Feedback
Table Of Contents
Cisco ISE Command Reference
This appendix contains an alphabetical listing of the commands specific to the Cisco Identity Services Engine (Cisco ISE).
The commands comprise these modes:
•
EXEC
–
–
•
–
Note
Each of the commands in this appendix is followed by a brief description of its use, command syntax, usage guidelines, and one or more examples. Throughout this appendix, the Cisco ISE server uses the name ise in place of the Cisco ISE server's hostname.
Note
This appendix describes:
EXEC Commands
This section lists each EXEC command and includes a brief description of its use, command syntax, usage guidelines, and sample output.
Table A-1 lists the EXEC commands that this section describes.
Table A-1 List of EXEC Commands
•
•
•
•
•
•
•
•
•
•
application configure
To configure Microsoft Windows Active Directory settings in the Cisco ISE, use the application configure command in the EXEC mode.
application configure application-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
You can configure to use only a specific name-server that has the required Active Directory configuration when there are multiple IP name-servers that are configured in a Cisco ISE node.
Cisco ISE allows you to configure Active Directory settings by using the application configure command. It prompts you the following warning message for confirmation:
Active Directory internal setting modification should only be performed if approved by ISE support. Please confirm this change has been approved y/n [n]:Examples
ise/admin# application configure iseSelection ISE configuration option[1]Reset Active Directory settings to defaults[2]Display Active Directory settings[3]Configure Active Directory settings[4]Restart/Apply Active Directory settings[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings[6]Exit3 (option 3 from the menu)You are about to configure Active Directory settings.Are you sure you want to proceed? y/n [n]: yParameter Name: dns.serversParameter Value: 10.77.122.135Active Directory internal setting modification should only be performed if approved by ISE support. Please confirm this change has been approved y/n [n]: yActive Directory settings were modified.Settings will take effect after choosing apply option from menu.Selection ISE configuration option[1]Reset Active Directory settings to defaults[2]Display Active Directory settings[3]Configure Active Directory settings[4]Restart/Apply Active Directory settings[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings[6]Exit4 (option 4 from the menu)You are about to Reset/Apply Active Directory settings.Are you sure you want to proceed? y/n [n]: yYou are about to apply recent settings changes. This will require AD client to be restarted which may take several minutes. Continue y/n [n]: yActive Directory settings were appliedSelection ISE configuration option[1]Reset Active Directory settings to defaults[2]Display Active Directory settings[3]Configure Active Directory settings[4]Restart/Apply Active Directory settings[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings[6]Exit2 (option 2 from the menu)Parameter Name: dns.serversdns.servers: 10.77.122.135Selection ISE configuration option[1]Reset Active Directory settings to defaults[2]Display Active Directory settings[3]Configure Active Directory settings[4]Restart/Apply Active Directory settings[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings[6]Exit5 (option from the menu)You are about to clear the Active Directory Trusts Cache and reset/apply Active Directory settings.Are you sure you want to proceed? y/n [n]: ylog4j:WARN No appenders could be found for logger (com.cisco.cpm.acs.nsf.config.handlers.ad.cli.ADAgentRestart).log4j:WARN Please initialize the log4j system properly.You are about to apply recent settings changes. This will require AD client to be restarted which may take several minutes. Continue y/n [n]: yActive Directory settings were appliedSelection ISE configuration option[1]Reset Active Directory settings to defaults[2]Display Active Directory settings[3]Configure Active Directory settings[4]Restart/Apply Active Directory settings[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings[6]Exit6 (option from the menu)ise/admin#Related Commands
application install
Note
To install a specific application other than the Cisco ISE, use the application install command in the EXEC mode. To remove this function, use the application remove command.
application install application-bundle remote-repository-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Installs the specified application bundle on the appliance. The application bundle file is pulled from the specified repository.
If you issue the application install or application remove command when another installation or removal operation of an application is in progress, you will see the following warning message:
An existing application install, remove, or upgrade is in progress. Try again shortly.Examples
Example 1
ise/admin# application install ise-appbundle-1.1.0.362.i386.tar.gz myrepositoryDo you want to save the current configuration? (yes/no) [yes]? yPlease enter yes or noDo you want to save the current configuration? (yes/no) [yes]? yesGenerating configuration...Saved the running configuration to startup successfullyInitiating Application installation...Extracting ISE database content...Starting ISE database processes...Restarting ISE database processes...Creating ISE M&T session directory...Performing ISE database priming...Application successfully installed
ise/admin#
Example 2
ise/admin# application install ise-appbundle-1.1.0.362.i386.tar.gz myrepositoryDo you want to save the current configuration? (yes/no) [yes]? noInitiating Application installation...Extracting ISE database content...Starting ISE database processes...Restarting ISE database processes...Creating ISE M&T session directory...Performing ISE database priming...Application successfully installedise/admin#Related Commands
application remove
Note
To remove a specific application other than the Cisco ISE, use the application remove command in the EXEC mode. To remove this function, use the no form of this command.
application remove application-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Removes or uninstalls an application.
Examples
ise/admin# application remove iseContinue with application removal? [y/n] yApplication successfully uninstalledise/admin#Related Commands
application reset-config
To reset the Cisco ISE application configuration and clear the Cisco ISE database, use the application reset-config command in the EXEC mode. (This command does not reset your initial chassis configuration settings like the IP address, netmask, administrator user interface password, and so on.) Part of this reset function requires you to enter new Cisco ISE database administrator and user passwords.
application reset-config application-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
You can use the application reset-config command to reset the Cisco ISE configuration and clear the Cisco ISE database without reimaging the Cisco ISE appliance or VMware, and reset the Cisco ISE database administrator and user passwords.
Note
Examples
Example 1
ise/admin# application reset-config iseInitialize your identity policy database to factory defaults? (y/n): yReinitializing local policy database to factory default state...Stopping ISE Monitoring & Troubleshooting Log Processor...Stopping ISE Monitoring & Troubleshooting Log Collector...Stopping ISE Monitoring & Troubleshooting Alert Process...Stopping ISE Application Server...Stopping ISE Monitoring & Troubleshooting Session Database...Stopping ISE Database processes...Please follow the prompts below to create the database administrator password.Enter new database admin password:Confirm new database admin password:Successfully created database administrator password.Please follow the prompts below to create the database user password.Enter new database user password:Confirm new database user password:Successfully created database user password.Extracting ISE database content...Starting ISE database processes...Restarting ISE database processes...Creating ISE M&T session directory...Performing ISE database priming...Application successfully reset configurationise/admin#Example 2
ise/admin# application reset-config iseInitialize your identity policy database to factory defaults? (y/n): nExisting policy database will be retained.Application successfully reset configurationise/admin#Related Commands
application reset-passwd
Note
To reset the administrator user interface login password for a specified user account (usually an existing administrator account) in Cisco ISE after the administrator account has been disabled due to incorrect password entries, use the application reset-passwd command in the EXEC mode. You can also use this command to reset the Cisco ISE database administrator and user passwords.
application reset-passwd application-name administrator-ID | internal-database-admin | internal-database-user
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
The following special characters are allowed when resetting Cisco ISE administrator user interface password:
If you enter an incorrect password for your administrator user ID more than the specified number of times necessary to disable the administrator account in Cisco ISE, then the user interface "locks you out" of the system. Cisco ISE suspends the credentials for that administrator ID until you have an opportunity to reset the password associated with that administrator ID. It is the Administration ISE node on which the password is being reset only from the CLI.
Typically, you need to specify the Cisco ISE database administrator and user passwords only once, and only during initial configuration or upgrade. If it is necessary to change either of these passwords later, you can use the application reset-passwd command line function for this purpose.
UTF-8 admin users can change passwords only through the Cisco ISE administrator user interface.
Examples
Example 1
ise/admin# application reset-passwd ise adminEnter new password: ******Confirm new password: ******Password reset successfully.ise/admin#Example 2
ise/admin# application reset-passwd ise internal-database-adminEnter new database admin password: ***********Confirm new database admin password: ***********Password reset successfully.ise/admin#Related Commands
application start
To enable a specific application, use the application start command in the EXEC mode. To remove this function, use the no form of this command.
application start application-name
application start application-name safe
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Enables an application.
You cannot use this command to start the Cisco ISE application. If you use this command to start the application, you can see that the Cisco ISE is already running.
You can use the application start ise safe command to start the Cisco ISE in a safe mode that allows you to disable access control temporarily to the admin user interface, and then restart the application after making necessary changes. The safe option provides a means of recovery in the event that you as an administrator inadvertently lock out all users from accessing the Cisco ISE admin user interface. This event can happen if you configure an incorrect "IP Access" list in the Administration > Admin Access > Settings > Access page. The safe option also bypasses certificate-based authentication and reverts to the default username and password authentication for logging in to the Cisco ISE admin user interface.
Examples
ise/admin# application start iseISE Database processes is already running, PID: 7585ISE M&T Session Database is already running, PID: 7851ISE Application Server process is already running, PID: 7935ISE M&T Log Collector is already running, PID: 7955ISE M&T Log Processor is already running, PID: 8005ISE M&T Alert Processor is already running, PID: 8046ise/admin#ise/admin# application start ise safeStarting ISE Database processes...Starting ISE Monitoring & Troubleshooting Session Database...Starting ISE Application Server...Starting ISE Monitoring & Troubleshooting Alert Process...Starting ISE Monitoring & Troubleshooting Log Collector...Starting ISE Monitoring & Troubleshooting Log Processor...Note: ISE Processes are initializing. Use 'show application status ise'CLI to verify all processes are in running state.ise/admin#Related Commands
application stop
To disable a specific application, use the application stop command in the EXEC mode. To remove this function, use the no form of this command.
application stop application-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Disables an application.
Examples
ise/admin# application stop iseStopping ISE Monitoring & Troubleshooting Log Processor...Stopping ISE Monitoring & Troubleshooting Log Collector...Stopping ISE Monitoring & Troubleshooting Alert Process...Stopping ISE Application Server...Stopping ISE Monitoring & Troubleshooting Session Database...Stopping ISE Database processes...ise/admin#Related Commands
application upgrade
To upgrade a specific application bundle, use the application upgrade command in the EXEC mode.
application upgrade application-bundle remote-repository-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Upgrades an application bundle, and preserves any application configuration data.
If you issue the application upgrade command when another application upgrade operation is in progress, you will see the following warning message:
An existing application install, remove, or upgrade is in progress. Try again shortly.
Caution
Note
Examples
Example 1
ise/admin# application upgrade ise-appbundle-1.1.0.362.i386.tar.gz httpSave the current ADE-OS running configuration? (yes/no) [yes]? yesGenerating configuration...Saved the ADE-OS running configuration to startup successfullyInitiating Application Upgrade...Stopping ISE application before upgrade...Running ISE Database upgrade...Upgrading ISE Database schema...ISE Database schema upgrade completed.Running ISE Global data upgrade as this node is a STANDALONE...Running ISE data upgrade for node specific data...Application upgrade successfulise/admin#Example 2
ise/admin# application upgrade ise-appbundle-1.1.0.362.i386.tar.gz httpSave the current ADE-OS running configuration? (yes/no) [yes]? noInitiating Application Upgrade...Stopping ISE application before upgrade...Running ISE Database upgrade...Upgrading ISE Database schema...ISE Database schema upgrade completed.Running ISE Global data upgrade as this node is a STANDALONE...Running ISE data upgrade for node specific data...Application upgrade successfulise/admin#Related Commands
backup
To perform a backup (including the Cisco ISE and Cisco ADE OS data) and place the backup in a repository, use the backup command in the EXEC mode. To perform a backup of only the Cisco ISE application data without the Cisco ADE OS data, use the application command.
Note
backup backup-name repository repository-name application application-name encryption-key hash |plain encryption-key name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Performs a backup of the Cisco ISE and Cisco ADE OS data and places the backup in a repository with an encrypted (hashed) or unencrypted plaintext password.
To perform a backup of only the Cisco ISE application data without the Cisco ADE OS data, use the application command.
You can encrypt and decrypt backups now by using user-defined encryption keys.
Examples
Example 1
ise/admin# backup mybackup repository myrepository encryption-key plain Lab12345% Creating backup with timestamped filename: backup-111125-1252.tar.gpgise/admin#Example 2
ise/admin# backup mybackup repository myrepository application ise encryption-key plain Lab12345% Creating backup with timestamped filename: backup-111125-1235.tar.gpgise/admin#Related Commands
backup-logs
To back up system logs, use the backup-logs command in the EXEC mode. To remove this function, use the no form of this command.
Note
backup-logs backup-name repository repository-name encryption-key hash | plain encryption-key name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Backs up system logs with an encrypted (hashed) or unencrypted plaintext password.
Examples
ise/admin# backup-logs mybackup repository myrepository encryption-key plain Lab12345% Creating log backup with timestamped filename: mybackup-111125-1117.tar.gpgise/admin#Related Commands
clock
To set the system clock, use the clock command in the EXEC mode. To remove this function, use the no form of this command.
clock set [month day hh:min:ss yyyy]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Sets the system clock. You must restart the Cisco ISE server after you reset the clock for the change to take effect.
WarningFor more information on how changing system time impacts different Cisco ISE nodes types of your deployment and the steps to recover from the impact, see the "Standalone or Primary ISE Node" section and "Secondary ISE Node" section.
Standalone or Primary ISE Node
Changing the system time after installation is not supported on a Standalone or Primary ISE node.
If you inadvertently change the system time, do the following:
•
•
•
Secondary ISE Node
Changing the system time on a secondary node renders it unusable on your deployment.
To synchronize the system time of the secondary node with the primary node, do the following:
•
•
•
•
Note
Examples
ise/admin# clock set May 5 18:07:20 2010ise/admin# show clockThu May 5 18:07:26 UTC 2010ise/admin#Related Commands
configure
To enter the Configuration mode, use the configure command in the EXEC mode. If the replace option is used with this command, copies a remote configuration to the system which overwrites the existing configuration.
configure terminal
Syntax Description
configure
The command that allows you to enter the Configuration mode.
terminal
Executes configuration commands from the terminal.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Use this command to enter the Configuration mode. Note that commands in this mode write to the running configuration file as soon as you enter them (press Enter).
To exit the Configuration mode and return to the EXEC mode, enter end, exit, or Ctrl-z.
To view the changes that you have made to the configuration, use the show running-config command in the EXEC mode.
Examples
Example 1
ise/admin# configureEnter configuration commands, one per line. End with CNTL/Z.ise/admin(config)#Example 2
ise/admin# configure terminalEnter configuration commands, one per lineAug.nd with CNTL/Z.ise/admin(config)#Related Commands
Displays the contents of the currently running configuration file or the configuration.
Displays the contents of the startup configuration file or the configuration.
copy
To copy any file from a source to a destination, use the copy command in the EXEC mode. The copy command in the Cisco ISE copies a configuration (running or startup).
Running Configuration
The Cisco ISE active configuration stores itself in the Cisco ISE RAM. Every configuration command you enter resides in the running configuration. If you reboot your Cisco ISE server, you lose the running configuration. If you make changes that you want to save, you must copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE server startup configuration.
Startup Configuration
You cannot edit a startup configuration directly. All commands that you enter store themselves in the running configuration, which you can copy into the startup configuration.
In other words, when you boot a Cisco ISE server, the startup configuration becomes the initial running configuration. As you modify the configuration, the two diverge: the startup configuration remains the same; the running configuration reflects the changes that you have made. If you want to make your changes permanent, you must copy the running configuration to the startup configuration.
The following command lines show some of the copy command scenarios available:
copy running-config startup-config—Copies the running configuration to the startup configuration.
copy run start—Replaces the startup configuration with the running configuration.
Note
copy startup-config running-config—Copies the startup configuration to the running configuration.
copy start run—Merges the startup configuration on top of the running configuration.
copy [protocol://hostname/location] startup-config—Copies but does not merge a remote file to the startup configuration.
copy [protocol://hostname/location] running-config—Copies and merges a remote file to the running configuration.
copy startup-config [protocol://hostname/location]—Copies the startup configuration to a remote system.
copy running-config [protocol://hostname/location]—Copies the running configuration to a remote system.
copy logs [protocol://hostname/location]—Copies log files from the system to another location.
