Installation Guide for Cisco Secure ACS Solution Engine 4.1
Command Reference

Table Of Contents

Command Reference

CLI Conventions

Command Privileges

Checking Command Syntax

System Help

Command Description Conventions

Commands

add guiadmin

backup

download

exit

exportgroups

exportlogs

exportusers

help

ntpsync

lock guiadmin

ping

reboot

restart

restore

rollback

set admin

set dbpassword

set domain

set hostname

set ip

set password

set time

set timeout

show

shutdown

start

stop

support

tracert

unlock guiadmin

upgrade


Command Reference


This appendix summarizes the command line interface (CLI) commands of the Cisco Secure ACS Solution Engine (ACS SE).

This appendix contains:

CLI Conventions

Command Privileges

Checking Command Syntax

System Help

Command Description Conventions

Commands

CLI Conventions

The CLI uses the following conventions:

The key combination ^c, or Ctrl-c, means hold down the Ctrl key while you press the c key.

A string is defined as a nonquoted set of characters.

Do not confuse the ACS SE CLI with the IOS CLI. Though they are similar, they are not identical.

Command Privileges

Access to CLI commands on the ACS SE is limited to those who physically connect via the console port and who possess the proper administrative credentials.


Note The CLI administrator does not have access to the ACS web GUI. To create an initial GUI administrator account that allows web access to the ACS SE GUI, use the add guiadmin command to create a GUI account.


For more information about establishing the console connection, see Establishing a Serial Console Connection, page 3-10.

Checking Command Syntax

The serial console interface provides several types of responses to incorrect command entries. If you enter a:

Command line that does not contain any valid commands, the system displays Command not found.

Valid command but omit required options, the system displays Incomplete command.

Valid command but provide invalid options or parameters, the system displays Invalid input.

In addition, some commands have command-specific error messages that notify you that a command is valid, but that it cannot run correctly.

System Help

You can obtain help by using the following methods:

For a list of all commands and their syntax, enter help, and then press Enter.

For help on a specific command, type the command name, a space, and a question mark (?), and then press Enter, for example, show ?. The help contains command usage information and syntax.

Command Description Conventions

Command descriptions in this document and in the CLI help system use the following conventions:

Vertical bars (|) separate alternative, mutually exclusive elements.

Square brackets ([ ]) indicate optional elements.

Braces ({ }) indicate a required choice. Braces within square brackets ([{ }]) indicate a required choice within an optional element.

Bold indicates commands and keywords that are entered literally as shown.

Italics indicate arguments for which you supply values.
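The following Python script is an added example, not part of the Cisco guide: it parses syntax strings written in the bracket notation just described (square brackets and bare words only; the braces and vertical-bar notation is not needed for the commands it covers) for a few commands from this appendix, then classifies a typed line with the three responses listed under Checking Command Syntax. The covered command set, the rule that counts and timeouts must be integers, and space-separated option values are assumptions of this model, not documented ACS SE behaviour.

```python
import re

# Syntax strings copied from this command reference. The support line adds
# the -u flag that its argument table lists. Only the commands below are
# modelled (assumption: the real console knows many more).
SYNTAX = {
    "tracert": "tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name",
    "support": "support [-d n] [-u] server filepath [username]",
    "set timeout": "set timeout [minutes]",
    "exit": "exit",
}

# Argument names that this model requires to be non-negative integers
# (hop counts, millisecond timeouts, day counts, minutes). Assumed, not documented.
NUMERIC = {"maximum_hops", "timeout", "minutes", "n"}


def parse_syntax(spec):
    """Turn a syntax string (without the command name) into (options, positionals).

    options:     {"-h": "maximum_hops", "-d": None, ...}  value name, or None for a flag
    positionals: [(name, required), ...] in the order they must be typed
    Square brackets mark optional elements; bare words are required.
    """
    options, positionals = {}, []
    for raw in re.findall(r"\[[^\]]*\]|\S+", spec):
        optional = raw.startswith("[")
        parts = raw.strip("[]").split()
        if parts[0].startswith("-"):
            options[parts[0]] = parts[1] if len(parts) > 1 else None
        else:
            positionals.append((parts[0], not optional))
    return options, positionals


GRAMMAR = {name: parse_syntax(spec[len(name):]) for name, spec in SYNTAX.items()}


def check(line):
    """Classify a console line as OK or one of the three documented error responses."""
    words = line.split()
    # Try the longest command names first so "set timeout" is matched as a whole.
    name = next((n for n in sorted(GRAMMAR, key=len, reverse=True)
                 if words[:len(n.split())] == n.split()), None)
    if name is None:
        return "Command not found"
    options, positionals = GRAMMAR[name]
    args = words[len(name.split()):]
    given, i = [], 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("-"):
            if tok not in options:
                return "Invalid input"            # unknown option
            if options[tok] is not None:          # option takes a value
                i += 1
                if i == len(args):
                    return "Incomplete command"   # value missing
                if options[tok] in NUMERIC and not args[i].isdigit():
                    return "Invalid input"
        else:
            given.append(tok)
        i += 1
    if len(given) < sum(1 for _, req in positionals if req):
        return "Incomplete command"               # required positional omitted
    if len(given) > len(positionals):
        return "Invalid input"                    # too many positionals
    for (pname, _), value in zip(positionals, given):
        if pname in NUMERIC and not value.isdigit():
            return "Invalid input"
    return "OK"
```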

Commands

This section describes the ACS SE commands. Command names are case insensitive.

add guiadmin

To add a GUI account that a remote user can use to access the ACS web GUI, use the add guiadmin command:

add guiadmin [admin] [password]

Syntax Description

admin User name for the GUI account.

password Password for the GUI account.

Usage Guidelines

During initial installation, you are prompted to set up a GUI administration account that remote users can use to access and configure the ACS solution engine. The add guiadmin command is provided to set up additional web GUI accounts, and also to set up a new web GUI account if the initial web GUI account that you set up does not work.

Example

The following command adds a GUI account joeadmin with the password joltinjoe:

add guiadmin joeadmin joltinjoe

backup

To back up ACS data to an FTP server, use the backup command:

backup [server] [username] [filepath]

Syntax Description

server Hostname for the FTP server to which the file will be sent.

username User account name used to authenticate the FTP session.

filepath Location under the FTP root for the server into which the backup will be sent.

Usage Guidelines

If you do not enter the parameters, the system prompts you for the information. Also you are prompted to encrypt the backup. If you indicate that you want to encrypt the data, you are prompted for an encryption password. For more information, see Backing Up ACS Data From the Serial Console, page 4-12.

Example

The following command employs the user account joeadmin to back up the ACS data to the backupdata folder on the onyx FTP server:

backup onyx joeadmin backupdata

download

To download an upgrade image to the ACS SE, use the download command. Executing the download command establishes contact with the specified system, retrieves the manifest file from that system, and automatically downloads the upgrade image to the ACS SE. The syntax is:

download [hostAddress]

Syntax Description

hostAddress The IP address from which the image will be sent.

Usage Guidelines

This command is generally executed from within the web interface. After loading an upgrade image by executing the download command, install the image by using the upgrade command.

Example

The following command syntax downloads an upgrade image from the system with the address 10.51.256.256:

download 10.51.256.256

exit

To log out of the system, use the exit command:

exit

Syntax Description

This command has no arguments or keywords.

Example

The following command logs you out of the system:

exit

exportgroups

To export a list of user groups, use the exportgroups command:

exportgroups [server] [username] [filepath]

Note The CSAuth service is temporarily halted while this command executes. This process interrupts any user authentication.


Syntax Description

server Hostname for the FTP server to which the file will be sent.

username User account name used to authenticate the FTP session.

filepath Location under the FTP root for the server into which the group list will be sent.

Usage Guidelines

If you do not enter the parameters, the system prompts you for the information.

Example

The following command employs the user account joeadmin to send a list of user groups to the groupdata folder on the diamond FTP server:

exportgroups diamond joeadmin groupdata

exportlogs

To list and send selected logs to an FTP server, use the exportlogs command:

exportlogs [filename] [filename]

Syntax Description

filename Name of the file to be exported.

Usage Guidelines

This command lists all the log files that you can download to an FTP server if no filenames are supplied. Otherwise, you can enter each filename with a space separating each filename. You are then prompted for the FTP server address, user login name, password, and the filepath for the file or files to be uploaded.

Example

The following command exports the log files mylog2002-01-31.csv and mylog2002-02-01.csv:

exportlogs mylog2002-01-31.csv mylog2002-02-01.csv

exportusers

To export a list of users, use the exportusers command:

exportusers [server] [username] [filepath]

Note The CSAuth service is temporarily halted while this command executes. This interrupts any user authentication.


Syntax Description

server Hostname for the FTP server to which the file will be sent.

username User account name used to authenticate the FTP session.

filepath Location under the FTP root for the server into which the users list will be sent.

Usage Guidelines

If you do not enter the parameters, the system prompts you for the information.

Example

The following command employs the user account joeadmin to send a list of users to the userdata folder on the emerald FTP server:

exportusers emerald joeadmin userdata

help

To list descriptions of commands, use the help command:

help

Syntax Description

This command has no arguments or keywords.

Example

The following command lists descriptions of commands:

help

ntpsync

To perform Network Time Protocol (NTP) synchronization with a predefined NTP server, use the ntpsync command. For information on setting the NTP server, see set time.

ntpsync

Syntax Description

This command has no arguments or keywords.

Example

The following command uses the predefined NTP synchronization server to synchronize ACS SE time to the NTP server time:

ntpsync

lock guiadmin

To lock a GUI administrator account so that it cannot be used, use the lock guiadmin command:

lock guiadmin [admin] [password]

Syntax Description

admin Username for the GUI account.

password Password for the GUI account.

Usage Guidelines

During initial installation, the setup script prompts the installer to set up a GUI administration account that remote users can use to access and configure the ACS solution engine. A GUI administrator account can also be added by using the add guiadmin command.

GUI administrator accounts are not usable until they have been unlocked using the unlock guiadmin command. The lock guiadmin command is provided to lock web GUI accounts that have been unlocked.

Example

The following command locks a GUI administrator account joeadmin with the password joltinjoe:

lock guiadmin joeadmin joltinjoe

ping

To send ICMP echo_request packets for diagnosing basic network connectivity, use the ping command:

ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [{-j host-list}|{-k host-list}] [-w timeout] destination-list

Syntax Description

Table C-1 Syntax for the Ping Command

-t Ping the specified host until stopped. To see statistics and continue, type Ctrl-Break. To stop, type Ctrl-C.

-a Resolve addresses to hostnames.

-n count Number of echo requests to send.

-l size Send buffer size.

-f Set the Don't Fragment flag in the packet.

-i TTL Time To Live.

-v TOS Type Of Service.

-r count Record route for count hops.

-s count Timestamp for count hops.

-j host-list Loose source route along host-list.

-k host-list Strict source route along host-list.

-w timeout Timeout in milliseconds to wait for each reply.


Examples

acsappl1> ping 10.19.253.228

Pinging 10.19.253.228 with 32 bytes of data:

Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=160ms TTL=120
Reply from 10.19.253.228: bytes=32 time=150ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120

Ping statistics for 10.19.253.228:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 140ms, Maximum =  160ms, Average =  147ms

acsappl1> ping -n 6 10.19.253.228

Pinging 10.19.253.228 with 32 bytes of data:

Reply from 10.19.253.228: bytes=32 time=130ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=130ms TTL=120
Reply from 10.19.253.228: bytes=32 time=130ms TTL=120

Ping statistics for 10.19.253.228:
    Packets: Sent = 6, Received = 6, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 130ms, Maximum =  140ms, Average =  135ms

reboot

To restart the ACS SE, use the reboot command:

reboot

Note AAA services are temporarily halted while this command executes.


Syntax Description

This command has no arguments or keywords.

Example

The following command causes a soft reboot of the ACS SE:

reboot

restart

To restart one or more of the ACS services, use the restart command:

restart [service name(s)]

Note AAA services are temporarily halted while this command executes.


Syntax Description

This command uses as an argument the name of the service or services to be restarted.

Usage Guidelines

Use the restart command to stop and restart any of the ACS services. You can determine the status of each service by using the show command. For more information, see Restarting Solution Engine Services From a Serial Console, page 4-6.

Example

The following command syntax restarts the CSAuth and CSAdmin services:

restart csauth csadmin

restore

To restore ACS data from an FTP server, use the restore command:

restore [server] [username] [filepath] [filename]

Syntax Description

server Hostname for the FTP server from which the file will be sent.

username User account name used to authenticate the FTP session.

filepath Location under the FTP server root in which the restore file is located.

filename Name of the restore file to be used.


Usage Guidelines

If you do not enter the parameters, the system prompts you for the information. You are also prompted to enter the decryption password, and to choose whether to restore the user and group database and the ACS system configuration.

Example

The following command employs the user account joeadmin to retrieve a restore file, allofit, from the restoredata folder on the topaz FTP server:

restore topaz joeadmin restoredata allofit

rollback

To remove any patches and roll back to the originally installed version, use the rollback command:

rollback [appName]

Syntax Description

appName Name of the rollback program (provided as part of the patch distribution) that removes a specific patch and returns the system to the originally installed version.

Usage Guidelines

Use this command to return ACS to its original condition after installing a patch program. The rollback command has the effect of stopping all ACS services, copying all files in the backup directory to the originally installed directories, restoring a specified list of Registry entries, and starting all ACS services once again.

Example

The following command executes the program remvptch4 and returns the system to the state that existed before the patch program was applied:

rollback remvptch4

set admin

To set the name of the ACS SE administrator, use the set admin command:

set admin [administratorname]

Syntax Description

administratorname Name of system administrator.

Usage Guidelines

Use the set admin command to reset the name of the ACS SE administrator. For more information, see Resetting the Solution Engine Administrator Password, page 4-15.

Example

This command sets the administrator name to john:

set admin john

set dbpassword

To set the ACS SE database password, use the set dbpassword command. Subsequent prompts take you through the process.

set dbpassword

Syntax Description

This command has no arguments or keywords.

Usage Guidelines

Use the set dbpassword command to begin resetting the database password. Subsequent prompts take you through the process. For more information, see Resetting the Solution Engine Database Password, page 4-18.

Example

The following command initiates the database password setting procedure:

set dbpassword

set domain

To set the DNS domain of the ACS SE, use the set domain command:

set domain [domain-name]

Syntax Description

domain-name Name of DNS domain.

Example

This command sets the domain name to xyz.com:

set domain xyz.com

set hostname

To set the hostname of the ACS SE, use the set hostname command:

set hostname [hostname]

Syntax Description

hostname Name of the ACS SE.

Example

This command sets the ACS SE name to acs1:

set hostname acs1

set ip

To set the ACS SE IP configuration, use the set ip command:

set ip

Syntax Description

This command has no arguments or keywords.

Usage Guidelines

Use the set ip command to reset the system IP address in response to subsequent prompts. For more information, see Reconfiguring the Solution Engine IP Address, page 4-18.

Example

The following command begins the system IP address configuration.

set ip

set password

To set the ACS SE administrator's password, use the set password command. Subsequent prompts take you through the process.

set password

Syntax Description

This command has no arguments or keywords.

Usage Guidelines

Use the set password command to begin resetting the administrator's password. Subsequent prompts take you through the process. For more information, see Resetting the Solution Engine Administrator Password, page 4-15.

Example

The following command initiates the password setting procedure:

set password

set time

To set the ACS SE time zone, NTP server, date, or time, use the set time command:

set time

Syntax Description

This command has no arguments or keywords.

Usage Guidelines

Use the set time command to begin the setting of the timezone, current date, and current time. Subsequent prompts take you through the process. For more information, see Setting the System Time and Date Manually, page 4-20.

You can also use the set time command to enable an NTP server to synchronize the ACS SE. You can configure one or more NTP servers by separating each NTP IP address entry with a space. For more information, see Setting the System Time and Date with NTP, page 4-20 and the command reference ntpsync.

Example

The following command initiates the system time setting procedure:

set time

set timeout

To set the period, in minutes, after which the serial console will time out, use the set timeout command:

set timeout [minutes]

Syntax Description

This command has a single argument: the number of minutes before timing out. If you enter the command with no argument, the system prompts you for a value in minutes.

Example

The following command establishes a serial console timeout after 10 minutes:

set timeout 10

show

To show the version of the ACS SE, system load status, ACS service status, IP configuration, system time, and NTP settings, ACS SE hostname, DNS domain, and timeout value, use the show command:

show

Syntax Description

This command has no arguments or keywords.

Example

The following command lists ACS SE information:

show

shutdown

To shut down the appliance from the serial console, use the shutdown command:

shutdown

Syntax Description

This command has no arguments or keywords.

Example

The following command shuts down the appliance:

shutdown

start

To start one or more of the ACS services, use the start command:

start [service name(s)]

Syntax Description

This command uses as an argument the name of the service or services to be started.

Usage Guidelines

Use the start command to start any ACS service. You can determine the status of each service by using the show command. For more information, see Starting Solution Engine Services From a Serial Console, page 4-5.

Example

The following command starts the CSAuth and CSAgent services:

start csauth csagent

stop

To stop one or more of the ACS services, use the stop command:

stop [service name(s)]

Note Services subject to this command are halted until restarted, which may interfere with AAA services.



Note When you stop the CSAgent service, the ACS SE not only stops CSAgent but also changes its startup type to manual. This keeps the service stopped, even after a reboot. Likewise, starting CSAgent resets the startup type to automatic.


Syntax Description

This command uses as an argument the name of the service or services to be stopped.

Usage Guidelines

Use the stop command to stop any ACS service. You can determine the status of each service by using the show command. For more information, see Stopping Solution Engine Services From a Serial Console, page 4-4.

Example

The following command stops the CSAuth and CSAdmin services:

stop csauth csadmin

support

The support command collects a set of logs, Registry information, and other useful information that details activity. Executing the command compresses this set of logs into a single cab file, which can then be analyzed by support personnel.

To initiate the support program, use the support command:

support [-d n] [-u] server filepath [username]

Syntax Description

-d n Collect the previous n days of logs (up to 9999).

-u Collect user database information.

server The hostname for the FTP server to which the file is to be sent.

filepath The location under the FTP root for the server into which the package.cab is to be sent.

username The account used to authenticate the FTP session.



Note Unlike its counterpart in the web interface, this command restarts the ACS services, which means that AAA services are interrupted.


Example

The following command packages logs from the past 3 days, together with user database information, and sends them to the FTP server on the machine host as diagdir\diag.cab; you are prompted for the password of the sammy account on the FTP server:

support -d3 -u ftp://host\diagdir\diag.cab sammy

tracert

To display the network route to a specified host and identify faulty gateways, use the tracert command:

tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Syntax Description

-d Do not resolve addresses to hostnames.

-h maximum_hops Maximum number of hops to search for the target.

-j host-list Loose source route along host-list.

-w timeout Wait timeout milliseconds for each reply.


Example

acsappl1> tracert 10.19.253.228

Tracing route to 10.19.253.228 over a maximum of 30 hops

  1   <10 ms   <10 ms   <10 ms  champaign-gw1.cisco.com [171.69.180.1]
  2    40 ms    50 ms    60 ms  sjce-wan-gw1.cisco.com [171.69.8.17]
  3    40 ms    70 ms    70 ms  sjce-wbb-gw1.cisco.com [10.18.255.1]
  4    60 ms    70 ms    60 ms  sjce-rbb-gw1.cisco.com [171.69.7.233]
  5    71 ms    70 ms    60 ms  sjce-sbb1-gw1.cisco.com [171.69.14.34]
  6    80 ms    51 ms    70 ms  sjck-as-gw2.cisco.com [171.69.14.246]
  7    60 ms    90 ms    80 ms  sj-frame-1.cisco.com [171.70.192.54]
  8   150 ms   180 ms   161 ms  10.19.253.225
  9   141 ms   160 ms   170 ms  10.19.253.228
Trace complete.

unlock guiadmin

To unlock a GUI administrator account that a remote user can use to access the ACS web GUI, use the unlock guiadmin command:

unlock guiadmin [admin] [password]

Syntax Description

admin Username for the GUI account.

password Password for the GUI account.

Usage Guidelines

During initial installation, the setup script prompts the installer to set up a GUI administrator account that remote users can use to access and configure the ACS solution engine. This account cannot be used until you unlock it by issuing the unlock guiadmin command.

In addition, you can add further GUI administrator accounts by using the add guiadmin command. These accounts are not usable until they are unlocked by using the unlock guiadmin command. And, if a GUI administrator account has been locked using the lock guiadmin command, you can use the unlock guiadmin command to unlock the account.

Example

The following command unlocks a GUI administrator account joeadmin with the password joltinjoe:

unlock guiadmin joeadmin joltinjoe

upgrade

To perform the second stage of an upgrade, use the upgrade command:

upgrade

Note This command typically reboots the ACS services, which means that AAA services are interrupted.


Syntax Description

This command has no arguments or keywords.

Usage Guidelines

Use the upgrade command to install an upgrade package that you have already loaded to the ACS SE. Ensure that you have stopped CSAgent prior to employing the upgrade command.

Example

The following command initiates the second stage of an upgrade:

upgrade