Cisco Secure Access Control System (ACS) 5.8.1 uses the CSACS-1121, Cisco SNS-3415, Cisco SNS-3495, Cisco SNS-3515, or Cisco SNS-3595 appliances running the Cisco Application Deployment Engine (ADE) OS 2.2.2.011. This chapter provides an overview of how to access the ACS CLI, the different command modes, and the commands that are available in each mode.
You can configure and monitor ACS 5.8.1 through the web interface. You can also use the CLI to perform the configuration and monitoring tasks that this guide describes.
The following sections describe the ACS CLI:
■ Accessing the ACS Command Environment
■ User Accounts and Modes in ACS
■ Types of Command Modes in ACS
You can access the ACS CLI through a secure shell (SSH) client or the console port using one of the following machines:
■ Windows PC running Windows 7/XP/Vista.
■ Apple computer running Mac OS X 10.4 or later.
For detailed information on accessing the CLI, see Using the ACS CLI.
Two different types of accounts are available on the ACS server:
When you power up the CSACS-1121, Cisco SNS-3415, Cisco SNS-3495, Cisco SNS-3515, or Cisco SNS-3595 appliance for the first time, you are prompted to run the setup utility to configure the appliance. During this setup process, an administrator user account, also known as an Admin account, is created.
After you enter the initial configuration information, the appliance automatically reboots and prompts you to enter the username and the password that you specified for the Admin account. It is this Admin account that you must use to log in to the ACS CLI for the first time.
An Admin can create and manage Operator (user) accounts, which have limited privileges and limited access to the ACS server. The Admin account itself provides the functionality you require to use the ACS CLI. ACS 5.8.1 has one more role, called R/O Admin (read-only Admin). An R/O Admin can run all the show commands but cannot modify the configuration.
To create more users (with admin and operator privileges) with SSH access to the ACS CLI, you must run the username command in the configuration mode (see Types of Command Modes in ACS).
Table 1 lists the command privileges for each type of user account: Admin and Operator (user).
When you log in to the ACS server, it places you in the Operator (user) mode or the Admin (EXEC) mode. Typically, logging in requires a username and password.
You can always tell when you are in the Operator (user) mode or Admin (EXEC) mode by looking at the prompt. A right angle bracket (>) appears at the end of the Operator (user) mode prompt; a pound sign (#) appears at the end of the Admin mode prompt, regardless of the submode.
ACS configuration mode requires a specific, authorized user role to execute each ACS configuration command; see ACS Configuration Commands.
ACS supports these command modes:
■ EXEC—Use the commands in this mode to perform system-level configuration. In addition, certain EXEC mode commands have ACS-specific abilities. See EXEC Commands.
■ ACS configuration—Use the commands in this mode to import or export configuration data, synchronize configuration information between the primary and secondary ACS, reset IP address filtering and the management interface certificate, define debug logging, and show the logging status.
This mode requires an administrator user account to log in and perform the ACS configuration-related commands. See ACS Configuration Commands.
■ Configuration—Use the commands in this mode to perform additional configuration tasks in ACS. See Configuration Commands.
EXEC commands primarily include system-level commands such as show and reload (for example, application installation, application start and stop, copy files and installations, restore backups, and display information).
In addition, certain EXEC-mode commands have ACS-specific abilities (for example, start an ACS instance, display and export ACS logs, and reset an ACS configuration to factory default settings).
■ Table 2 lists the EXEC commands and provides a short description of each.
■ Table 3 lists the show commands in the EXEC mode and provides a short description of each.
For detailed information on EXEC commands, see Understanding the Command Modes.
The show commands are used to view the ACS settings and are among the most useful commands. See Table 3 for a summary of the show commands.
The commands in Table 3 require the show command to be followed by a keyword; for example, show application. Some show commands require an argument or variable after the keyword to function; for example, show application version.
Use ACS configuration commands to set the debug log level for the ACS management and runtime components, to show system settings, to reset server certificates and IP address access lists, and to manage import and export processes.
The ACS configuration mode requires a specific, authorized user role to execute each ACS configuration command. These commands are briefly described in Table 4. For detailed information on the roles in ACS 5.8.1, see the User Guide for Cisco Secure Access Control System 5.8.1.
To access the ACS configuration mode, enter the acs-config command in EXEC mode.
Table 4 lists the ACS configuration commands and provides a short description of each.
For detailed information on ACS Configuration mode commands, see Understanding the Command Modes.
Configuration commands include interface and repository. To access the configuration mode, run the configure command in the EXEC mode.
Some of the configuration commands require you to enter a configuration submode to complete the configuration.
Table 5 lists the configuration commands and provides a short description of each.
For detailed information on configuration mode and submode commands, see Understanding the Command Modes.
You must have administrator access to execute ACS configuration commands. Whenever an administrator logs in to the configuration mode and executes a command that causes configuration changes in the ACS server, the information related to those changes is logged in the ACS operational logs.
Table 6 lists the configuration mode commands that, when executed, generate operational logs.
| | |
---|---|
| | Allows synchronization of the software clock by the NTP server for the system. |
You can view these logs using the show acs-logs command. For more information on log file types and the information that is stored in each log file, see show acs-logs.
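A transcript review built on the prompt rule described earlier (> ends the Operator prompt, # ends the Admin prompt), added here as an example and not Cisco's code: it picks out the commands typed in an Admin submode, which are the ones to match against the output of show acs-logs. The host/user prompt prefix, the (config) submode label, the exit/end handling and the sample transcript are constructed assumptions.

```python
import re

# Assumed prompt shape: host/user, optional "(submode)", then the marker.
# Only the trailing marker rule ('>' Operator, '#' Admin) comes from the page.
PROMPT = re.compile(
    r"^(?P<host>[\w.-]+)/(?P<user>[\w.-]+)"
    r"(?:\((?P<submode>[\w-]+)\))?(?P<marker>[>#])\s*(?P<command>.*)$"
)

# Constructed sample of a captured CLI session (prompt lines only).
SAMPLE = """\
acs01/operator1> show application
acs01/admin# show application version
acs01/admin# configure
acs01/admin(config)# username operator2 <arguments omitted>
acs01/admin(config)# exit
acs01/admin# show acs-logs
"""

def parse_line(line):
    """Split one transcript line into user, mode, submode and command."""
    m = PROMPT.match(line.strip())
    if m is None:
        return None  # command output or banner text, not a prompt line
    mode = "operator" if m["marker"] == ">" else "admin"
    return {"user": m["user"], "mode": mode,
            "submode": m["submode"], "command": m["command"].strip()}

def review_candidates(transcript):
    """Return (user, submode, command) for commands typed in a '#' submode.

    These are the entries a reviewer would expect to find matching
    records for in the operational logs.
    """
    found = []
    for line in transcript.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["command"]:
            continue
        if entry["mode"] == "admin" and entry["submode"]:
            if entry["command"].split()[0] in ("exit", "end"):
                continue  # assumed: leaving a submode changes nothing
            found.append((entry["user"], entry["submode"], entry["command"]))
    return found

if __name__ == "__main__":
    for user, submode, command in review_candidates(SAMPLE):
        print(f"{user} [{submode}] {command}")
```
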
In addition to the configuration mode commands, there are some commands in the EXEC and ACS configuration mode that generate operational logs, as listed in Table 7 and Table 8: