command, the system lists all short form options beginning with those characters.
When only one possible option is available, the system fills in the option automatically.
Press Ctrl-C to abort a sequence. This aborts any executing command and returns to the previous mode.
Press Ctrl-Z to exit configuration mode and return to the previous configuration mode.
Enter a question mark (?) at the prompt to list the available commands (see Getting Help).
Command Line Completion
Command-line completion makes the Cisco ISE CLI more user-friendly. It saves you extra keystrokes and helps out when you cannot remember the syntax of a command.
For example, in the show running-config command:
ise/admin# show running-config
You could have used:
ise/admin# sh run
The Cisco ISE expands the command sh run to show running-config.
Another shortcut is to press the
key after you type sh; the Cisco ISE CLI fills in the rest of the command completion, in this case show.
If the Cisco ISE CLI does not understand a command, it repeats the entire command line and places a caret symbol (^) under the point at which it could not parse the command.
ise/admin# show unning-configuration
% Invalid input detected at ‘^’ marker.
The caret symbol (^) points to the first letter in the command line that the Cisco ISE does not understand. Usually, this means that you need to provide additional arguments to complete the command or you misspelled the command. In this case, you omitted the “r” in the “unning” command. To fix the error, retype the command.
In another form of command-line completion, you can start a command by entering the first few characters, then pressing the
key. As long as you can match one command, the Cisco ISE CLI will complete the command. For example, if you type sh and press
, the Cisco ISE completes the sh with show. If the Cisco ISE does not complete the command, you can enter a few more letters and press
again. For more information, see Tab.
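The abbreviation and caret behavior described above can be modeled in a few lines, which is useful when normalizing abbreviated commands such as sh run in saved session transcripts before review. This is an added example, not Cisco's parser: the COMMANDS table is a constructed toy keyword tree, and resolve and echo_with_caret are hypothetical names. It generalizes the caret rule slightly by placing the caret under the first character that no keyword can explain, and it reports an ambiguous prefix as a list of candidates.

```python
# Constructed toy keyword tree; NOT the real Cisco ISE command set.
COMMANDS = {
    "show": {"running-config": {}, "repository": {}, "version": {}},
    "terminal": {"length": {}},
    "configure": {},
    "exit": {},
}

def resolve(line, tree=COMMANDS):
    """Expand abbreviated keywords.

    Returns ("ok", canonical), ("ambiguous", candidates) or
    ("invalid", column) where column is the 0-based caret position.
    Only keywords are modeled, not free-form arguments.
    """
    words, node, pos = [], tree, 0
    for word in line.split():
        col = line.index(word, pos)          # where this word starts
        pos = col + len(word)
        if word in node:                     # exact keyword wins
            cands = [word]
        else:                                # otherwise match by prefix
            cands = sorted(k for k in node if k.startswith(word))
        if len(cands) > 1:
            return "ambiguous", cands
        if not cands:
            # Caret goes under the first character no keyword explains.
            good = 0
            while any(k.startswith(word[:good + 1]) for k in node):
                good += 1
            return "invalid", col + good
        words.append(cands[0])
        node = node[cands[0]]
    return "ok", " ".join(words)

def echo_with_caret(line, col, prompt="ise/admin# "):
    """Repeat the command line with a caret under the failing column."""
    return f"{prompt}{line}\n{' ' * (len(prompt) + col)}^"

if __name__ == "__main__":
    for cmd in ("sh run", "show r", "show unning-configuration"):
        status, value = resolve(cmd)
        print(f"{cmd!r}: {status} {value!r}")
        if status == "invalid":
            print(echo_with_caret(cmd, value))
```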
Continuing Output at the --More-- Prompt
When working with the Cisco ISE CLI, output often extends beyond the visible screen length. For cases where output continues beyond the bottom of the screen, such as with the output of many ? or show commands, the output pauses and a --More-- prompt appears at the bottom of the screen. To resume output, press
to scroll down one line, or press the
to display the next full screen of output.
Tip If output pauses on your screen but you do not see the --More-- prompt, try entering a smaller value for the screen length by using the terminal length command in EXEC mode. Command output will not pause if you set the length value to zero (0).
Where to Go Next
Now that you are familiar with some of the Cisco ISE CLI basics, you can begin to configure the Cisco ISE by using the CLI.
You can use the question mark (?) and arrow keys as well as Tab to help you enter commands.
Each command mode restricts you to a set of commands. If you have difficulty entering a command, check the prompt and then enter the question mark (?) to see a list of available commands.
To disable a feature, enter the no form of the command. For example, no ip address.
You must save your configuration changes so that you preserve them during a system reload or power outage.