Note
Syntax Description
copy
The command that copies items.
running-config
Represents the current running configuration file.
startup-config
Represents the configuration file used during initialization (startup).
protocol
See Table A-2 for protocol keyword options.
hostname
Hostname of destination.
location
Location of destination.
logs
The system log files.
all
Copies all Cisco ISE log files from the system to another location. All logs are packaged as iselogs.tar.gz and transferred to the specified directory on the remote host.
filename
Allows you to copy a single Cisco ISE log file and transfer it to the specified directory on the remote host, with its original name.
log_filename
Name of the Cisco ISE log file, as displayed by the show logs command (up to 255 characters).
mgmt
Copies the Cisco ISE management debug logs and Tomcat logs from the system, bundles them as mgmtlogs.tar.gz, and transfers them to the specified directory on the remote host.
runtime
Copies the Cisco ISE runtime debug logs from the system, bundles them as runtimelogs.tar.gz, and transfers them to the specified directory on the remote host.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
The fundamental function of the copy command allows you to copy a file (such as a system image or configuration file) from one location to another location. The source and destination for the file specified uses the Cisco ISE file system, through which you can specify any supported local or remote file location. The file system being used (a local memory source or a remote system) dictates the syntax used in the command.
You can enter on the command line all the necessary source and destination information and the username and password to use; or, you can enter the copy command and have the server prompt you for any missing information.
Timesaver
The entire copying process might take several minutes and differs from protocol to protocol and from network to network.
Use the filename relative to the directory for file transfers.
Possible errors are standard FTP error messages.
Examples
Example 1
ise/admin# copy run startGenerating configuration...ise/admin#Example 2
ise/admin# copy running-config startup-configGenerating configuration...ise/admin#Example 3
ise/admin# copy start runise/admin#Example 4
ise/admin# copy startup-config running-configise/admin#Example 5
ise/admin# copy logs disk:/Collecting logs...ise/admin#Example 6
ise/admin# copy disk://mybackup-100805-1910.tar.gz ftp://myftpserver/mydirUsername:Password:ise/admin#
Related Commands
debug
To display errors or events for command situations, use the debug command in the EXEC mode.
debug {all | application | backup-restore | cdp | config | icmp | copy | locks | logging | snmp | system | transfer | user | utils}
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Use the debug command to identify various failures within the Cisco ISE server; for example, setup failures or configuration failures.
Examples
ise/admin# debug allise/admin# mkdir disk:/1ise/admin# 6 [15347]: utils: vsh_root_stubs.c[2742] [admin]: mkdir operation successise/admin# rmdir disk:/16 [15351]: utils: vsh_root_stubs.c[2601] [admin]: Invoked Remove Directory disk:/1 command6 [15351]: utils: vsh_root_stubs.c[2663] [admin]: Remove Directory operation successise/admin#ise/admin# undebug allise/admin#Related Commands
Disables the output (display of errors or events) of the debug command for various command situations.
delete
To delete a file from the Cisco ISE server, use the delete command in the EXEC mode. To remove this function, use the no form of this command.
delete filename [disk:/path]
Syntax Description
delete
The command to delete a file from the Cisco ISE server.
filename
Filename. Supports up to 80 alphanumeric characters.
disk:/path
Location.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
If you attempt to delete the configuration file or image, the system prompts you to confirm the deletion. Also, if you attempt to delete the last valid system image, the system prompts you to confirm the deletion.
Examples
ise/admin# delete disk:/hs_err_pid19962.logise/admin#Related Commands
dir
To list a file from the Cisco ISE server, use the dir command in the EXEC mode. To remove this function, use the no form of this command.
dir [word] [recursive]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# dirDirectory of disk:/2034113 Aug 05 2010 19:58:39 ADElogs.tar.gz4096 Jun 10 2010 02:34:03 activemq-data/4096 Aug 04 2010 23:14:53 logs/16384 Jun 09 2010 02:59:34 lost+found/2996022 Aug 05 2010 19:11:16 mybackup-100805-1910.tar.gz4096 Aug 04 2010 23:15:20 target/4096 Aug 05 2010 12:25:55 temp/Usage for disk: filesystem8076189696 bytes total used6371618816 bytes free15234142208 bytes availableise/admin#Example 2
ise/admin# dir disk:/logs0 Aug 05 2010 11:53:52 usermgmt.logUsage for disk: filesystem8076189696 bytes total used6371618816 bytes free15234142208 bytes availableise/admin#Example 3
ise/admin# dir recursiveDirectory of disk:/2034113 Aug 05 2010 19:58:39 ADElogs.tar.gz2996022 Aug 05 2010 19:11:16 mybackup-100805-1910.tar.gz4096 Aug 04 2010 23:14:53 logs/4096 Aug 05 2010 12:25:55 temp/4096 Jun 10 2010 02:34:03 activemq-data/4096 Aug 04 2010 23:15:20 target/16384 Jun 09 2010 02:59:34 lost+found/Directory of disk:/logs0 Aug 05 2010 11:53:52 usermgmt.logDirectory of disk:/temp281 Aug 05 2010 19:12:45 RoleBundles.xml6631 Aug 05 2010 19:12:34 PipDetails.xml69 Aug 05 2010 19:12:45 GroupRoles.xml231 Aug 05 2010 19:12:34 ApplicationGroupTypes.xml544145 Aug 05 2010 19:12:35 ResourceTypes.xml45231 Aug 05 2010 19:12:45 UserTypes.xml715 Aug 05 2010 19:12:34 ApplicationGroups.xml261 Aug 05 2010 19:12:34 ApplicationTypes.xml1010 Aug 05 2010 19:12:34 Pdps.xml1043657 Aug 05 2010 19:12:44 Groups.xml281003 Aug 05 2010 19:12:38 Resources.xml69 Aug 05 2010 19:12:45 GroupUsers.xml2662 Aug 05 2010 19:12:44 RoleTypes.xml79 Aug 05 2010 19:12:34 UserStores.xml4032 Aug 05 2010 19:12:38 GroupTypes.xml1043 Aug 05 2010 19:12:34 Organization.xml58377 Aug 05 2010 19:12:46 UserRoles.xml300 Aug 05 2010 19:12:45 Contexts.xml958 Aug 05 2010 19:12:34 Applications.xml28010 Aug 05 2010 19:12:45 Roles.xml122761 Aug 05 2010 19:12:45 Users.xmlDirectory of disk:/activemq-data4096 Jun 10 2010 02:34:03 localhost/Directory of disk:/activemq-data/localhost0 Jun 10 2010 02:34:03 lock4096 Jun 10 2010 02:34:03 journal/4096 Jun 10 2010 02:34:03 kr-store/4096 Jun 10 2010 02:34:03 tmp_storage/Directory of disk:/activemq-data/localhost/journal33030144 Aug 06 2010 03:40:26 data-12088 Aug 06 2010 03:40:26 data-controlDirectory of disk:/activemq-data/localhost/kr-store4096 Aug 06 2010 03:40:27 data/4096 Aug 06 2010 03:40:26 state/Directory of disk:/activemq-data/localhost/kr-store/data102 Aug 06 2010 03:40:27 index-container-roots0 Aug 06 2010 03:40:27 lockDirectory of disk:/activemq-data/localhost/kr-store/state3073 Aug 06 2010 03:40:26 hash-index-store-state_state51 Jul 20 2010 21:33:33 index-transactions-state204 Aug 06 2010 03:40:26 index-store-state306 Jun 10 2010 02:34:03 index-kaha290 Jun 10 2010 02:34:03 data-kaha-171673 Aug 06 2010 03:40:26 data-store-state-10 Jun 10 2010 02:34:03 lockDirectory of disk:/activemq-data/localhost/tmp_storageNo files in directoryDirectory of disk:/target4096 Aug 04 2010 23:15:20 logs/Directory of disk:/target/logs0 Aug 04 2010 23:15:20 ProfilerPDP.log2208 Aug 05 2010 11:54:26 ProfilerSensor.logDirectory of disk:/lost+foundNo files in directoryUsage for disk: filesystem8076189696 bytes total used6371618816 bytes free15234142208 bytes availableise/admin#Related Commands
exit
To close an active terminal session by logging out of the Cisco ISE server or to move up one mode level from the Configuration mode, use the exit command in the EXEC mode.
exit
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Use the exit command in EXEC mode to exit an active session (log out of the Cisco ISE server) or to move up from the Configuration mode.
Examples
ise/admin# exitise/admin#Related Commands
Exits the Configuration mode.
Exits the Configuration mode or EXEC mode.
Ctrl-z
Exits the Configuration mode.
forceout
To force users out of an active terminal session by logging them out of the Cisco ISE server, use the forceout command in the EXEC mode.
forceout username
Syntax Description
forceout
The command that enforces logout of all the sessions of a specific system user.
username
The name of the user. Supports up to 31 alphanumeric characters.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Use the forceout command in EXEC mode to force a user from an active session.
Examples
ise/admin# forceout user1ise/admin#halt
To shut down and power off the system, use the halt command in EXEC mode.
halt
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Before you issue the halt command, ensure that the Cisco ISE is not performing any backup, restore, installation, upgrade, or remove operation. If you issue the halt command while the Cisco ISE is performing any of these operations, you will get one of the following warning messages:
WARNING: A backup or restore is currently in progress! Continue with halt?WARNING: An install/upgrade/remove is currently in progress! Continue with halt?If you get any of these warnings, enter Yes to halt the operation, or enter No to cancel the halt.
If no processes are running when you use the halt command or if you enter Yes in response to the warning message displayed, the Cisco ISE asks you to respond to the following option:
Do you want to save the current configuration?Enter Yes to save the existing Cisco ISE configuration. The Cisco ISE displays the following message:
Saved the running configuration to startup successfullyExamples
ise/admin# haltise/admin#Related Commands
help
To describe the interactive help system for the Cisco ISE server, use the help command in the EXEC mode.
help
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
All configuration modes.
Usage Guidelines
The help command provides a brief description of the context-sensitive help system.
•
•
•
Examples
ise/admin# helpHelp may be requested at any point in a command by enteringa question mark '?'. If nothing matches, the help list willbe empty and you must backup until entering a '?' shows theavailable options.Two styles of help are provided:1. Full help is available when you are ready to enter acommand argument (e.g. 'show?') and describes each possibleargument.2. Partial help is provided when an abbreviated argument is enteredand you want to know what arguments match the input(e.g. 'show pr?'.)ise/admin#mkdir
To create a new directory on the Cisco ISE server, use the mkdir command in the EXEC mode.
mkdir directory-name [disk:/path]
Syntax Description
mk dir
The command to create directory.
directory-name
The name of the directory to create. Supports up to 80 alphanumeric characters.
disk:/path
Use disk:/path with the directory name.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Use disk:/path with the directory name; otherwise, an error appears that indicates that the disk:/path must be included.
Examples
ise/admin# mkdir disk:/testise/admin# dirDirectory of disk:/4096 May 06 2010 13:34:49 activemq-data/4096 May 06 2010 13:40:59 logs/16384 Mar 01 2010 16:07:27 lost+found/4096 May 06 2010 13:42:53 target/4096 May 07 2010 12:26:04 test/Usage for disk: filesystem181067776 bytes total used19084521472 bytes free20314165248 bytes availableise/admin#Related Commands
nslookup
To look up the hostname of a remote system on the Cisco ISE server, use the nslookup command in the EXEC mode.
nslookup word
Syntax Description
nslookup
The command to search the IP address or hostname of a remote system.
word
IPv4 address or hostname of a remote system. Supports up to 64 alphanumeric characters.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# nslookup 1.2.3.4Trying "4.3.2.1.in-addr.arpa"Received 127 bytes from 171.70.168.183#53 in 1 msTrying "4.3.2.1.in-addr.arpa"Host 4.3.2.1.in-addr.arpa. not found: 3(NXDOMAIN)Received 127 bytes from 171.70.168.183#53 in 1 msise/admin#Example 2
ise/admin# nslookup 209.165.200.225Trying "225.200.165.209.in-addr.arpa";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65283;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0;; QUESTION SECTION:;225.200.165.209.in-addr.arpa. IN PTR;; ANSWER SECTION:225.200.165.209.in-addr.arpa. 86400 IN PTR 209-165-200-225.got.net.;; AUTHORITY SECTION:200.165.209.in-addr.arpa. 86400 IN NS ns1.got.net.200.165.209.in-addr.arpa. 86400 IN NS ns2.got.net.Received 119 bytes from 171.70.168.183#53 in 28 msise/admin#patch install
The patch install command installs a patch bundle of the application only on a specific node where you run the patch install command from the CLI.
Note
To install a patch bundle of the application, use the patch command in the EXEC mode.
patch install patch-bundle repository
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Installs a specific patch bundle of the application.
If you attempt to install a patch that is an older version of the existing patch, then you receive the following error message:
% Patch to be installed is an older version than currently installed version.
Note
Examples
Example 1
ise/admin# patch install ise-patchbundle-1.1.0.362-3.i386.tar.gz myrepositoryDo you want to save the current configuration? (yes/no) [yes]? yesGenerating configuration...Saved the running configuration to startup successfullyInitiating Application Patch installation...Patch successfully installedise/admin#Example 2
ise/admin# patch install ise-patchbundle-1.1.0.362-3.i386.tar.gz myrepositoryDo you want to save the current configuration? (yes/no) [yes]? noInitiating Application Patch installation...Patch successfully installedise/admin#Example 3
ise/admin# patch install ise-patchbundle-1.1.0.362-2.i386.tar.gz diskDo you want to save the current configuration? (yes/no) [yes]? yesGenerating configuration...Saved the running configuration to startup successfullyInitiating Application Patch installation...% Patch to be installed is an older version than currently installed version.ise/admin#Related Commands
patch remove
Note
To remove a specific patch bundle version of the application, use the patch command in the EXEC mode.
patch remove word word
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Removes a specific patch bundle of the application.
If you attempt to remove a patch that is not installed, then you receive the following error message:
% Patch is not installed
Note
Examples
Example 1
ise/admin# patch remove ise 3Continue with application patch uninstall? [y/n] yApplication patch successfully uninstalledise/admin#Example 2
ise/admin# patch remove ise 3Continue with application patch uninstall? [y/n] y% Patch is not installedise/admin#Related Commands
The command that installs a specific patch bundle of the application.
Displays information about the currently loaded software version, along with hardware and device information.
pep
You can use the pep command along with certificate, set, and switch command options in the EXEC mode to perform the following:
•
•
•
•
The following command lines show the pep command scenarios available:
pep certificate {certauthority|server}—manipulates CA and server certificates for an Inline Posture node.
pep set loglevel {0|1|2|3}—sets the Inline Posture node log information.
pep switch {into-pep| outof-pep}—configures the Cisco ISE node into Inline Posture node or Inline Posture role to a Cisco ISE standalone node.
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
You cannot use this pep command in a VMware setup.
Use the pep certificate command options to manipulate CA and server certificates for an Inline Posture node. Any certificate change in the trust store results in an Inline Posture application restart. To view the certificates list in the trust store, use the show pep certificate certauthority command.
Use the pep set command options to log Inline Posture node information.
Use the pep switch command options to configure an ISE secondary node into an ISE Inline Posture node, or configure an ISE Inline Posture node into an ISE standalone node that will be enabled with the administration, monitoring, and policy services role. But, Cisco ISE recommends not to use the pep switch into-pep command to change a registered ISE policy service node into an ISE Inline Posture node. Registering the secondary node as an Inline Posture node from the Cisco ISE Administration node user interface is always recommended, and the conversion takes place automatically. Cisco ISE also recommends not to use the pep switch outof-pep command to change an ISE Inline Posture node back to an ISE standalone node. Deregistering the Inline Posture node from the ISE Administration node user interface is always recommended.
Examples
Example 1
The following command adds a CA certificate to the trust store of an Inline Posture node. The certificate file needs to be present in the local disk repository of the Inline Posture node. Create a local disk repository for copying certificate and server private key files into the Inline Posture node, so that the add command can use those files. Use the copy command to download certificate and key files into the local disk repository.
Use the show pep certificate certauthority command to view the certificates list in the trust store. You can see the CA certificate added to the trust store with its alias name.
