Command Reference
This appendix summarizes the command line interface (CLI) commands of the Cisco Secure ACS Solution Engine 3.3.
This appendix contains the following sections:
•CLI Conventions
•Command Privileges
•Checking Command Syntax
•System Help
•Command Description Conventions
•Commands
CLI Conventions
The command-line interface (CLI) uses the following conventions:
•The key combination ^c, or Ctrl-c, means hold down the Ctrl key while you press the c key.
•A string is defined as a nonquoted set of characters.
Do not confuse the Cisco Secure ACS Solution Engine CLI with the IOS CLI. Though they are similar, they are not identical.
Command Privileges
Access to CLI commands on the Cisco Secure ACS Solution Engine is limited to those who physically connect via the console port and who possess the proper administrative credentials.
For more information about establishing the console connection, see Establishing a Serial Console Connection, page 3-15.
Checking Command Syntax
The serial console interface provides several types of responses to incorrect command entries:
•If you enter a command line that does not contain any valid commands, the system displays Command not found.
•If you enter a valid command but omit required options, the system displays Incomplete command.
•If you enter a valid command but provide invalid options or parameters, the system displays Invalid input.
In addition, some commands have command-specific error messages that notify you that a command is valid, but that it cannot run correctly.
System Help
You can obtain help using the following methods:
•For a list of all commands and their syntax, enter help, and then press Enter.
•For help on a specific command, type the command name, a space, and a question mark, and then press Enter (for example, show ?). The help contains command usage information and syntax.
Command Description Conventions
Command descriptions in this document and in the CLI help system use the following conventions:
•Vertical bars (|) separate alternative, mutually exclusive elements.
•Square brackets ([ ]) indicate optional elements.
•Braces ({ }) indicate a required choice. Braces within square brackets ([{ }]) indicate a required choice within an optional element.
•Bold indicates commands and keywords that are entered literally as shown.
•Italics indicate arguments for which you supply values.
Commands
This section describes the Cisco Secure ACS Solution Engine commands. Command names are case insensitive.
backup
To back up ACS data to an FTP server, use the backup command.
backup [server] [username] [filepath]
Syntax Description
server Hostname for the FTP server to which the file will be sent.
username User account name used to authenticate the FTP session.
filepath Location under the FTP root for the server into which the backup will be sent.
Usage Guidelines
If you do not enter the parameters, the system prompts you for the information. The system also asks whether to encrypt the backup; if you choose to encrypt the data, you are prompted for an encryption password. For more information, see Backing Up ACS Data via the Serial Console, page 4-17.
Example
The following command employs the user account joeadmin to back up the ACS data to the backupdata folder on the onyx FTP server:
backup onyx joeadmin backupdata
dbcompact
To compact the database by dumping, initializing the database, and loading the database from the dump file, use the dbcompact command.
Note: The CSAuth service is temporarily halted while this command executes. This interrupts any user authentication.
dbcompact
Syntax Description
This command has no arguments or keywords.
Example
The following command compacts the database by dumping, initializing the database, and loading the database from the dump:
download
To download an upgrade image to the Cisco Secure ACS Solution Engine, use the download command. Executing the download command establishes contact with the specified system, retrieves the manifest file from that system, and automatically downloads the upgrade image to the Cisco Secure ACS Solution Engine.
download [hostAddress]
Syntax Description
hostAddress The IP address from which the image will be sent
Usage Guidelines
This command is generally executed from within the HTML interface. After loading an upgrade image with the download command, you must install the image by using the upgrade command. For more information, see Upgrading the Solution Engine, page 4-29.
Example
The following command downloads an upgrade image from the system with the address 10.51.256.256
exit
To log out of the system, use the exit command.
exit
Syntax Description
This command has no arguments or keywords.
Example
The following command logs you out of the system:
exportgroups
To export a list of user groups, use the exportgroups command.
exportgroups [server] [username] [filepath]
Note: The CSAuth service is temporarily halted while this command executes. This interrupts any user authentication.
Syntax Description
server Hostname for the FTP server to which the file will be sent.
username User account name used to authenticate the FTP session.
filepath Location under the FTP root for the server into which the group list will be sent.
Usage Guidelines
If you do not enter the parameters, the system prompts you for the information.
Example
The following command employs the user account joeadmin to send a list of user groups to the groupdata folder on the diamond FTP server:
exportgroups diamond joeadmin groupdata
exportlogs
To list and send selected logs to an FTP server, use the exportlogs command.
exportlogs [filename] [filename]
Syntax Description
filename Name of the file to be exported.
Usage Guidelines
If no filenames are supplied, this command lists all the log files that can be downloaded to an FTP server. Otherwise, enter the filenames separated by spaces. You are then prompted for the FTP server address, user login name, password, and the filepath for the file or files to be uploaded.
Example
The following command exports the log files mylog2002-01-31.csv and mylog2002-02-01.csv:
exportlogs mylog2002-01-31.csv mylog2002-02-01.csv
exportusers
To export a list of users, use the exportusers command.
exportusers [server] [username] [filepath]
Note: The CSAuth service is temporarily halted while this command executes. This interrupts any user authentication.
Syntax Description
server Hostname for the FTP server to which the file will be sent.
username User account name used to authenticate the FTP session.
filepath Location under the FTP root for the server into which the users list will be sent.
Usage Guidelines
If you do not enter the parameters, the system prompts you for the information.
Example
The following command employs the user account joeadmin to send a list of users to the userdata folder on the emerald FTP server:
exportusers emerald joeadmin userdata
help
To list descriptions of commands, use the help command.
help
Syntax Description
This command has no arguments or keywords.
Example
The following command lists descriptions of commands:
ntpsync
To perform Network Time Protocol (NTP) synchronization with a predefined NTP server, use the ntpsync command. For information on setting the NTP server, see set time.
ntpsync
Syntax Description
This command has no arguments or keywords.
Example
The following command uses the predefined NTP synchronization server to synchronize Cisco Secure ACS Solution Engine time to the NTP server time:
ping
To send ICMP echo_request packets for diagnosing basic network connectivity, use the ping command.
ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [{-j host-list}|{-k host-list}] [-w timeout] destination-list
Syntax Description
-t Ping the specified host until stopped.
To see statistics and continue - type Control-Break.
To stop - type Control-C.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.
Examples
acsappl1> ping 10.19.253.228
Pinging 10.19.253.228 with 32 bytes of data:
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=160ms TTL=120
Reply from 10.19.253.228: bytes=32 time=150ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Ping statistics for 10.19.253.228:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 160ms, Average = 147ms
acsappl1> ping -n 6 10.19.253.228
Pinging 10.19.253.228 with 32 bytes of data:
Reply from 10.19.253.228: bytes=32 time=130ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=130ms TTL=120
Reply from 10.19.253.228: bytes=32 time=130ms TTL=120
Ping statistics for 10.19.253.228:
Packets: Sent = 6, Received = 6, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 130ms, Maximum = 140ms, Average = 135ms
reboot
To restart the Cisco Secure ACS Solution Engine, use the reboot command.
reboot
Note: AAA services are temporarily halted while this command executes.
Syntax Description
This command has no arguments or keywords.
Example
The following command causes a soft reboot of the Cisco Secure ACS Solution Engine:
restart
To restart one or more of the ACS services, use the restart command.
restart [service name(s)]
Note: AAA services are temporarily halted while this command executes.
Syntax Description
This command uses as an argument the name of the service or services to be restarted.
Usage Guidelines
Use the restart command to stop and restart any of the ACS services. You can determine the status of each service by using the show command. For more information, see Restarting Solution Engine Services via Serial Console, page 4-9.
Example
The following command restarts the CSAuth and CSAdmin services:
restore
To restore ACS data from an FTP server, use the restore command.
restore [server] [username] [filepath] [filename]
Syntax Description
server Hostname for the FTP server from which the file will be sent.
username User account name used to authenticate the FTP session.
filepath Location under the FTP server root in which the restore file is located.
filename Name of the restore file to be used.
