This section describes the major Cisco Secure ACS Appliance 3.2 system administration tasks that you can perform via the serial console connection command line interface (CLI). For all other Cisco Secure ACS Appliance configuration and administration tasks, that is, those performed from the ACS HTML interface, see the User Guide for Cisco Secure ACS Appliance.
Serial console service starts automatically when the Cisco Secure ACS Appliance boots and prompts the user to log in. Successful login launches a command line application (shell) that operates the CLI.
This section contains the following topics:
This section details basic administrative tasks performed using a serial console connected to the Cisco Secure ACS Appliance. This section contains the following procedures:
To log on to the Cisco Secure ACS Appliance via a serial console, follow these steps:
Step 2 At the login: prompt, enter the Cisco Secure ACS Appliance administrator name.
Step 3 At the password: prompt, enter the Cisco Secure ACS Appliance password.
Result: The system prompt appears in the following form:
Note There is only one set of Cisco Secure ACS Appliance login credentials (administrator name and password) that have the serial connection privilege.
Caution Powering off the Cisco Secure ACS Appliance by using the Power button may cause the loss or corruption of data. Use this procedure to shut down the Cisco Secure ACS Appliance.
To use the serial console to shut down the Cisco Secure ACS Appliance, follow these steps:
Step 2 At the system prompt, type shutdown, and then press Enter.
Step 3 At the Are you sure you want to shut down? (Y/N) prompt, type Y for yes and then press Enter.
Result: The Cisco Secure ACS Appliance displays the following message:
The Cisco Secure ACS Appliance then ends operations and powers OFF.
To log off the Cisco Secure ACS Appliance via the serial console, follow these steps:
Step 2 Press Enter.
Result: The serial console connection closes, and the login: prompt reappears.
To reboot the Cisco Secure ACS Appliance via the serial console, follow these steps:
Step 2 At the system prompt, type the reboot command, and then press Enter.
Result: The Cisco Secure ACS Appliance displays the following message:
Step 3 Type Y for yes and then press Enter.
Result: The Cisco Secure ACS Appliance reboots. When the reboot is finished, the login: prompt reappears.
You can use the serial console connection to obtain system and service status information.
Note Status determination is typically performed from within the Cisco Secure ACS Appliance HTML user interface. For more information, see "Determining the Status of Cisco Secure ACS Services" in the User Guide for Cisco Secure ACS Appliance.
To determine the status of the Cisco Secure ACS Appliance and the Cisco Secure ACS Services, follow these steps:
Step 2 At the system prompt, type the show command, and then press Enter.
Result: The system displays the following status information:
If you are unfamiliar with the trace route command or want information on the command's optional arguments, see the Command Reference entry tracert.
To trace the network route taken by the Cisco Secure ACS Appliance to a given destination, follow these steps:
Step 2 Press Enter.
Result: The system displays the route tracing information followed by the message:
Note Stopping appliance services is a procedure that is typically performed from within the HTML interface.
You can stop any of the Cisco Secure ACS Appliance services from the serial console. The Cisco Secure ACS Appliance services include the following:
Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Appliance System and Services via Serial Console.
To stop a service on the Cisco Secure ACS Appliance, follow these steps:
Step 2 Type stop followed by a single space and the name of the ACS service you want to stop.
Tip You can list more than one service to stop; type a single space between each.
Step 3 Press Enter.
Result: The system immediately shows the message:
Note Starting appliance services is typically performed from within the HTML user interface.
You can start any of the ACS services from the serial console. The Cisco Secure ACS Appliance services include the following:
Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Appliance System and Services via Serial Console.
To start an ACS service, follow these steps:
Step 2 Type the start command followed by a single space and the name of the ACS service you want to start.
Tip You can list more than one service to start; type a single space between each.
Step 3 Press Enter.
Result: The system immediately shows the message:
Note Restarting appliance services is a procedure that is typically performed from within the HTML interface.
You can restart any Cisco Secure ACS Appliance service from the serial console. Cisco Secure ACS Appliance services include the following:
Tip To list the services and their status, you can use the show command. For more information, see Determining the Status of Appliance System and Services via Serial Console.
To restart an ACS service, follow these steps:
Step 2 Type the restart command followed by a single space and the name of the ACS service you want to restart.
Tip You can list more than one service to restart; type a single space between each.
Step 3 Press Enter.
Result: The system immediately shows the message:
To obtain a list and description of commands on the Cisco Secure ACS Appliance via the serial console, follow these steps:
Step 2 At the system prompt, type the help command, and then press Enter.
Tip Press Enter again to scroll through the list of commands, as necessary.
Result: The Cisco Secure ACS Appliance displays the following list of commands and their descriptions:
For more information on Cisco Secure ACS Appliance commands, see "Command Reference."
This section details basic data manipulation tasks performed from a serial console connected to the Cisco Secure ACS Appliance. This section contains the following procedures:
This section details the procedure for running the support tool. The support tool first collects logs, system Registry information, and other ancillary data, and then compresses the collected information into a single file with the extension .cab. This file can then be sent to support personnel for analysis.
Caution Performing this procedure stops and restarts all services and will interrupt use of the Cisco Secure ACS Appliance.
Note This procedure is typically performed from within the Cisco Secure ACS Appliance HTML interface.
This procedure uses the support command. For more information on this command, see support in "Command Reference." The arguments for the support command include the following:
To generate a .cab file of log and system Registry information, follow these steps:
Step 2 Type the support command and the arguments necessary to your purpose.
Step 3 Press Enter.
Step 4 To collect user database information, at the Collect User Data? prompt, type Y and then press Enter.
Step 5 At the Collect Previous days logs? prompt, type the number of days for which you want to collect information (from 1 to 9999) and press Enter.
Step 6 At the Enter FTP Server Hostname prompt, enter your FTP server hostname or IP address and press Enter.
Step 7 At the Enter FTP Server Filepath prompt, enter the filepath to the location on your FTP server that you want to send the file to and then press Enter.
Step 8 At the Enter FTP Server Username prompt, enter your FTP server user account name and press Enter.
Caution Performing this next step begins the procedure that stops and restarts all services and will, therefore, interrupt use of the Cisco Secure ACS Appliance.
Step 9 At the Enter FTP Server Password prompt, enter your FTP server password and press Enter.
Result: The Cisco Secure ACS Appliance displays a series of messages detailing the writing and dumping of the files and the stopping and starting of services. At file transfer conclusion the system displays the following messages:
This indicates the Cisco Secure ACS Appliance has packaged and transferred the .cab file as specified and restarts services.
Step 10 Press Enter.
Result: The system returns to the system prompt.
This section details the procedure for exporting Cisco Secure ACS Appliance log files to an FTP server for further examination and processing. Using the exportlogs command, you can either enter the name of the log or logs to be exported or select log names from a list.
You must have the FTP server address and filepath, as well as the proper credentials for writing to the FTP server (user name and password).
Caution Performing this procedure stops and restarts all services and will interrupt use of the Cisco Secure ACS Appliance.
To export log files to an FTP server, follow these steps:
Step 2 Type exportlogs logname.
Tip You can enter more than one log name, separating each with a space. If you enter no log name, after you press Enter, the system displays the names of the log files available for export.
Caution Performing this procedure stops and restarts all services and will interrupt use of the Cisco Secure ACS Appliance.
Step 3 Press Enter.
Step 4 At the prompt, enter the IP address or hostname of the FTP server and press Enter.
Step 5 At the prompt, enter your FTP server username and press Enter.
Step 6 At the prompt, enter your FTP server password and press Enter.
Step 7 At the prompt, enter the FTP server directory filepath and press Enter.
Result: The Cisco Secure ACS Appliance exports the specified files to the specified location.
This section details the procedure for exporting a list of Cisco Secure ACS Appliance user groups to an FTP server for further examination and processing.
You must have the FTP server address and filepath, as well as the proper credentials for writing to the FTP server (username and password).
Caution Performing this procedure stops and restarts the csauth service and will interrupt use of the Cisco Secure ACS Appliance.
To export a user group list to an FTP server, follow these steps:
Step 2 Type exportgroups.
Tip You can enter the following parameters following the command or in response to subsequent prompts: [server] [username] [filepath]
Step 3 Press Enter.
Result: The system displays the following message:
Caution Performing this procedure stops and restarts the csauth service and will interrupt use of the Cisco Secure ACS Appliance.
Step 4 To proceed, type Y and press Enter.
Step 5 At the Enter IP Address or hostname of the FTP Server prompt, enter the FTP server IP address or hostname and press Enter.
Step 6 At the Login: prompt, enter your FTP server username and press Enter.
Step 7 At the Password: prompt, enter your FTP server password and press Enter.
Step 8 At the Directory: prompt, enter the FTP server filepath and press Enter.
Result: The Cisco Secure ACS Appliance exports the group list file to the specified location. When done, the system displays the following message:
This section details the procedure for exporting a list of Cisco Secure ACS Appliance users to an FTP server for further examination and processing.
You must have the FTP server address and filepath, as well as the proper credentials for writing to the FTP server (username and password).
Caution Performing this procedure stops and restarts the csauth service and will interrupt use of the Cisco Secure ACS Appliance.
To export a list of users to an FTP server, follow these steps:
Step 2 Type exportusers.
Tip You can enter the following parameters following the command or in response to subsequent prompts: [server] [username] [filepath]
Step 3 Press Enter.
Result: The system displays the following message:
Caution Performing this procedure stops and restarts the csauth service and will interrupt use of the Cisco Secure ACS Appliance.
Step 4 To proceed, type Y and press Enter.
Step 5 At the Enter IP Address or hostname of the FTP Server prompt, enter the FTP server IP address or hostname and press Enter.
Step 6 At the Login: prompt, enter your FTP server username and press Enter.
Step 7 At the Password: prompt, enter your FTP server password and press Enter.
Step 8 At the Directory: prompt, enter the FTP server filepath and press Enter.
Result: The Cisco Secure ACS Appliance exports the list of users file to the specified location. When done, the system displays the following message:
This section details how to use the serial console to back up Cisco Secure ACS Appliance data to an FTP server.
Note This procedure is typically performed from within the HTML interface.
During backup, AAA services are interrupted and Cisco Secure ACS Appliance data is packaged and sent in a file to an FTP server. You may choose to encrypt this file package. For information on how to restore the backup data to the system, see Restoring ACS Data via the Serial Console.
You must have the FTP server address and filepath, as well as the proper credentials for writing to the FTP server (username and password).
Caution This procedure interrupts the use of the Cisco Secure ACS Appliance for AAA services.
To export Cisco Secure ACS Appliance data to an FTP server, follow these steps:
Step 2 Type backup.
Tip You can enter the following parameters following the command or in response to subsequent prompts: [server] [username] [filepath]
Step 3 Press Enter.
Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname and press Enter.
Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server filepath and press Enter.
Step 6 At the Enter FTP Server Username: prompt, enter your FTP server username and press Enter.
Step 7 At the Enter FTP Server Password: prompt, enter your FTP server password and press Enter.
Step 8 At the File: prompt, enter the name you want to give the backup file and then press Enter.
Step 9 At the Encrypt Backup File? (Y or N) prompt, type Y to encrypt the backup file or N not to encrypt it, and then press Enter.
Caution This procedure interrupts the use of the Cisco Secure ACS Appliance for AAA services.
Step 10 If you previously chose to encrypt the backup file, at the Encryption Enter FTP Server Password: prompt, type a password and then press Enter.
Result: The Cisco Secure ACS Appliance displays the following messages:
Step 11 To proceed, type Y and press Enter.
Result: The Cisco Secure ACS Appliance exports the backup file to the specified location and displays messages regarding the progress of the backup. Before returning to the system prompt, the following message signifies the completion of the backup process:
This section details how to use the serial console to restore Cisco Secure ACS Appliance data from an FTP server after having performed a backup. For more information on backing up Cisco Secure ACS Appliance data, see Backing Up ACS Data via the Serial Console.
Note This procedure is typically performed from within the HTML interface.
You must have the FTP server address and filepath, as well as the proper credentials for writing to the FTP server (username and password). You also need the name of the backup file and, if the backup was encrypted, the decryption password.
Caution This procedure interrupts the use of the Cisco Secure ACS Appliance for AAA services.
Caution This procedure overwrites current system data and replaces it with the backup data.
To restore Cisco Secure ACS Appliance data from an FTP server, follow these steps:
Step 2 Type restore.
Tip You can enter the following parameters following the command or in response to subsequent prompts: [server] [username] [filepath]
Step 3 Press Enter.
Step 4 At the Enter FTP Server Hostname or IP Address: prompt, enter the FTP server IP address or hostname and press Enter.
Step 5 At the Enter FTP Server Directory: prompt, enter the FTP server filepath and press Enter.
Step 6 At the Enter FTP Server Username: prompt, enter your FTP server username and press Enter.
Step 7 At the Enter FTP Server Password: prompt, enter your FTP server password and press Enter.
Step 8 At the File: prompt, enter the name of the backup file and then press Enter.
Step 9 At the Select Components to Restore: User and Group Database: prompt, to restore the user and group database type Y and then press Enter.
Step 10 At the CiscoSecure ACS System Configuration: (Y or N) prompt, to restore the system configuration data type Y and then press Enter.
Step 11 At the Decrypt Backup file? (Y or N) prompt, if you previously encrypted the backup file, type Y and then press Enter.
Step 12 At the Encryption Password: prompt, type the FTP password, and then press Enter.
Note The system displays a warning message: Reloading a system backup will overwrite ALL current configuration information. All services will be stopped and started automatically
Step 13 At the Are you sure you want to proceed? (Y or N) prompt, type Y and then press Enter.
Result: The Cisco Secure ACS Appliance receives the backup file from the specified location and displays messages regarding the restoration. You may see warnings about components not included in the backup file. For example, if Cisco Secure ACS Appliance has no shared profile components configured, you see a message about DCS (device command sets) not on the backup. This is normal.
When completed the system displays the message:
This section details the procedure you perform to compact the Cisco Secure ACS Appliance user database. Like many relational databases, the Cisco Secure ACS Appliance user database handles the deletion of records by marking deleted records as deleted but not removing the record from the database. Over time, your Cisco Secure ACS Appliance user database may be substantially larger than is required by the number of users it contains. To reduce the CiscoSecure user database size, you can compact it periodically.
Database compaction includes three basic operations that take place automatically when you issue the dbcompact command:
Performing this procedure can reduce the amount of space that the database takes up and improve the database response time.
Caution Compacting the CiscoSecure user database requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.
Note This procedure is typically performed from within the Cisco Secure ACS Appliance HTML user interface.
To compact the Cisco Secure ACS Appliance user database, follow these steps:
Step 2 Type dbcompact.
Result: The system displays the following message:
Caution Compacting the CiscoSecure user database requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.
Step 3 Type y, and then press Enter.
Result: The system displays a series of messages similar to the following:
Finally, the system returns to displaying the system prompt.
This section details basic reconfiguration tasks performed from a serial console connected to the Cisco Secure ACS Appliance. This section contains the following procedures:
There is always a single set of Cisco Secure ACS Appliance administrator credentials consisting of administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the Cisco Secure ACS HTML user interface.
You can reset the Cisco Secure ACS Appliance administrator name, the administrator password, or both. This procedure details how to reset the password after having logged on with the existing credentials. To reset the administrator name, see Resetting the Appliance Administrator Name.
If you do not have the existing Cisco Secure ACS Appliance administrator login credentials with which to log on, you must have the recovery CD ROM to reset these credentials. For information on resetting the administrator login and password without first logging on, see Recovering from Loss of Administrator Credentials.
To reset the Cisco Secure ACS Appliance administrator login credentials, follow these steps:
Step 2 At the system prompt, type set password and then press Enter.
Result: The Cisco Secure ACS Appliance displays the following prompt:
Step 3 Type the new password, and then press Enter.
Note The new password must not contain the administrator account name, must contain a minimum of 6 characters, and it must include a mix of at least 3 character types (numerals, special characters, upper case letters, and lowercase letters). Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.
Step 4 At the Set password again prompt, type the password again and then press Enter.
Result: The system displays the following message on the console:
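The password rules from the note in Step 3, written as a pre-check for a candidate password before it is typed at the console. This is an added example, not Cisco code; the administrator name `acsadmin`, the case-insensitive name match, and the use of ASCII punctuation as the "special characters" class are assumptions.

```python
import string

MIN_LENGTH = 6       # page: "a minimum of 6 characters"
MIN_CHAR_TYPES = 3   # page: "a mix of at least 3 character types"

# The four character types named in the note. Treating ASCII punctuation as
# the "special characters" class is an assumption; the page does not list them.
CHAR_CLASSES = {
    "numeral": string.digits,
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "special": string.punctuation,
}


def char_types(password):
    """Return the set of character-type names that occur in the password."""
    found = set()
    for ch in password:
        for name, members in CHAR_CLASSES.items():
            if ch in members:
                found.add(name)
    return found


def policy_violations(password, admin_name):
    """Return the rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Assumption: the name check ignores case, the stricter reading of the rule.
    if admin_name and admin_name.lower() in password.lower():
        problems.append("contains the administrator account name")
    kinds = char_types(password)
    if len(kinds) < MIN_CHAR_TYPES:
        problems.append("only %d character type(s): %s"
                        % (len(kinds), ", ".join(sorted(kinds)) or "none"))
    return problems


if __name__ == "__main__":
    admin = "acsadmin"  # constructed administrator name, not from the page
    candidates = [
        "1PaSsWoRd", "*password44", "Pass*word",   # the page's acceptable examples
        "password44", "Ab1!", "AcsAdmin*9",        # constructed failing cases
    ]
    for pw in candidates:
        issues = policy_violations(pw, admin)
        print("%-12s %s" % (pw, "OK" if not issues else "; ".join(issues)))
```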
There is always a single set of Cisco Secure ACS Appliance administrator credentials consisting of administrator name and password. Unlike other ACS administrative accounts, this unique administrative account is granted all privileges, cannot be deleted, and is not listed in the Administrators table of the Administrative Control page in the Cisco Secure ACS HTML user interface.
You can reset the Cisco Secure ACS Appliance administrator name, the administrator password, or both. This procedure details how to reset the administrator name after having logged on with the existing credentials. To reset the password, see Resetting the Appliance Administrator Password.
If you do not have the existing Cisco Secure ACS Appliance administrator login credentials with which to log on, you must have the recovery CD ROM to reset these credentials. For information on resetting the administrator login and password without first logging on, see Recovering from Loss of Administrator Credentials.
To reset the Cisco Secure ACS Appliance administrator name, follow these steps:
Step 2 At the system prompt, type the set admin command, and then press Enter.
Result: The Cisco Secure ACS Appliance displays the Set administrator's name prompt.
Step 3 Type the new administrator name, and then press Enter.
Step 4 At the Set administrator name again prompt, type the administrator name again and then press Enter.
Result: The system displays the following message on the console:
Typically, you configure the IP address only once, during initial configuration. See Configuring the Cisco Secure ACS Appliance.
Caution Reconfiguring the IP address may cause other network devices to fail to recognize the Cisco Secure ACS Appliance.
Caution Reconfiguring the IP address causes services to restart. AAA services to users will be interrupted.
To reconfigure the IP address, follow these steps:
Step 2 Type the set ip command, and then press Enter.
Step 3 At the Use Static IP Address [Y]: prompt, type Y for yes or N for No, and then press Enter.
Step 4 If you answered no to using a static IP address, the system displays a confirmation of DHCP and the message IP Address is reconfigured. Continue the procedure with Step 5.
If you responded yes in the previous step to use a static IP address, do the following:
a. To specify the Cisco Secure ACS Appliance IP address, at the IP Address [xx.xx.xx.xx]: prompt, type the IP address, and then press Enter.
b. At the Subnet Mask [xx.xx.xx.xx]: prompt, type the subnet mask, and then press Enter.
c. At the Default Gateway [xx.xx.xx.xx]: prompt, type the default gateway, and then press Enter.
d. At the DNS Servers [xx.xx.xx.xx]: prompt, type the address of any DNS servers you intend to use (separate each by a single space), and then press Enter.
Result: The system displays the new configuration information and the following message:
Step 5 Review the information presented and, at the Confirm the changes? [Y]: prompt, press Enter.
Result: The Cisco Secure ACS Appliance restarts. The system displays the following message:
Step 6 At the prompt, Test network connectivity [Yes]:, type Y, and then press Enter.
Tip This step executes a ping command to ensure the connectivity of the Cisco Secure ACS Appliance.
Step 7 At the prompt, Enter hostname or IP address:, type the IP address or hostname of a device connected to the Cisco Secure ACS Appliance and then press Enter.
Result: If successful, the system displays the ping statistics. Once again the system displays the prompt: Test network connectivity [Yes]:.
Step 8 If network connectivity is proven okay in the previous two steps, at the prompt, Test network connectivity [Yes]:, type N, and then press Enter.
Tip The system will continue to provide you with the opportunity to test network connectivity until you answer no. This gives you an opportunity, if required, to correct network connections or retype the IP address.
Result: The Cisco Secure ACS Appliance restarts services, after which, it displays the system prompt.
You can set and maintain the system date and time using either of two methods:
To set the Cisco Secure ACS Appliance system time and date using an NTP, see Setting the System Time and Date with NTP.
To set the Cisco Secure ACS Appliance system time and date manually, follow these steps:
Step 2 At the system prompt, type set time, and then press Enter.
Result: The system displays the following message on the console:
Step 3 To set the time zone, time, or date type Y, and then press Enter.
Result: The system displays a list of indexed time zones and the following message:
Step 4 Enter the desired time zone index number from the time zone setting list, and then press Enter.
Tip You can also type 0 and press Enter to see more time zone index nu