Overview of the Cisco ISE Command-Line Interface
This chapter provides an overview of how to access the Cisco ISE command-line interface (CLI), the different command modes, and the commands that are available in each mode.
You can configure and monitor the Cisco ISE by using the web interface. You can also use the CLI to perform configuration and monitoring tasks that this guide describes.
The following sections describe the Cisco ISE CLI:
Accessing the Cisco ISE Command Environment
You can access the Cisco ISE CLI through a Secure Shell (SSH) client or the console port using one of the following machines:
- Windows PC running Windows XP/Vista
- Apple Computer running Mac OS X 10.4 or later
- PC running Linux
For detailed information on accessing the CLI, see Chapter 2, “Using the Cisco ISE Command-Line Interface.”
User Accounts and Modes in the Cisco ISE CLI
Two different types of accounts are available on the Cisco ISE CLI:
- Admin (administrator)
- Operator (user)
When you power up the Cisco ISE appliances for the first time, you are prompted to run the setup utility to configure the appliances. During this setup process, an administrator user account, also known as an Admin account, is created. After you enter the initial configuration information, the appliances automatically reboot and prompt you to enter the username and the password that you specified for the Admin account. You must use this Admin account to log into the Cisco ISE CLI for the first time.
An Admin can create and manage Operator (user) accounts, which have limited privileges and access to the Cisco ISE server. An Admin account also provides the functionality that is needed to use the Cisco ISE CLI.
To create more users (with admin and operator privileges) with SSH access to the Cisco ISE CLI, you must run the username command in the Configuration mode (see Command Modes in the Cisco ISE CLI).
Table 1-1 lists the command privileges for each type of user account: Admin and Operator (user).
Table 1-1 Command Privileges
Logging into the Cisco ISE node places you in the Operator (user) mode or the Admin (EXEC) mode, which always requires a username and password for authentication.
You can tell which mode you are in by looking at the prompt. A right angle bracket (>) appears at the end of the Operator (user) mode prompt; a pound sign (#) appears at the end of the Admin mode prompt, regardless of the submode.
Command Modes in the Cisco ISE CLI
Cisco ISE supports these command modes:
- EXEC—Use the commands in this mode to perform system-level configuration. See EXEC Commands. In addition, refer to the commands in the EXEC mode that generate operational logs, as listed in Table 1-6.
- Configuration—Use the commands in this mode to perform configuration tasks in the Cisco ISE. See Configuration Commands. In addition, refer to the commands in the Configuration mode that generate operational logs, as listed in Table 1-5.
EXEC Commands
EXEC commands primarily include system-level commands such as show and reload (for example, application installation, application start and stop, copy files and installations, restore backups, and display information).
- Table 1-2 describes the EXEC commands.
- Table 1-3 describes the show commands in the EXEC mode.
For detailed information on EXEC commands, see Understanding Command Modes.
EXEC or System-Level Commands
Table 1-2 describes the EXEC mode commands.
Table 1-2 Summary of EXEC Commands
- Installs a specific application bundle.
- Removes a specific application.
- Resets the Cisco ISE configuration and clears the Cisco ISE database.
- Resets the application password for a specific user (admin) in the application.
- Starts or enables a specific application.
- Stops or disables a specific application.
- Upgrades a specific application bundle.
- Performs a backup and places the backup in a repository.
- Performs a backup of all the logs on the Cisco ISE to a remote location.
- Sets the system clock on the Cisco ISE server.
- Enters the Configuration mode.
- Copies any file from a source to a destination.
- Displays any errors or events for various command situations; for example, backup and restore, configuration, copy, resource locking, file transfer, and user management.
- Deletes a file in the Cisco ISE server.
- Lists the files in the Cisco ISE server.
- Disconnects the encrypted session with a remote system. Exits from the current command mode to the previous command mode.
- Forces the logout of all the sessions of a specific Cisco ISE server system user.
- Disables or shuts down the Cisco ISE server.
- Describes the help utility and how to use it in the Cisco ISE server.
- Creates a new directory.
- Queries the IPv4 address or hostname of a remote system.
- Installs a system or application patch.
- Configures the Inline PEP node.
- Determines the IPv4 network connectivity to a remote system.
- Determines the IPv6 network connectivity to a remote system.
- Reboots the Cisco ISE server.
- Restores a previous backup.
- Removes an existing directory.
- Provides information about the Cisco ISE server.
- Starts an encrypted session with a remote system.
- Provides Cisco Technical Assistance Center (TAC) commands.
- Establishes a Telnet connection to a remote system.
- Sets terminal line parameters.
- Sets the inactivity timeout for all terminal sessions.
- Sets the welcome message on the system for all terminal sessions.
- Specifies the type of terminal connected to the current line of the current session.
- Traces the route of a remote IP address.
- Disables the output (display of errors or events) of the debug command for various command situations; for example, backup and restore, configuration, copy, resource locking, file transfer, and user management.
- Erases the startup configuration, which forces the setup utility to run and prompt for the network configuration; copies the running configuration to the startup configuration; and displays the running configuration on the console.
Show Commands
The show commands are used to display the Cisco ISE settings and are among the most useful commands. See Table 1-3 for a summary of the show commands.
The commands in Table 1-3 require the show command to be followed by a keyword; for example, show application status. Some show commands require an argument or variable after the keyword to function; for example, show application version.
Table 1-3 Summary of show Commands
- application (requires keyword): Displays information about the installed application; for example, status information or version information.
- backup (requires keyword): Displays information about the backup.
- Displays information about the enabled Cisco Discovery Protocol interfaces.
- Displays the day, date, time, time zone, and year of the system clock.
- Displays CPU information.
- Displays file-system information of the disks.
- Displays the Internet Control Message Protocol (ICMP) echo response configuration information.
- Displays statistics for all the interfaces configured on the Cisco ISE.
- Displays information about the hardware inventory, including the Cisco ISE appliance model and serial number.
- logging (requires keyword): Displays the Cisco ISE server logging information.
- logins (requires keyword): Displays the login history of the Cisco ISE server.
- Displays memory usage by all running processes.
- Displays the status of the Network Time Protocol (NTP) servers.
- Displays the Inline PEP node information.
- Displays all the processes listening on the active ports.
- Displays information about the active processes of the Cisco ISE server.
- repository (requires keyword): Displays the file contents of a specific repository.
- restore (requires keyword): Displays the restore history in the Cisco ISE.
- Displays the contents of the configuration file that currently runs in the Cisco ISE.
- Displays the contents of the startup configuration in the Cisco ISE.
- Displays system and configuration information that you can provide to the TAC when you report a problem.
- Displays information about the terminal configuration parameter settings for the current terminal line.
- Displays the current time zone in the Cisco ISE.
- Displays all the time zones available for use in the Cisco ISE.
- Displays information about the unique device identifier (UDI) of the Cisco ISE.
- Displays how long the system you are logged in to has been up and running.
- Displays information about the system users.
- Displays information about the currently loaded software version, along with hardware and device information.
Configuration Commands
Configuration commands include interface and repository. To access the Configuration mode, run the configure command in the EXEC mode.
Some of the configuration commands require that you enter the configuration submode to complete the configuration.
Table 1-4 describes the configuration commands.
Table 1-4 Summary of Configuration Commands
- Specifies a Network File System (NFS) temporary space or staging area for the remote directory for backup and restore operations.
- Specifies the amount of time the receiving device should hold a Cisco Discovery Protocol packet from the Cisco ISE server before discarding it.
- Enables Cisco Discovery Protocol.
- Specifies how often the Cisco ISE server sends Cisco Discovery Protocol updates.
- Sets the time zone for display purposes.
- Executes an EXEC-level command from the configuration mode or any configuration submode. Note: To initiate, the do command precedes the EXEC command.
- Returns to the EXEC mode.
- Exits the Configuration mode.
- Sets the hostname of the system.
- Configures the ICMP echo requests.
- Configures an interface type and enters the interface configuration mode.
- Enables IPv6 stateless autoconfiguration in the interface configuration mode.
- Enables IPv6 address DHCP in the interface configuration mode.
- Sets the IP address and netmask for the Ethernet interface. Note: This is an interface configuration command.
- Defines or sets a default gateway with an IP address.
- Defines a default domain name that a Cisco ISE server uses to complete hostnames.
- Sets the Domain Name System (DNS) servers for use during a DNS query.
- Schedules one or more Command Scheduler commands to run at a specific date and time or a recurring level.
- Specifies a name for a Command Scheduler policy.
- Enables the system to forward logs to a remote system.
- Configures the log level for the logging command.
- Disables or removes the function associated with the command.
- Synchronizes the software clock through the NTP server for the system.
- Enables and configures the password policy.
- Enters the repository submode.
- Specifies the type of service to manage.
- Sets up the community access string to permit access to the Simple Network Management Protocol (SNMP).
- Configures the SNMP contact Management Information Base (MIB) value on the system.
- Sends SNMP traps to a remote system.
- Configures the SNMP location MIB value on the system.
- Adds a user to the system with a password and a privilege level.
For detailed information on Configuration mode and submode commands, see Understanding Command Modes.
CLI Audit
You must have administrator access to execute the Cisco ISE configuration commands. Whenever an administrator enters the Configuration mode and executes a command that changes the configuration of the Cisco ISE server, the information related to those changes is logged in the Cisco ISE operational logs.
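The prompt rule and the audit behaviour described above can be combined to review a recorded CLI session. The following is an added example, not part of the Cisco guide: it uses the trailing ">" or "#" to determine the mode of each command and lists the commands typed at a configuration-mode prompt, so that they can be compared with the operational log. The transcript, hostname, account names and the "(config...)" submode marker in the prompt are assumptions.

```python
import re

# Constructed transcript. The hostname, account names and the "(config...)"
# submode marker are assumptions; the page only says the prompt ends in ">"
# (Operator) or "#" (Admin, regardless of submode).
SAMPLE_SESSION = """\
ise01/operator1> show clock
Tue Mar  4 10:15:02 UTC 2025
ise01/admin# configure
ise01/admin(config)# hostname ise02
ise01/admin(config)# do show clock
ise01/admin(config)# interface GigabitEthernet 0
ise01/admin(config-GigabitEthernet)# ip address 192.0.2.10 255.255.255.0
ise01/admin(config-GigabitEthernet)# exit
ise01/admin(config)# exit
ise01/admin# show logins cli
"""

PROMPT = re.compile(r"^(?P<who>\S+?)(?P<sub>\([^)]*\))?(?P<end>[>#])\s*(?P<cmd>.*)$")
SKIP = {"exit", "end", "do"}  # mode navigation, or an EXEC command run via "do"

def classify(line):
    """Return (mode, command) for a prompt line, or None for command output."""
    m = PROMPT.match(line)
    if not m:
        return None
    if m["end"] == ">":
        mode = "operator"
    elif (m["sub"] or "").startswith("(config"):
        mode = "configuration"
    else:
        mode = "admin-exec"
    return mode, m["cmd"].strip()

def parse_session(transcript):
    """Keep only the prompt lines, as (mode, command) pairs."""
    return [hit for hit in map(classify, transcript.splitlines()) if hit]

def config_changes(transcript):
    """Commands typed at a configuration-mode prompt, minus navigation and do."""
    return [
        cmd for mode, cmd in parse_session(transcript)
        if mode == "configuration" and cmd and cmd.split()[0] not in SKIP
    ]

if __name__ == "__main__":
    for cmd in config_changes(SAMPLE_SESSION):
        print("compare with operational log:", cmd)
```

Output lines that happen to begin with a token ending in ">" or "#" would be misread as prompts, so anchor the pattern to the known hostname when applying this to real recordings.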
Table 1-5 describes the Configuration mode commands that generate operational logs.
Table 1-5 Configuration Mode Commands for the Operation Log
- Sets the system clock on the Cisco ISE server.
- Sets the DNS servers for use during a DNS query.
- Sets the hostname of the system.
- Sets the IP address and netmask for the Ethernet interface.
- Allows synchronization of the software clock by the NTP server for the system.
In addition to the Configuration mode commands, some commands in the EXEC mode generate operational logs.
Table 1-6 describes the EXEC mode commands that generate operational logs.
Table 1-6 EXEC Mode Commands for the Operation Log
- Performs a backup (Cisco ISE and Cisco ADE OS) and places the backup in a repository.
- Restores from backup the file contents of a specific repository.
- Backs up system logs.