Table Of Contents
Overview of the ACS Command Line Interface
Accessing the ACS Command Environment
User Accounts and Modes in ACS
Types of Command Modes in ACS
EXEC Commands
EXEC or System-Level Commands
Show Commands
ACS Configuration Commands
Configuration Commands
CLI Audit
Overview of the ACS Command Line Interface
Cisco Secure Access Control System (ACS) 5.2 uses the CSACS-1121 appliance running the Cisco Application Deployment Engine (ADE) OS 1.2. This chapter provides an overview of how to access the ACS command-line interface (CLI), the different command modes, and the commands that are available in each mode.
You can configure and monitor ACS 5.2 through the web interface. You can also use the CLI to perform the configuration and monitoring tasks that this guide describes.
The following sections describe the ACS CLI:
• Accessing the ACS Command Environment
• User Accounts and Modes in ACS
• Types of Command Modes in ACS
• CLI Audit
Accessing the ACS Command Environment
You can access the ACS CLI through a secure shell (SSH) client or the console port using one of the following machines:
• Windows PC running Windows XP/Vista.
• Apple Computer running Mac OS X 10.4 or later.
• PC running Linux.
For detailed information on accessing the CLI, see Chapter 2 "Using the ACS Command Line Interface."
User Accounts and Modes in ACS
Two different types of accounts are available on the ACS server:
• Admin (administrator)
• Operator (user)
When you power up the CSACS-1121 appliance for the first time, you are prompted to run the setup utility to configure the appliance. During this setup process, an administrator user account, also known as an Admin account, is created.
After you enter the initial configuration information, the appliance automatically reboots and prompts you to enter the username and the password that you specified for the Admin account. It is this Admin account that you must use to log in to the ACS CLI for the first time.
While an Admin can create and manage Operator (user) accounts (which have limited privileges and access to the ACS server), an Admin account provides you with the functionality you require to use the ACS CLI.
To create more users (with admin and operator privileges) with SSH access to the ACS CLI, you must run the username command in the Configuration mode (see Types of Command Modes in ACS).
Table 1-1 lists the command privileges for each type of user account: Admin and Operator (user).
Table 1-1 Command Privileges
Command | Admin | Operator (User)
access-setting accept-all | Yes | No
acs commands | Yes | No
acs config-web-interface | Yes | No
acs-config | Yes | No
application commands | Yes | No
backup | Yes | No
backup-logs | Yes | No
cdp run | Yes | No
clock | Yes | No
configure terminal | Yes | No
copy commands | Yes | No
debug | Yes | No
debug-adclient | Yes | No
debug-log | Yes | No
delete | Yes | No
dir | Yes | No
end | Yes | No
exit | Yes | Yes
export-data | Yes | No
forceout | Yes | No
halt | Yes | No
hostname | Yes | No
icmp | Yes | No
import-data | Yes | No
import-export-abort | Yes | No
import-export-status | Yes | No
interface | Yes | No
ip default-gateway | Yes | No
ip domain-name | Yes | No
ip name-server | Yes | No
ip route | Yes | No
kron | Yes | No
logging commands | Yes | No
mkdir | Yes | No
nslookup | Yes | Yes
ntp server | Yes | No
password policy | Yes | No
patch | Yes | No
ping | Yes | Yes
reload | Yes | No
replication | Yes | No
repository | Yes | No
reset-management-interface-certificate | Yes | No
restore commands | Yes | No
rmdir | Yes | No
service | Yes | No
show acs-cores | Yes | Yes
show acs-logs | Yes | Yes
show acs-config-web-interface | Yes | Yes
show application | Yes | No
show backup | Yes | No
show cdp | Yes | Yes
show clock | Yes | Yes
show cpu | Yes | Yes
show debug-adclient | Yes | No
show debug-log | Yes | No
show disks | Yes | Yes
show icmp_status | Yes | Yes
show interface | Yes | Yes
show inventory | Yes | Yes
show ip route | Yes | No
show logging | Yes | Yes
show logins | Yes | Yes
show memory | Yes | Yes
show ntp | Yes | Yes
show ports | Yes | Yes
show process | Yes | Yes
show repository | Yes | No
show restore | Yes | No
show running-configuration | Yes | No
show startup-configuration | Yes | No
show tac | Yes | No
show tech-support | Yes | No
show terminal | Yes | Yes
show timezone | Yes | Yes
show timezones | Yes | No
show udi | Yes | Yes
show uptime | Yes | Yes
show users | Yes | No
show version | Yes | Yes
snmp-server commands | Yes | No
ssh | Yes | Yes
tech | Yes | No
telnet | Yes | Yes
terminal | Yes | Yes
traceroute | Yes | Yes
undebug | Yes | No
username | Yes | No
write | Yes | No
Logging in to the ACS server places you in the Operator (user) mode or the Admin (EXEC) mode. Typically, logging in requires a username and password.
You can always tell when you are in the Operator (user) mode or Admin (EXEC) mode by looking at the prompt. A right angle bracket (>) appears at the end of the Operator (user) mode prompt; a pound sign (#) appears at the end of the Admin mode prompt, regardless of the submode.
The ACS configuration mode requires a specific, authorized user role to execute each ACS configuration command; see ACS Configuration Commands.
Types of Command Modes in ACS
ACS supports these command modes:
• EXEC—Use the commands in this mode to perform system-level configuration. In addition, certain EXEC mode commands have ACS-specific abilities. See EXEC Commands.
• ACS configuration—Use the commands in this mode to import or export configuration data, synchronize configuration information between the primary and secondary ACS, reset IP address filtering and management interface certificate, define debug logging and show the logging status. This mode requires an administrator user account to log in and perform the ACS configuration-related commands. See ACS Configuration Commands.
• Configuration—Use the commands in this mode to perform additional configuration tasks in ACS. See Configuration Commands.
EXEC Commands
EXEC commands primarily include system-level commands such as show and reload (for example, application installation, application start and stop, copy files and installations, restore backups, and display information).
In addition, certain EXEC-mode commands have ACS-specific abilities (for example, start an ACS instance, display and export ACS logs, and reset an ACS configuration to factory default settings).
• Table 1-2 lists the EXEC commands and provides a short description of each.
• Table 1-3 lists the show commands in the EXEC mode and provides a short description of each.
For detailed information on EXEC commands, see Understanding Command Modes.
EXEC or System-Level Commands
Table 1-2 describes the EXEC mode commands.
Table 1-2 Summary of EXEC Commands
Command | Description
acs start | stop | Starts or stops an ACS server.
acs start | stop process | Starts or stops a process in ACS.
acs backup | Performs a backup of an ACS configuration.
acs-config | Enters the ACS Configuration mode.
acs delete core | Deletes an ACS run-time core file or JVM core log.
acs delete log | Deletes an ACS run-time core file or JVM core log excluding the latest log.
acs config-web-interface | Enables or disables an interface for ACS configuration web.
acs patch | Installs and removes ACS patches.
acs reset-config | Resets the ACS configuration to factory defaults.
acs reset-password | Resets the 'acsadmin' administrator password to the default setting.
acs restore | Restores an ACS configuration.
acs support | Gathers information for ACS troubleshooting.
acs zeroize-machine | Starts the zeroization, deletes key and sensitive files, running memory, and swap files.
application install | Installs a specific application bundle.
application remove | Removes a specific application.
application reset-config | Resets an ACS configuration to factory defaults.
application start | Starts or enables a specific application.
application stop | Stops or disables a specific application.
application upgrade | Upgrades a specific application bundle.
backup | Performs a backup and places the backup in a repository.
backup-logs | Performs a backup of all the logs on ACS to a remote location.
clock | Sets the system clock on the ACS server.
configure | Enters the Configuration mode.
copy | Copies any file from a source to a destination.
debug | Displays any errors or events for various command situations; for example, backup and restore, configuration, copy, resource locking, file transfer, and user management.
delete | Deletes a file in the ACS server.
dir | Lists the files in the ACS server.
exit | Exits from the EXEC mode.
forceout | Forces the logout of all the sessions of a specific ACS server system user.
halt | Disables or shuts down the ACS server.
help | Describes the help utility and how to use it in the ACS server.
mkdir | Creates a new directory.
nslookup | Queries the IPv4 address or hostname of a remote system.
ping | Determines the network connectivity to a remote system.
reload | Reboots the ACS server.
restore | Restores a previous backup.
rmdir | Removes an existing directory.
show | Provides information about the ACS server.
ssh | Starts an encrypted session with a remote system.
tech | Provides Technical Assistance Center (TAC) commands.
telnet | Telnets to a remote system.
terminal length | Sets terminal line parameters.
terminal session-timeout | Sets the inactivity timeout for all terminal sessions.
terminal session-welcome | Sets the welcome message on the system for all terminal sessions.
terminal terminal-type | Specifies the type of terminal connected to the current line of the current session.
traceroute | Traces the route of a remote IP address.
undebug | Disables the output (display of errors or events) of the debug command for various command situations; for example, backup and restore, configuration, copy, resource locking, file transfer, and user management.
write | Copies, displays, or erases the running ACS server information.
Show Commands
The show commands are used to view the ACS settings and are among the most useful commands. See Table 1-3 for a summary of the show commands.
The commands in Table 1-3 require the show command to be followed by a keyword; for example, show application. Some show commands require an argument or variable after the keyword to function; for example, show application version.
Table 1-3 Summary of Show Commands
Command | Description
acs-cores | Displays ACS run-time core files and JVM core logs.
acs-logs | Displays ACS server debug logs.
acs config-web-interface | Indicates whether an interface is disabled or enabled for ACS configuration web.
application (requires keyword) | Displays information about the installed application; for example, status information or version information.
backup (requires keyword) | Displays information about the backup.
cdp (requires keyword) | Displays information about the enabled Cisco Discovery Protocol (CDP) interfaces.
clock | Displays the day, date, time, time zone, and year of the system clock.
cpu | Displays CPU information.
disks | Displays file-system information of the disks.
icmp-status | Displays the Internet Control Message Protocol (ICMP) echo response configuration information.
interface | Displays statistics for all the interfaces configured on ACS.
inventory | Displays information about the hardware inventory, including the ACS appliance model and serial number.
logging (requires keyword) | Displays ACS server logging information.
logins (requires keyword) | Displays the login history of an ACS server.
memory | Displays memory usage by all running processes.
ntp | Displays the status of the Network Time Protocol (NTP) servers.
ports | Displays all the processes listening on the active ports.
process | Displays information about the active processes of the ACS server.
repository (requires keyword) | Displays the file contents of a specific repository.
restore (requires keyword) | Displays the restore history in ACS.
running-config | Displays the contents of the configuration file that currently runs in ACS.
startup-config | Displays the contents of the startup configuration in ACS.
tech-support | Displays system and configuration information that you can provide to the Cisco Technical Assistance Center (TAC) when you report a problem.
terminal | Displays information about the terminal configuration parameter settings for the current terminal line.
timezone | Displays the current time zone in ACS.
timezones | Displays all the time zones available for use in ACS.
udi | Displays information about the CSACS-1121's Unique Device Identifier (UDI).
uptime | Displays how long the system you are logged in to has been up and running.
users | Displays information about the system users.
version | Displays information about the currently loaded software version, along with hardware and device information.
ip route | Displays information for specific IP addresses, network masks or protocols.
ACS Configuration Commands
Use ACS configuration commands to set the debug log level for the ACS management and runtime components, show system settings, reset server certificate and IP address access list, and manage import and export processes.
The ACS configuration mode requires a specific, authorized user role to execute each ACS configuration command. These commands are briefly described in Table 1-4. For detailed information on roles in ACS 5.2, refer to the User Guide for the Cisco Secure Access Control System 5.2.
To access the ACS configuration mode, run the acs-config command in EXEC mode.
Table 1-4 lists the ACS Configuration commands and provides a short description of each.
Table 1-4 Summary of ACS Configuration Commands
Command | Description | Required User Role
access-setting accept-all | Resets IP address filtering to allow all IP addresses to access the management pages of an ACS server. | Only the super admin can run this command on a primary ACS node.
acsview-db-compress | Compresses the ACS View database by rebuilding each table in the database and releasing the unused space. As a result, the physical size of the database is reduced. | Any authorized user, irrespective of role, can run this command.
debug-adclient | Enables debug logging of an Active Directory client. | Only the network-device admin can run this command.
debug-log | Defines the local debug logging level for the ACS components. | Any user, irrespective of role, can run this command.
export-data | Exports configuration data from an ACS local store to a remote repository. | Only users who have Read permission to a specific configuration object in the GUI can export that particular configuration data to a remote repository.
import-data | Imports configuration data from a remote repository to an ACS local store. | Only users who have Create, Read, Update, and Delete (CRUD) permissions to a specific configuration object in the GUI can import that particular configuration data to an ACS local store.
import-export-abort | Aborts specific (or all) import and export processes. | Only the super admin can simultaneously abort a running process and all pending import and export processes. However, a user who owns a particular import or export process can terminate that particular process by using the process ID, or by stopping the process when it is in progress.
import-export-status | Displays the status of the import and export processes. | Any user, irrespective of role, can run this command.
no debug-adclient | Disables debug logging of an Active Directory client. | Only the network-device admin can run this command.
no debug-log | Restores the default local debug logging level of the ACS components. | Any user, irrespective of role, can run this command.
replication force-sync | Synchronizes configuration information between the primary and secondary ACS. | Only the super admin or system admin can run this command on a secondary ACS node.
reset-management-interface-certificate | Resets the management interface certificate to the default self-signed certificate. | Only the super admin or system admin can run this command.
show debug-adclient | Displays debug logging status for an Active Directory client. | Any user, irrespective of role, can run this command.
show debug-log | Displays the local debug logging status for subsystems. | Any user, irrespective of role, can run this command.
For detailed information on ACS Configuration mode commands, see Understanding Command Modes.
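The "Required User Role" column of Table 1-4 is a small authorization policy: some commands are open to any authorized user, some are restricted to a named role, some additionally depend on whether the session is on the primary or a secondary node, and export-data/import-data depend on the caller's permissions on the specific configuration object. The following added example (not Cisco's code) models those rules as a deny-by-default check so that they can be reviewed and tested outside the appliance. The role names, the node flag, and the per-object permission sets are assumptions drawn from the table's wording, not an ACS API.

```python
"""Added example, not Cisco's code: an authorization check that models the
'Required User Role' column of Table 1-4 for ACS Configuration mode commands.
Role names, the primary/secondary node flag and the per-object GUI permission
sets are assumptions drawn from the table's wording, not an ACS API."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SUPER_ADMIN = "super-admin"                  # assumed role names
SYSTEM_ADMIN = "system-admin"
NETWORK_DEVICE_ADMIN = "network-device-admin"
CRUD = {"C", "R", "U", "D"}

# Commands any authorized user may run, irrespective of role (Table 1-4).
ANY_ROLE = {"acsview-db-compress", "debug-log", "no debug-log",
            "import-export-status", "show debug-adclient", "show debug-log"}


@dataclass
class Principal:
    name: str
    roles: Set[str]
    # Hypothetical per-object GUI permissions: object name -> subset of CRUD.
    object_perms: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Request:
    command: str
    node_is_primary: bool = True          # which ACS node the CLI session is on
    config_object: Optional[str] = None   # for export-data / import-data
    owns_process: bool = False            # import-export-abort of one's own process
    abort_all: bool = False               # import-export-abort of everything


def authorize(p: Principal, r: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) per Table 1-4; anything unlisted is denied."""
    cmd = r.command

    def has(*roles: str) -> bool:
        return any(role in p.roles for role in roles)

    if cmd in ANY_ROLE:
        return True, "any authorized user"
    if cmd == "access-setting accept-all":
        return has(SUPER_ADMIN) and r.node_is_primary, "super admin on a primary node only"
    if cmd in ("debug-adclient", "no debug-adclient"):
        return has(NETWORK_DEVICE_ADMIN), "network-device admin only"
    if cmd == "export-data":
        perms = p.object_perms.get(r.config_object or "", set())
        return "R" in perms, "Read permission on the exported object"
    if cmd == "import-data":
        perms = p.object_perms.get(r.config_object or "", set())
        return CRUD <= perms, "Create, Read, Update and Delete on the imported object"
    if cmd == "import-export-abort":
        if r.abort_all:
            return has(SUPER_ADMIN), "only the super admin may abort all processes"
        return has(SUPER_ADMIN) or r.owns_process, "process owner or super admin"
    if cmd == "replication force-sync":
        return (has(SUPER_ADMIN, SYSTEM_ADMIN) and not r.node_is_primary,
                "super or system admin on a secondary node only")
    if cmd == "reset-management-interface-certificate":
        return has(SUPER_ADMIN, SYSTEM_ADMIN), "super or system admin"
    return False, "command not in Table 1-4: denied by default"


if __name__ == "__main__":
    # Constructed principal: a network-device admin with Read on one object.
    ops = Principal("ops1", {NETWORK_DEVICE_ADMIN}, {"NetworkDevices": {"R"}})
    for req in (Request("debug-adclient"),
                Request("export-data", config_object="NetworkDevices"),
                Request("import-data", config_object="NetworkDevices"),
                Request("access-setting accept-all")):
        print(f"{req.command:30} -> {authorize(ops, req)}")
```

The deny-by-default fall-through matters more than any single rule: a command that is absent from the table should not be run on the strength of a role it was never granted, and the returned reason string makes a denial auditable.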
Configuration Commands
Configuration commands include interface and repository. To access the Configuration mode, run the configure command in the EXEC mode.
Some of the configuration commands will require you to enter the configuration submode to complete the configuration.
Table 1-5 lists the configuration commands and provides a short description of each.
Table 1-5 Summary of Configuration Commands
Command | Description
backup-staging-url | Specifies a Network File System (NFS) temporary space or staging area for the remote directory for backup and restore operations.
cdp holdtime | Specifies the amount of time the receiving device should hold a CDP packet from the ACS server before discarding it.
cdp run | Enables CDP.
cdp timer | Specifies how often the ACS server sends CDP updates.
clock | Sets the time zone for display purposes.
do | Executes an EXEC-level command from the configuration mode or any configuration submode. To initiate, the do command precedes the EXEC command.
end | Returns to the EXEC mode.
exit | Exits the Configuration mode.
hostname | Sets the hostname of the system.
icmp echo | Configures the ICMP echo requests.
interface | Configures an interface type and enters the interface configuration mode.
ip address | Sets the IP address and netmask for the Ethernet interface. This is an interface configuration command.
ip default-gateway | Defines or sets a default gateway with an IP address.
ip domain-name | Defines a default domain name that an ACS server uses to complete hostnames.
ip name-server | Sets the Domain Name System (DNS) servers for use during a DNS query.
kron occurrence | Schedules one or more Command Scheduler commands to run at a specific date and time or at a recurring interval.
kron policy-list | Specifies a name for a Command Scheduler policy.
logging | Enables the system to forward logs to a remote system.
logging loglevel | Configures the log level for the logging command.
no | Disables or removes the function associated with the command.
ntp | Synchronizes the software clock through the NTP server for the system.
password-policy | Enables and configures the password policy.
repository | Enters the repository submode.
service | Specifies the type of service to manage.
snmp-server community | Sets up the community access string to permit access to the Simple Network Management Protocol (SNMP).
snmp-server contact | Configures the SNMP contact MIB value on the system.
snmp-server host | Sends SNMP traps to a remote system.
snmp-server location | Configures the SNMP location MIB value on the system.
username | Adds a user to the system with a password and a privilege level.
For detailed information on Configuration mode and submode commands, see Understanding Command Modes.
CLI Audit
You must have administrator access to execute ACS configuration commands. Whenever an administrator logs in to the configuration mode and executes a command that causes configuration changes in the ACS server, the information related to those changes is logged in the ACS operational logs.
Table 1-6 lists the configuration mode commands that, when executed, generate operational logs.
Table 1-6 Configuration Mode Commands for the Operation Log
Command | Description
clock | Sets the system clock on the ACS server.
ip name-server | Sets the DNS servers for use during a DNS query.
hostname | Sets the hostname of the system.
ip address | Sets the IP address and netmask for the Ethernet interface.
ntp server | Allows synchronization of the software clock by the NTP server for the system.
You can view these logs using the show acs-logs command. For more information on log file types and the information stored in each log file, see show acs-logs.
In addition to the configuration mode commands, some commands in the EXEC and ACS Configuration modes also generate operational logs, as listed in Table 1-7 and Table 1-8:
Table 1-7 EXEC Mode Commands for the Operation Log
Command | Description
acs (Instance) | Starts or stops an ACS instance.
acs (Process) | Starts or stops an ACS process.
backup | Performs a backup (ACS and ADE OS) and places the backup in a repository. If View exists, View data will also get backed up.
restore | Restores from backup the file contents of a specific repository.
acs backup | Performs a backup of an ACS configuration.
acs restore | Performs a restoration of an ACS configuration.
acs reset-config | Resets the ACS configuration to factory defaults.
acs delete core | Deletes an ACS run-time core file or JVM core log.
acs delete log | Deletes an ACS run-time core file or JVM core log excluding the latest log.
backup-logs | Backs up system logs.
acs patch | Installs and removes ACS patches.
acs support | Gathers information for ACS troubleshooting.
Table 1-8 ACS Configuration Mode Commands for the Operation Log
Command | Description
access-setting accept-all | Resets the IP address filtering to allow all IP addresses to access the management pages of an ACS server.
debug-adclient | Enables debug logging of an Active Directory client.
debug-log | Defines the local debug logging level for the ACS components.
export-data | Exports configuration data from an ACS local store to a remote repository.
import-data | Imports configuration data from a remote repository to an ACS local store.
import-export-abort | Aborts specific (or all) import and export processes.
reset-management-interface-certificate | Resets the management interface certificate to the default self-signed certificate.
replication | Synchronizes configuration information between the primary and secondary ACS.
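Tables 1-6, 1-7 and 1-8 tell a reviewer which CLI actions should appear in the operational logs, and Table 1-1 tells which of them an Operator (user) account should never have been able to run. The following added example (not Cisco's code) combines both: it parses a batch of audit records, marks each as an expected operational-log entry or not, flags any Operator account running an Admin-only command, and flags a handful of commands that warrant review whoever ran them. The record layout, the account names and the mode labels in SAMPLE_LOG are constructed for this example; ACS writes its operational logs in its own format (viewable with show acs-logs), so parse_line() must be adapted to the real records before use.

```python
"""Added example, not Cisco's code: triage of CLI audit records against the
command lists in this chapter. The log line format below is CONSTRUCTED for
the example; ACS writes operational logs in its own format (see 'show
acs-logs'), so parse_line() must be adapted before use on real data."""
import re
from typing import Dict, List, Optional, Sequence

# Commands that generate operational log entries, by mode (Tables 1-6, 1-7, 1-8).
OPLOG_COMMANDS = {
    "CONFIG": ["clock", "ip name-server", "hostname", "ip address", "ntp server"],
    "EXEC": ["acs start", "acs stop", "backup", "restore", "acs backup",
             "acs restore", "acs reset-config", "acs delete core",
             "acs delete log", "backup-logs", "acs patch", "acs support"],
    "ACS-CONFIG": ["access-setting accept-all", "debug-adclient", "debug-log",
                   "export-data", "import-data", "import-export-abort",
                   "reset-management-interface-certificate", "replication"],
}

# Commands an Operator (user) account may run (Table 1-1); all others are Admin-only.
OPERATOR_ALLOWED = [
    "exit", "nslookup", "ping", "ssh", "telnet", "terminal", "traceroute",
    "show acs-cores", "show acs-logs", "show acs-config-web-interface",
    "show cdp", "show clock", "show cpu", "show disks", "show icmp_status",
    "show interface", "show inventory", "show logging", "show logins",
    "show memory", "show ntp", "show ports", "show process", "show terminal",
    "show timezone", "show udi", "show uptime", "show version",
]

# Commands worth a second look even when an Admin runs them; this selection
# is the example's own judgement, not a list from the guide.
HIGH_IMPACT = ["acs reset-config", "acs reset-password", "acs zeroize-machine",
               "application reset-config", "access-setting accept-all",
               "reset-management-interface-certificate", "username", "halt"]

# Constructed record layout: timestamp, account, role, mode, quoted command.
LOG_RE = re.compile(r'^(?P<ts>\S+ \S+) user=(?P<user>\S+) role=(?P<role>\S+) '
                    r'mode=(?P<mode>\S+) cmd="(?P<cmd>[^"]*)"$')


def match_command(cmd: str, prefixes: Sequence[str]) -> Optional[str]:
    """Longest whole-token prefix match, so 'backup-logs' is never read as 'backup'."""
    for p in sorted(prefixes, key=len, reverse=True):
        if cmd == p or cmd.startswith(p + " "):
            return p
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: Sequence[str]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # a real collector should count these rather than drop them silently
        expected_oplog = match_command(rec["cmd"], OPLOG_COMMANDS.get(rec["mode"], [])) is not None
        violation = (rec["role"] == "operator"
                     and match_command(rec["cmd"], OPERATOR_ALLOWED) is None)
        findings.append({
            "user": rec["user"],
            "cmd": rec["cmd"],
            "generates_oplog": expected_oplog,
            "privilege_violation": violation,
            "high_impact": match_command(rec["cmd"], HIGH_IMPACT) is not None,
        })
    return findings


SAMPLE_LOG = [  # constructed records, not ACS output
    '2011-03-14 10:22:05 user=acsadmin role=admin mode=EXEC cmd="acs backup nightly"',
    '2011-03-14 10:23:41 user=acsadmin role=admin mode=CONFIG cmd="ntp server 10.0.0.5"',
    '2011-03-14 10:25:10 user=ops1 role=operator mode=EXEC cmd="show cpu"',
    '2011-03-14 10:26:02 user=ops1 role=operator mode=EXEC cmd="acs reset-config"',
    '2011-03-14 10:27:30 user=acsadmin role=admin mode=ACS-CONFIG cmd="access-setting accept-all"',
    '2011-03-14 10:28:00 user=ops1 role=operator mode=EXEC cmd="ping 10.0.0.1"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flags = [k for k in ("generates_oplog", "privilege_violation", "high_impact") if f[k]]
        print(f"{f['user']:10} {f['cmd']:30} {' '.join(flags)}")
```

A privilege_violation finding is the interesting one for a defender: Table 1-1 says an Operator cannot run acs reset-config at all, so such a record means either the account's privilege level was changed with username, the log attribution is wrong, or the appliance is not enforcing the table, and each of those deserves follow-up.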