Before Accessing the Cisco ISE CLI
Before logging in to the Cisco ISE CLI, ensure that you have completed the installation tasks as specified in the
Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4
Running Setup to Configure the Cisco ISE
When you power up the Cisco ISE appliances for the first time, you are prompted to run the setup utility to configure the Cisco ISE appliances. Before you run the utility using the
command, ensure that you have values for the following network configuration prompts:
IP address—Ethernet interface address
DNS domain name
Primary NTP server (optional)
System time zone
Username (user name for CLI-admin user)
Password (password for CLI-admin user)
Database administrator password and database user password (one-time entry only)
This example shows sample output of the
********************************************** Please type 'setup' to configure the appliance ********************************************** Press 'Ctrl-C' to abort setup Enter hostname: ise-server-1 Enter IP address: 10.0.0.0 Enter Netmask: 10.255.10.255 Enter default gateway: 126.96.36.199 Enter default DNS domain: cisco.com Enter Primary nameserver: 188.8.131.52 Add/Edit another nameserver? Y/N: n Enter primary NTP domain: clock.cisco.com Add/Edit another NTP domain? Y/N: n Enter system time zone: UTC Enter username [admin]: admin Bringing up the network interface... Pinging the primary nameserver... Do not use `Ctrl-C' from this point on...
After the Cisco ISE software has been configured, the Cisco ISE system reboots automatically. To log back into the Cisco ISE CLI, you must enter the CLI-admin user credentials that you configured during Setup.
Once Cisco ISE reboots, you are prompted to enter and confirm the new database administrator and database user passwords.
Welcome to the ISE initial setup. The purpose of this setup is to
provision the internal database. This setup requires you to create
a database administrator password and also create a database user password.
Please follow the prompts below to create the database administrator password. Enter new database admin password: Confirm new database admin password: Successfully created database administrator password. Please follow the prompts below to create the database user password. Enter new database user password: Confirm new database user password: Successfully created database user password. Running database cloning script... Running database network config assistant tool... Extracting ISE database contents... Starting ISE database processes...
identifies the hostname that you specified when you ran the
In this example, this prompt appears:
To log in, use the administrator user account (and the corresponding password) that you created during the setup process. You must also use this Admin account to log into the Cisco ISE CLI for the first time. After accessing the CLI as an administrator, you can create more users (with admin and operator privileges) with SSH access to the CLI by running the username command in the Configuration mode.
Note The administrator user account and the corresponding password (a CLI user account) that you created during the initial setup wizard can be used to manage the Cisco ISE application using the CLI. The CLI user has privileges to start and stop the Cisco ISE application software, backup and restore the Cisco ISE application data, apply software patches and upgrades to the Cisco ISE application software, view all the system and the application logs, and reload or shutdown the Cisco ISE appliance. To protect the CLI user credentials, explicitly create users with access to the CLI.
See the “Accessing the Cisco ISE CLI” section.
Note Any users that you create from the Cisco ISE web interface cannot automatically log into the Cisco ISE CLI. You must explicitly create users with access to the CLI. To create these users, you must log in to the CLI using the Admin account that you created during setup; then, enter the Configuration mode, and run the username command.
Accessing the Cisco ISE CLI
Before logging in to the Cisco ISE CLI, ensure that you have completed the hardware installation and configuration process outlined in “Before Accessing the Cisco ISE CLI” section.
To log into the Cisco ISE server and access the CLI, use an SSH Secure Shell client or the console port.
Note To access the Cisco ISE CLI environment, use any SSH client that supports SSH v2.
You can log in from:
A PC running Windows XP/Vista.
A PC running Linux.
An Apple computer running Mac OS X 10.4 or later.
Any terminal device compatible with VT100 or ANSI characteristics. On the VT100-type and ANSI devices, you can use cursor-control and cursor-movement key. Keys include left arrow, up arrow, down arrow, right arrow, Delete, and Backspace. The CLI senses the use of the cursor-control keys and automatically uses the optimal device characteristics (see the “Supported Hardware and Software Platforms” section).
To exit the CLI, use the
command from the EXEC mode. You are currently in one of the configuration modes and you want to exit the CLI, enter the
command to return to the EXEC mode, and then enter the
command (see EXEC Mode).
Supported Hardware and Software Platforms
The following valid terminal types can access the Cisco ISE:
See the terminfo database for a complete listing.
Opening the CLI with Secure Shell
You can also access the Cisco ISE through an SSH client or the console port.
Note To access the Cisco ISE CLI environment, use any SSH client that supports SSH v2.
The following example shows you how to log in with a Secure Shell (SSH) client (connecting to a wired WAN) via a PC by using Windows XP. Assuming that Cisco ISE is preconfigured through the setup utility to accept an Admin (administrator) user, log in as Admin.
Step 1 Use any SSH client and start an SSH session.
The SSH window appears.
Step 2 Press
The Connect to Remote Host window appears.
Step 3 Enter a hostname, username, port number, and authentication method.
In this example, you enter
for the hostname,
for the username, and
for the port number; and, for the authentication method, choose
from the drop-down list.
Step 4 Click
, or press
The Enter Password window appears.
Step 5 Enter your assigned password for the administrator.
The SSH with the Add Profile window appears.
Step 6 (Optional) Enter a profile name in the text box and click
Add to Profile
Step 7 Click
on the Add Profile window.
The Cisco ISE prompt ise/admin# appears. You can now enter Cisco ISE CLI commands.
Opening the CLI Using a Local PC
If you need to configure Cisco ISE locally (without connecting to a wired LAN), you can connect a PC to the console port on the Cisco ISE appliance by using a null-modem cable.
The serial console connector (port) provides access to the CLI locally by connecting a terminal to the console port. The terminal is a PC running terminal-emulation software or an ASCII terminal. The console port (EIA/TIA-232 asynchronous) requires only a null-modem cable.
To connect a PC running terminal-emulation software to the console port, use a DB-9 female to DB-9 female null-modem cable.
To connect an ASCII terminal to the console port, use a DB-9 female to DB-25 male straight-through cable with a DB-25 female to DB-25 female gender changer.
The default parameters for the console port are 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.
Note If you are using a Cisco switch on the other side of the connection, set the switchport to duplex auto, speed auto (the default).
To connect to the console port and open the CLI, complete the following steps:
Step 1 Connect a null-modem cable to the console port on the Cisco ISE appliance and to the COM port on your PC.
Step 2 Set up a terminal emulator to communicate with the Cisco ISE. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.
Step 3 When the terminal emulator activates, press Enter.
Step 4 At the window, enter your username, then press Enter.
Step 5 Enter the password, then press Enter.
When the CLI activates, you can enter CLI commands to configure the Cisco ISE.
Understanding Command Modes
This section describes the Cisco ISE command modes in detail. The primary modes of operation are:
When you start a session on the Cisco ISE, you begin in the Admin or EXEC mode. From the EXEC mode, you can enter the Configuration mode. Most of the EXEC commands (one-time commands), such as show commands, display the current configuration status. The Admin or EXEC mode prompt consists of the device name or hostname before a pound sign (#), as shown:
ise/admin# (Admin or EXEC mode)
Note Throughout this guide, the Cisco ISE server uses the name ise in place of the hostname and admin of the Cisco ISE server for the user account.
You can always tell when you are in the EXEC mode or the Configuration mode by looking at the prompt. In the:
EXEC mode, a pound sign (#) appears after the Cisco ISE server hostname and your username.
Configuration mode, the ‘config’ keyword and a pound sign (#) appear after the hostname of the Cisco ISE server and your username.
Enter configuration commands, one per line. End with CNTL/Z. ise/admin(config)# (configuration mode)
If you are familiar with UNIX, you can equate the EXEC mode to root access. You could also equate it to the administrator level in Windows NT or the supervisor in NetWare. In this mode, you have permission to access everything in the Cisco ISE server, including the configuration commands. However, you cannot enter configuration commands directly. Before you can change the actual configuration of the Cisco ISE server, you must enter the Configuration mode by running the
configure terminal (conf t)
command. Enter this command only when in the EXEC mode.
Enter configuration commands, one per line. End with CNTL-Z. ise(config)# (configuration mode)
The Configuration mode has several submodes; each has its own prompt. To enter these submodes, you must first enter the Configuration mode by entering the configure terminal command.
To exit the Configuration mode, enter the end, exit, or Ctrl-z command. To exit the EXEC mode, enter the exit command. To exit both Configuration and EXEC modes, enter this sequence of commands:
To obtain a listing of commands in the EXEC mode, enter a question mark (?):
Use the Configuration mode to make changes to the existing configuration. When you save the configuration, these commands remain across Cisco ISE server reboots, but only if you run either of these commands:
copy running-config startup-config
To enter the Configuration mode, run the
configure terminal (conf t)
command in the EXEC mode. When in the Configuration mode, the Cisco ISE expects configuration commands.
Enter configuration commands, one per line. End with CNTL-Z. ise/admin(config)# (configuration mode)
From this level, you can enter commands directly into the Cisco ISE configuration. To obtain a listing of commands in this mode, enter a question mark (?):
The Configuration mode has several configuration submodes. Each of these submodes places you deeper in the prompt hierarchy. When you enter exit, the Cisco ISE backs you out one level and returns you to the previous level. When you enter exit again, the Cisco ISE backs you out to the EXEC level.
Note In the Configuration mode, you can alternatively enter Ctrl-z instead of the end or exit command.
In the configuration submodes, you can enter commands for specific configurations. For example:
ise/admin(config)# interface GigabitEthernet 0 ise/admin(config-GigabitEthernet)#
To obtain a list of commands in this mode, enter a question mark (?):
Use the exit or end command to exit this prompt and return to the configuration prompt.
lists the commands in the interface GigabitEthernet 0 configuration submode. Other configuration submodes exist including those specific to the
Table 2-1 Command Options in the Interface GigabitEthernet 0 Configuration Submode
interface GigabitEthernet 0
Configure ethernet interface:
end Exit from configure mode
exit Exit from this submode
ipv6 Configure IPv6 features
no Negate a command or set its defaults
shutdown Shutdown the interface
Enter the command that you want to configure for the interface. This example uses the interface GigabitEthernet command.
Enter ? to display what you must enter next on the command line. This example shows the available interface GigabitEthernet configuration submode commands.
address Configure IP address
Enter the command that you want to configure for the interface. This example uses the ip command.
Enter ? to display what you must enter next on the command line. This example shows the available ip configuration submode commands.
ip address ?
Enter the command that you want to configure for the interface. This example uses the ip addresss command.
Enter ? to display what you must enter next on the command line. In this example, you must enter an IPv4 address.
A carriage return <cr> does not appear; therefore, you must enter additional arguments to complete the command.
ip address 172.16.0.1 ?
ip address 172.16.0.1
Enter the keyword or argument that you want to use. This example uses the 172.16.0.1 IP address.
Enter ? to display what you must enter next on the command line. In this example, you must enter a network mask.
A carriage return <cr> does not display; therefore, you must enter additional arguments to complete the command.
ip address 172.16.0.1 255.255.255.224 ?
ip address 172.16.0.1 255.255.255.224
Enter the network mask. This example uses the 255.255.255.224 IP address.
Enter ? to display what you must enter next on the command line. In this example, you can press Enter.
A carriage return <cr> displays; you can press Enter to complete the command.
Navigating the CLI Commands
This section describes how to navigate the commands and modes on the Cisco ISE.
Use the question mark (?) and the arrow keys to help you enter commands:
For a list of available commands, enter a question mark (
To complete a command, enter a few known characters before
(with no space):
To display keywords and arguments for a command, enter
at the prompt or after entering part of a command followed by a space:
The Cisco ISE displays a list and brief description of available keywords and arguments.
