Cisco ISE Command-Line Interface




This chapter provides information on the Cisco Identity Services Engine (Cisco ISE) command-line interface (CLI) that you can use to configure and maintain Cisco ISE.

Cisco ISE Administration and Configuration Using CLI

The Cisco ISE command-line interface (CLI) allows you to perform system-level configuration in EXEC mode and other configuration tasks in configuration mode (some of which cannot be performed from the Cisco ISE Admin portal), and generate operational logs for troubleshooting.

You can use either the Cisco ISE Admin portal or the CLI to apply Cisco ISE application software patches, generate operational logs for troubleshooting, and back up the Cisco ISE application data. Additionally, you can use the Cisco ISE CLI to start and stop the Cisco ISE application software, restore the application data from a backup, upgrade the application software, view all system and application logs for troubleshooting, and reload or shut down the Cisco ISE device.

Refer to Cisco ISE CLI Commands in EXEC Mode, Cisco ISE CLI Commands in EXEC Show Mode, or Cisco ISE CLI Commands in Configuration Mode for command syntax, usage guidelines, and examples.

Accessing the Cisco ISE CLI Using a Local System

If you need to configure Cisco ISE locally without connecting to a wired Local Area Network (LAN), you can connect a system to the console port in the Cisco ISE device by using a null-modem cable. The serial console connector (port) provides access to the Cisco ISE CLI locally by connecting a terminal to the console port. The terminal is a system running terminal-emulation software or an ASCII terminal. The console port (EIA/TIA-232 asynchronous) requires only a null-modem cable.

  • To connect a system running terminal-emulation software to the console port, use a DB-9 female to DB-9 female null-modem cable.

  • To connect an ASCII terminal to the console port, use a DB-9 female to DB-25 male straight-through cable with a DB-25 female to DB-25 female gender changer.

The default parameters for the console port are 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.


Note

If you are using a Cisco switch on the other side of the connection, set the switchport to duplex auto, speed auto (the default).


Procedure


Step 1

Connect a null-modem cable to the console port in the Cisco ISE device and to the COM port on your system.

Step 2

Set up a terminal emulator to communicate with Cisco ISE. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.

Step 3

When the terminal emulator activates, press Enter.

Step 4

Enter your username and press Enter.

Step 5

Enter the password and press Enter.


Accessing the Cisco ISE CLI with Secure Shell

Cisco ISE is pre-configured through the setup utility to accept a CLI administrator. To log in with an SSH client (from a system running Windows XP or later that is connected to a wired Wide Area Network (WAN)), log in as an administrator.

Before you begin

To access the Cisco ISE CLI, use any Secure Shell (SSH) client that supports SSH v2.

Procedure


Step 1

Use any SSH client and start an SSH session.

Step 2

Press Enter or Spacebar to connect.

Step 3

Enter a hostname, username, port number, and authentication method. For example, you enter ise for the hostname or the IPv4/IPv6 IP address of the remote host, admin for the username, and 22 for the port number; and, for the authentication method, choose Password from the drop-down list.

Step 4

Click Connect, or press Enter.

Step 5

Enter your assigned password for the administrator.

Step 6

(Optional) Enter a profile name in the Add Profile window and click Add to Profile.

Step 7

Click Close on the Add Profile window.


Cisco ISE CLI Administrator Account

During setup, you are prompted to enter a username and password that creates the CLI administrator account. Use this account to log in to the Cisco ISE server the first time it restarts after the initial configuration.

You must always protect the CLI administrator account credentials, and use this account to explicitly create and manage additional administrator and user accounts with access to the Cisco ISE server.

CLI administrators can execute all commands to perform system-level configuration in EXEC mode (root access) and other configuration tasks in configuration mode in the Cisco ISE server. You can start and stop the Cisco ISE application software, back up and restore the Cisco ISE application data, apply software patches and upgrades to the Cisco ISE application software, view all system and application logs, and reload or shut down the Cisco ISE devices.

A pound sign (#) appears at the end of the prompt for an administrator account, regardless of the submode.

Cisco ISE CLI User Accounts

A user whose account you create from the Cisco ISE Admin portal cannot automatically log in to the Cisco ISE CLI. You must explicitly create user accounts with access to the CLI using the CLI administrator account.

Creating a Cisco ISE CLI User Account

You must run the username command in configuration mode to create CLI user accounts.

Procedure


Step 1

Log in to the Cisco ISE CLI using the CLI administrator account.

Step 2

Enter configuration mode and run the username command.


ise/admin# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ise/admin(config)# username duke password plain Plain@123 role user email duke@cisco.com
ise/admin(config)# exit
ise/admin#

Step 3

Log in to the Cisco ISE CLI using the CLI user account.
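
The username command in Step 2 carries the new account's password on the command line, so the password appears in any saved terminal transcript of the session. The following Python is an added example, not part of Cisco's documentation: it scans a captured session for username commands, reports each account's role, and redacts the password before the transcript is stored or shared. The transcript is constructed sample input; the hash keyword, the admin role, and the ops2 account are assumptions that do not appear on this page.

```python
import re

# Matches an ISE configuration-mode "username" command, with or without the
# CLI prompt in front of it. "hash" and "admin" are assumed alternatives to the
# "plain" and "user" keywords shown in the page's example.
USERNAME_CMD = re.compile(
    r"^(?P<head>.*?\busername\s+(?P<name>\S+)\s+password\s+)"
    r"(?P<kind>plain|hash)\s+(?P<secret>\S+)"
    r"(?P<tail>\s+role\s+(?P<role>admin|user)\b.*)$"
)

def audit_transcript(text):
    """Return (redacted_text, findings) for a captured CLI session."""
    out_lines, findings = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USERNAME_CMD.match(line)
        if not m:
            out_lines.append(line)
            continue
        findings.append({
            "line": lineno,
            "account": m["name"],
            "role": m["role"],
            "plaintext_password": m["kind"] == "plain",
        })
        # Redact the secret whether plain or hashed; neither belongs in a ticket.
        out_lines.append(f"{m['head']}{m['kind']} <redacted>{m['tail']}")
    return "\n".join(out_lines), findings

# Constructed sample: the session from this page plus one hypothetical line.
SAMPLE = """\
ise/admin# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ise/admin(config)# username duke password plain Plain@123 role user email duke@cisco.com
ise/admin(config)# username ops2 password hash $6$constructed role admin
ise/admin(config)# exit
ise/admin#"""

if __name__ == "__main__":
    redacted, findings = audit_transcript(SAMPLE)
    print(redacted)
    for finding in findings:
        print(finding)
```
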


Cisco ISE CLI User Account Privileges

User accounts have access to a restricted number of commands, including the following commands:

  • crypto

  • exit

  • nslookup

  • ping

  • ping6

  • show cdp

  • show clock

  • show container

  • show cpu

  • show disks

  • show icmp_status

  • show interface

  • show inventory

  • show logins

  • show memory

  • show ntp

  • show ports

  • show process

  • show terminal

  • show timezone

  • show udi

  • show uptime

  • show version

  • ssh

  • terminal

  • traceroute

Supported Hardware and Software Platforms for Cisco ISE CLI

You can connect to the Cisco ISE server and access the CLI using the following:

  • A system running Microsoft Windows XP/Vista.

  • A system running Linux, such as Red Hat or Fedora.

  • An Apple computer running Mac OS X 10.4 or later.

  • Any terminal device compatible with VT100 or ANSI characteristics. On VT100-type and ANSI devices, you can use cursor-control and cursor-movement keys including the left arrow, right arrow, up arrow, down arrow, Delete, and Backspace keys. The Cisco ISE CLI senses the use of the cursor-control keys and automatically uses the optimal device characteristics.

    For a complete listing of all terminals, see the terminfo database (terminal capability database) at /usr/share/terminfo/*/*. Possible locations of the compiled terminfo files are /usr/lib/terminfo/v/vt100, /usr/share/terminfo/v/vt100, /home/.../.terminfo/v/vt100, and/or /etc/terminfo/v/vt100. Terminfo is a database of terminal capabilities available for every model of terminal that communicates with the application programs. It specifies which escape sequences (or control characters) to send to the terminal to do things such as move the cursor to a new location, erase part of the screen, scroll the screen, change modes, and change appearance (colors, brightness, blinking, underlining, reverse video, and so on).

    For example, typing "locate vt100" from the root may show you information about the terminal that you are using.

    The following valid terminal types can access the Cisco ISE CLI:

    • 1178

    • 2621

    • 5051

    • 6053

    • 8510

    • altos5

    • amiga

    • ansi

    • apollo

    • Apple_Terminal

    • att5425

    • ibm327x

    • kaypro

    • vt100