This chapter describes the command line interface (CLI) commands that you use to manage and monitor aspects of the Cisco Broadband Access Center (BAC) Device Provisioning Engine (DPE).
The system commands that affect the entire DPE are:
• exit
• help
• show
Use this command to configure the CLI to perform local user (login) authentication, or remote TACACS+ user authentication. This setting applies to all Telnet and console CLI interfaces.
TACACS+ is a TCP-based protocol that supports centralized access control for large numbers of network devices and user authentication for the DPE CLI. Using TACACS+, a DPE supports multiple users (and their individual usernames) and the login and enable passwords configured at the TACACS+ server.
aaa authentication mode
mode specifies either:
• local—In this mode, user authentication is enabled via a local login.
• tacacs—In this mode, the CLI sequentially attempts a TACACS+ exchange with each server in the TACACS+ server list. The attempts continue for a specified number of retries. If the end of the server list is reached before a successful protocol exchange occurs, the local authentication mode is automatically enabled. In this manner, you can gain access to the CLI even if the TACACS+ service is completely unavailable.
Note: TACACS+ authentication prompts you for your TACACS+ configured username and password; local authentication, however, prompts only for the local configured password.
The CLI user's login authentication is, by default, enabled in the local mode.
dpe# aaa authentication tacacs
% OK
Use this command to exit from the privileged mode on the DPE. When the disabled mode is activated, only those commands that allow viewing the system configuration are available on the CLI.
No keywords or arguments.
dpe# disable
dpe>
Use this command to enable the privileged mode on the DPE. Viewing the system configuration does not require the privileged mode; however, you can change the system configuration, state, and data only in the privileged mode.
After entering the command, you are prompted to enter the locally configured enable password. For information on setting the password for the privileged mode, see enable password.
No keywords or arguments.
dpe> enable
Password:
dpe#
Use this command to change the local password for accessing the DPE in the privileged mode. You can change the enable password only in the privileged mode.
Once the password is changed, all users who, from that point onward, attempt to enter into the privileged mode are required to use the new password.
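Note: This command does not change the login password; it only changes the local enable password.
When entering the enable password command, you can provide the password on the command line or when prompted. A password provided on the command line appears in clear text in the command as typed (see Example 3).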
enable password password
password—Specifies the local configured password currently in effect or, optionally, provides a new password. If you omit this parameter, you are prompted for the password.
Note: These examples show the different password messages that might appear.
Example 1
dpe# enable password
New enable password:
Retype new enable password:
Password changed successfully.
This result occurs when you are prompted to enter the password, and the password is changed successfully.
Example 2
dpe# enable password
New enable password:
Retype new enable password:
Sorry, passwords do not match.
This result occurs when the two password entries do not match.
Example 3
dpe# enable password cisco
Password changed successfully
This result occurs when you enter the password without being prompted, and the password is changed successfully.
Use this command to close a Telnet connection to the DPE and return to the login prompt. After running this command, a message indicates that the Telnet connection has been closed.
No keywords or arguments.
dpe# exit
% Connection closed.
Use this command to display a help screen to assist you in using the DPE CLI. If you need help on a particular command, or to list all available commands, enter command ? or ?, respectively.
After entering the command, a screen prompt appears to explain how you can use the help function.
Two types of help are available:
1. Full help is available when you enter a command argument, such as show ?, and describes each possible argument.
2. Partial help is provided when you enter an abbreviated argument and want to know what arguments match the input; for example, show c?.
No keywords or arguments.
Note: These examples show the different help messages that might appear.
Example 1
dpe# help
Help may be requested at any point in a command by entering a question mark '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a command argument (e.g. "show ?") and describes each possible argument.
2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. "show c?").
This result occurs when you use the help command.
Example 2
dpe# show ?
bundles Shows the archived bundles.
clock Shows the current system time.
commands Shows the full command hierarchy.
cpu Shows the current CPU usage.
device-config Show device configuration.
disk Shows the current disk usage.
dpe Shows the status of the DPE process if started.
files Shows files in DPE cache.
hostname Shows the system hostname.
ip Shows IP configuration details.
log Shows recent log entries.
memory Shows the current memory usage.
running-config Shows the appliance configuration.
version Shows DPE version.
This result occurs when you invoke the full help function for a command; in this instance, show ?.
Example 3
dpe# show c?
clock commands cpu
dpe# show clock
Sat Jul 15 01:43:19 EDT 2006
This result occurs when you invoke the partial help function for arguments of a command; in this instance, show clock.
Use this command to change the local system password. You use this password to access the DPE; it is different from the password used to access the privileged mode on the DPE. The system password is changed automatically for future logins by using the administrator account.
Note: The changes that you introduce through this command take effect for new users, but users who are currently logged on are not disconnected.
If TACACS+ user authentication is used, the local system password is used only if the DPE is unable to communicate with a TACACS+ server.
password password
password—Identifies the new DPE password.
Example 1
dpe# password
New password:
Retype new password:
Password changed successfully.
This result occurs when you are prompted for the password, and the password is changed successfully.
Example 2
dpe# password
New password:
Retype new password:
Sorry, passwords do not match.
This result occurs when the two password entries do not match.
Example 3
dpe# password cisco
Password changed successfully.
This result occurs when you enter the password on the command line (an approach that is easier for scripting), and the password is changed successfully.
Use the show command to view system settings and status. Table 2-1 lists the various keywords that you can use with the show command.
Use this command to add a TACACS+ server to the end of the TACACS+ client's list of TACACS+ servers. When TACACS+ authentication is enabled, the client attempts user login authentication to each server sequentially in the list until a successful authentication exchange is executed, or the list is exhausted. If the list is exhausted, the client automatically falls back into the local authentication mode (using the local system password).
You must specify an encryption key for each TACACS+ server. This key must match the key configured at the specified TACACS+ server.
To remove a TACACS+ server from the list of TACACS+ servers in the CLI, use the no form of this command. For more information, see no tacacs-server host.
tacacs-server host host key encryption-key
• host—Specifies either the IP address or the hostname of the TACACS+ server.
• encryption-key—Specifies the encryption key used for each TACACS+ server.
Example 1
This example adds a TACACS+ server by using its IP address (10.0.1.1) with an encryption key (hg667YHHj).
dpe# tacacs-server host 10.0.1.1 key hg667YHHj
% OK
Example 2
This example adds a TACACS+ server by using its hostname (tacacs1.cisco.com) with an encryption key (hg667YHHj).
dpe# tacacs-server host tacacs1.cisco.com key hg667YHHj
% OK
Use this command to remove a TACACS+ server from the list of TACACS+ servers in the CLI.
no tacacs-server host host
host—Specifies the IP address or the hostname of the TACACS+ server.
Example 1
This example removes a TACACS+ server by using its IP address.
dpe# no tacacs-server host 10.0.1.1
% OK
Example 2
This example removes a TACACS+ server by using its hostname.
dpe# no tacacs-server host tacacs1.abc.com
% OK
Use this command to set the number of times the TACACS+ protocol exchanges are retried before the TACACS+ client considers a specific TACACS+ server unreachable. When this limit is reached, the TACACS+ client moves to the next server in its TACACS+ server list, or falls back into local authentication mode if the TACACS+ list has been exhausted.
tacacs-server retries value
value—Specifies a dimensionless number from 1 to 100.
Note: This value applies to all TACACS+ servers.
By default, the number of times the TACACS+ protocol exchanges are retried before the TACACS+ client considers a specific TACACS+ server unreachable is set to 2.
dpe# tacacs-server retries 10
% OK
Use this command to set the maximum time that the TACACS+ client waits for a TACACS+ server response before it considers the protocol exchange to have failed.
tacacs-server timeout value
value—Specifies the duration for which the CLI waits for a TACACS+ server response. This value must be within the range of 1 to 300 seconds.
Note: This value applies to all TACACS+ servers.
By default, the maximum time that the CLI waits for a TACACS+ server response before it times out is 5 seconds.
dpe# tacacs-server timeout 10
% OK
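The following added example (not part of the original chapter and not product code) models how the aaa authentication, tacacs-server host, tacacs-server retries, and tacacs-server timeout settings combine: it parses command lines in this chapter's syntax, checks the documented ranges, and reports which authenticator handles a login and how long the client waits on timeouts before that. It assumes that the retries value is the number of attempts per server and that any server response completes the exchange; parse_config, login_path, and EXAMPLE-KEY are hypothetical names used only for illustration.

```python
# Added example (not product code): model of the TACACS+ login path.
# Assumptions: "retries" is the number of attempts per server, and a server
# that responds at all completes the exchange; only timeouts advance the walk.
DEFAULTS = {"mode": "local", "retries": 2, "timeout": 5}  # defaults per this chapter
LIMITS = {"retries": (1, 100), "timeout": (1, 300)}       # ranges per this chapter

def parse_config(lines):
    """Parse CLI lines in this chapter's syntax into a settings dict."""
    cfg = dict(DEFAULTS, servers=[])
    for line in lines:
        w = line.split()
        if w[:2] == ["aaa", "authentication"] and len(w) == 3 and w[2] in ("local", "tacacs"):
            cfg["mode"] = w[2]
        elif w[:2] == ["tacacs-server", "host"] and len(w) == 5 and w[3] == "key":
            cfg["servers"].append(w[2])            # the key itself is not kept
        elif w[:3] == ["no", "tacacs-server", "host"] and len(w) == 4:
            if w[3] in cfg["servers"]:
                cfg["servers"].remove(w[3])
        elif len(w) == 3 and w[0] == "tacacs-server" and w[1] in LIMITS:
            low, high = LIMITS[w[1]]
            value = int(w[2])
            if not low <= value <= high:
                raise ValueError(f"{w[1]} must be {low}-{high}, got {value}")
            cfg[w[1]] = value
        else:
            raise ValueError(f"unrecognized line: {line!r}")
    return cfg

def login_path(cfg, reachable):
    """Return (who authenticates the login, seconds lost to timeouts)."""
    if cfg["mode"] == "local":
        return ("local", 0)
    waited = 0
    for server in cfg["servers"]:
        if server in reachable:
            return (server, waited)
        waited += cfg["retries"] * cfg["timeout"]  # every attempt times out
    return ("local", waited)  # list exhausted: the local password decides

# Constructed sample; EXAMPLE-KEY is a placeholder, not a real key.
SAMPLE = [
    "aaa authentication tacacs",
    "tacacs-server host 10.0.1.1 key EXAMPLE-KEY",
    "tacacs-server host tacacs1.cisco.com key EXAMPLE-KEY",
    "tacacs-server retries 10",
    "tacacs-server timeout 10",
]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE)
    for up in ({"10.0.1.1"}, {"tacacs1.cisco.com"}, set()):
        print(sorted(up), "->", login_path(cfg, up))
```

Under these assumptions, the wait before local fallback is servers × retries × timeout, and whenever no server in the list is reachable the local system password alone gates access to the CLI.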
Use this command to identify how long the system has been operational. This information is useful when determining how frequently the device is rebooted. It is also helpful when checking the reliability of the DPE when it is in a stable condition.
No keywords or arguments.
dpe# uptime
11:42pm up 72 day(s), 8:02, 1 user, load average: 0.00, 0.02, 0.02