Note
ise/admin# pep certificate certauthority addCA Certificate change will result in application restart. Proceed? (y/n):yEnter the name of the certificate to be added (.pem/.crt):ise70ciscocom4f061e00d0afb.pemEnter an alias name for the certificate to be added:ca-1IPEP Application Restartingise/admin#The following command deletes a CA certificate from the trust store of an Inline Posture node. Use the show pep certificate certauthority command to view the certificates list in the trust store. You can see the CA certificate deleted from the trust store.
ise/admin# pep certificate certauthority deleteCA Certificate change will result in application restart. Proceed? (y/n):yEnter the alias name of the certificate to be removed:ca-1IPEP Application Restartingise/admin#Example 2
The following command adds server private key and server certificate (for example, tomcat) to the key store of an Inline Posture node. Use the show pep certificate certauthority command to view the certificates list in the trust store. You can see tomcat added to the trust store. The server certificate details can be seen by using the show pep certificate server command.
ise/admin# pep certificate server addServer Certificate change will result in application restart. Proceed? (y/n):yEnter the server key file name:mykey.pemEnter the server certificate file name:mycert.pemEnter server key pass phrase:IPEP Application Restartingise/admin#The following command deletes a server certificate (tomcat) from the key store of an Inline Posture node. Use the show pep certificate certauthority command to view the certificates list. You can see tomcat deleted from the trust store.ise/admin# pep certificate server deleteServer Certificate change will result in application restart. Proceed? (y/n):yIPEP Application Restartingise/admin#Example 3
ise/admin# pep set loglevel 0ise/admin#The show pep loglevel command displays the loglevel.
ise/admin# show pep loglevelINFOise/admin#Example 4
ise/admin# pep switch into-pepDo you really want to switch into Inline PEP persona? (y/n): ySwitch into IPEP needs restart. Proceed? (y/n): yBroadcast message from root (pts/2) (Thu Jan 19 09:20:57 2012):ise/admin#To check the configuration of the secondary node after reboot, run the show application status ise command and the secondary node now runs the Inline Posture services after reboot.
ise/admin# show application status iseInline PEP click kernel module is loaded.Inline PEP runtime java application is running,PID=25364.ise/admin#Example 5
ise/admin# pep switch outof-pepBroadcast message from root (pts/0) (Wed Oct 13 09:03:10 2010):The system is going down for reboot NOW!ise/admin#To check the configuration of the Inline Posture node after reboot, run the show application status ise command and the node now runs the administration, monitoring and policy service roles as a Standalone node after reboot.
ise/admin# show application status iseISE Database listener is running, PID: 3057ISE Database is running, number of processes: 27ISE Application Server is running, PID: 3357ISE M&T Session Database is running, PID: 2858ISE M&T Log Collector is running, PID: 3378ISE M&T Log Processor is running, PID: 3422ISE M&T Alert Process is running, PID: 3467ise/admin#Related Commands
ping
To diagnose the basic IPv4 network connectivity to a remote system, use the ping command in the EXEC mode.
ping {ip-address | hostname} [df df] [packetsize packetsize] [pingcount pingcount]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
The ping command sends an echo request packet to an address, then awaits a reply. The ping output can help you evaluate path-to-host reliability, delays over the path, and whether you can reach a host.
Examples
ise/admin# ping 172.16.0.1 df 2 packetsize 10 pingcount 2PING 172.16.0.1 (172.16.0.1) 10(38) bytes of data.18 bytes from 172.16.0.1: icmp_seq=0 ttl=40 time=306 ms18 bytes from 172.16.0.1: icmp_seq=1 ttl=40 time=300 ms--- 172.16.0.1 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1001msrtt min/avg/max/mdev = 300.302/303.557/306.812/3.255 ms, pipe 2ise/admin#Related Commands
ping6
Similar to the IPv4 ping, use the IPv6 ping6 command in the EXEC mode.
ping6 {ip-address | hostname} [GigabitEthernet 0-3][packetsize packetsize] [pingcount pingcount]
Syntax Description
Command Default
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
The IPv6 ping6 command sends an echo request packet to an address, then awaits a reply. The ping output can help you evaluate path-to-host reliability, delays over the path, and whether you can reach a host.
The IPv6 ping6 command is similar to the existing IPv4 ping command. The ping 6 command does not support the IPv4 ping fragmentation (df in IPv4) options, but it allows an optional specification of an interface. The interface option is primarily useful for pinning with link-local addresses that are interface-specific. The packetsize and pingcount options work the same as they do with the IPv4 command.
Examples
Example 1
ise/admin# ping6 3ffe:302:11:2:20c:29ff:feaf:da05PING 3ffe:302:11:2:20c:29ff:feaf:da05(3ffe:302:11:2:20c:29ff:feaf:da05) from 3ffe:302:11:2:20c:29ff:feaf:da05 eth0: 56 data bytes64 bytes from 3ffe:302:11:2:20c:29ff:feaf:da05: icmp_seq=0 ttl=64 time=0.599 ms64 bytes from 3ffe:302:11:2:20c:29ff:feaf:da05: icmp_seq=1 ttl=64 time=0.150 ms64 bytes from 3ffe:302:11:2:20c:29ff:feaf:da05: icmp_seq=2 ttl=64 time=0.070 ms64 bytes from 3ffe:302:11:2:20c:29ff:feaf:da05: icmp_seq=3 ttl=64 time=0.065 ms--- 3ffe:302:11:2:20c:29ff:feaf:da05 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3118msrtt min/avg/max/mdev = 0.065/0.221/0.599/0.220 ms, pipe 2ise/admin#Example 2
ise/admin# ping6 3ffe:302:11:2:20c:29ff:feaf:da05 GigabitEthernet 0 packetsize 10 pingcount 2PING 3ffe:302:11:2:20c:29ff:feaf:da05(3ffe:302:11:2:20c:29ff:feaf:da05) from 3ffe:302:11:2:20c:29ff:feaf:da05 eth0: 10 data bytes18 bytes from 3ffe:302:11:2:20c:29ff:feaf:da05: icmp_seq=0 ttl=64 time=0.073 ms18 bytes from 3ffe:302:11:2:20c:29ff:feaf:da05: icmp_seq=1 ttl=64 time=0.073 ms--- 3ffe:302:11:2:20c:29ff:feaf:da05 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1040msrtt min/avg/max/mdev = 0.073/0.073/0.073/0.000 ms, pipe 2ise/admin#Related Commands
reload
To reload the Cisco ISE operating system, use the reload command in the EXEC mode.
reload
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
The reload command reboots the system. Use the reload command after you enter configuration information into a file and save the running-configuration to the persistent startup-configuration on the CLI and save any settings in the web Administration user interface session.
Before you issue the reload command, ensure that the Cisco ISE is not performing any backup, restore, installation, upgrade, or remove operation. If the Cisco ISE performs any of these operations and you issue the reload command, you will notice any of the following warning messages:
WARNING: A backup or restore is currently in progress! Continue with reload?WARNING: An install/upgrade/remove is currently in progress! Continue with reload?If you get any of these warnings, enter Yes to halt the operation, or enter No to cancel the halt.
If no processes are running when you use the reload command or you enter Yes in response to the warning message displayed, the Cisco ISE asks you to respond to the following option:
Do you want to save the current configuration?Enter Yes to save the existing Cisco ISE configuration. The Cisco ISE displays the following message:
Saved the running configuration to startup successfullyExamples
ise/admin# reloadDo you want to save the current configuration? (yes/no) [yes]? yesGenerating configuration...Saved the running configuration to startup successfullyContinue with reboot? [y/n] yBroadcast message from root (pts/0) (Fri Aug 7 13:26:46 2010):The system is going down for reboot NOW!ise/admin#Related Commands
restore
To perform a restore of a previous backup, use the restore command in the EXEC mode. A restore operation restores data related to the Cisco ISE as well as the Cisco ADE OS. To perform a restore of a previous backup of the application data of the Cisco ISE only, add the application command to the restore command in the EXEC mode. To remove this function, use the no form of this command.
Use the following command to restore data related to the Cisco ISE application and Cisco ADE OS:
restore filename repository repository-name encryption-key hash | plain encryption-key name
Use the following command to restore data related only to the Cisco ISE application:
restore filename repository repository-name application application-name encryption-key hash | plain encryption-key name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
When you use restore commands in Cisco ISE, the Cisco ISE server restarts automatically.
The encryption key is optional while restoring data. To support restoring earlier backups where you have not provided encryption keys, you can use the restore command without the encryption key.
Examples
ise/admin# restore mybackup-100818-1502.tar.gpg repository myrepository application ise encryption-key plain Lab12345Restore may require a restart of application services. Continue? (yes/no) [yes] ? yesInitiating restore. Please wait...ISE application restore is in progress.This process could take several minutes. Please wait...Stopping ISE Application Server...Stopping ISE Monitoring & Troubleshooting Log Processor...Stopping ISE Monitoring & Troubleshooting Log Collector...Stopping ISE Monitoring & Troubleshooting Alert Process...Stopping ISE Monitoring & Troubleshooting Session Database...Stopping ISE Database processes...Starting ISE Database processes...Starting ISE Monitoring & Troubleshooting Session Database...Starting ISE Application Server...Starting ISE Monitoring & Troubleshooting Alert Process...Starting ISE Monitoring & Troubleshooting Log Collector...Starting ISE Monitoring & Troubleshooting Log Processor...Note: ISE Processes are initializing. Use 'show application status ise'CLI to verify all processes are in running state.ise/admin#Related Commands
rmdir
To remove an existing directory, use the rmdir command in the EXEC mode.
rmdir word
Syntax Description
rmdir
The command to remove an existing directory.
word
Directory name. Supports up to 80 alphanumeric characters.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# mkdir disk:/testise/admin# dirDirectory of disk:/4096 May 06 2010 13:34:49 activemq-data/4096 May 06 2010 13:40:59 logs/16384 Mar 01 2010 16:07:27 lost+found/4096 May 06 2010 13:42:53 target/4096 May 07 2010 12:26:04 test/Usage for disk: filesystem181067776 bytes total used19084521472 bytes free20314165248 bytes availableise/admin#ise/admin# rmdir disk:/testise/admin# dirDirectory of disk:/4096 May 06 2010 13:34:49 activemq-data/4096 May 06 2010 13:40:59 logs/16384 Mar 01 2010 16:07:27 lost+found/4096 May 06 2010 13:42:53 target/Usage for disk: filesystem181063680 bytes total used19084525568 bytes free20314165248 bytes availableise/admin#Related Commands
show
To show the running system information, use the show command in the EXEC mode. The show commands are used to display the Cisco ISE settings and are among the most useful commands.
The commands in Table A-3 require the show command to be followed by a keyword; for example, show application status. Some show commands require an argument or variable after the keyword to function; for example, show application version.
For detailed information on all the Cisco ISE show commands, see Show Commands.
show keyword
Syntax Description
Table A-3 provides a summary of the show commands.
Table A-3 Summary of show Commands
(requires keyword)2
Displays information about the installed application; for example, status or version.
(requires keyword)
Displays information about the backup.
(requires keyword)
Displays information about the enabled Cisco Discovery Protocol interfaces.
Displays the day, date, time, time zone, and year of the system clock.
Displays CPU information.
Displays file-system information of the disks.
Displays statistics for all the interfaces configured on the Cisco ADE OS.
(requires keyword)
Displays system logging information.
(requires keyword)
Displays login history.
Displays memory usage by all running processes.
Displays the status of the Network Time Protocol (NTP).
Displays all the processes listening on the active ports.
Displays information about the active processes of the Cisco ISE server.
(requires keyword)
Displays the file contents of a specific repository.
(requires keyword)
Displays restore history on the Cisco ISE server.
Displays the contents of the currently running configuration file on the Cisco ISE server.
Displays the contents of the startup configuration on the Cisco ISE server.
Displays system and configuration information that you can provide to the TAC when you report a problem.
Displays information about the terminal configuration parameter settings for the current terminal line.
Displays the time zone of the Cisco ISE server.
Displays all the time zones available for use on the Cisco ISE server.
Displays information about the unique device identifier (UDI) of the Cisco ISE.
Displays how long the system you are logged in to has been up and running.
Displays information for currently logged in users.
Displays information about the installed application version.
1 The commands in this table require that the show command precedes a keyword; for example, show application.
2 Some show commands require an argument or variable after the keyword to function; for example, show application version. This show command displays the version of the application installed on the system (see show application).
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
All show commands require at least one keyword to function.
Examples
ise/admin# show application<name> <Description>ise Cisco Identity Services Engineise/admin#ssh
To start an encrypted session with a remote system, use the ssh command in the EXEC mode.
Note
ssh [ip-address | hostname] username port [number] version [1 | 2] delete hostkey word
Syntax Description
Defaults
Disabled.
Command Modes
EXEC (Admin or Operator)
Usage Guidelines
The ssh command enables a system to make a secure, encrypted connection to another remote system or server. This connection provides functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for secure communication over an insecure network.
Examples
Example 1
ise/admin# ssh ise1 adminadmin@ise1's password:Last login: Wed Jul 11 05:53:20 2008 from ise.cisco.comise1/admin#Example 2
ise/admin# ssh delete host iseise/admin#tech
To dump traffic on a selected network interface, use the tech command in the EXEC mode.
tech dumptcp <0-3> count <package count>
Syntax Description
Defaults
Disabled.
Command Modes
EXEC
Usage Guidelines
If you see bad udp cksum warnings in the tech dumptcp output, it may not be a cause for concern. The tech dumptcp command examines outgoing packets before they exit through the Ethernet microprocessor. Most modern Ethernet chips calculate checksums on outgoing packets, and so the operating system software stack does not. Hence, it is normal to see outgoing packets declared as bad udp cksum.
Examples
ise-201/admin# tech dumptcp 0 count 30Invoking tcpdump. Press Control-C to interrupt.tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes10:27:32.923319 IP (tos 0x10, ttl 64, id 1377, offset 0, flags [DF], proto: TCP (6), length: 92) 10.77.122.201.22 > 10.77.204.132.3142: P 1659025089:1659025141(52) ack 793752673 win 1214410:27:32.923613 IP (tos 0x10, ttl 64, id 1378, offset 0, flags [DF], proto: TCP (6), length: 156) 10.77.122.201.22 > 10.77.204.132.3142: P 52:168(116) ack 1 win 1214410:27:32.940203 IP (tos 0x0, ttl 55, id 12075, offset 0, flags [none], proto: UDP (17), length: 123) 72.163.128.140.53 > 10.77.122.201.43876:13150 NXDomain* q: AAAA? ise-201.cisco.com. 0/1/0 ns: cisco.com. SOA[|domain]10:27:32.952693 IP (tos 0x0, ttl 119, id 52324, offset 0, flags [DF], proto: TCP (6), length: 40) 10.77.204.132.3142 > 10.77.122.201.22: ., cksum 0x4ed3 (correct), 1:1(0) ack 168 win 6419210:27:33.201646 IP (tos 0x0, ttl 64, id 39209, offset 0, flags [DF], proto: UDP (17), length: 63) 10.77.122.201.50340 > 72.163.128.140.53: [bad udp cksum b8a2!] 49140+ AAAA? ise-201.cisco.com. (35)10:27:33.226571 IP (tos 0x0, ttl 55, id 26568, offset 0, flags [none], proto: UDP (17), length: 123) 72.163.128.140.53 > 10.77.122.201.50340:49140 NXDomain* q: AAAA? ise-201.cisco.com. 0/1/0 ns: cisco.com. SOA[|domain]10:27:33.415173 IP (tos 0x0, ttl 64, id 39423, offset 0, flags [DF], proto: UDP (17), length: 63) 10.77.122.201.56578 > 72.163.128.140.53: [bad udp cksum 8854!] 62918+ AAAA? ise-201.cisco.com. (35)10:27:33.453429 IP (tos 0x0, ttl 55, id 12076, offset 0, flags [none], proto: UDP (17), length: 123) 72.163.128.140.53 > 10.77.122.201.56578:62918 NXDomain* q: AAAA? ise-201.cisco.com. 0/1/0 ns: cisco.com. SOA[|domain]10:27:33.579551 arp who-has 10.77.122.120 tell 10.77.122.25010:27:33.741303 IP (tos 0x0, ttl 128, id 21433, offset 0, flags [DF], proto: UDP (17), length: 306) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:1f:13:77:13:34, length: 278, xid:0x1377f72b, flags: [Broadcast] (0x8000)Client Ethernet Address: e4:1f:13:77:13:34 [|bootp]10:27:33.788119 IP (tos 0x0, ttl 64, id 39796, offset 0, flags [DF], proto: UDP (17), length: 63) 10.77.122.201.43779 > 72.163.128.140.53: [bad udp cksum 2ffc!] 32798+ AAAA? ise-201.cisco.com. (35)10:27:33.812961 IP (tos 0x0, ttl 55, id 26569, offset 0, flags [none], proto: UDP (17), length: 123) 72.163.128.140.53 > 10.77.122.201.43779:32798 NXDomain* q: AAAA? ise-201.cisco.com. 0/1/0 ns: cisco.com. SOA[|domain]10:27:34.003769 IP (tos 0x0, ttl 64, id 40011, offset 0, flags [DF], proto: UDP (17), length: 63) 10.77.122.201.23267 > 72.163.128.140.53: [bad udp cksum 2e85!] 18240+ AAAA? ise-201.cisco.com. (35)10:27:34.038636 IP (tos 0x0, ttl 55, id 26570, offset 0, flags [none], proto: UDP (17), length: 123) 72.163.128.140.53 > 10.77.122.201.23267:18240 NXDomain* q: AAAA? ise-201.cisco.com. 0/1/0 ns: cisco.com. SOA[|domain]10:27:34.579054 arp who-has 10.77.122.120 tell 10.77.122.25010:27:34.927369 arp who-has 10.77.122.42 tell 10.77.122.4010:27:35.727151 IP (tos 0x0, ttl 255, id 64860, offset 0, flags [none], proto: UDP (17), length: 317) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:df:1e:58:0f:c0, length: 289, xid:0x161504, flags: [Broadcast] (0x8000)Client Ethernet Address: 3c:df:1e:58:0f:c0 [|bootp]10:27:36.190658 CDPv2, ttl: 180s, checksum: 692 (unverified), length 384Device-ID (0x01), length: 12 bytes: 'hyd04-lab-SW'[|cdp]30 packets captured30 packets received by filter0 packets dropped by kernelise-201/admin#telnet
To log in to a host that supports Telnet, use the telnet command in Operator (user) or EXEC mode.
telnet [ip-address | hostname] port number
Syntax Description
Defaults
No default behavior or values.
Command Modes
Operator
EXEC
Usage Guidelines
None.
Examples
ise/admin# telnet 172.16.0.11 port 23ise.cisco.com login: adminpassword:Last login: Mon Jul 2 08:45:24 on ttyS0ise/admin#terminal length
To set the number of lines on the current terminal screen for the current session, use the terminal length command in the EXEC mode.
terminal length integer
Syntax Description
Defaults
24 lines
Command Modes
EXEC
Usage Guidelines
The system uses the length value to determine when to pause during multiple-screen output.
Examples
ise/admin# terminal length 0ise/admin#terminal session-timeout
To set the inactivity timeout for all sessions, use the terminal session-timeout command in the EXEC mode.
terminal session-timeout minutes
Syntax Description
Defaults
30 minutes
Command Modes
EXEC
Usage Guidelines
Setting the terminal session-timeout command to zero (0) results in no timeout being set.
Examples
ise/admin# terminal session-timeout 40ise/admin#Related Commands
terminal session-welcome
To set a welcome message on the system for all users who log in to the system, use the terminal session-welcome command in EXEC mode.
terminal session-welcome string
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Specify a message using up to 2,048 characters.
Examples
ise/admin# terminal session-welcome Welcomeise/admin#Related Commands
terminal terminal-type
To specify the type of terminal connected to the current line for the current session, use the terminal terminal-type command in EXEC mode.
terminal terminal-type type
Syntax Description
Defaults
VT100
Command Modes
EXEC
Usage Guidelines
Indicate the terminal type if it is different from the default of VT100.
Examples
ise/admin# terminal terminal-type vt220ise/admin#traceroute
To discover the routes that packets take when traveling to their destination address, use the traceroute command in EXEC mode.
traceroute [ip-address | hostname]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# traceroute 172.16.0.11traceroute to 172.16.0.11 (172.16.0.11), 30 hops max, 38 byte packets1 172.16.0.11 0.067 ms 0.036 ms 0.032 msise/admin#undebug
To disable debugging functions, use the undebug command in EXEC mode.
undebug {all | application | backup-restore | cdp | config | copy | icmp | locks | logging | snmp | system | transfer | user | utils}
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# undebug allise/admin#Related Commands
write
To copy, display, or erase Cisco ISE server configurations, use the write command with the appropriate argument in the EXEC mode.
write {erase | memory | terminal}
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Using this write command with the erase option is disabled in Cisco ISE.
If you use the write command with the erase option, Cisco ISE displays the following error message:
% Warning: 'write erase' functionality has been disabled by application: iseExamples
Example 1
ise/admin# write memoryGenerating configuration...ise/admin#Example 2
ise/admin# write terminalGenerating configuration...!hostname ise!ip domain-name cisco.com!interface GigabitEthernet 0ip address 10.201.2.121 255.255.255.0ipv6 address autoconfig!interface GigabitEthernet 1shutdown!interface GigabitEthernet 2shutdown!interface GigabitEthernet 3shutdown!ip name-server 171.68.226.120!ip default-gateway 10.201.2.1!clock timezone UTC!ntp server clock.cisco.com!username admin password hash $1$6yQQaFXM$UBgbp7ggD1bG3kpExywwZ0 role admin!service sshd!repository myrepositoryurl disk:user admin password hash 2b50ca94445f240f491e077b5f49fa0375942f38!password-policylower-case-requiredupper-case-requireddigit-requiredno-usernamedisable-cisco-passwordsmin-password-length 6!logging localhostlogging loglevel 6!cdp timer 60cdp holdtime 180cdp run GigabitEthernet 0!icmp echo on!ise/admin#Show Commands
This section lists each show command and includes a brief description of its use, command syntax, usage guidelines, and sample output.
Table A-4 lists the show commands in the EXEC mode that this section describes.
show application
To show application information of the installed application packages on the system, use the show application command in the EXEC mode.
show application [status | version [app_name]]
Syntax Description
show application
The command to display the Cisco ISE application information.
status
Displays the status of the installed application.
version
Displays the application version for an installed application—the Cisco ISE.
app_name
Name of the installed application.
|
Output modifier variables:
•
•
|—Output modifier variables (see Table A-5).
•
•
•
•
|—Output modifier variables (see Table A-5).
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# show application<name> <Description>ise Cisco Identity Services EngineRootPatch Cisco ADE Root Patchise/admin#Example 2
ise/admin# show application version iseCisco Identity Services Engine---------------------------------------------Version : 1.0.2.051Build Date : Mon Aug 2 00:34:25 2010Install Date : Thu Aug 5 17:48:49 2010ise/admin#Example 3
ise/admin# show application status iseISE Database listener is running, PID: 21096ISE Database is running, number of processes: 27ISE Application Server is running, PID: 21432ISE M&T Session Database is running, PID: 21365ISE M&T Log Collector is running, PID: 21468ISE M&T Log Processor is running, PID: 21494ISE M&T Alert Process is running, PID: 21524ise/admin#Related Commands
show backup history
To display the backup history of the system, use the show backup history command in the EXEC mode.
show backup history
Syntax Description
show backup
The command to display the Cisco ISE backup information.
history
Displays history information about any backups on the system.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# show backup historyWed Aug 18 12:55:21 UTC 2010: backup logs logs-0718.tar.gz to repository fileserver007: successWed Aug 18 12:55:53 UTC 2010: backup full-0718.tar.gpg to repository fileserver007: successise/admin#Example 2
ise/admin# show backup historybackup history is emptyise/admin#Related Commands
show cdp
To display information about the enabled Cisco Discovery Protocol interfaces, use the show cdp command in the EXEC mode.
show cdp {all | neighbors}
Syntax Description
show cdp
The command to display Cisco Discovery Protocol show commands.
all
Shows all the enabled Cisco Discovery Protocol interfaces.
neighbors
Shows the Cisco Discovery Protocol neighbors.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# show cdp allCDP protocol is enabled...broadcasting interval is every 60 seconds.time-to-live of cdp packets is 180 seconds.CDP is enabled on port GigabitEthernet0.ise/admin#Example 2
ise/admin# show cdp neighborsCDP Neighbor: 000c297840e5Local Interface : GigabitEthernet0Device Type : ISE-1141VM-K9Port : eth0Address : 172.23.90.114CDP Neighbor: isexp-esw5Local Interface : GigabitEthernet0Device Type : cisco WS-C3560E-24TDPort : GigabitEthernet0/5Address : 172.23.90.45CDP Neighbor: 000c29e29926Local Interface : GigabitEthernet0Device Type : ISE-1141VM-K9Port : eth0Address : 172.23.90.115CDP Neighbor: 000c290fba98Local Interface : GigabitEthernet0Device Type : ISE-1141VM-K9Port : eth0Address : 172.23.90.111ise/admin#Related Commands
show clock
To display the day, month, date, time, time zone, and year of the system software clock, use the show clock command in the EXEC mode.
show clock
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show clockFri Aug 6 10:46:39 UTC 2010ise/admin#
Note
Related Commands
show cpu
To display CPU information, use the show cpu command in the EXEC mode.
show cpu [statistics] [|] [|]
Syntax Description
show cpu
The command to display CPU information.
statistics
Displays CPU statistics.
|
Output modifier variables:
•
•
|—Output modifier variables (see Table A-6).
•
•
•
•
|—Output modifier variables (see Table A-6).
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# show cpuprocessor: 0model : Intel(R) Xeon(R) CPU E5320 @ 1.86GHzspeed(MHz): 1861.914cache size: 4096 KBise/admin#Example 2
ise/admin# show cpu statisticsuser time: 265175kernel time: 166835idle time: 5356204i/o wait time: 162676irq time: 4055ise/admin#Related Commands
Displays the system information of all disks.
Displays the amount of system memory that each system process uses.
show disks
To display the disks file-system information, use the show disks command in the EXEC mode.
show disks [|] [|]
Syntax Description
show disks
The command to display the disks and the file-system information
|
Output modifier variables:
•
•
|—Output modifier variables (see Table A-7).
•
•
•
•
|—Output modifier variables (see Table A-7).
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Only platforms that have a disk file system support the show disks command.
Examples
ise/admin# show diskstemp. space 2% used (17828 of 988116)disk: 3% used (143280 of 5944440)Internal filesystems:all internal filesystems have sufficient free spaceise/admin#Related Commands
Displays CPU information.
Displays the amount of system memory that each system process uses.
show icmp-status
To display the Internet Control Message Protocol echo response configuration information, use the show icmp_status command in EXEC mode.
show icmp_status {> file | |}
Syntax Description
show icmp_status
The command to display the Internet Control Message Protocol echo response configuration information.
>
Output direction.
file
Name of file to redirect standard output (stdout).
|
Output modifier commands:
•
•
–
•
•
•
•
–
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# show icmp_statusicmp echo response is turned onise/admin#Example 2
ise/admin# show icmp_statusicmp echo response is turned offise/admin#Related Commands
show interface
To display the usability status of interfaces configured for IP, use the show interface command in the EXEC mode.
show interface [GigabitEthernet] |
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
In the show interface GigabitEthernet 0 output, you can find that the interface has three IPv6 addresses. The first internet address (starting with 3ffe) is the result of using stateless autoconfiguration. For this to work, you need to have IPv6 route advertisement enabled on that subnet. The next address (starting with fe80) is a link local address that does not have any scope outside the host. You always see a link local address regardless of the IPv6 autoconfiguration or DHCPv6 configuration. The last address (starting with 2001) is the result obtained from a IPv6 DHCP server.
Examples
Example 1
ise/admin# show interfaceeth0 Link encap:Ethernet HWaddr 00:0C:29:6A:88:C4inet addr:172.23.90.113 Bcast:172.23.90.255 Mask:255.255.255.0inet6 addr: fe80::20c:29ff:fe6a:88c4/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:48536 errors:0 dropped:0 overruns:0 frame:0TX packets:14152 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:6507290 (6.2 MiB) TX bytes:12443568 (11.8 MiB)Interrupt:59 Base address:0x2000lo Link encap:Local Loopbackinet addr:127.0.0.1 Mask:255.0.0.0inet6 addr: ::1/128 Scope:HostUP LOOPBACK RUNNING MTU:16436 Metric:1RX packets:1195025 errors:0 dropped:0 overruns:0 frame:0TX packets:1195025 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0RX bytes:649425800 (619.3 MiB) TX bytes:649425800 (619.3 MiB)sit0 Link encap:IPv6-in-IPv4NOARP MTU:1480 Metric:1RX packets:0 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)ise/admin#Example 2
ise/admin# show interface GigabitEthernet 0eth0 Link encap:Ethernet HWaddr 00:0C:29:AF:DA:05inet addr:172.23.90.116 Bcast:172.23.90.255 Mask:255.255.255.0inet6 addr: 3ffe:302:11:2:20c:29ff:feaf:da05/64 Scope:Globalinet6 addr: fe80::20c:29ff:feaf:da05/64 Scope:Linkinet6 addr: 2001:558:ff10:870:8000:29ff:fe36:200/64 Scope:GlobalUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:77848 errors:0 dropped:0 overruns:0 frame:0TX packets:23131 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:10699801 (10.2 MiB) TX bytes:3448374 (3.2 MiB)Interrupt:59 Base address:0x2000ise/admin#Related Commands
Configures an interface type and enters the interface configuration submode.
Enables IPv6 stateless autoconfiguration on an interface.
Enables IPv6 address DHCP on an interface.
show inventory
To display information about the hardware inventory, including the Cisco ISE appliance model and serial number, use the show inventory command in the EXEC mode.
show inventory |
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show inventoryNAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"PID: ISE-VM-K9 , VID: V01 , SN: H8JESGOFHGGTotal RAM Memory: 1035164 kBCPU Core Count: 1CPU 0: Model Info: Intel(R) Xeon(R) CPU E5320 @ 1.86GHzHard Disk Count(*): 1Disk 0: Device Name: /dev/sdaDisk 0: Capacity: 64.40 GBDisk 0: Geometry: 255 heads 63 sectors/track 7832 cylindersNIC Count: 1NIC 0: Device Name: eth0NIC 0: HW Address: 00:0C:29:6A:88:C4NIC 0: Driver Descr: eth0: registered as PCnet/PCI II 79C970A(*) Hard Disk Count may be Logical.ise/admin#show logging
To display the state of system logging (syslog) and the contents of the standard system logging buffer, use the show logging command in the EXEC mode.
show logging {application [application-name]} {internal} {system} |
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
This command displays the state of syslog error and event logging, including host addresses, and for which, logging destinations (console, monitor, buffer, or host) logging is enabled.