Usage Guidelines
If you do not enter the parameters, the system prompts you for the information. You are also prompted to enter a decrypt password and to choose whether to restore the user/group database and/or the Cisco Secure ACS system configuration.
Example
The following command employs the user account joeadmin to retrieve a restore file, allofit, from the restoredata folder on the topaz FTP server:
restore topaz joeadmin restoredata allofit
rollback
To remove any patches and roll back to the originally installed version, use the rollback command.
rollback [appName]
Syntax Description
appName Name of the program (provided as part of patch distribution) to remove a specific patch and roll back to original installed version.
Usage Guidelines
Use this command to return a Cisco Secure ACS to its original condition after having installed a patch program. The rollback command has the effect of stopping all ACS services, copying all files in the backup directory to the originally installed directories, restoring a specified list of Registry entries, and starting all ACS services once again.
Example
The following command executes the program remvptch4 and returns the system to the state that existed before the patch program was applied:
set admin
To set the name of the Cisco Secure ACS Solution Engine administrator, use the set admin command.
set admin [administratorname]
Syntax Description
administratorname Name of system administrator.
Usage Guidelines
Use the set admin command to reset the name of the Cisco Secure ACS Solution Engine administrator. For more information, see Resetting the Solution Engine Administrator Password, page 4-21.
Example
This command sets the administrator name to john:
set domain
To set the DNS domain of the Cisco Secure ACS Solution Engine, use the set domain command.
set domain [domain-name]
Syntax Description
domain-name Name of DNS domain.
Example
This command sets the domain name to xyz.com:
set hostname
To set the hostname of the Cisco Secure ACS Solution Engine, use the set hostname command.
set hostname [hostname]
Syntax Description
hostname Name of the Cisco Secure ACS Solution Engine.
Example
This command sets the Cisco Secure ACS Solution Engine name to acs1:
set ip
To set the Cisco Secure ACS Solution Engine IP configuration, use the set ip command.
set ip
Syntax Description
This command has no arguments or keywords.
Usage Guidelines
Use the set ip command to reset the system IP address in response to subsequent prompts. For more information, see Reconfiguring the Solution Engine IP Address, page 4-23.
Example
The following command begins the system IP address configuration.
set password
To set the Cisco Secure ACS Solution Engine administrator's password, use the set password command. Subsequent prompts take you through the process.
set password
Syntax Description
This command has no arguments or keywords.
Usage Guidelines
Use the set password command to begin resetting the administrator's password. Subsequent prompts take you through the process. For more information, see Resetting the Solution Engine Administrator Password, page 4-21.
Example
The following command initiates the administrator password setting procedure:
set time
To set the Cisco Secure ACS Solution Engine time zone, NTP server, date, or time, use the set time command.
set time
Syntax Description
This command has no arguments or keywords.
Usage Guidelines
Use the set time command to begin the setting of the timezone, current date, and current time. Subsequent prompts take you through the process. For more information, see Setting the System Time and Date Manually, page 4-25.
You can also use the set time command to enable an NTP server to synchronize the Cisco Secure ACS Solution Engine. You can configure one or more NTP servers by separating each NTP IP address entry with a space. For more information, see Setting the System Time and Date with NTP, page 4-26 and the command reference ntpsync.
Example
The following command initiates the system time setting procedure:
set timeout
To set the period, in minutes, after which the serial console will time out, use the set timeout command.
set timeout [minutes]
Syntax Description
This command has a single argument: the number of minutes before timing out. If you enter the command with no argument, the system prompts you for a value in minutes.
Example
The following command establishes a serial console timeout after 10 minutes:
show
To show the version of the Cisco Secure ACS Solution Engine, system load status, ACS service status, IP configuration, system time and NTP settings, Cisco Secure ACS Solution Engine hostname, DNS domain, and timeout value, use the show command.
show
Syntax Description
This command has no arguments or keywords.