Note The <cr> symbol in command help stands for “carriage return”, which means to press the Return or the Enter key). The <cr> at the end of command help output indicates that you have the option to press Enter to complete the command and that the arguments and keywords in the list preceding the <cr> symbol are optional. The <cr> symbol by itself indicates that no more arguments or keywords are available, and that you must press Enter to complete the command.
To redisplay a command that you previously entered, press the
key. Continue to press the
key to see more commands.
Using the No and Default Forms of Commands
Some EXEC or configuration commands have a no form. In general, use the no form to disable a function. Use the command without the no keyword to re-enable a disabled function or to enable a function disabled by default; for example, an IP address enabled by default. To disable the IP address, use the no ip address command; to re-enable the IP address, use the ip address command.
Configuration commands can also have a default form, which returns the command settings to the default values. Most commands disable by default, so in such cases using the default form has the same result as using the no form of the command. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default form of the command enables the command and sets the variables to their default values.
Appendix A, “Cisco ISE Command Reference,”
for a description of the complete syntax of the configuration commands, and the no and default forms of a command.
Command Line Conventions
While reading this document, you might not understand some of the information if you do not know certain basic conventions of CLI usage.
Command Line Editing Key Conventions
Cisco ISE provides a number of keyboard shortcuts that you can use to edit an entered line.
to try to finish the current command.
If you press the
At the beginning of a line, the system lists all the short-form options.
When you enter a partial command, the system lists all the short form options beginning with those characters.
When only one possible option is available, the system fills in the option automatically.
Press Ctrl-c to abort the sequence. Breaks out of any executing command and returns to the previous mode.
Press Ctrl-z to exit the Configuration mode and return to the previous configuration mode.
Enter a question mark (?) at the prompt to list the available commands (see Getting Help).
Command Line Completion
Command-line completion makes the Cisco ISE CLI more user-friendly. It saves you extra key strokes and helps out when you cannot remember the syntax of a command.
For example, in the show running-config command:
ise/admin# show running-config
You could have used:
The Cisco ISE expands the command sh run to show running-config.
Another shortcut is to press the
key after you type sh; the Cisco ISE CLI fills in the rest of the command completion, in this case show.
If the Cisco ISE CLI does not understand a command, it repeats the entire command line and places a caret symbol (^) under the point at which it could not parse the command.
ise/admin# show unning-configuration % Invalid input detected at ‘^’ marker.
The caret symbol (^) points to the first letter in the command line that the Cisco ISE does not understand. Usually, this means that you need to provide additional arguments to complete the command or you mispelled the command. In this case, you omitted the “r” in the “unning” command. To fix the error, retype the command.
In another form of command-line completion, you can start a command by entering the first few characters, then pressing the
key. As long as you can match one command, the Cisco ISE CLI will complete the command. For example, if you type sh and press
, the Cisco ISE completes the sh with show. If the Cisco ISE does not complete the command, you can enter a few more letters and press
again. For more information, see Tab.
Continuing Output at the --More-- Prompt
When working with the Cisco ISE CLI, output often extends beyond the visible screen length. For cases where output continues beyond the bottom of the screen, such as with the output of many ? or show commands, the output pauses and a
prompt appears at the bottom of the screen. To resume output, press
to scroll down one line, or press the
to display the next full screen of output.
Tip If output pauses on your screen but you do not see the --More-- prompt, try entering a smaller value for the screen length by using the terminal length EXEC command. Command output will not pause if you set the length value to zero (0).
Where to Go Next
Now that you are familiar with some of the Cisco ISE CLI basics, you can begin to configure the Cisco ISE by using the CLI.
You can use the question mark (?) and arrow keys to help you enter commands.
Each command mode restricts you to a set of commands. If you have difficulty entering a command, check the prompt and then enter the question mark (?) to see a list of available commands.
To disable a feature, enter the keyword no before the command; for example, no ip address.
You must save your configuration changes so that you preserve them during a system reload or power outage.
Appendix A, “Cisco ISE Command Reference,”
for command listings, descriptions, syntax, usage guidelines, and sample output.