Examples
Example 1
ise/admin# show logging systemADEOS Platform log:-----------------Aug 5 10:44:32 localhost debugd[1943]: [16618]: config:network: main.c[252] [setup]: Setup is completeAug 5 10:45:02 localhost debugd[1943]: [17291]: application:install cars_install.c[242] [setup]: Install initiated with bundle - ise.tar.gz,repo - SystemDefaultPkgReposAug 5 10:45:02 localhost debugd[1943]: [17291]: application:install cars_install.c[256] [setup]: Stage area - /storeddata/Installing/.1281030302Aug 5 10:45:02 localhost debugd[1943]: [17291]: application:install cars_install.c[260] [setup]: Getting bundle to local machineAug 5 10:45:03 localhost debugd[1943]: [17291]: transfer: cars_xfer.c[58] [setup]: local copy in of ise.tar.gz requestedAug 5 10:45:46 localhost debugd[1943]: [17291]: application:install cars_install.c[269] [setup]: Got bundle at - /storeddata/Installing/.1281030302/ise.tar.gzAug 5 10:45:46 localhost debugd[1943]: [17291]: application:install cars_install.c[279] [setup]: Unbundling package ise.tar.gzAug 5 10:47:06 localhost debugd[1943]: [17291]: application:install cars_install.c[291] [setup]: Unbundling done. Verifying input parameters...Aug 5 10:47:06 localhost debugd[1943]: [17291]: application:install cars_install.c[313] [setup]: Manifest file is at - /storeddata/Installing/.1281030302/manifest.xmlAug 5 10:47:07 localhost debugd[1943]: [17291]: application:install cars_install.c[323] [setup]: Manifest file appname - iseAug 5 10:47:09 localhost debugd[1943]: [17291]: application:install cars_install.c[386] [setup]: Manifest file pkgtype - CARSAug 5 10:47:09 localhost debugd[1943]: [17291]: application:install cars_install.c[398] [setup]: Verify dependency list -Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install cars_install.c[410] [setup]: Verify app license -Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install cars_install.c[420] [setup]: Verify app RPM'sAug 5 10:47:09 localhost debugd[1943]: [17291]: application:install cars_install.c[428] [setup]: No of RPM's - 9Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install cars_install.c[439] [setup]: Disk - 50Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install ci_util.c[325] [setup]: Disk requested = 51200 KBAug 5 10:47:09 localhost debugd[1943]: [17291]: application:install ci_util.c[345] [setup]: More disk found Free = 40550400, req_disk = 51200Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install cars_install.c[450] [setup]: Mem requested by app - 100Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install ci_util.c[369] [setup]: Mem requested = 102400Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install ci_util.c[384] [setup]: Found MemFree = MemFree: 13028 kBAug 5 10:47:09 localhost debugd[1943]: [17291]: application:install ci_util.c[390] [setup]: Found MemFree value = 13028Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install ci_util.c[393] [setup]: Found Inactive = Inactive: 948148 kBAug 5 10:47:09 localhost debugd[1943]: [17291]: application:install ci_util.c[399] [setup]: Found Inactive MemFree value = 948148Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install ci_util.c[409] [setup]: Sufficient mem foundAug 5 10:47:09 localhost debugd[1943]: [17291]: application:install ci_util.c[415] [setup]: Done checking memory...Aug 5 10:47:09 localhost debugd[1943]: [17291]: application:install cars_install.c[461] [setup]: Verifying RPM's...--More--(press Spacebar to continue)ise/admin#
Example 2
ise/admin# show logging internallog server: localhostGlobal loglevel: 6Status: Enabledise/admin#Example 3
ise/admin# show logging internallog server: localhostGlobal loglevel: 6Status: Disabledise/admin#show logins
To display the state of system logins, use the show logins command in the EXEC mode.
show logins cli
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
Requires the cli keyword; otherwise, an error occurs.
Examples
ise/admin# show logins cliadmin pts/0 10.77.137.60 Fri Aug 6 09:45 still logged inadmin pts/0 10.77.137.60 Fri Aug 6 08:56 - 09:30 (00:33)admin pts/0 10.77.137.60 Fri Aug 6 07:17 - 08:43 (01:26)reboot system boot 2.6.18-164.el5PA Thu Aug 5 18:17 (17:49)admin tty1 Thu Aug 5 18:15 - down (00:00)reboot system boot 2.6.18-164.el5PA Thu Aug 5 18:09 (00:06)setup tty1 Thu Aug 5 17:43 - 18:07 (00:24)reboot system boot 2.6.18-164.el5PA Thu Aug 5 16:05 (02:02)wtmp begins Thu Aug 5 16:05:36 2010ise/admin#show memory
To display the memory usage of all the running processes, use the show memory command in the EXEC mode.
show memory
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show memorytotal memory: 1035164 kBfree memory: 27128 kBcached: 358888 kBswap-cached: 142164 kBise/admin#show ntp
To show the status of the NTP associations, use the show ntp command in the EXEC mode.
show ntp
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example:1ise/admin# show ntp
Primary NTP : ntp.esl.cisco.com
Secondary NTP : 171.68.10.150
Tertiary NTP : 171.68.10.80
synchronised to local net at stratum 11
time correct to within 11 ms
polling server every 128 s
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 10 l 9 64 377 0.000 0.000 0.001
171.68.10.80 .RMOT. 16 u 11 64 0 0.000 0.000 0.000
171.68.10.150 .INIT. 16 u 11 64 0 0.000 0.000 0.000
Warning: Output results may conflict during periods of changing synchronization.
ise/admin#
Example:2ise/admin# show ntp% no NTP servers configuredise/admin#Related Commands
Allows you to configure NTP configuration up to three NTP servers.
Allows synchronization of the software clock by the NTP server for the system.
show pep
To show the Inline Posture node information, use the show pep command in the EXEC mode.
show pep [certificate {certauthority} {server}] [deploymentmode] [log] [Loglevel] [status] [summary] [table {accesslist(normal | raw)} {arp} {ipfilters} {macfilters} {managedsubnets} {radius} {route} {session} {vlan}]
Syntax Description
show pep
The command to display Inline Posture node information.
certificate
Displays certificate stores.
certauthority
Lists Inline Posture node CA certificates in the trust store.
server
Displays Inline Posture node in its own server certificate.
deploymentmode
Displays Inline Posture node Deployment Mode.
log
Displays Inline Posture node Logfile.
Loglevel
Displays Inline Posture node loglevel.
status
Displays Inline Posture node Status.
highavailability
Displays Inline Posture node High Availability Status.
summary
Displays Inline Posture node Summary.
table
Displays Inline Posture node Tables.
accesslist
Displays Inline Posture node Downloadable Access Control Lists (dACLs).
normal
Displays Inline Posture node Downloadable ACLs in normal format.
raw
Displays Inline Posture node Downloadable ACLs in raw format.
arp
Displays Inline Posture node ARP Table.
ipfilters
Displays Inline Posture node IP Filters.
macfilters
Displays Inline Posture node MAC Filters.
managedsubnets
Displays Inline Posture node Managed Subnets.
radius
Displays Inline Posture node Radius Configuration.
route
Displays Inline Posture node Routing Table.
session
Displays Inline Posture node Session Table.
vlan
Displays Inline Posture node VLANs.
>
Output direction.
file
Name of file to redirect standard output (stdout).
|
Output modifier variables:
•
•
|—Output modifier variables (see Table A-9).
•
•
•
•
|—Output modifier variables (see Table A-9).
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# show pep certificate certauthorityCertificate Nickname Trust AttributesSSL,S/MIME,JAR/XPIcise.cisco.com.pem CT,C,Cca-2 CT,C,Cwww.cisco.com.pem CT,C,Cwww.perfigo.com.pem CT,C,Ctomcat u,u,uise/admin#Example 2
ise/admin# show pep certificate serverCertificate:Data:Version: 3 (0x2)Serial Number:00:8f:fd:cf:8f:fd:b7:55:c7Signature Algorithm: PKCS #1 SHA-1 With RSA EncryptionIssuer: "E=192.30.30.71@email.com,CN=192.30.30.71,OU=snsbu,O=cisco,L=san jose,ST=ca,C=us"Validity:Not Before: Thu Jan 19 01:35:53 2012Not After : Fri Jan 18 01:35:53 2013Subject: "E=192.30.30.71@email.com,CN=192.30.30.71,OU=snsbu,O=cisco,L=san jose,ST=ca,C=us"Subject Public Key Info:Public Key Algorithm: PKCS #1 RSA EncryptionRSA Public Key:Modulus:dd:f1:79:b6:2b:2f:66:92:e9:0d:9a:06:1e:53:a4:19:38:e0:08:4d:28:83:24:a6:98:99:39:cb:28:d8:9c:e1:30:7c:90:a6:ac:e0:e6:d2:75:78:5b:a0:10:a0:fb:dd:68:73:04:1d:a6:9e:31:5c:25:d4:bf:b1:8e:8c:a0:79:b4:1e:8e:67:07:8d:5d:2a:e7:72:4d:08:88:93:6c:a9:35:4f:df:97:6c:8e:f2:2c:d5:a1:84:b5:5b:ca:00:ed:1d:cd:09:8a:18:14:b9:21:df:f6:15:1a:05:77:ea:fc:20:b8:c3:c1:ca:bc:a8:33:b3:2c:55:70:41:28:3d:6dExponent: 65537 (0x10001)Signed Extensions:Name: Certificate Subject Key IDData:50:75:2b:4c:72:54:0c:03:ee:ed:e7:e0:44:f0:71:28:10:ab:3f:efName: Certificate Authority Key IdentifierKey ID:50:75:2b:4c:72:54:0c:03:ee:ed:e7:e0:44:f0:71:28:10:ab:3f:efIssuer:Directory Name: "E=192.30.30.71@email.com,CN=192.30.30.71,OU=snsbu,O=cisco,L=san jose,ST=ca,C=us"Serial Number:00:8f:fd:cf:8f:fd:b7:55:c7Name: Certificate Basic ConstraintsData: Is a CA with no maximum path length.Signature Algorithm: PKCS #1 SHA-1 With RSA EncryptionSignature:2a:c9:c1:50:fb:2a:9a:ff:65:42:1a:bb:9e:f1:6b:6f:92:e4:bb:1f:64:4c:1c:f8:e9:75:3c:de:1e:9b:0a:df:76:96:d2:33:9b:06:cd:88:9b:f7:f3:e7:06:e5:cc:94:21:8e:70:9f:b1:5a:cf:19:35:2d:a0:9b:a7:ba:bc:ee:c0:34:4d:ee:f7:2f:4e:96:d3:39:c9:0d:48:26:ed:1a:63:51:fa:31:1a:c4:12:76:46:2d:57:28:8e:72:ff:e7:c2:7c:85:87:5d:c6:68:e4:d0:e9:b6:ad:e0:d1:0d:a2:23:88:9a:73:39:59:20:ce:7c:fb:61:8d:96:e2:bd:87Fingerprint (MD5):05:19:7D:45:3F:A7:42:9A:69:B5:F0:5A:A6:60:39:6CFingerprint (SHA1):A0:91:6E:57:81:BA:29:AF:55:DE:58:64:A2:BD:6A:00:2A:56:33:D5Certificate Trust Flags:SSL Flags:UserEmail Flags:UserObject Signing Flags:Userise/admin#Example 3
ise/admin# show pep deploymentmodeBridgeise/admin#Example 4
ise/admin# show pep logIPEP Logs:Fri Oct 8 13:24:50 UTC 2010ipep setloglevel 0Mon Oct 11 12:40:00 UTC 2010ipep setloglevel 0Mon Oct 11 12:41:24 UTC 2010ipep switch-into-ipepMon Oct 11 12:44:20 UTC 2010ipep start=======================ipep runtime start: Mon Oct 11 12:44:33 UTC 2010Flushing firewall rules: [ OK ]Setting chains to policy ACCEPT: filter [ OK ]Unloading iptables modules: [ OK ]12:44:39 main INFO Controller - Starting services...12:44:39 main INFO Controller - Starting System Service...=================Mon Oct 11 12:44:40 UTC 2010ipepconfig ha-config standalone=================Mon Oct 11 12:44:40 UTC 2010ipep sysrestart12:44:56 main INFO Controller - System Service started12:44:56 main INFO Controller - Starting Radius Service...rpm: /opt/CSCOcpm/prrt/lib/libnss3.so: version `NSS_3.10' not found (required by /usr/lib/librpmio-4.4.so)Adding URL: file:/opt/CSCOcpm/prrt//lib/rtpolicy.jarAdding URL: file:/opt/CSCOcpm/prrt//lib/prrt-flowapi.jarAdding URL: file:/opt/CSCOcpm/prrt//lib/rteventhandlers.jarAdding URL: file:/opt/CSCOcpm/prrt//lib/rtidstores.jarAdding URL: file:/opt/CSCOcpm/prrt//lib/prrt-interface.jarAdding URL: file:/opt/CSCOcpm/prrt//lib/Loading com.cisco.cpm.prrt.policy.PolicyEngineIllegalAccessException: The class 'com.cisco.cpm.prrt.policy.PolicyEngine' wasn't loaded by the EventHandlerClassLoader but by sun.misc.Launc--More--ise/admin#Example 5
ise/admin# show pep loglevelINFOise/admin#Example 6
ise/admin# show pep statusInline PEP click kernel module is loaded.Inline PEP runtime java application is running,PID=3208.ise/admin#Example 7
ise/admin# show pep status highavailabilityHA Status:System configured for standalone operation.ise/admin#Example 8
ise/admin# show pep table accesslist ?normal Display PEP Downloadable ACL (dACLs) in normal formatraw Display PEP Downloadable ACL (dACLs) in raw formatise/admin# show pep table accesslist normal#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4f0d890d:permit ip any any#ACSACL#-IP-PRE-POSTURE-iPEP-4f0f75e5:deny tcp any any eq 80deny tcp any any eq 443permit ip any host 10.35.48.241permit ip any host 10.35.48.242permit udp any any eq 53ise/admin#Example 9
ise/admin# show pep table accesslist rawCurrent Downloaded ACLs300 all10 tcp and (dst port 80)0 tcp and (dst port 443)1 (dst host 10.35.48.241)1 (dst host 10.35.48.242)1 udp and (dst port 53)0 all21 all0 allACLs in Queue30empty1empty2emptyise/admin#Example 9
ise/admin# show pep table arpUntrusted Side ARP Table:ip ok mac vtag vtci login svtagsvtci subnet mask idle(secs)10.203.108.37 1 00:25:9C:A3:7D:4F 1 32 1 00 0.0.0.0 0.0.0.0 0ise/admin#Related Commands
show ports
To display information about all the processes listening on active ports, use the show ports command in the EXEC mode.
show ports [|] [|]
Syntax Description
show ports
The command to display all the processes listening on open ports in the Cisco ISE.
|
Output modifier variables:
•
•
|—Output modifier variables (see Table A-10).
•
•
•
•
|—Output modifier variables (see Table A-10).
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
When you run the show ports command, the port must have an associated active session.