Example
The following command lists Cisco Secure ACS Solution Engine information:
shutdown
To shut down the appliance from the serial console, use the shutdown command.
shutdown
Syntax Description
This command has no arguments or keywords.
Example
The following command shuts down the appliance:
start
To start one or more of the ACS services, use the start command.
start [service name(s)]
Syntax Description
This command uses as an argument the name of the service or services to be started.
Usage Guidelines
Use the start command to start any ACS service. You can determine the status of each service by using the show command. For more information, see Starting Solution Engine Services via Serial Console, page 4-8.
Example
The following command starts the CSAuth and CSAgent services:
stop
To stop one or more of the ACS services, use the stop command.
stop [service name(s)]
Note: Services subject to this command are halted until restarted. This may interfere with AAA services.
Note: When you stop the CSAgent service, not only does the Cisco Secure ACS Solution Engine stop CSAgent, but it also changes the startup type to manual. This has the effect of keeping it stopped even after reboot. Likewise, starting CSAgent resets the startup type to automatic.
Syntax Description
This command uses as an argument the name of the service or services to be stopped.
Usage Guidelines
Use the stop command to stop any ACS service. You can determine the status of each service by using the show command. For more information, see Stopping Solution Engine Services via Serial Console, page 4-6.
Example
The following command stops the CSAuth and CSAdmin services:
support
The support command collects a set of logs, Registry information, and other useful information that details activity. Executing the command compresses this set of logs into a single cab file, which can then be analyzed by support personnel.
To initiate the support program, use the support command.
support [-d n] [-u] server filepath [username]
Syntax Description
-d n Collect the previous n days of logs (up to 9999).
-u Collect user database information.
server The hostname for the FTP server to which the file is to be sent.
filepath The location under the FTP root for the server into which the package.cab is to be sent.
username The account used to authenticate the FTP session.
Note: Unlike its counterpart in the HTML interface, this command restarts the Cisco Secure ACS services. This means that AAA services are interrupted.
Example
The following command packages the logs from the past 3 days, together with user database information, and sends the package to the FTP server on the machine host as diagdir/diag.cab. The user is prompted for the password to the sammy account on the FTP server:
support -d3 -u ftp://host/diagdir/diag.cab sammy
tracert
To display the network route to a specified host and identify faulty gateways, use the tracert command.
tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
Syntax Description
-d Do not resolve addresses to hostnames.
-h maximum_hops Maximum number of hops to search for target.
-j host-list Loose source route along host-list.
-w timeout Wait timeout milliseconds for each reply.
Example
acsappl1> tracert 10.19.253.228
Tracing route to 10.19.253.228 over a maximum of 30 hops
1 <10 ms <10 ms <10 ms champaign-gw1.cisco.com [171.69.180.1]
2 40 ms 50 ms 60 ms sjce-wan-gw1.cisco.com [171.69.8.17]
3 40 ms 70 ms 70 ms sjce-wbb-gw1.cisco.com [10.18.255.1]
4 60 ms 70 ms 60 ms sjce-rbb-gw1.cisco.com [171.69.7.233]
5 71 ms 70 ms 60 ms sjce-sbb1-gw1.cisco.com [171.69.14.34]
6 80 ms 51 ms 70 ms sjck-as-gw2.cisco.com [171.69.14.246]
7 60 ms 90 ms 80 ms sj-frame-1.cisco.com [171.70.192.54]
8 150 ms 180 ms 161 ms 10.19.253.225
9 141 ms 160 ms 170 ms 10.19.253.228
upgrade
To perform the second stage of an upgrade, use the upgrade command.
upgrade
Note: This command typically reboots the Cisco Secure ACS services. This means that AAA services are interrupted.
Syntax Description
This command has no arguments or keywords.
Usage Guidelines
Use the upgrade command to install an upgrade package that you have already loaded to the Cisco Secure ACS Solution Engine. Ensure that you have stopped CSAgent prior to employing the upgrade command. For more information, see Upgrading the Solution Engine, page 4-29.
Example
The following initiates the second stage of an upgrade: