Installation and Setup Guide for Cisco Secure ACS Appliance
Command Reference

Table Of Contents

Command Reference

CLI Conventions

Command Privileges

Checking Command Syntax

System Help

Command Description Conventions

Commands

backup

dbcompact

download

exit

exportgroups

exportlogs

exportusers

help

ping

reboot

restart

restore

rollback

set admin

set domain

set hostname

set ip

set password

set time

set timeout

show

shutdown

start

stop

support

tracert

upgrade

Command Reference


This appendix summarizes the command line interface (CLI) commands of the Cisco Secure ACS Appliance 3.2.

This appendix contains the following sections:

CLI Conventions

Command Privileges

Checking Command Syntax

System Help

Command Description Conventions

Commands

CLI Conventions

The command-line interface (CLI) uses the following conventions:

The key combination ^c, or Ctrl-c, means hold down the Ctrl key while you press the c key.

A string is defined as a nonquoted set of characters.

Do not confuse the Cisco Secure ACS Appliance CLI with the IOS CLI. Though they are similar, they are not identical.

Command Privileges

Access to CLI commands on the Cisco Secure ACS Appliance is limited to those who physically connect via the console port and who possess the proper administrative credentials.

For more information about establishing the console connection, see Establishing a Serial Console Connection.

Checking Command Syntax

The serial console interface provides several types of responses to incorrect command entries:

If you enter a command line that does not contain any valid commands, the system displays Command not found.

If you enter a valid command but omit required options, the system displays Incomplete command.

If you enter a valid command but provide invalid options or parameters, the system displays Invalid input.

In addition, some commands have command-specific error messages that notify you that a command is valid, but that it cannot run correctly.

System Help

You can obtain help using the following methods:

For a list of all commands and their syntax, enter help, and then press Enter.

For help on a specific command, type the command name, a space, and a question mark, and then press Enter, for example, show ?. The help contains command usage information and syntax.

Command Description Conventions

Command descriptions in this document and in the CLI help system use the following conventions:

Vertical bars (|) separate alternative, mutually exclusive elements.

Square brackets ([ ]) indicate optional elements.

Braces ({ }) indicate a required choice. Braces within square brackets ([{ }]) indicate a required choice within an optional element.

Bold indicates commands and keywords that are entered literally as shown.

Italics indicate arguments for which you supply values.

Commands

This section describes the Cisco Secure ACS Appliance commands. Command names are case insensitive.

backup

To back up ACS data to an FTP server, use the backup command.

backup [server] [username] [filepath]

Syntax Description

server Hostname for the FTP server to which the file will be sent.

username User account name used to authenticate the FTP session.

filepath Location, relative to the FTP server root, to which the backup will be sent.

Usage Guidelines

If you do not enter the parameters, the system prompts you for the information. You are also prompted whether to encrypt the backup; if you choose to encrypt the data, you are prompted for an encryption password. For more information, see Backing Up ACS Data via the Serial Console, page 4-18.

Example

The following command employs the user account joeadmin to back up the ACS data to the backupdata folder on the onyx FTP server:

backup onyx joeadmin backupdata

dbcompact

To compact the database by dumping it, initializing it, and reloading it from the dump file, use the dbcompact command.


Note The CSAuth service is temporarily halted while this command executes. This interrupts any user authentication.


dbcompact

Syntax Description

This command has no arguments or keywords.

Example

The following command compacts the database by dumping, initializing the database, and loading the database from the dump:

dbcompact

download

To download an upgrade image to the Cisco Secure ACS Appliance, use the download command. Executing the download command establishes contact with the specified system, retrieves the manifest file from that system, and automatically downloads the upgrade image to the Cisco Secure ACS Appliance.

download [hostAddress]

Syntax Description

hostAddress The IP address from which the image will be sent.

Usage Guidelines

This command is generally executed from within the HTML interface. After loading an upgrade image by executing the download command, you need to install the image by using the upgrade command. For more information see Upgrading the Appliance, page 4-32.

Example

The following command downloads an upgrade image from the system with the address 10.51.256.256:

download 10.51.256.256

exit

To log out of the system, use the exit command.

exit

Syntax Description

This command has no arguments or keywords.

Example

The following command logs you out of the system:

exit

exportgroups

To export a list of user groups, use the exportgroups command.

exportgroups [server] [username] [filepath]

Note The CSAuth service is temporarily halted while this command executes. This interrupts any user authentication.


Syntax Description

server Hostname for the FTP server to which the file will be sent.

username User account name used to authenticate the FTP session.

filepath Location, relative to the FTP server root, to which the group list will be sent.

Usage Guidelines

If you do not enter the parameters, the system prompts you for the information.

Example

The following command employs the user account joeadmin to send a list of user groups to the groupdata folder on the diamond FTP server:

exportgroups diamond joeadmin groupdata

exportlogs

To list and send selected logs to an FTP server, use the exportlogs command.

exportlogs [filename] [filename]

Syntax Description

filename Name of the file to be exported.

Usage Guidelines

If no filenames are supplied, this command lists all the log files that can be downloaded to an FTP server. Otherwise, enter each filename, separating filenames with a space. You are then prompted for the FTP server address, user login name, password, and the filepath to which the file or files are to be uploaded.

Example

The following command exports the log files mylog2002-01-31.csv and mylog2002-02-01.csv:

exportlogs mylog2002-01-31.csv mylog2002-02-01.csv

exportusers

To export a list of users, use the exportusers command.

exportusers [server] [username] [filepath]

Note The CSAuth service is temporarily halted while this command executes. This interrupts any user authentication.


Syntax Description

server Hostname for the FTP server to which the file will be sent.

username User account name used to authenticate the FTP session.

filepath Location, relative to the FTP server root, to which the user list will be sent.

Usage Guidelines

If you do not enter the parameters, the system prompts you for the information.

Example

The following command employs the user account joeadmin to send a list of users to the userdata folder on the emerald FTP server:

exportusers emerald joeadmin userdata

help

To list descriptions of commands, use the help command.

help

Syntax Description

This command has no arguments or keywords.

Example

The following command lists descriptions of commands:

help

ping

To send ICMP echo_request packets for diagnosing basic network connectivity, use the ping command.

ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] 
[{-j host-list}|{-k host-list}] [-w timeout] destination-list

Syntax Description

-t Ping the specified host until stopped.

To see statistics and continue - type Control-Break.

To stop - type Control-C.

-a Resolve addresses to hostnames.

-n count Number of echo requests to send.

-l size Send buffer size.

-f Set Don't Fragment flag in packet.

-i TTL Time To Live.

-v TOS Type Of Service.

-r count Record route for count hops.

-s count Timestamp for count hops.

-j host-list Loose source route along host-list.

-k host-list Strict source route along host-list.

-w timeout Timeout in milliseconds to wait for each reply.

Examples

acsappl1> ping 10.19.253.228                                             

Pinging 10.19.253.228 with 32 bytes of data:         

Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=160ms TTL=120                
Reply from 10.19.253.228: bytes=32 time=150ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120 

Ping statistics for 10.19.253.228:          
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:       
    Minimum = 140ms, Maximum =  160ms, Average =  147ms

acsappl1> ping -n 6 10.19.253.228                    

Pinging 10.19.253.228 with 32 bytes of data:                             

Reply from 10.19.253.228: bytes=32 time=130ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120   
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120                
Reply from 10.19.253.228: bytes=32 time=130ms TTL=120
Reply from 10.19.253.228: bytes=32 time=130ms TTL=120  

Ping statistics for 10.19.253.228:                   
    Packets: Sent = 6, Received = 6, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:       
    Minimum = 130ms, Maximum =  140ms, Average =  135ms
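The ping output above is the Windows-style format the appliance console prints. The following Python script is an added example for this reference, not code from the Cisco document: it parses a captured ping session into its per-reply times and summary block, cross-checks the two, and applies a simple pass/fail policy, so a connectivity check run over the serial console can be evaluated consistently. PING_OK is the document's own 4-packet example; PING_LOSSY and PING_DOWN are constructed in the same format to add a "Request timed out." probe and a host that never answers (in which case ping prints no round-trip block at all), neither of which appears in the document's examples.

```python
"""Parse and evaluate ping output as printed by the appliance console.
Added example; not code from the Cisco document. PING_OK is the document's
own example; PING_LOSSY and PING_DOWN are constructed in the same format."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PING_OK = """\
Pinging 10.19.253.228 with 32 bytes of data:

Reply from 10.19.253.228: bytes=32 time=140ms TTL=120
Reply from 10.19.253.228: bytes=32 time=160ms TTL=120
Reply from 10.19.253.228: bytes=32 time=150ms TTL=120
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120

Ping statistics for 10.19.253.228:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 140ms, Maximum =  160ms, Average =  147ms
"""

# Constructed: one probe lost.
PING_LOSSY = """\
Pinging 10.19.253.228 with 32 bytes of data:

Reply from 10.19.253.228: bytes=32 time=130ms TTL=120
Request timed out.
Reply from 10.19.253.228: bytes=32 time=140ms TTL=120

Ping statistics for 10.19.253.228:
    Packets: Sent = 3, Received = 2, Lost = 1 (33% loss),
Approximate round trip times in milli-seconds:
    Minimum = 130ms, Maximum =  140ms, Average =  135ms
"""

# Constructed: host unreachable, so ping prints no round-trip block at all.
PING_DOWN = """\
Pinging 10.0.0.9 with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 10.0.0.9:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
"""

_REPLY = re.compile(r"^Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")
_STATS = re.compile(r"^Ping statistics for (\S+):")
_PACKETS = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")
_RTT = re.compile(r"Minimum =\s*(\d+)ms, Maximum =\s*(\d+)ms, Average =\s*(\d+)ms")


@dataclass
class PingResult:
    target: str
    sent: int
    received: int
    lost: int
    rtt_min_ms: Optional[int] = None   # None when no probe was answered
    rtt_max_ms: Optional[int] = None
    rtt_avg_ms: Optional[int] = None
    reply_times_ms: List[int] = field(default_factory=list)

    @property
    def loss_pct(self) -> float:
        return 100.0 * self.lost / self.sent if self.sent else 100.0


def parse_ping(text: str) -> PingResult:
    """Extract the per-reply times and the summary block from captured output."""
    target = counts = None
    rtt = (None, None, None)
    replies: List[int] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _REPLY.match(line):
            replies.append(int(m.group(3)))
        elif m := _STATS.match(line):
            target = m.group(1)
        elif m := _PACKETS.search(line):
            counts = tuple(int(g) for g in m.groups())
        elif m := _RTT.search(line):
            rtt = tuple(int(g) for g in m.groups())
    if target is None or counts is None:
        raise ValueError("no 'Ping statistics' block found in output")
    sent, received, lost = counts
    # Cross-check the summary against the reply lines actually printed.
    if received != len(replies):
        raise ValueError(f"summary reports {received} replies, output shows {len(replies)}")
    return PingResult(target, sent, received, lost, *rtt, replies)


def connectivity_ok(result: PingResult, max_loss_pct: float = 0.0, max_avg_ms: int = 500) -> bool:
    """Pass/fail policy for a console connectivity check: loss within the allowed
    percentage and average round trip under the threshold. A host that never
    answered has no RTT block, which counts as a failure."""
    if result.loss_pct > max_loss_pct or result.rtt_avg_ms is None:
        return False
    return result.rtt_avg_ms <= max_avg_ms
```

The thresholds in connectivity_ok are assumptions chosen for the example; tighten or loosen them to match the link being checked. The cross-check in parse_ping catches truncated captures, where the serial session dropped reply lines but the summary still arrived.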

reboot

To restart the Cisco Secure ACS Appliance, use the reboot command.

reboot

Note AAA services are temporarily halted while this command executes.


Syntax Description

This command has no arguments or keywords.

Example

The following command causes a soft reboot of the Cisco Secure ACS Appliance:

reboot

restart

To restart one or more of the ACS services, use the restart command.

restart [service name(s)]

Note AAA services are temporarily halted while this command executes.


Syntax Description

This command uses as an argument the name of the service or services to be restarted.

Usage Guidelines

Use the restart command to stop and restart any of the ACS services. You can determine the status of each service by using the show command. For more information, see Restarting Appliance Services via Serial Console, page 4-9.

Example

The following command restarts the CSAuth and CSAdmin services:

restart csauth csadmin

restore

To restore ACS data from an FTP server, use the restore command.

restore [server] [username] [filepath] [filename]

Syntax Description

server Hostname for the FTP server from which the file will be retrieved.

username User account name used to authenticate the FTP session.

filepath Location under the FTP server root in which the restore file is located.

filename Name of the restore file to be used.

Usage Guidelines

If you do not enter the parameters, the system prompts you for the information. You are also prompted for a decrypt password, and whether to restore the user/group database and/or the Cisco Secure ACS system configuration.

Example

The following command employs the user account joeadmin to retrieve a restore file, allofit, from the restoredata folder on the topaz FTP server:

restore topaz joeadmin restoredata allofit

rollback

To remove any patches and roll back to the originally installed version, use the rollback command.

rollback [appName]

Syntax Description

appName Name of the program, provided as part of the patch distribution, that removes a specific patch and rolls back to the originally installed version.

Usage Guidelines

Use this command to return a Cisco Secure ACS to its original condition after having installed a patch program. The rollback command has the effect of stopping all ACS services, copying all files in the backup directory to the originally installed directories, restoring a specified list of Registry entries, and starting all ACS services once again.

Example

The following command executes the program remvptch4 and returns the system to the state that existed before the patch program was applied:

rollback remvptch4

set admin

To set the name of the Cisco Secure ACS Appliance administrator, use the set admin command.

set admin [administratorname]

Syntax Description

administratorname Name of system administrator.

Usage Guidelines

Use the set admin command to reset the name of the Cisco Secure ACS Appliance administrator. For more information, see Resetting the Appliance Administrator Password, page 4-24.

Example

This command sets the administrator name to john:

set admin john

set domain

To set the DNS domain of the Cisco Secure ACS Appliance, use the set domain command.

set domain [domain-name]

Syntax Description

domain-name Name of DNS domain.

Example

This command sets the domain name to xyz.com:

set domain xyz.com

set hostname

To set the hostname of the Cisco Secure ACS Appliance, use the set hostname command.

set hostname [hostname]

Syntax Description

hostname Name of the Cisco Secure ACS Appliance.

Example

This command sets the Cisco Secure ACS Appliance name to acs1:

set hostname acs1

set ip

To set the Cisco Secure ACS Appliance IP configuration, use the set ip command.

set ip

Syntax Description

This command has no arguments or keywords.

Usage Guidelines

Use the set ip command to reset the system IP address in response to subsequent prompts. For more information, see Reconfiguring the Appliance IP Address, page 4-26.

Example

The following command begins the system IP address configuration:

set ip

set password

To set the Cisco Secure ACS Appliance administrator's password, use the set password command. Subsequent prompts take you through the process.

set password

Syntax Description

This command has no arguments or keywords.

Usage Guidelines

Use the set password command to begin resetting the administrator's password. Subsequent prompts take you through the process. For more information, see Resetting the Appliance Administrator Password, page 4-24.

Example

The following command initiates the administrator password reset procedure:

set password

set time

To set the Cisco Secure ACS Appliance time zone, NTP server, date, or time, use the set time command.

set time

Syntax Description

This command has no arguments or keywords.

Usage Guidelines

Use the set time command to begin setting the time zone, current date, and current time. Subsequent prompts take you through the process. For more information, see Setting the System Time and Date Manually, page 4-28.

You can also use the set time command to enable an NTP server to synchronize the Cisco Secure ACS Appliance. For more information, see Setting the System Time and Date with NTP, page 4-29.

Example

The following command initiates the system time setting procedure:

set time

set timeout

To set the period, in minutes, after which the serial console will time out, use the set timeout command.

set timeout [minutes]

Syntax Description

This command has a single argument: the number of minutes before timing out. If you enter the command with no argument, the system prompts you for a value in minutes.

Example

The following command establishes a serial console timeout after 10 minutes:

set timeout 10

show

To display the version of the Cisco Secure ACS Appliance, system load status, ACS service status, IP configuration, system time and NTP settings, Cisco Secure ACS Appliance hostname, DNS domain, and timeout value, use the show command.

show

Syntax Description

This command has no arguments or keywords.

Example

The following command lists Cisco Secure ACS Appliance information:

show

shutdown

To shut down the appliance from the serial console, use the shutdown command.

shutdown

Syntax Description

This command has no arguments or keywords.

Example

The following command shuts down the appliance:

shutdown

start

To start one or more of the ACS services, use the start command.

start [service name(s)]

Syntax Description

This command uses as an argument the name of the service or services to be started.

Usage Guidelines

Use the start command to start any ACS service. You can determine the status of each service by using the show command. For more information, see Starting Appliance Services via Serial Console, page 4-7.

Example

The following command starts the CSAuth and CSAdmin services:

start csauth csadmin

stop

To stop one or more of the ACS services, use the stop command.

stop [service name(s)]

Note Services subject to this command are halted until restarted. This may interfere with AAA services.


Syntax Description

This command uses as an argument the name of the service or services to be stopped.

Usage Guidelines

Use the stop command to stop any ACS service. You can determine the status of each service by using the show command. For more information, see Stopping Appliance Services via Serial Console, page 4-6.

Example

The following command stops the CSAuth and CSAdmin services:

stop csauth csadmin

support

The support command collects a set of logs, Registry information, and other useful information that details activity. Executing the command compresses this set of logs into a single cab file, which can then be analyzed by support personnel.

To initiate the support program, use the support command.

support [-d n] [-u] server filepath [username]

Syntax Description

-d n Collect the previous n days' logs (up to 9999).

-u Collect user database information.

server The hostname for the FTP server to which the file is to be sent.

filepath The location, relative to the FTP server root, to which the package.cab file is to be sent.

username The account used to authenticate the FTP session.


Note Unlike its counterpart in the HTML interface, this command restarts the Cisco Secure ACS services. This means that AAA services are interrupted.


Example

The following command packages the logs from the past 3 days together with user database information and sends the result to the FTP server on the machine host as diagdir/diag.cab; you are prompted for the password of the sammy account on the FTP server:

support -d3 -u ftp://host/diagdir/diag.cab sammy

tracert

To display the network route to a specified host and identify faulty gateways, use the tracert command.

tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Syntax Description

-d Do not resolve addresses to hostnames.

-h maximum_hops Maximum number of hops to search for target.

-j host-list Loose source route along host-list.

-w timeout Wait timeout milliseconds for each reply.

Example

acsappl1> tracert 10.19.253.228

Tracing route to 10.19.253.228 over a maximum of 30 hops

  1   <10 ms   <10 ms   <10 ms  champaign-gw1.cisco.com [171.69.180.1]
  2    40 ms    50 ms    60 ms  sjce-wan-gw1.cisco.com [171.69.8.17]
  3    40 ms    70 ms    70 ms  sjce-wbb-gw1.cisco.com [10.18.255.1]
  4    60 ms    70 ms    60 ms  sjce-rbb-gw1.cisco.com [171.69.7.233]
  5    71 ms    70 ms    60 ms  sjce-sbb1-gw1.cisco.com [171.69.14.34]
  6    80 ms    51 ms    70 ms  sjck-as-gw2.cisco.com [171.69.14.246]
  7    60 ms    90 ms    80 ms  sj-frame-1.cisco.com [171.70.192.54]  
  8   150 ms   180 ms   161 ms  10.19.253.225                        
  9   141 ms   160 ms   170 ms  10.19.253.228                         
Trace complete.                                                          
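The tracert output above lists three probe times per hop, with "<10 ms" for sub-10-millisecond replies and, when a gateway does not answer, asterisks followed by "Request timed out.". The following Python script is an added example for this reference, not code from the Cisco document: it parses a captured trace into hops and reports the hop at which the best round-trip time grows the most, which is the usual starting point when this command is used to identify a faulty gateway. TRACERT_PAGE is the document's own output; TRACERT_GAP is constructed in the same format to add a hop that timed out, which the document's example does not show.

```python
"""Parse tracert output as printed by the appliance console and point at the
hop where latency jumps most. Added example; not code from the Cisco document.
TRACERT_PAGE is the document's own output; TRACERT_GAP is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRACERT_PAGE = """\
Tracing route to 10.19.253.228 over a maximum of 30 hops

  1   <10 ms   <10 ms   <10 ms  champaign-gw1.cisco.com [171.69.180.1]
  2    40 ms    50 ms    60 ms  sjce-wan-gw1.cisco.com [171.69.8.17]
  3    40 ms    70 ms    70 ms  sjce-wbb-gw1.cisco.com [10.18.255.1]
  4    60 ms    70 ms    60 ms  sjce-rbb-gw1.cisco.com [171.69.7.233]
  5    71 ms    70 ms    60 ms  sjce-sbb1-gw1.cisco.com [171.69.14.34]
  6    80 ms    51 ms    70 ms  sjck-as-gw2.cisco.com [171.69.14.246]
  7    60 ms    90 ms    80 ms  sj-frame-1.cisco.com [171.70.192.54]
  8   150 ms   180 ms   161 ms  10.19.253.225
  9   141 ms   160 ms   170 ms  10.19.253.228
Trace complete.
"""

# Constructed: hop 3 does not answer any of the three probes.
TRACERT_GAP = """\
Tracing route to 10.19.253.228 over a maximum of 30 hops

  1   <10 ms   <10 ms   <10 ms  champaign-gw1.cisco.com [171.69.180.1]
  2    40 ms    50 ms    60 ms  sjce-wan-gw1.cisco.com [171.69.8.17]
  3     *        *        *     Request timed out.
  4   150 ms   180 ms   161 ms  10.19.253.228
Trace complete.
"""

_HEADER = re.compile(r"^Tracing route to (\S+) over a maximum of (\d+) hops")
_HOP = re.compile(r"^\s*(\d+)\s+(<?\d+ ms|\*)\s+(<?\d+ ms|\*)\s+(<?\d+ ms|\*)\s+(.+?)\s*$")
_NAMED = re.compile(r"^(\S+) \[(\S+)\]$")


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]   # None where a probe timed out ('*')
    name: Optional[str]            # resolved name, if tracert printed one
    address: Optional[str]         # IP address; None when the hop never answered

    @property
    def best_ms(self) -> Optional[int]:
        answered = [r for r in self.rtts_ms if r is not None]
        return min(answered) if answered else None


@dataclass
class TraceResult:
    target: str
    max_hops: int
    hops: List[Hop]


def _rtt(token: str) -> Optional[int]:
    # "<10 ms" is an upper bound; record it as 10 so it stays comparable.
    return None if token == "*" else int(token.lstrip("<").split()[0])


def parse_tracert(text: str) -> TraceResult:
    target, max_hops, hops = None, 0, []
    for line in text.splitlines():
        if m := _HEADER.match(line):
            target, max_hops = m.group(1), int(m.group(2))
        elif m := _HOP.match(line):
            rtts = [_rtt(t) for t in m.group(2, 3, 4)]
            rest = m.group(5)
            if nm := _NAMED.match(rest):
                name, address = nm.group(1), nm.group(2)
            elif rest.startswith("Request timed out"):
                name, address = None, None
            else:
                name, address = None, rest
            hops.append(Hop(int(m.group(1)), rtts, name, address))
    if target is None:
        raise ValueError("no 'Tracing route to' header found in output")
    return TraceResult(target, max_hops, hops)


def largest_latency_jump(trace: TraceResult) -> Optional[Tuple[int, int]]:
    """Return (hop number, increase in ms) for the hop whose best RTT grows
    most over the previous hop that answered; hops that timed out are skipped."""
    prev, worst = None, None
    for hop in trace.hops:
        if hop.best_ms is None:
            continue
        if prev is not None:
            delta = hop.best_ms - prev.best_ms
            if worst is None or delta > worst[1]:
                worst = (hop.number, delta)
        prev = hop
    return worst
```

Using the best of the three probes per hop rather than the average keeps a single slow probe from masquerading as a bad link; a hop that answers none of its probes is skipped rather than treated as infinite latency, since many gateways simply do not reply to traceroute probes.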

upgrade

To perform the second stage of an upgrade, use the upgrade command.

upgrade

Note This command typically reboots the Cisco Secure ACS services. This means that AAA services are interrupted.


Syntax Description

This command has no arguments or keywords.

Usage Guidelines

Use the upgrade command to install an upgrade package that you have already loaded to the Cisco Secure ACS Appliance. For more information, see Upgrading the Appliance, page 4-32.

Example

The following initiates the second stage of an upgrade:

upgrade