Examples
ise/admin# show portsProcess : timestensubd (21372)tcp: 127.0.0.1:11298Process : timestenorad (21609)tcp: 127.0.0.1:51715udp: ::1:28314, ::1:59055, ::1:45113, ::1:49082, ::1:64737, ::1:62570, ::1:19577, ::1:29821Process : ttcserver (21382)tcp: 127.0.0.1:16612, 0.0.0.0:53385Process : timestenrepd (21579)tcp: 127.0.0.1:62504, 0.0.0.0:18047udp: ::1:51436Process : timestend (21365)tcp: 0.0.0.0:53384Process : rpc.statd (2387)tcp: 0.0.0.0:873udp: 0.0.0.0:867, 0.0.0.0:870Process : timestensubd (21373)tcp: 127.0.0.1:43407Process : portmap (2350)tcp: 0.0.0.0:111udp: 0.0.0.0:111Process : Decap_main (21468)tcp: 0.0.0.0:2000udp: 0.0.0.0:9993Process : timestensubd (21369)tcp: 127.0.0.1:37648Process : timestensubd (21374)tcp: 127.0.0.1:64211Process : sshd (2734)tcp: 172.23.90.113:22Process : java (21432)tcp: 127.0.0.1:8888, :::2080, :::2020, ::ffff:127.0.0.1:8005, :::8009, :::8905, :::8010, :::2090, :::1099, :::9999, :::61616, :::8080, :::80, :::60628, :::8443, :::443udp: 0.0.0.0:1812, 0.0.0.0:1813, 0.0.0.0:1700, 0.0.0.0:10414, 0.0.0.0:3799, 0.0.0.0:1645, 0.0.0.0:1646, :::8905, :::8906Process : monit (21531)tcp: 127.0.0.1:2812Process : java (21524)tcp: :::62627Process : java (21494)tcp: ::ffff:127.0.0.1:20515udp: 0.0.0.0:20514Process : tnslsnr (21096)tcp: :::1521Process : ora_d000_ise1 (21222)tcp: :::26456udp: ::1:63198Process : ntpd (2715)udp: 172.23.90.113:123, 127.0.0.1:123, 0.0.0.0:123, ::1:123, fe80::20c:29ff:fe6a:123, :::123Process : ora_pmon_ise1 (21190)udp: ::1:51994Process : ora_mmon_ise1 (21218)udp: :::38941Process : ora_s000_ise1 (21224)udp: ::1:49864ise/admin#show process
To display information about active processes, use the show process command in the EXEC mode.
show process |
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
See Table A-11 for process field descriptions.
ise/admin# show processUSER PID TIME TT COMMAND
root 1 00:00:02 ? init
root 2 00:00:00 ? migration/0
root 3 00:00:00 ? ksoftirqd/0
root 4 00:00:00 ? watchdog/0
root 5 00:00:00 ? events/0
root 6 00:00:00 ? khelper
root 7 00:00:00 ? kthread
root 10 00:00:01 ? kblockd/0
root 11 00:00:00 ? kacpid
root 170 00:00:00 ? cqueue/0
root 173 00:00:00 ? khubd
root 175 00:00:00 ? kseriod
root 239 00:00:32 ? kswapd0
root 240 00:00:00 ? aio/0
root 458 00:00:00 ? kpsmoused
root 488 00:00:00 ? mpt_poll_0
root 489 00:00:00 ? scsi_eh_0
root 492 00:00:00 ? ata/0
root 493 00:00:00 ? ata_aux
root 500 00:00:00 ? kstriped
root 509 00:00:07 ? kjournald
root 536 00:00:00 ? kauditd
root 569 00:00:00 ? udevd
root 1663 00:00:00 ? kmpathd/0
root 1664 00:00:00 ? kmpath_handlerd
root 1691 00:00:00 ? kjournald
root 1693 00:00:00 ? kjournald
root 1695 00:00:00 ? kjournald
root 1697 00:00:00 ? kjournald
root 2284 00:00:00 ? auditd
root 2286 00:00:00 ? audispd
root 2318 00:00:10 ? debugd
rpc 2350 00:00:00 ? portmap
root 2381 00:00:00 ? rpciod/0
--More--
ise/admin#
show repository
To display the file contents of the repository, use the show repository command in the EXEC mode.
show repository repository-name
Syntax Description
show repository
The command to display the repository contents.
repository-name
Name of the repository whose contents you want to view. Supports up to 30 alphanumeric characters.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show repository myrepositoryback1.tar.gpgback2.tar.gpgise/admin#Related Commands
show restore
To display the restore history, use the show restore command in the EXEC mode.
show restore {history}
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# show restore historyise/admin#Example 2
ise/admin# show restore historyrestore history is emptyise/admin#Related Commands
show running-config
To display the contents of the currently running configuration file or the configuration, use the show running-config command in the EXEC mode.
show running-config
Syntax Description
No arguments or keywords.
Defaults
The show running-config command displays all of the configuration information.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show running-configGenerating configuration...!hostname ise!ip domain-name cisco.com!interface GigabitEthernet 0ip address 172.23.90.113 255.255.255.0ipv6 address autoconfig!ip name-server 171.70.168.183!ip default-gateway 172.23.90.1!clock timezone UTC!ntp server time.nist.gov!username admin password hash $1$JbbHvKVG$xMZ/XL4tH15Knf.FfcZZr. role admin!service sshd!password-policylower-case-requiredupper-case-requireddigit-requiredno-usernamedisable-cisco-passwordsmin-password-length 6!logging localhostlogging loglevel 6!cdp timer 60cdp holdtime 180cdp run GigabitEthernet 0!icmp echo on!ise/admin#Related Commands
Enters the Configuration mode.
Displays the contents of the startup configuration file or the configuration.
show startup-config
To display the contents of the startup configuration file or the configuration, use the show startup-config command in the EXEC mode.
show startup-config
Syntax Description
No arguments or keywords.
Defaults
The show startup-config command displays all of the startup configuration information.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show startup-config!hostname ise!ip domain-name cisco.com!interface GigabitEthernet 0ip address 172.23.90.113 255.255.255.0ipv6 address autoconfig!ip name-server 171.70.168.183!ip default-gateway 172.23.90.1!clock timezone UTC!ntp server time.nist.gov!username admin password hash $1$JbbHvKVG$xMZ/XL4tH15Knf.FfcZZr. role admin!service sshd!password-policylower-case-requiredupper-case-requireddigit-requiredno-usernamedisable-cisco-passwordsmin-password-length 6!logging localhostlogging loglevel 6!cdp timer 60cdp holdtime 180cdp run GigabitEthernet 0!icmp echo on!ise/admin#Related Commands
Enters the Configuration mode.
Displays the contents of the currently running configuration file or the configuration.
show tech-support
To display technical support information, including email, use the show tech-support command in the EXEC mode.
show tech-support file [word]
Syntax Description
Defaults
Passwords and other security information do not appear in the output.
Command Modes
EXEC
Usage Guidelines
The show tech-support command is useful for collecting a large amount of information about your Cisco ISE server for troubleshooting purposes. You can then provide output to technical support representatives when reporting a problem.
Examples
ise/admin# show tech-support###################################################Application Deployment Engine(ADE) - 2.0.0.568Technical Support Debug Info follows...###################################################*****************************************Checking dmidecode Serial Number(s)*****************************************NoneVMware-56 4d 14 cb 54 3d 44 5d-49 ee c4 ad a5 6a 88 c4*****************************************Displaying System Uptime...*****************************************12:54:34 up 18:37, 1 user, load average: 0.14, 0.13, 0.12*****************************************Display Memory Usage(KB)*****************************************total used free shared buffers cachedMem: 1035164 1006180 28984 0 10784 345464-/+ buffers/cache: 649932 385232Swap: 2040244 572700 1467544*****************************************Displaying Processes(ax --forest)...*****************************************PID TTY STAT TIME COMMAND1 ? Ss 0:02 init [3]2 ? S< 0:00 [migration/0]3 ? SN 0:00 [ksoftirqd/0]4 ? S< 0:00 [watchdog/0]5 ? S< 0:00 [events/0]--More--(press Spacebar to continue)ise/admin#Related Commands
Displays the usability status of the interfaces.
Displays information about active processes.
Displays the contents of the current running configuration.
show terminal
To obtain information about the terminal configuration parameter settings, use the show terminal command in the EXEC mode.
show terminal
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show terminalTTY: /dev/pts/0 Type: "vt100"Length: 27 lines, Width: 80 columnsSession Timeout: 30 minutesise/admin#Table A-12 describes the fields of the show terminal output.
show timezone
To display the time zone as set on the system, use the show timezone command in the EXEC mode.
show timezone
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show timezoneUTCise/admin#Related Commands
Sets the time zone on the system.
Displays the time zones available on the system.
show timezones
To obtain a list of time zones from which you can select, use the show timezones command in the EXEC mode.
show timezones
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
See the "clock timezone" section, for examples of the time zones available for the ISE server.
Examples
ise/admin# show timezonesAfrica/BlantyreAfrica/Dar_es_SalaamAfrica/DakarAfrica/AsmaraAfrica/TimbuktuAfrica/MaputoAfrica/AccraAfrica/KigaliAfrica/TunisAfrica/NouakchottAfrica/OuagadougouAfrica/WindhoekAfrica/DoualaAfrica/JohannesburgAfrica/LuandaAfrica/LagosAfrica/DjiboutiAfrica/KhartoumAfrica/MonroviaAfrica/BujumburaAfrica/Porto-NovoAfrica/MalaboAfrica/CeutaAfrica/BanjulAfrica/CairoAfrica/MogadishuAfrica/BrazzavilleAfrica/KampalaAfrica/Sao_TomeAfrica/AlgiersAfrica/Addis_AbabaAfrica/NdjamenaAfrica/GaboroneAfrica/BamakoAfrica/Freetown--More--(press Spacebar to continue)ise/admin#Related Commands
show udi
To display information about the UDI of the Cisco ISE appliance, use the show udi command in the EXEC mode.
show udi
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
ise/admin# show udiSPID: ISE-3315-K9VPID: V01Serial: LAB12345678ise/admin#The following output appears when you run the show udi command on VMware servers.
Example 2
ise/admin# show udiSPID: ISE-VM-K9VPID: V01Serial: 5C79C84ML9Hise/admin#show uptime
To display the length of time that you have been logged in to the Cisco ISE server, use the show uptime command in the EXEC mode.
show uptime
|Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show uptime3 day(s), 18:55:02ise/admin#show users
To display the list of users logged in to the Cisco ISE server, use the show users command in the EXEC mode.
show users
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
None.
Examples
ise/admin# show usersUSERNAME ROLE HOST TTY LOGIN DATETIMEadmin Admin 10.77.137.60 pts/0 Fri Aug 6 09:45:47 2010ise/admin#show version
To display information about the software version of the system, use the show version command in the EXEC mode.
show version
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Usage Guidelines
This command displays version information about the Cisco ADE-OS software running on the Cisco ISE server, and displays the Cisco ISE version.
Examples
ise/admin# show versionCisco Application Deployment Engine OS Release: 2.0ADE-OS Build Version: 2.0.0.568ADE-OS System Architecture: i386Copyright (c) 2005-2010 by Cisco Systems, Inc.All rights reserved.Hostname: pmbudev-vm3Version information of installed applications---------------------------------------------Cisco Identity Services Engine---------------------------------------------Version : 1.0.2.051Build Date : Mon Aug 2 00:34:25 2010Install Date : Thu Aug 5 17:48:49 2010ise/admin#Configuration Commands
This section list each Configuration command and includes a brief description of its use, command syntax, usage guidelines, and sample output.
Configuration commands include interface and repository.
Note
To access the Configuration mode, you must use the configure command in the EXEC mode.
Table A-13 lists the Configuration commands that this section describes.
backup-staging-url
To allow you to configure a Network File System (NFS) location that the backup and restore operations will use as a staging area to package and unpackage backup files, use the backup-staging-url command in Configuration mode.
backup-staging-url word
Syntax Description
backup-staging-url
The command to configure a Network File System (NFS) location as a staging area that the backup and restore operations use.
word
NFS URL for staging area. Supports up to 2048 alphanumeric characters. Use nfs://server:path1 .
1 Server is the server name and path refers to /subdir/subsubdir. Remember that a colon (:) is required after the server.
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
The URL is NFS only. The format of the command is backup-staging-url nfs://server:path.
WarningExamples
ise/admin(config)# backup-staging-url nfs://loc-filer02a:/vol/local1/private1/jdoeise/admin(config)#cdp holdtime
To specify the amount of time for which the receiving device should hold a Cisco Discovery Protocol packet from the Cisco ISE server before discarding it, use the cdp holdtime command in the Configuration mode. To revert to the default setting, use the no form of this command.
cdp holdtime seconds
Syntax Description
Defaults
180 seconds
Command Modes
Configuration
Usage Guidelines
Cisco Discovery Protocol packets transmit with a time to live, or hold time, value. The receiving device will discard the Cisco Discovery Protocol information in the Cisco Discovery Protocol packet after the hold time has elapsed.
The cdp holdtime command takes only one argument; otherwise, an error occurs.
Examples
ise/admin(config)# cdp holdtime 60ise/admin(config)#Related Commands
Specifies how often the Cisco ISE server sends Cisco Discovery Protocol updates.
Enables the Cisco Discovery Protocol.
cdp run
To enable the Cisco Discovery Protocol, use the cdp run command in Configuration mode. To disable the Cisco Discovery Protocol, use the no form of this command.
cdp run [GigabitEthernet]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
The command has one optional argument, which is an interface name. Without an optional interface name, the command enables the Cisco Discovery Protocol on all interfaces.
Note
Examples
ise/admin(config)# cdp run GigabitEthernet 0ise/admin(config)#Related Commands
cdp timer
To specify how often the Cisco ISE server sends Cisco Discovery Protocol updates, use the cdp timer command in Configuration mode. To revert to the default setting, use the no form of this command.
cdp timer seconds
Syntax Description
Defaults
60 seconds
Command Modes
Configuration
Usage Guidelines
Cisco Discovery Protocol packets transmit with a time to live, or hold time, value. The receiving device will discard the Cisco Discovery Protocol information in the Cisco Discovery Protocol packet after the hold time has elapsed.
The cdp timer command takes only one argument; otherwise, an error occurs.
Examples
ise/admin(config)# cdp timer 60ise/admin(config)#Related Commands
clock timezone
To set the time zone, use the clock timezone command in Configuration mode. To disable this function, use the no form of this command.
clock timezone timezone
Syntax Description
clock
The command to configure time zone.
timezone
The command to configure system timezone.
timezone
Name of the time zone visible when in standard time. Supports up to 64 alphanumeric characters.
Defaults
UTC
Command Modes
Configuration
Usage Guidelines
The system internally keeps time in UTC. If you do not know your specific time zone, you can enter the region, country, and city (see Tables A-14, A-15, and A-16 for sample time zones to enter on your system).
Table A-15 Australia Time Zones
ACT2
Adelaide
Brisbane
Broken_Hill
Canberra
Currie
Darwin
Hobart
Lord_Howe
Lindeman
LHI3
Melbourne
North
NSW4
Perth
Queensland
South
Sydney
Tasmania
Victoria
West
Yancowinna
1 Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.
2 ACT = Australian Capital Territory
3 LHI = Lord Howe Island
4 NSW = New South Wales
Table A-16 Asia Time Zones
Aden2
Almaty
Amman
Anadyr
Aqtau
Aqtobe
Ashgabat
Ashkhabad
Baghdad
Bahrain
Baku
Bangkok
Beirut
Bishkek
Brunei
Calcutta
Choibalsan
Chongqing
Columbo
Damascus
Dhakar
Dili
Dubai
Dushanbe
Gaza
Harbin
Hong_Kong
Hovd
Irkutsk
Istanbul
Jakarta
Jayapura
Jerusalem
Kabul
Kamchatka
Karachi
Kashgar
Katmandu
Kuala_Lumpur
Kuching
Kuwait
Krasnoyarsk
1 The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia.
2 Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.
Note
For more information on how changing time zone impacts different Cisco ISE nodes types of your deployment and the steps to recover from the impact, see the "Standalone or Primary ISE Node" section and "Secondary ISE Node" section.
Standalone or Primary ISE Node
Changing the time zone after installation is not supported on a Standalone or Primary ISE node.
If you inadvertently change the time zone, do the following:
•
•
•
Secondary ISE Node
Changing the time zone on a secondary node renders it unusable on your deployment.
If you want to change the time zone on the secondary node to keep it to be the same as the primary node, do the following:
•
•
•
•
Examples
ise/admin(config)# clock timezone ESTise/admin(config)# exitise/admin# show timezoneESTise/admin#Related Commands
Displays a list of available time zones on the system.
Displays the current time zone set on the system.
do
To execute an EXEC-level command from Configuration mode or any configuration submode, use the do command in any configuration mode.
do arguments
Syntax Description
do
The EXEC command to execute an EXEC-level command from Configuration mode or any configuration submode
arguments
The EXEC command to execute an EXEC-level command (see Table A-17).
Command Default
No default behavior or values.
Command Modes
Configuration or any configuration submode
Usage Guidelines
Use this command to execute EXEC commands (such as show, clear, and debug commands) while configuring your server. After the EXEC command executes, the system will return to the configuration mode you were using.
Examples
ise/admin(config)# do show runGenerating configuration...!hostname ise!ip domain-name cisco.com!interface GigabitEthernet 0ip address 172.23.90.113 255.255.255.0ipv6 address autoconfig!ip name-server 171.70.168.183!ip default-gateway 172.23.90.1!clock timezone EST!ntp server time.nist.gov!username admin password hash $1$JbbHvKVG$xMZ/XL4tH15Knf.FfcZZr. role admin!service sshd!backup-staging-url nfs://loc-filer02a:/vol/local1/private1/jdoe!password-policylower-case-requiredupper-case-requireddigit-requiredno-usernamedisable-cisco-passwordsmin-password-length 6!logging localhostlogging loglevel 6!--More--ise/admin(config)#end
To end the current configuration session and return to the EXEC mode, use the end command in Configuration mode.
end
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
This command brings you back to EXEC mode regardless of what configuration mode or submode you are in.
Use this command when you finish configuring the system and you want to return to EXEC mode to perform verification steps.
Examples
ise/admin(config)# endise/admin#Related Commands
Exits Configuration mode.
exit (EXEC)
Closes the active terminal session by logging out of the Cisco ISE server.
exit
To exit any configuration mode to the next-highest mode in the CLI mode hierarchy, use the exit command in Configuration mode.
exit
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
The exit command is used in the Cisco ISE server to exit the current command mode to the next highest command mode in the CLI mode hierarchy.
For example, use the exit command in Configuration mode to return to the EXEC mode. Use the exit command in the configuration submodes to return to Configuration mode. At the highest level, EXEC mode, the exit command exits the EXEC mode and disconnects from the Cisco ISE server (see the "exit" section, for a description of the exit (EXEC) command).
Examples
ise/admin(config)# exitise/admin#Related Commands
Exits Configuration mode.
exit (EXEC)
Closes the active terminal session by logging out of the Cisco ISE server.
hostname
To set the hostname of the system, use the hostname command in Configuration mode. To delete the hostname from the system, use the no form of this command, which resets the system to localhost.
hostname word
Syntax Description
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
A single instance type of command, hostname only occurs once in the configuration of the system. The hostname must contain one argument; otherwise, an error occurs.
Examples
ise/admin(config)# hostname ise-1Changing the hostname or IP may result in undesired side effects,such as installed application(s) being restarted.Are you sure you want to proceed? [y/n] yStopping ISE Monitoring & Troubleshooting Log Processor...Stopping ISE Monitoring & Troubleshooting Log Collector...Stopping ISE Monitoring & Troubleshooting Alert Process...Stopping ISE Application Server...Stopping ISE Monitoring & Troubleshooting Session Database...Stopping ISE Database processes...Starting ISE Database processes...Starting ISE Monitoring & Troubleshooting Session Database...Starting ISE Application Server...Starting ISE Monitoring & Troubleshooting Log Collector...Starting ISE Monitoring & Troubleshooting Log Processor...Starting ISE Monitoring & Troubleshooting Alert Process...Note: ISE Processes are initializing. Use 'show application status ise'CLI to verify all processes are in running state.ise-1/admin(config)#ise-1/admin# show application status iseISE Database listener is running, PID: 11142ISE Database is running, number of processes: 29ISE Application Server is still initializing.ISE M&T Session Database is running, PID: 11410ISE M&T Log Collector is running, PID: 11532ISE M&T Log Processor is running, PID: 11555ISE M&T Alert Process is running, PID: 11623ise-1/admin#icmp echo
To configure the Internet Control Message Protocol (ICMP) echo responses, use the icmp echo command in Configuration mode.
icmp echo {off | on}
Syntax Description
icmp
The command to configure Internet Control Message Protocol echo requests.
echo
Configures ICMP echo response.
off
Disables ICMP echo response
on
Enables ICMP echo response.
Defaults
The system behaves as if the ICMP echo response is on (enabled).
Command Modes
Configuration
Usage Guidelines
None.
Examples
ise/admin(config)# icmp echo offise/admin(config)#Related Commands
interface
To configure an interface type and enter the interface configuration mode, use the interface command in Configuration mode. This command does not have a no form.
Note
interface GigabitEthernet [0 | 1| 2 | 3]
Syntax Description
interface
The command to configure an interface.
GigabitEthernet
Configures the Gigabit Ethernet interface.
0 - 3
Number of the Gigabit Ethernet port to configure.
Note
do
EXEC command. Allows you to perform any EXEC commands in this mode (see the "do" section).
end
Exits the config-GigabitEthernet submode and returns you to the EXEC mode.
exit
Exits the config-GigabitEthernet configuration submode.
ip
Sets the IP address and netmask for the Ethernet interface (see the "ip address" section).
ipv6
Configures IPv6 autoconfiguration address and IPv6 address from DHCPv6 server. (see the "ipv6 address autoconfig" section and the "ipv6 address dhcp" section)
no
Negates the command in this mode. Two keywords are available:
•
•
shutdown
Shuts down the interface (see the "shutdown" section).
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
You can use the interface command to configure subinterfaces to support various requirements.
Examples
ise/admin(config)# interface GigabitEthernet 0ise/admin(config-GigabitEthernet)#Related Commands
Displays information about the system interfaces.
ip address (interface configuration mode)
Sets the IP address and netmask for the interface.
shutdown (interface configuration mode)
Shuts down the interface (see "shutdown" section).
ipv6 address autoconfig
To enable IPv6 stateless autoconfiguration, use the interface GigabitEthernet 0 command in Configuration mode. This command does not have a no form.
IPv6 address autoconfiguration is enabled by default in Linux. Cisco ADE 2.0 shows the IPv6 address autoconfiguration in the running configuration for any interface that is enabled.
interface GigabitEthernet 0
Syntax Description
interface
The command to configure an interface.
GigabitEthernet
Configures the Gigabit Ethernet interface.
<0 - 3>
Number of the Gigabit Ethernet port to configure.
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
IPv6 stateless autoconfiguration has the security downfall of having predictable IP addresses. This downfall is resolved with privacy extensions. You can verify that the privacy extensions feature is enabled using the show command.
Example 1
ise/admin# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ise/admin(config)# interface GigabitEthernet 0ise/admin(config)# (config-GigabitEthernet)# ipv6 address autoconfigise/admin(config)# (config-GigabitEthernet)# endise/admin#When IPv6 autoconfiguration is enabled, the running configuration shows the interface settings similar to the following:
!interface GigabitEthernet 0ip address 172.23.90.116 255.255.255.0ipv6 address autoconfig!You can use the show interface GigabitEthernet 0 command to display the interface settings. In example 2, you can see that the interface has three IPv6 addresses. The first address (starting with 3ffe) is obtained using the stateless autoconfiguration. For the stateless autoconfiguration to work, you must have IPv6 route advertisement enabled on that subnet. The next address (starting with fe80) is a link-local address that does not have any scope outside the host. You will always see a link local address regardless of the IPv6 autoconfiguration or DHCPv6 configuration. The last address (starting with 2001) is obtained from a IPv6 DHCP server.
Example 2
ise/admin# show interface GigabitEthernet 0eth0 Link encap:Ethernet HWaddr 00:0C:29:AF:DA:05inet addr:172.23.90.116 Bcast:172.23.90.255 Mask:255.255.255.0inet6 addr: 3ffe:302:11:2:20c:29ff:feaf:da05/64 Scope:Globalinet6 addr: fe80::20c:29ff:feaf:da05/64 Scope:Linkinet6 addr: 2001:558:ff10:870:8000:29ff:fe36:200/64 Scope:GlobalUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:77848 errors:0 dropped:0 overruns:0 frame:0TX packets:23131 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:10699801 (10.2 MiB) TX bytes:3448374 (3.2 MiB)Interrupt:59 Base address:0x2000ise/admin#The following RFC provides the IPv6 stateless autoconfiguration privacy extensions:
http://www.ietf.org/rfc/rfc3041.txt
To verify that the privacy extensions feature is enabled, you can use the show interface GigabitEthernet 0 command. You can see two autoconfiguration addresses: one address is without the privacy extensions, and the other is with the privacy extensions.
In the example 3 below, the MAC is 3ffe:302:11:2:20c:29ff:feaf:da05/64 and the non-RFC3041 address contains the MAC, and the privacy-extension address is 302:11:2:9d65:e608:59a9:d4b9/64.
The output appears similar to the following:
Example 3
ise/admin# show interface GigabitEthernet 0eth0 Link encap:Ethernet HWaddr 00:0C:29:AF:DA:05inet addr:172.23.90.116 Bcast:172.23.90.255 Mask:255.255.255.0inet6 addr: 3ffe:302:11:2:9d65:e608:59a9:d4b9/64 Scope:Globalinet6 addr: 3ffe:302:11:2:20c:29ff:feaf:da05/64 Scope:Globalinet6 addr: fe80::20c:29ff:feaf:da05/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:60606 errors:0 dropped:0 overruns:0 frame:0TX packets:2771 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:9430102 (8.9 MiB) TX bytes:466204 (455.2 KiB)Interrupt:59 Base address:0x2000ise/admin#Related Commands
Displays information about the system interfaces.
ip address (interface configuration mode)
Sets the IP address and netmask for the interface.
shutdown (interface configuration mode)
Shuts down the interface (see "shutdown" section).
Enables IPv6 address DHCP on an interface.
Displays the contents of the currently running configuration file or the configuration.
ipv6 address dhcp
To enable IPv6 address DHCP, use the interface GigabitEthernet 0 command in Configuration mode. This command does not have a no form.
interface GigabitEthernet 0
Syntax Description
interface
The command to configure an interface.
GigabitEthernet
Configures the Gigabit Ethernet interface.
0
Gigabit Ethernet port number to be configured.
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
None.
Examples
ise/admin# configure terminalEnter configuration commands, one per line. End with CNTL/Z.ise/admin(config)# interface GigabitEthernet 0ise/admin(config-GigabitEthernet)# ipv6 address dhcpise/admin(config-GigabitEthernet)# endise/admin#When IPv6 DHCPv6 is enabled, the running configuration shows the interface settings similar to the following:
!interface GigabitEthernet 0ip address 172.23.90.116 255.255.255.0ipv6 address dhcp!
Note
When both the IPv6 stateless autoconfiguration and IPv6 address DHCP are enabled, the running configuration shows the interface settings similar to the following:
!interface GigabitEthernet 0ip address 172.23.90.116 255.255.255.0ipv6 address dhcp!Related Commands
Displays information about the system interfaces.
ip address (interface configuration mode)
Sets the IP address and netmask for the interface.
shutdown (interface configuration mode)
Shuts down the interface (see "shutdown" section).
Enables IPv6 stateless autoconfiguration on an interface.
Displays the contents of the currently running configuration file or the configuration.
ip address
To set the IP address and netmask for the Ethernet interface, use the ip address command in interface Configuration mode. To remove an IP address or disable IP processing, use the no form of this command.
ip address ip-address network mask
Note
Syntax Description
ip address
The command to configure IP address and netmask for the GigabitEthernet interface.
ip-address
IPv4 version IP address.
network mask
Mask of the associated IP subnet.
Defaults
Enabled.
Command Modes
Interface configuration
Usage Guidelines
Requires exactly one address and one netmask; otherwise, an error occurs.
Examples
ise/admin(config)# interface GigabitEthernet 1ise/admin(config-GigabitEthernet)# ip address 209.165.200.227 255.255.255.224Changing the hostname or IP may result in undesired side effects,such as installed application(s) being restarted.........To verify that ISE processes are running, use the'show application status ise' command.ise/admin(config-GigabitEthernet)#Related Commands
shutdown (interface configuration mode)
Disables an interface (see "shutdown" section).
Sets the IP address of the default gateway of an interface.
Displays information about the system IP interfaces.
Configures an interface type and enters the interface mode.
ip default-gateway
To define or set a default gateway with an IP address, use the ip default-gateway command in Configuration mode. To disable this function, use the no form of this command.
ip default-gateway ip-address
Syntax Description
ip default-gateway
The command to define a default gateway with an IP address.
ip-address
IP address of the default gateway.
Defaults
Disabled.
Command Modes
Configuration
Usage Guidelines
If you enter more than one argument or no arguments at all, an error occurs.
Examples
ise/admin(config)# ip default-gateway 209.165.202.129ise/admin(config)#Related Commands
ip address (interface configuration mode)
Sets the IP address and netmask for the Ethernet interface.
ip domain-name
To define a default domain name that the Cisco ISE server uses to complete hostnames, use the ip domain-name command in Configuration mode. To disable this function, use the no form of this command.
ip domain-name word
Syntax Description
ip domain-name
The command to define a default domain name.
word
Default domain name used to complete the hostnames. Contains at least 2 to 64 alphanumeric characters.
Defaults
Enabled.
Command Modes
Configuration
Usage Guidelines
If you enter more or fewer arguments, an error occurs.
Examples
ise/admin(config)# ip domain-name cisco.comise/admin(config)#Related Commands
ip name-server
To set the Domain Name Server (DNS) servers for use during a DNS query, use the ip name-server command in Configuration mode. You can configure one to three DNS servers. To disable this function, use the no form of this command.
Note
ip name-server ip-address [ip-address*]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
The first name server that is added with the ip name-server command occupies the first position and the system uses that server first to resolve the IP addresses.
You can add name servers to the system one at a time or all at once, until you reach the maximum (3). If you already configured the system with three name servers, you must remove at least one server to add additional name servers.
To place a name server in the first position so that the subsystem uses it first, you must remove all name servers with the no form of this command before you proceed.
Examples
ise/admin(config)# ip name-server 209.165.201.1To verify that ISE processes are running, use the'show application status ise' command.ise/admin(config)#You can choose not to restart the Cisco ISE server; nevertheless, the changes will take effect.
Related Commands
ip route
To configure the static routes, use the ip route command in Configuration mode. To remove static routes, use the no form of this command.
Static routes are manually configured, which makes them inflexible (they cannot dynamically adapt to network topology changes), but extremely stable. Static routes optimize bandwidth utilization, because no routing updates need to be sent to maintain them. They also make it easy to enforce routing policy.
ip route prefix mask gateway ip-address
no ip route prefix mask
Syntax Description
Defaults
No default behavior or values.
Command Modes
Configuration
Examples
ise/admin(config)# ip route 192.168.0.0 255.255.0.0 gateway 172.23.90.2ise/admin(config)#kron occurrence
To schedule one or more Command Scheduler commands to run at a specific date and time or a recurring level, use the kron occurrence command in Configuration mode. To delete this schedule, use the no form of this command.
kron {occurrence} occurrence-name
Syntax Description
Note
at
Identifies that the occurrence is to run at a specified calendar date and time. Usage: at [hh:mm] [day-of-week | day-of-month | month day-of-month].
do
EXEC command. Allows you to perform any EXEC commands in this mode (see the "do" section).
end
Exits the kron-occurrence configuration submode and returns you to the EXEC mode.
exit
Exits the kron-occurrence configuration mode.
no
Negates the command in this mode.
Three keywords are available:
•
•
•
policy-list
Specifies a Command Scheduler policy list to be run by the occurrence.
recurring
Identifies that the occurrences run on a recurring basis.
Note
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.
Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler policy that contains the EXEC CLI commands to be scheduled to run on the Cisco ISE server at a specified time. See the "kron policy-list" section.
Examples
Note
Example 1: Weekly Backup
ise/admin(config)# kron occurrence WeeklyBackupise/admin(config-Occurrence)# at 14:35 Mondayise/admin(config-Occurrence)# policy-list SchedBackupPolicyise/admin(config-Occurrence)# recurringise/admin(config-Occurrence)# exitise/admin(config)#Example 2: Daily Backup
ise/admin(config)# kron occurrence DailyBackupise/admin(config-Occurrence)# at 02:00ise/admin(config-Occurrence)# exitise/admin(config)#Example 3: Weekly Backup
ise/admin(config)# kron occurrence WeeklyBackupise/admin(config-Occurrence)# at 14:35 Mondayise/admin(config-Occurrence)# policy-list SchedBackupPolicyise/admin(config-Occurrence)# no recurringise/admin(config-Occurrence)# exitise/admin(config)#
Related Commands
kron policy-list
To specify a name for a Command Scheduler policy and enter the kron-Policy List configuration submode, use the kron policy-list command in Configuration mode. To delete a Command Scheduler policy, use the no form of this command.
kron {policy-list} list-name
Syntax Description
kron
The command to schedule the Command Scheduler commands.
policy-list
Specifies a name for Command Scheduler policies.
list-name
Name of the policy list. Supports up to 80 alphanumeric characters.
Note
cli
Command to be executed by the scheduler. Supports up to 80 alphanumeric characters.
do
EXEC command. Allows you to perform any EXEC commands in this mode (see "do" section).
end
Exits from the config-Policy List configuration submode and returns you to the EXEC mode.
exit
Exits this submode.
no
Negates the command in this mode. One keyword is available:
•
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler policy that contains the EXEC CLI commands to be scheduled to run on the ISE server at a specified time. Use the kron occurrence and policy list commands to schedule one or more policy lists to run at the same time or interval. See the "ip route" section.
