This chapter provides helpful tips for understanding and configuring the Cisco Identity Services Engine (Cisco ISE) using the command-line interface (CLI). Cisco ISE can be deployed in small, medium, and large deployments and is available on different hardware platforms and also as software that runs on VMware. This chapter contains the following sections:
Before logging in to the Cisco ISE CLI, ensure that you have completed the installation tasks as specified in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.
When you power up the Cisco ISE appliances for the first time, you are prompted to run the setup utility to configure the Cisco ISE appliances. Before you run the utility using the setup command, ensure that you have values for the following network configuration prompts:
This example shows sample output of the setup command.
After the Cisco ISE software has been configured, the Cisco ISE system reboots automatically. To log back into the Cisco ISE CLI, you must enter the CLI-admin user credentials that you configured during Setup.
Once Cisco ISE reboots, you are prompted to enter and confirm the new database administrator and database user passwords.
where machine_name identifies the hostname that you specified when you ran the setup command.
In this example, this prompt appears:
To log in, use the administrator user account (and the corresponding password) that you created during the setup process. You must also use this Admin account to log into the Cisco ISE CLI for the first time. After accessing the CLI as an administrator, you can create more users (with admin and operator privileges) with SSH access to the CLI by running the username command in the Configuration mode.
Note The administrator user account and the corresponding password (a CLI user account) that you created during the initial setup wizard can be used to manage the Cisco ISE application using the CLI. The CLI user has privileges to start and stop the Cisco ISE application software, backup and restore the Cisco ISE application data, apply software patches and upgrades to the Cisco ISE application software, view all the system and the application logs, and reload or shutdown the Cisco ISE appliance. To protect the CLI user credentials, explicitly create users with access to the CLI.
See the “Accessing the Cisco ISE CLI” section.
Note Any users that you create from the Cisco ISE web interface cannot automatically log into the Cisco ISE CLI. You must explicitly create users with access to the CLI. To create these users, you must log in to the CLI using the Admin account that you created during setup; then, enter the Configuration mode, and run the username command.
Before logging in to the Cisco ISE CLI, ensure that you have completed the hardware installation and configuration process outlined in “Before Accessing the Cisco ISE CLI” section.
To log into the Cisco ISE server and access the CLI, use an SSH Secure Shell client or the console port.
Note To access the Cisco ISE CLI environment, use any SSH client that supports SSH v2.
To exit the CLI, use the exit command from the EXEC mode. If you are currently in one of the configuration modes and you want to exit the CLI, enter the end or exit command, or press Ctrl-z, to return to the EXEC mode, and then enter the exit command (see EXEC Mode).
The following valid terminal types can access the Cisco ISE:
You can also access the Cisco ISE through an SSH client or the console port.
Note To access the Cisco ISE CLI environment, use any SSH client that supports SSH v2.
The following example shows you how to log in with a Secure Shell (SSH) client (connecting to a wired WAN) via a PC by using Windows XP. Assuming that Cisco ISE is preconfigured through the setup utility to accept an Admin (administrator) user, log in as Admin.
Step 1 Use any SSH client and start an SSH session.
Step 2 Press Enter or Spacebar to connect.
The Connect to Remote Host window appears.
Step 3 Enter a hostname, username, port number, and authentication method.
In this example, you enter ise for the hostname, admin for the username, and 22 for the port number; and, for the authentication method, choose Password from the drop-down list.
Step 4 Click Connect, or press Enter.
The Enter Password window appears.
Step 5 Enter your assigned password for the administrator.
The SSH with the Add Profile window appears.
Step 6 (Optional) Enter a profile name in the text box and click Add to Profile.
Step 7 Click Close on the Add Profile window.
The Cisco ISE prompt ise/admin# appears. You can now enter Cisco ISE CLI commands.
If you need to configure Cisco ISE locally (without connecting to a wired LAN), you can connect a PC to the console port on the Cisco ISE appliance by using a null-modem cable.
The serial console connector (port) provides access to the CLI locally by connecting a terminal to the console port. The terminal is a PC running terminal-emulation software or an ASCII terminal. The console port (EIA/TIA-232 asynchronous) requires only a null-modem cable.
To connect a PC running terminal-emulation software to the console port, use a DB-9 female to DB-9 female null-modem cable.
To connect an ASCII terminal to the console port, use a DB-9 female to DB-25 male straight-through cable with a DB-25 female to DB-25 female gender changer.
The default parameters for the console port are 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.
Note If you are using a Cisco switch on the other side of the connection, set the switchport to duplex auto, speed auto (the default).
To connect to the console port and open the CLI, complete the following steps:
Step 1 Connect a null-modem cable to the console port on the Cisco ISE appliance and to the COM port on your PC.
Step 2 Set up a terminal emulator to communicate with the Cisco ISE. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.
Step 3 When the terminal emulator activates, press Enter.
Step 4 At the window, enter your username, then press Enter.
Step 5 Enter the password, then press Enter.
When the CLI activates, you can enter CLI commands to configure the Cisco ISE.
This section describes the Cisco ISE command modes in detail. The primary modes of operation are:
When you start a session on the Cisco ISE, you begin in the Admin or EXEC mode. From the EXEC mode, you can enter the Configuration mode. Most of the EXEC commands (one-time commands), such as show commands, display the current configuration status. The Admin or EXEC mode prompt consists of the device name or hostname before a pound sign (#), as shown:
Note Throughout this guide, the Cisco ISE server uses the name ise in place of the hostname and admin of the Cisco ISE server for the user account.
You can always tell when you are in the EXEC mode or the Configuration mode by looking at the prompt. In the:
If you are familiar with UNIX, you can equate the EXEC mode to root access. You could also equate it to the administrator level in Windows NT or the supervisor in NetWare. In this mode, you have permission to access everything in the Cisco ISE server, including the configuration commands. However, you cannot enter configuration commands directly. Before you can change the actual configuration of the Cisco ISE server, you must enter the Configuration mode by running the configure or configure terminal (conf t) command. Enter this command only when in the EXEC mode.
The Configuration mode has several submodes; each has its own prompt. To enter these submodes, you must first enter the Configuration mode by entering the configure terminal command.
To exit the Configuration mode, enter the end, exit, or Ctrl-z command. To exit the EXEC mode, enter the exit command. To exit both Configuration and EXEC modes, enter this sequence of commands:
To obtain a listing of commands in the EXEC mode, enter a question mark (?):
Use the Configuration mode to make changes to the existing configuration. When you save the configuration, these commands remain across Cisco ISE server reboots, but only if you run either of these commands:
To enter the Configuration mode, run the configure or configure terminal (conf t) command in the EXEC mode. When in the Configuration mode, the Cisco ISE expects configuration commands.
From this level, you can enter commands directly into the Cisco ISE configuration. To obtain a listing of commands in this mode, enter a question mark (?):
The Configuration mode has several configuration submodes. Each of these submodes places you deeper in the prompt hierarchy. When you enter exit, the Cisco ISE backs you out one level and returns you to the previous level. When you enter exit again, the Cisco ISE backs you out to the EXEC level.
Note In the Configuration mode, you can alternatively enter Ctrl-z instead of the end or exit command.
In the configuration submodes, you can enter commands for specific configurations. For example:
To obtain a list of commands in this mode, enter a question mark (?):
Use the exit or end command to exit this prompt and return to the configuration prompt.
Table 2-1 lists the commands in the interface GigabitEthernet 0 configuration submode. Other configuration submodes exist, including those specific to the kron, repository, and password policy commands.
This section describes how to navigate the commands and modes on the Cisco ISE.
Use the question mark (?) and the arrow keys to help you enter commands:
The Cisco ISE displays a list and brief description of available keywords and arguments.
Note The <cr> symbol in command help stands for “carriage return”, which means to press the Return or the Enter key. The <cr> at the end of command help output indicates that you have the option to press Enter to complete the command and that the arguments and keywords in the list preceding the <cr> symbol are optional. The <cr> symbol by itself indicates that no more arguments or keywords are available, and that you must press Enter to complete the command.
Some EXEC or configuration commands have a no form. In general, use the no form to disable a function. Use the command without the no keyword to re-enable a disabled function or to enable a function disabled by default; for example, an IP address enabled by default. To disable the IP address, use the no ip address command; to re-enable the IP address, use the ip address command.
Configuration commands can also have a default form, which returns the command settings to the default values. Most commands disable by default, so in such cases using the default form has the same result as using the no form of the command. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default form of the command enables the command and sets the variables to their default values.
See Appendix A, “Cisco ISE Command Reference,” for a description of the complete syntax of the configuration commands, and the no and default forms of a command.
While reading this document, you might not understand some of the information if you do not know certain basic conventions of CLI usage.
Cisco ISE provides a number of keyboard shortcuts that you can use to edit an entered line.
Press Tab to try to finish the current command.
Press Ctrl-c to abort the sequence. Breaks out of any executing command and returns to the previous mode.
Press Ctrl-z to exit the Configuration mode and return to the previous configuration mode.
Enter a question mark (?) at the prompt to list the available commands (see Getting Help).
Command-line completion makes the Cisco ISE CLI more user-friendly. It saves you extra key strokes and helps out when you cannot remember the syntax of a command.
For example, in the show running-config command:
The Cisco ISE expands the command sh run to show running-config.
Another shortcut is to press the Tab key after you type sh; the Cisco ISE CLI fills in the rest of the command completion, in this case show.
If the Cisco ISE CLI does not understand a command, it repeats the entire command line and places a caret symbol (^) under the point at which it could not parse the command.
The caret symbol (^) points to the first letter in the command line that the Cisco ISE does not understand. Usually, this means that you need to provide additional arguments to complete the command or that you misspelled the command. In this case, you omitted the “r” in the “unning” command. To fix the error, retype the command.
In another form of command-line completion, you can start a command by entering the first few characters, then pressing the Tab key. As long as you can match one command, the Cisco ISE CLI will complete the command. For example, if you type sh and press Tab , the Cisco ISE completes the sh with show. If the Cisco ISE does not complete the command, you can enter a few more letters and press Tab again. For more information, see Tab.
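The abbreviation, Tab-completion and caret-error behaviour described above, modelled in Python as an added example (this is not Cisco's code, and the command table is a constructed subset of EXEC-mode keywords, not the full ISE command set):

```python
"""Model of how the Cisco ISE CLI expands abbreviated commands and reports
the position of a keyword it cannot parse. Added example, not Cisco code."""

# Constructed subset of EXEC-mode commands: keyword -> allowed next keywords.
COMMAND_TREE = {
    "show": {"running-config": {}, "users": {}, "version": {}},
    "configure": {"terminal": {}},
    "clock": {},
    "exit": {},
}


def expand_token(prefix, candidates):
    """Return the unique keyword starting with prefix (what Tab fills in).

    Returns None when the prefix is unknown or ambiguous: the CLI only
    completes a token when it matches exactly one command.
    """
    if prefix in candidates:  # an exact keyword beats longer candidates
        return prefix
    matches = [c for c in candidates if c.startswith(prefix)]
    return matches[0] if len(matches) == 1 else None


def expand_line(line, tree=COMMAND_TREE):
    """Expand every abbreviated token, e.g. 'sh run' -> 'show running-config'.

    On success returns (expanded_line, None). On failure returns
    (None, error_text): the line repeated, with a caret (^) on the next
    line under the first character the CLI could not parse.
    """
    expanded = []
    node = tree
    pos = 0
    for tok in line.split():
        col = line.index(tok, pos)  # column where this token starts
        full = expand_token(tok, node)
        if full is None:
            return None, line + "\n" + " " * col + "^"
        expanded.append(full)
        pos = col + len(tok)
        node = node[full]
    return " ".join(expanded), None
```

The misspelled "show unning-config" from the text yields a caret under column 5, while an ambiguous prefix such as "c terminal" (clock or configure) is refused at column 0.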
When working with the Cisco ISE CLI, output often extends beyond the visible screen length. For cases where output continues beyond the bottom of the screen, such as with the output of many ? or show commands, the output pauses and a --More-- prompt appears at the bottom of the screen. To resume output, press Return to scroll down one line, or press the spacebar to display the next full screen of output.
Tip If output pauses on your screen but you do not see the --More-- prompt, try entering a smaller value for the screen length by using the terminal length EXEC command. Command output will not pause if you set the length value to zero (0).
Now that you are familiar with some of the Cisco ISE CLI basics, you can begin to configure the Cisco ISE by using the CLI.
Proceed to Appendix A, “Cisco ISE Command Reference,” for command listings, descriptions, syntax, usage guidelines, and sample output.