Table Of Contents
Overview of the Cisco ISE CLI
User Accounts in the Cisco ISE CLI
Command Modes in the Cisco ISE CLI
Understanding Command Modes
EXEC Mode
Configuration Mode
Configuration Submodes
EXEC Commands
Show Commands
Configuration Commands
CLI Audit
Overview of the Cisco ISE CLI
This chapter contains the following sections:
• User Accounts in the Cisco ISE CLI
• Command Modes in the Cisco ISE CLI
• CLI Audit
User Accounts in the Cisco ISE CLI
There are two types of Cisco ISE CLI user accounts:
• admin (administrator)—an administrator user account that creates and manages other user accounts as well as configures functions in the Cisco ISE CLI.
• operator (user)—a user account with limited privileges and access to the Cisco ISE server.
When you power up Cisco ISE appliances for the first time, you are prompted to run the setup utility to configure them. During this setup process, an admin account is created. After you enter the initial configuration information, the appliances automatically reboot and prompt you to enter the username and the password that you specified for the admin account. You must use this admin account to log in to the Cisco ISE CLI for the first time.
To create additional admin and operator user accounts and access the Cisco ISE CLI using SSH, enter the username command in configuration mode (see the username command).
You can tell which mode you are in by looking at the prompt. Logging in to the Cisco ISE node places you in the admin (EXEC) mode or the Operator (user) mode, which always requires a username and password for authentication. A pound sign (#) appears at the end of the prompt for an admin account and a right angle bracket (>) appears at the end of the prompt for an Operator account, regardless of the submode.
Table 1-1 Cisco ISE CLI User Account Command Privileges
(User Account columns: * = the account can run the command, — = it cannot)
Command | Command Mode | Admin | Operator
application | EXEC | * | —
backup | EXEC | * | —
backup-logs | EXEC | * | —
cdp run | Configuration | * | —
clock | EXEC, Configuration | * | —
conn-limit | Configuration | * | —
configure terminal | EXEC | * | —
copy | EXEC | * | —
crypto | EXEC | * | —
debug | EXEC | * | —
delete | EXEC | * | —
dir | EXEC | * | —
end | Configuration | * | —
exit | EXEC | * | *
forceout | EXEC | * | —
halt | EXEC | * | —
hostname | Configuration | * | —
icmp | Configuration | * | —
interface | Configuration | * | —
ip default-gateway | Configuration | * | —
ip domain-name | Configuration | * | —
ip host | Configuration | * | —
ip name-server | Configuration | * | —
ip route | Configuration | * | —
kron | Configuration | * | —
logging | Configuration | * | —
max-ssh-sessions | Configuration | * | —
mkdir | EXEC | * | —
nslookup | EXEC | * | *
ntp | Configuration | * | —
ntp server | Configuration | * | —
password | EXEC | * | —
password-policy | Configuration | * | —
patch | EXEC | * | —
patch install | EXEC | * | —
patch remove | EXEC | * | —
pep (Inline Posture node) | EXEC | * | —
ping | EXEC | * | —
ping6 | EXEC | * | *
reload | EXEC | * | —
rate-limit | Configuration | * | —
repository | Configuration | * | —
restore | EXEC | * | —
rmdir | EXEC | * | —
service | Configuration | * | —
show application | EXEC | * | —
show backup | EXEC | * | —
show cdp | EXEC | * | *
show clock | EXEC | * | *
show cpu | EXEC | * | *
show disks | EXEC | * | *
show icmp_status | EXEC | * | *
show interface | EXEC | * | *
show inventory | EXEC | * | *
show ip route | EXEC | * | —
show logging | EXEC | * | —
show logins | EXEC | * | *
show memory | EXEC | * | *
show ntp | EXEC | * | *
show pep | EXEC | * | *
show ports | EXEC | * | *
show process | EXEC | * | *
show repository | EXEC | * | —
show restore | EXEC | * | —
show running-config | EXEC | * | —
show startup-config | EXEC | * | —
show tech-support | EXEC | * | —
show terminal | EXEC | * | *
show timezone | EXEC | * | *
show timezones | EXEC | * | —
show udi | EXEC | * | *
show uptime | EXEC | * | *
show users | EXEC | * | —
show version | EXEC | * | *
snmp-server | Configuration | * | —
ssh | EXEC | * | *
tech | EXEC | * |
telnet | EXEC | * | *
terminal | EXEC | * | *
traceroute | EXEC | * | *
undebug | EXEC | * | —
username | Configuration | * | —
write | EXEC | * | —
Command Modes in the Cisco ISE CLI
The Cisco ISE CLI supports the following command modes:
• EXEC—Use commands in EXEC mode to perform system-level configuration and generate operational logs. See EXEC Commands and Table 1-7.
• Configuration—Use commands in configuration mode to perform configuration tasks in Cisco ISE and generate operational logs. See Configuration Commands and Table 1-6.
Understanding Command Modes
This section describes the Cisco ISE command modes in detail. The primary modes of operation are:
• EXEC Mode
• Configuration Mode
• Configuration Submodes
EXEC Mode
When you start a session in the Cisco ISE CLI, you begin in EXEC mode. From EXEC mode, you can enter configuration mode. Most EXEC commands (one-time commands), such as show commands, display the current configuration status. The EXEC mode prompt consists of the device name or hostname before a pound sign (#), as shown:
ise/admin#
Note
Throughout the examples in this guide, we use ise for the hostname and admin for the user account.
You can always tell whether you are in EXEC mode or configuration mode by looking at the prompt.
• In EXEC mode, a pound sign (#) appears after the Cisco ISE server hostname and your username. For example:
ise/admin#
• In configuration mode, the (config) keyword and a pound sign (#) appear after the hostname of the Cisco ISE server and your username. For example:
ise/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ise/admin(config)# (configuration mode)
If you are familiar with UNIX, you can equate EXEC mode to root access. It is also similar to the administrator level in Windows NT and the supervisor in NetWare. In EXEC mode, you have permission to access everything in the Cisco ISE server, including configuration commands. However, you cannot enter configuration commands directly. Before you can change the actual configuration of the Cisco ISE server, you must enter configuration mode by running the configure or configure terminal (conf t) command. Enter this command only when in EXEC mode.
For example:
ise/admin# configure terminal
Enter configuration commands, one per line. End with CNTL-Z.
ise/admin(config)# (configuration mode)
The configuration mode has several submodes; each has its own prompt. To enter these submodes, you must first enter configuration mode by entering the configure terminal command.
To exit configuration mode, enter the end, exit, or Ctrl-z command. To exit EXEC mode, enter the exit command. To exit both Configuration and EXEC modes, enter this sequence of commands:
ise/admin(config)# exit
ise/admin# exit
To obtain a listing of commands in EXEC mode, enter a question mark (?):
ise/admin# ?
Configuration Mode
Use configuration mode to make changes to the existing configuration. When you save the configuration, these commands remain across Cisco ISE server reboots, but only if you run either of these commands:
• copy running-config startup-config
• write memory
To enter configuration mode, run the configure or configure terminal (conf t) command in EXEC mode. When in configuration mode, the Cisco ISE expects configuration commands.
For example:
ise/admin# configure terminal
Enter configuration commands, one per line. End with CNTL-Z.
ise/admin(config)# (configuration mode)
From this level, you can enter commands directly into the Cisco ISE configuration. To obtain a listing of commands in this mode, enter a question mark (?):
ise/admin(config)# ?
The configuration mode has several configuration submodes. Each of these submodes places you deeper in the prompt hierarchy. When you enter exit, the Cisco ISE backs you out one level and returns you to the previous level. When you enter exit again, the Cisco ISE backs you out to the EXEC level.
Note
In configuration mode, you can alternatively enter Ctrl-z instead of the end or exit command.
Configuration Submodes
In the configuration submodes, you can enter commands for specific configurations. For example:
ise/admin# configure terminal
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)#
To obtain a list of commands in this mode, enter a question mark (?):
ise/admin(config-GigabitEthernet)# ?
Use the exit or end command to exit this prompt and return to the configuration prompt.
Table 1-2 lists the commands in the interface GigabitEthernet 0 configuration submode. Other configuration submodes exist including those specific to the kron, repository, and password policy commands.
Table 1-2 Command Options in the Interface GigabitEthernet 0 Configuration Submode
Command:
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# ?
Configure ethernet interface:
  end       Exit from configure mode
  exit      Exit from this submode
  ipv6      Configure IPv6 features
  no        Negate a command or set its defaults
  shutdown  Shutdown the interface
ise/admin(config-GigabitEthernet)#
Comment: Enter the command that you want to configure for the interface. This example uses the interface GigabitEthernet command. Enter ? to display what you must enter next on the command line. This example shows the available interface GigabitEthernet configuration submode commands.
Command:
ise/admin(config-GigabitEthernet)# ip ?
  address   Configure IP address
ise/admin(config-GigabitEthernet)# ip
Comment: Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows the available ip configuration submode commands.
Command:
ise/admin(config-GigabitEthernet)# ip address ?
ise/admin(config-GigabitEthernet)# ip address
Comment: Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IPv4 address. A carriage return <cr> does not appear; therefore, you must enter additional arguments to complete the command.
Command:
ise/admin(config-GigabitEthernet)# ip address 172.16.0.1 ?
ise/admin(config-GigabitEthernet)# ip address 172.16.0.1
Comment: Enter the keyword or argument that you want to use. This example uses the 172.16.0.1 IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter a network mask. A carriage return <cr> does not appear; therefore, you must enter additional arguments to complete the command.
Command:
ise/admin(config-GigabitEthernet)# ip address 172.16.0.1 255.255.255.224 ?
ise/admin(config-GigabitEthernet)# ip address 172.16.0.1 255.255.255.224
Comment: Enter the network mask. This example uses the 255.255.255.224 network mask. Enter ? to display what you must enter next on the command line. In this example, you can press Enter. A carriage return <cr> appears; you can press Enter to complete the command.
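Table 1-2 walks the ip address command one token at a time, with ? showing what the parser still needs and <cr> appearing only once both the address and the mask are present. The following Python function is an added example, not code from the Cisco ISE CLI reference: it models that context-sensitive help for the ip address command and rejects a non-contiguous netmask, which the guide's walk-through does not cover. The "address   Configure IP address" entry is taken from the table; the other help strings and the error prefixes are assumptions made for this example.

```python
"""Context-sensitive '?' help for the 'ip address' interface submode command.

Added example, not code from the Cisco ISE CLI reference. It models the walk-through
in Table 1-2: after 'ip' the only keyword is 'address'; an IPv4 address and then a
network mask are required before '<cr>' is offered. Help strings other than the
'address' entry from the guide are constructed for this example.
"""
import ipaddress


def _valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _valid_mask(text):
    """A network mask must be a contiguous run of 1 bits, e.g. 255.255.255.224."""
    if not _valid_ipv4(text):
        return False
    inverted = (~int(ipaddress.IPv4Address(text))) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0      # the inverted mask is 2**n - 1


def help_for(line):
    """Return the '?' entries the parser would show for the partial command line."""
    words = line.split()
    if words[:1] != ["ip"]:
        return ["% Unrecognized command"]
    if len(words) == 1:
        return ["address   Configure IP address"]
    if words[1] != "address":
        return ["% Unrecognized keyword: " + words[1]]
    if len(words) == 2:
        return ["<A.B.C.D>   IPv4 address"]          # no <cr>: more arguments needed
    if not _valid_ipv4(words[2]):
        return ["% Invalid IPv4 address: " + words[2]]
    if len(words) == 3:
        return ["<A.B.C.D>   Network mask"]          # still no <cr>
    if not _valid_mask(words[3]):
        return ["% Invalid network mask: " + words[3]]
    if len(words) == 4:
        return ["<cr>"]                               # command is complete
    return ["% Too many arguments"]


if __name__ == "__main__":
    for partial in ("ip", "ip address", "ip address 172.16.0.1",
                    "ip address 172.16.0.1 255.255.255.224",
                    "ip address 172.16.0.1 255.255.255.225"):
        print(f"{partial} ?  ->  {help_for(partial)}")
```

The mask check is the part worth keeping: the real CLI only tells you what token comes next, so a mask such as 255.255.255.225 has to be caught by validation, not by the help output.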
EXEC Commands
EXEC commands are primarily system-level configuration commands.
• Table 1-3 describes the EXEC commands.
• Table 1-4 describes the show commands in EXEC mode.
For detailed information on EXEC and configuration command modes, see Navigating CLI Commands.
Table 1-3 EXEC Commands
Command | Description
application configure | Configures a specific application.
application install | Installs a specific application bundle.
application remove | Removes a specific application.
application reset-config | Resets the Cisco ISE configuration to factory defaults.
application reset-passwd | Resets the application password for a specific user (admin) in the application.
application start | Starts or enables a specific application.
application stop | Stops or disables a specific application.
application upgrade | Upgrades a specific application bundle.
backup | Performs a backup and places the backup in a repository.
backup-logs | Performs a backup of all logs in the Cisco ISE server to a remote location.
clock | Sets the system clock in the Cisco ISE server.
configure | Enters configuration mode.
copy | Copies any file from a source to a destination.
crypto key | Performs crypto key operations.
debug | Displays any errors or events for various commands executed. For example, displays backup and restore, configuration, copy, resource locking, file transfer, and user management debugging information.
delete | Deletes a file in the Cisco ISE server.
dir | Lists the files in the Cisco ISE server.
exit | Disconnects the encrypted session with a remote system. Exits from the current command mode to the previous command mode.
forceout | Forces the logout of all sessions of a specific Cisco ISE server system user.
halt | Disables or shuts down the Cisco ISE server.
help | Describes the help utility and how to use it in the Cisco ISE server.
mkdir | Creates a new directory.
nslookup | Queries the IPv4 address or hostname of a remote system.
password | Updates the CLI password.
patch | Installs a system or application patch.
pep | Configures the Inline Posture node.
ping | Determines the IPv4 network connectivity to a remote system.
ping6 | Determines the IPv6 network connectivity to a remote system.
reload | Reboots the Cisco ISE server.
restore | Restores a previous backup.
rmdir | Removes an existing directory.
show | Provides information about the Cisco ISE server.
ssh | Starts an encrypted session with a remote system.
tech | Lists Cisco Technical Assistance Center (TAC) commands.
telnet | Establishes a Telnet connection to a remote system.
terminal length | Sets terminal line parameters.
terminal session-timeout | Sets the inactivity timeout for all terminal sessions.
terminal session-welcome | Sets the welcome message on the system for all terminal sessions.
terminal terminal-type | Specifies the type of terminal connected to the current line of the current session.
traceroute | Traces the route of a remote IP address.
undebug | Disables the output of errors or events of the debug command for various commands executed. For example, disables the output of backup and restore, configuration, copy, resource locking, file transfer, and user management debugging information.
write | Depending on the keyword, erases the startup configuration (which forces the setup utility to run and prompt for the network configuration), copies the running configuration to the startup configuration, or displays the running configuration on the console.
Show Commands
The show commands are used to display the Cisco ISE settings.
The commands in Table 1-4 require the show command to be followed by a keyword. Some show commands require an argument or a variable after the keyword to function.
Table 1-4 Show Commands
Command | Description
show application (requires keyword) | Displays information about the installed Cisco ISE application. For example, status information or version information of the installed Cisco ISE application.
show backup (requires keyword) | Displays information about Cisco ISE backup.
show banner | Shows login banners.
show cdp (requires keyword) | Displays information about the enabled Cisco Discovery Protocol interfaces.
show clock | Displays the day, date, time, time zone, and year of the system clock.
show cpu | Displays CPU information.
show crypto | Displays crypto information.
show disks | Displays file-system information of the disks.
show icmp_status | Displays the Internet Control Message Protocol (ICMP) echo response configuration information.
show interface | Displays statistics for all interfaces configured in the Cisco ISE server.
show inventory | Displays information about the hardware inventory, including the Cisco ISE appliance model and serial number.
show ip route | Displays information in the IP routing table for a Cisco ISE server.
show logging (requires keyword) | Displays the Cisco ISE server logging information.
show logins (requires keyword) | Displays the login history of the Cisco ISE server.
show memory | Displays memory usage by all running processes.
show ntp | Displays the status of the Network Time Protocol (NTP) servers.
show pep | Displays the Inline Posture node information.
show ports | Displays all processes listening on the active ports.
show process | Displays information about the active processes of the Cisco ISE server.
show repository (requires keyword) | Displays the file contents of a specific repository.
show restore (requires keyword) | Displays the restore history in Cisco ISE.
show running-config | Displays the contents of the configuration file that currently runs in Cisco ISE.
show startup-config | Displays the contents of the startup configuration in Cisco ISE.
show tech-support | Displays system and configuration information that you can provide to the TAC when you report a problem.
show terminal | Displays information about the terminal configuration parameter settings for the current terminal line.
show timezone | Displays the current time zone in the Cisco ISE.
show timezones | Displays all time zones available for use in the Cisco ISE.
show udi | Displays information about the unique device identifier (UDI) of the Cisco ISE.
show uptime | Displays how long the system you are logged in to has been up and running.
show users | Displays information about the system users.
show version | Displays information about the currently loaded software version, along with hardware and device information.
Configuration Commands
Configuration commands are used to configure Cisco ISE. To access configuration mode, run the configure command in EXEC mode. Some of the configuration commands require that you enter the applicable configuration submode to complete the configuration.
For more information on configuration mode and submode commands, see Navigating CLI Commands.
Table 1-5 Configuration Commands
Command | Description
cdp holdtime | Specifies the amount of time the receiving device should hold a Cisco Discovery Protocol packet from the Cisco ISE server before discarding it.
cdp run | Enables Cisco Discovery Protocol.
cdp timer | Specifies how often the Cisco ISE server sends Cisco Discovery Protocol updates.
clock timezone | Sets the time zone for display purposes.
conn-limit | Configures the TCP connection limit from the source IP.
do | Executes an EXEC-level command from configuration mode or any configuration submode. Note: the do command precedes the EXEC command.
end | Returns to EXEC mode.
exit | Exits configuration mode.
hostname | Sets the hostname of the system.
icmp echo | Configures the ICMP echo requests.
interface | Configures an interface type and enters interface configuration mode.
ipv6 address autoconfig | Enables IPv6 stateless autoconfiguration in the interface configuration mode.
ipv6 address dhcp | Enables IPv6 address DHCP in the interface configuration mode.
ip address | Sets the IP address and netmask for the Ethernet interface. Note: this is an interface configuration command.
ip default-gateway | Defines or sets a default gateway with an IP address.
ip domain-name | Defines a default domain name that a Cisco ISE server uses to complete hostnames.
ip host | Configures host aliases and FQDN string to IP address mapping.
ip name-server | Sets the Domain Name System (DNS) servers for use during a DNS query.
ip route | Configures an IP route for an IP address.
kron occurrence | Schedules one or more Command Scheduler commands to run at a specific date and time or at a recurring time.
kron policy-list | Specifies a name for a Command Scheduler policy.
logging loglevel | Configures the log level for the logging command.
max-ssh-sessions | Configures the number of concurrent SSH sessions.
no | Disables or removes the function associated with a command.
ntp | Synchronizes the software clock through the NTP server for the system.
ntp authenticate | Enables authentication of all time sources.
ntp authentication-key | Adds Message Digest 5 (MD5)-type authentication keys for trusted time sources.
ntp server | Specifies an NTP server to use.
ntp trusted-key | Specifies the key numbers for trusted time sources.
password-policy | Enables and configures the password policy.
rate-limit | Configures the TCP/UDP/ICMP packet-rate limit from the source IP.
repository | Enters the repository submode.
service | Specifies the type of service to manage.
snmp-server community | Sets up the community access string to permit access to the Simple Network Management Protocol (SNMP).
snmp-server contact | Configures the SNMP contact Management Information Base (MIB) value on the system.
snmp-server host | Sends SNMP traps to a remote system.
snmp-server location | Configures the SNMP location MIB value on the system.
username | Adds a user to the system with a password and a privilege level.
CLI Audit
You must have administrator access to execute Cisco ISE configuration commands. Whenever an administrator logs in to configuration mode and executes a command that causes configurational changes in the Cisco ISE server, the information related to those changes is logged in the Cisco ISE operational logs.
Table 1-6 Configuration Mode Commands for Operational Logs
Command | Description
clock | Configures the time zone.
hostname | Configures the hostname of the system.
interface | Configures an interface type and enters the interface configuration mode.
ip address | Sets the IP address and netmask for the Ethernet interface.
ip name-server | Sets the DNS servers to be used during a DNS query.
ip default-gateway | Defines or sets a default gateway with an IP address.
kron | Configures the Command Scheduler.
logging | Configures system logging.
ntp | Specifies the NTP configuration.
ntp server | Allows synchronization of the software clock by the NTP server for the system.
repository | Configures a repository.
service sshd | Specifies the service to be managed.
snmp-server | Configures the SNMP server.
username | Creates a user.
In addition to configuration mode commands, some commands in EXEC mode generate operational logs.
Table 1-7 EXEC Mode Commands for Operational Logs
Command | Description
application | Application install and administration.
backup | Performs a backup (Cisco ISE and Cisco ADE OS) and places the backup in a repository.
backup-logs | Backs up system and application logs.
copy | Copy commands.
delete | Deletes a file.
forceout | Forces the logout of all sessions of a specific Cisco ISE server system user.
halt | Shuts down the system.
mkdir | Creates a new directory.
patch | Installs a system or application patch.
reload | Reboots the system.
restore | Restores the system.
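Table 1-6 is also a checklist for detection: every configuration change made through one of those commands should have a matching entry in the operational logs, and a change made with a command outside the table (max-ssh-sessions, for instance) will not be caught by the CLI audit trail alone. The following Python script is an added example, not code from the Cisco ISE CLI reference: it diffs two constructed running-configuration snapshots, maps each changed line to the Table 1-6 command family it belongs to, and reconciles the audited changes against a constructed list of commands recovered from the operational log. The snapshot lines, the log entries and the command syntax beyond the keywords listed in the guide are constructed for the example; they are not real show running-config output or the ISE log format.

```python
"""Reconcile configuration drift with the CLI audit trail (Table 1-6).

Added example; not code from the Cisco ISE CLI reference. It diffs two constructed
configuration snapshots, attributes each added line to the configuration-mode command
family the guide says is recorded in the operational logs, and checks that a log entry
exists for it. Snapshots, log entries and argument syntax are constructed here and are
not real Cisco ISE output.
"""

# Configuration-mode commands the guide lists as generating operational logs (Table 1-6).
AUDITED_CONFIG_COMMANDS = (
    "clock", "hostname", "interface", "ip address", "ip name-server",
    "ip default-gateway", "kron", "logging", "ntp", "ntp server",
    "repository", "service sshd", "snmp-server", "username",
)


def config_lines(snapshot):
    """Non-empty, stripped configuration lines of a snapshot."""
    return {line.strip() for line in snapshot.splitlines() if line.strip()}


def diff_config(before, after):
    """Lines added and lines removed between two snapshots, each sorted."""
    old, new = config_lines(before), config_lines(after)
    return sorted(new - old), sorted(old - new)


def audit_family(line):
    """Longest Table 1-6 command that prefixes the line, or None if the change is not audited."""
    matches = [c for c in AUDITED_CONFIG_COMMANDS if line == c or line.startswith(c + " ")]
    return max(matches, key=len) if matches else None


def reconcile(before, after, oplog_commands):
    """Classify every added line as logged, audited-but-unlogged, or outside the audited set."""
    added, removed = diff_config(before, after)
    logged = set(oplog_commands)
    report = {"logged": [], "missing_log": [], "not_audited": [], "removed": removed}
    for line in added:
        if audit_family(line) is None:
            report["not_audited"].append(line)   # no CLI audit entry expected: verify another way
        elif line in logged:
            report["logged"].append(line)
        else:
            report["missing_log"].append(line)   # audited command with no log entry: investigate
    return report


# Constructed snapshots; keywords come from Table 1-5, arguments are made up.
BEFORE = """\
hostname ise
ip domain-name example.test
ip name-server 172.16.0.53
ntp server 172.16.0.254
max-ssh-sessions 5
logging loglevel 6
"""
AFTER = """\
hostname ise
ip domain-name example.test
ip name-server 172.16.0.53
ip name-server 198.51.100.9
ntp server 172.16.0.254
ntp server 203.0.113.7
max-ssh-sessions 10
logging loglevel 7
"""
# Constructed: command text extracted from operational-log entries for the same window.
OPLOG_COMMANDS = ["ip name-server 198.51.100.9", "logging loglevel 7"]

if __name__ == "__main__":
    for category, lines in reconcile(BEFORE, AFTER, OPLOG_COMMANDS).items():
        print(f"{category}:")
        for line in lines:
            print("   ", line)
```

In the constructed data the new NTP server is an audited change with no log entry, which is the case to chase first; the changed max-ssh-sessions value is real drift that the audit trail was never going to record, so periodic configuration diffs belong beside the operational logs rather than being replaced by them.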