Examples
ise/admin(config)# kron policy-list SchedBackupMondayise/admin(config-Policy List)# cli backup SchedBackupMonday repository SchedBackupRepoise/admin(config-Policy List)# exitise/admin(config)#Related Commands
Specifies schedule parameters for a Command Scheduler occurrence and enters the config-Occurrence configuration mode.
logging
To enable the system to forward logs to a remote system or to configure the log level, use the logging command in Configuration mode. To disable this function, use the no form of this command.
logging {ip-address | hostname} {loglevel level}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
This command requires an IP address or hostname or the loglevel keyword; an error occurs if you enter two or more of these arguments.
Examples
Example 1
ise/admin(config)# logging 209.165.200.225ise/admin(config)#Example 2
ise/admin(config)# logging loglevel 0ise/admin(config)#Related Commands
ntp
To specify an NTP configuration, use the ntp command in configuration mode with authenticate, authentication-key, server, and trusted-key commands.
ntp authenticate
ntp authentication-key <key id> md5 hash | plain <key value>
ntp server {ip-address | hostname} key <peer key number>
ntp trusted-key <key>
Syntax Description
Defaults
None
Command Modes
Configuration.
Usage Guidelines
Use the ntp command to specify an NTP configuration.
To terminate NTP service on a device, you must enter the no ntp command with keywords or arguments such as authenticate, authentication-key, server, and trusted-key. For example, if you previously issued the ntp server command, use the no ntp command with server.
For more information on how to configure an NTP server, see ntp server.
Examples
ise/admin(config)# ntp ?authenticate Authenticate time sourcesauthentication-key Authentication key for trusted time sourcesserver Specify NTP server to usetrusted-key Key numbers for trusted time sourcesise/admin(config)#ise/admin(config)# no ntp serverise/admin(config)# do show ntp% no NTP servers configuredise/admin(config)#Related Commands
ntp authenticate
To enable authentication of all time sources, use the ntp authenticate command. Time sources without the NTP authentication keys will not be synchronized.
To disable this capability, use the no form of this command.
ntp authenticate
Syntax Description
ntp
The command to specify NTP configuration.
authenticate
Enables authentication of all time sources.
Defaults
None
Command Modes
Configuration.
Usage Guidelines
Use the ntp authenticate command to enable authentication of all time sources. This command is optional and authentication will work even without this command.
If you want to authenticate in a mixed mode where only some servers require authentication, that is, only some servers need to have keys configured for authentication, then this command should not be executed.
Examples
ise/admin(config)# ntp ?authenticate Authenticate time sourcesauthentication-key Authentication key for trusted time sourcesserver Specify NTP server to usetrusted-key Key numbers for trusted time sourcesise/admin(config)#ise/admin(config)# ntp authenticateise/admin(config)#Related Commands
ntp authentication-key
To specify an authentication key for a time source, use the ntp authentication-key command in configuration command with a unique identifier and a key value.
To disable this capability, use the no form of this command.
ntp authentication-key <key id> md5 hash | plain <key value>
Syntax Description
Defaults
None
Command Modes
Configuration.
Usage Guidelines
Use the ntp authentication-key command to set up a time source with an authentication key for NTP authentication and specify its pertinent key identifier, key encryption type, and key value settings. Add this key to the trusted list before you add this key to the ntp server command.
Time sources without the NTP authentication keys that are added to the trusted list will not be synchronized.
Examples
ise/admin# configureise/admin(config)#ise/admin(config)# ntp authentication-key 1 md5 plain SharedWithServeise/admin(config)# ntp authentication-key 2 md5 plain SharedWithServise/admin(config)# ntp authentication-key 3 md5 plain SharedWithSer
Note
ise/admin(config)# no ntp authentication-key 3(Removes authentication key 3.)
ise/admin(config)# no ntp authentication-key(Removes all authentication keys.)
Related Commands
ntp server
To allow for software clock synchronization by the NTP server for the system, use the ntp server command in Configuration mode. Allows up to three servers each with a key in a separate line. The key is an optional parameter but the key is required for NTP authentication. The Cisco ISE always requires a valid and reachable NTP server.
Although key is an optional parameter, it must be configured if you need to authenticate an NTP server.
To disable this capability, use the no form of this command only when you want to remove an NTP server and add another one.
ntp server {ip-address | hostname} key <peer key number>
Syntax Description
Defaults
No servers are configured by default.
Command Modes
Configuration.
Usage Guidelines
Use this ntp server command with a trusted key if you want to allow the system to synchronize with a specified server.
The key is optional, but it is required for NTP authentication. Define this key in the ntp authentication-key command first and add this key to the ntp trusted-key command before you can add it to the ntp server command.
The show ntp command displays the status of synchronization. If none of the configured NTP servers are reachable or not authenticated (if NTP authentication is configured), then this command displays synchronization to local with the least stratum. If an NTP server is not reachable or is not properly authenticated, then its reach as per this command statistics will be 0.
To define an NTP server configuration and authentication in the Cisco ISE admin user interface, see the System Time and NTP Server Settings section in the Cisco Identity Services Engine User Guide, Release 1.1.1.
Note
Examples
Example 1
ise/admin(config)# ntp server ntp.esl.cisco.com key 1% WARNING: Key 1 needs to be defined as a ntp trusted-key.ise/admin(config)#ise/admin(config)# ntp trusted-key 1% WARNING: Key 1 needs to be defined as a ntp authentication-key.ise/admin(config)#ise/admin(config)# ntp authentication-key 1 md5 plain SharedWithServeise/admin(config)#ise/admin(config)# ntp server ntp.esl.cisco.com 1ise/admin(config)# ntp server 171.68.10.80 2ise/admin(config)# ntp server 171.68.10.150 3ise/admin(config)#ise/admin(config)# do show running-configGenerating configuration...!hostname ise!ip domain-name cisco.com!interface GigabitEthernet 0ip address 172.21.79.246 255.255.255.0ipv6 address autoconfig!ip name-server 171.70.168.183!ip default-gateway 172.21.79.1!clock timezone UTC!ntp authentication-key 1 md5 hash ee18afc7608ac7ecdbeefc5351ad118bc9ce1ef3ntp authentication-key 2 md5 hash f1ef7b05c0d1cd4c18c8b70e8c76f37f33c33b59ntp authentication-key 3 md5 hash ee18afc7608ac7ec2d7ac6d09226111dce07da37ntp trusted-key 1ntp trusted-key 2ntp trusted-key 3ntp authenticatentp server ntp.esl.cisco.com key 1ntp server 171.68.10.80 key 2ntp server 171.68.10.150 key 3!--More--ise/admin# show ntpPrimary NTP : ntp.esl.cisco.comSecondary NTP : 171.68.10.80Tertiary NTP : 171.68.10.150synchronised to local net at stratum 11time correct to within 448 mspolling server every 64 sremote refid st t when poll reach delay offset jitter==============================================================================*127.127.1.0 .LOCL. 10 l 46 64 37 0.000 0.000 0.001171.68.10.80 .RMOT. 16 u 46 64 0 0.000 0.000 0.000171.68.10.150 .INIT. 16 u 47 64 0 0.000 0.000 0.000Warning: Output results may conflict during periods of changing synchronization.ise/admin#Example 2
ise/admin# show ntpPrimary NTP : ntp.esl.cisco.comSecondary NTP : 171.68.10.150Tertiary NTP : 171.68.10.80synchronised to NTP server (171.68.10.150) at stratum 3time correct to within 16 mspolling server every 64 sremote refid st t when poll reach delay offset jitter==============================================================================127.127.1.0 .LOCL. 10 l 35 64 377 0.000 0.000 0.001+171.68.10.80 144.254.15.122 2 u 36 64 377 1.474 7.381 2.095*171.68.10.150 144.254.15.122 2 u 33 64 377 0.922 10.485 2.198Warning: Output results may conflict during periods of changing synchronization.ise/admin#Related Commands
ntp trusted-key
To add a time source to the trusted list, use the ntp trusted-key command with a unique identifier. To disable this capability, use the no form of this command.
ntp trusted-key <key>
Syntax Description
Defaults
None
Command Modes
Configuration.
Usage Guidelines
Define this key as an NTP authentication key and then add this key to the trusted list before you add this key to an NTP server. Keys that are added to the trusted list can only be used that allows synchronization by the NTP server with the system.
Examples
ise/admin# configureise/admin(config)#ise/admin(config)# ntp trusted-key 1ise/admin(config)# ntp trusted-key 2ise/admin(config)# ntp trusted-key 3ise/admin(config)# no ntp trusted-key 2(Removes key 2 from the trusted list.)
ise/admin(config)# no ntp trusted-key(Removes all keys from the trusted list.)
Related Commands
password-policy
To enable or configure the passwords on the system, use the password-policy command in Configuration mode. To disable this function, use the no form of this command.
password-policy option
Note
Syntax Description
Note
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
None.
Examples
ise/admin(config)# password-policyise/admin(config-password-policy)# password-expiration-days 30ise/admin(config-password-policy)# exitise/admin(config)#repository
To enter the repository submode for configuration of backups, use the repository command in Configuration mode.
repository repository-name
Syntax Description
repository
The command to configure the repository.
repository-name
Name of repository. Supports up to 80 alphanumeric characters.
Note
do
EXEC command. Allows you to perform any of the EXEC commands in this mode (see the "do" section).
end
Exits the config-Repository submode and returns you to the EXEC mode.
exit
Exits this mode.
no
Negates the command in this mode.
Two keywords are available:
•
•
url
URL of the repository. Supports up to 80 alphanumeric characters (see Table A-18).
user
Configure the username and password for access. Supports up to 30 alphanumeric characters.
Table A-18 URL Keywords
word
Enter the repository URL, including server and path information. Supports up to 80 alphanumeric characters.
cdrom:
Local CD-ROM drive (read only).
disk:
Local storage.
You can run the show repository repository_name to view all the files in the local repository.
Note
ftp:
Source or destination URL for an FTP network server. Use url ftp://server/path1 .
nfs:
Source or destination URL for an NFS network server. Use url nfs://server:path1.
sftp:
Source or destination URL for an SFTP network server. Use url sftp://server/path1.
tftp:
Source or destination URL for a TFTP network server. Use url tftp://server/path1.
Note
1 Server is the server name and path refers to /subdir/subsubdir. Remember that a colon (:) is required after the server for an NFS network server.
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
When configuring url sftp: in the submode, you must provide the host-key under repository configuration through CLI and the RSA fingerprint is added to the list of SSH known hosts.
To disable this function, use the no form of host-key host command in the submode.
Cisco ISE displays the following warning when you configure a secure ftp repository in the administration user interface in Administration > System > Maintenance > Repository > Add Repository.
The host key of the SFTP server must be added through the CLI by using the host-key option before this repository can be used.
A corresponding error is thrown in the Cisco ADE logs when you try to back up into a secure FTP repository without configuring the host-key.
Example 1
ise/admin# configure termainalise/admin(config)# repository myrepositoryise/admin(config-Repository)# url sftp://ise-papise/admin(config-Repository)# host-key host ise-paphost key fingerprint added# Host ise-pap found: line 1 type RSA2048 f2:e0:95:d7:58:f2:02:ba:d0:b8:cf:d5:42:76:1f:c6 ise-pap (RSA)ise/admin(config-Repository)# exitise/admin(config)# exitise/admin#Example 2
ise/admin# configure termainalise/admin(config)# repository myrepositoryise/admin(config-Repository)# url sftp://ise-papise/admin(config-Repository)# no host-key host ise-papise/admin(config-Repository)#exitise/admin(config)#exitise/admin#
Related Commands
service
To specify a service to manage, use the service command in Configuration mode. To disable this function, use the no form of this command.
service sshd
Syntax Description
service
The command to specify a service to be managed.
sshd
Secure Shell Daemon. The daemon program for SSH.
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
None.
Examples
ise/admin(config)# service sshdise/admin(config)#shutdown
To shut down an interface, use the shutdown command in the interface configuration mode. To disable this function, use the no form of this command.
Syntax Description
No arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Interface Configuration
Usage Guidelines
When you shut down an interface using this command, you lose connectivity to the Cisco ISE appliance through that interface (even though the appliance is still powered on). However, if you have configured the second interface on the appliance with a different IP and have not shut down that interface, you can access the appliance through that second interface.
To shut down an interface, you can also modify the ifcfg-eth[0,1] file, which is located at /etc/sysconfig/network-scripts, using the ONBOOT parameter:
•
•
You can also use the no shutdown command to enable an interface.
Examples
ise/admin(config)# interface GigabitEthernet 0ise/admin(config-GigabitEthernet)# shutdownRelated Commands
Configures an interface type and enters the interface mode.
ip address (interface configuration mode)
Sets the IP address and netmask for the Ethernet interface.
Displays information about the system IP interfaces.
Sets the IP address of the default gateway of an interface.
snmp-server community
To set up the community access string to permit access to the Simple Network Management Protocol (SNMP), use the snmp-server community command in Configuration mode. To disable this function, use the no form of this command.
snmp-server community word ro
Syntax Description
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
The snmp-server community command requires a community string and the ro argument; otherwise, an error occurs.
The SNMP Agent on the Cisco ISE provides read-only SNMP v1 and SNMP v2c access to the following MIBs:
•
•
•
•
•
•
•
•
•
–
–
–
•
•
•
Examples
ise/admin(config)# snmp-server community new roise/admin(config)#Related Commands
Sends traps to a remote system.
Configures the SNMP location MIB value on the system.
Configures the SNMP contact MIB value on the system.
snmp-server contact
To configure the SNMP contact Management Information Base (MIB) value on the system, use the snmp-server contact command in Configuration mode. To remove the system contact information, use the no form of this command.
snmp-server contact word
Syntax Description
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
None.
Examples
ise/admin(config)# snmp-server contact Lukeise/admin(config)#Related Commands
Sends traps to a remote system.
Sets up the community access string to permit access to the SNMP.
Configures the SNMP location MIB value on the system.
snmp-server host
To send SNMP traps to a remote user, use the snmp-server host command in Configuration mode. To remove trap forwarding, use the no form of this command.
snmp-server host {ip-address | hostname} version {1 | 2c} community
Syntax Description
Defaults
Disabled.
Command Modes
Configuration
Usage Guidelines
The command takes arguments as listed; otherwise, an error occurs. SNMP traps are not supported.
Examples
ise/admin(config)# snmp-server community new roise/admin(config)# snmp-server host 209.165.202.129 version 1 passwordise/admin(config)#Related Commands
Sets up the community access string to permit access to SNMP.
Configures the SNMP location MIB value on the system.
Configures the SNMP contact MIB value on the system.
snmp-server location
To configure the SNMP location MIB value on the system, use the snmp-server location command in Configuration mode. To remove the system location information, use the no form of this command.
snmp-server location word
Syntax Description
Defaults
No default behavior or values.
Command Modes
Configuration
Usage Guidelines
Cisco recommends that you use underscores (_) or hyphens (-) between the terms within the word string. If you use spaces between terms within the word string, you must enclose the string in quotation marks (").
Examples
Example 1
ise/admin(config)# snmp-server location Building_3/Room_214ise/admin(config)#Example 2
ise/admin(config)# snmp-server location "Building 3/Room 214"ise/admin(config)#Related Commands
Sends traps to a remote system.
Sets up the community access string to permit access to SNMP.
Configures the SNMP location MIB value on the system.
username
To add a user who can access the Cisco ISE appliance using SSH, use the username command in Configuration mode. If the user already exists, the password, the privilege level, or both change with this command. To delete the user from the system, use the no form of this command.
username username password {hash | plain} password role {admin | user] [disabled [email email-address]] [email email-address]
For an existing user, use the following command option:
username username password role {admin | user} password
Syntax Description
Defaults
The initial user during setup.
Command Modes
Configuration
Usage Guidelines
The username command requires that the username and password keywords precede the hash | plain and the admin | user options.
Examples
Example 1
ise/admin(config)# username admin password hash ###### role adminise/admin(config)#Example 2
ise/admin(config)# username admin password plain Secr3tp@swd role adminise/admin(config)#Example 3
ise/admin(config)# username admin password plain Secr3tp@swd role admin email admin123@mydomain.comise/admin(config)#Related Commands
Enables and configures the password policy.
Displays a list of users and their privilege level. It also displays a list of logged-in users.
