Cisco ISE Command-Line Interface


Note


The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.


This chapter provides information on the Cisco Identity Services Engine (Cisco ISE) command-line interface (CLI) that you can use to configure and maintain Cisco ISE.

Cisco ISE Administration and Configuration Using CLI

The Cisco ISE command-line interface (CLI) allows you to perform system-level configuration in EXEC mode and other configuration tasks in configuration mode (some of which cannot be performed from the Cisco ISE Admin portal), and generate operational logs for troubleshooting.

You can use either the Cisco ISE Admin portal or the CLI to apply Cisco ISE application software patches, generate operational logs for troubleshooting, and back up the Cisco ISE application data. Additionally, you can use the Cisco ISE CLI to start and stop the Cisco ISE application software, restore the application data from a backup, upgrade the application software, view all system and application logs for troubleshooting, and reload or shut down the Cisco ISE device.

Refer to the chapters "Cisco ISE CLI Commands in EXEC Mode", "Cisco ISE CLI Commands in EXEC Show Mode", or "Cisco ISE CLI Commands in Configuration Mode" in the Cisco ISE Command Reference Guides for command syntax, usage guidelines, and examples.

Accessing the Cisco ISE CLI Using a Local System

If you need to configure Cisco ISE locally without connecting to a wired Local Area Network (LAN), you can connect a system directly to the console port of the Cisco ISE device. The serial console port (EIA/TIA-232 asynchronous) provides local access to the Cisco ISE CLI through a terminal, which is either a system running terminal-emulation software or an ASCII terminal. No network connectivity is needed; only a null-modem cable is required.

  • To connect a system running terminal-emulation software to the console port, use a DB-9 female to DB-9 female null-modem cable.

  • To connect an ASCII terminal to the console port, use a DB-9 female to DB-25 male straight-through cable with a DB-25 female to DB-25 female gender changer.

The default parameters for the console port are 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.


Note


If you are using a Cisco switch on the other side of the connection, set the switchport to duplex auto, speed auto (the default).


Procedure


Step 1

If you use SNS appliances, connect a null-modem cable to the console port in the Cisco ISE device and to the COM port on your system.

In the case of virtual machines or public cloud platforms, there is no physical console port; use the console access provided by the hypervisor or cloud platform instead.

Step 2

Set up a terminal emulator to communicate with Cisco ISE. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.

Step 3

When the terminal emulator activates, press Enter.

Step 4

Enter your username and press Enter.

Step 5

Enter the password and press Enter.


Accessing the Cisco ISE CLI with Secure Shell

Cisco ISE is preconfigured through the setup utility with a CLI administrator account. To log in over the network with an SSH client from a supported client system (see Supported Hardware and Software Platforms for Cisco ISE CLI), log in as that administrator.

Before you begin

To access the Cisco ISE CLI, use any Secure Shell (SSH) client that supports SSH v2.

Procedure


Step 1

Use any SSH client and start an SSH session.

Step 2

Press Enter or Spacebar to connect.

Step 3

Enter a hostname, username, port number, and authentication method. For example, enter ise (or the IPv4 or IPv6 address of the remote host) as the hostname, admin as the username, and 22 as the port number; for the authentication method, choose Password from the drop-down list.

Step 4

Click Connect, or press Enter.

Step 5

Enter your assigned password for the administrator.

Step 6

(Optional) Enter a profile name in the Add Profile window and click Add to Profile.

Step 7

Click Close on the Add Profile window.
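The SSH procedure above identifies the Cisco ISE node only by hostname or IP address, so the first network login is the point at which the node's SSH host key should be checked rather than accepted blindly. The following Python is an added example and is not part of the Cisco ISE documentation: it reproduces the OpenSSH host-key fingerprint format (SHA256 over the raw public-key blob, base64 without padding) from a known_hosts or ssh-keyscan style line, so that the key an SSH client presents can be compared with a fingerprint recorded out of band, for example during a serial console session. The hostname ise.example.com and the key bytes are constructed for the example and are not a real Cisco ISE key.

```python
"""Pin a Cisco ISE node's SSH host key before the first CLI login over the network.

Added example; not part of the Cisco ISE documentation. It reproduces the
OpenSSH fingerprint format (SHA256:<base64 without padding> over the raw
public-key blob) from a known_hosts / ssh-keyscan style line. The hostname
ise.example.com and the key bytes are constructed for this example.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_keyline(host: str, public_key: bytes) -> str:
    """Build a known_hosts-style line ('<host> ssh-ed25519 <base64 blob>') for a 32-byte key."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(public_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


def fingerprint_of_keyline(line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint of the key in a known_hosts / ssh-keyscan line.

    The line is '<host> <keytype> <base64 key> [comment]'. The base64 blob begins
    with the key type as an SSH string, which must agree with the keytype field.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64 key>'")
    keytype, encoded = fields[1], fields[2]
    blob = base64.b64decode(encoded, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != keytype.encode("ascii"):
        raise ValueError("key type field does not match the encoded blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH strips the base64 padding from fingerprints.
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_host_key(line: str, pinned_fingerprint: str) -> bool:
    """Compare the observed key's fingerprint with the pinned one in constant time."""
    return hmac.compare_digest(fingerprint_of_keyline(line), pinned_fingerprint)


# Constructed sample: the line ssh-keyscan might print for an ISE node on port 22.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_KEYLINE = build_ed25519_keyline("[ise.example.com]:22", SAMPLE_PUBKEY)

if __name__ == "__main__":
    observed = fingerprint_of_keyline(SAMPLE_KEYLINE)
    print(SAMPLE_KEYLINE)
    print("observed fingerprint:", observed)
    # In practice the pinned value is recorded out of band, e.g. from the console session.
    print("matches pinned value:", verify_host_key(SAMPLE_KEYLINE, observed))
    print("matches a wrong value:", verify_host_key(SAMPLE_KEYLINE, "SHA256:" + "A" * 43))
```

Record the node's fingerprint while you still have trusted access (for example over the console port) and compare it with the fingerprint the SSH client displays on the first network connection; on a mismatch, abandon the session instead of accepting the key.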


Cisco ISE CLI Administrator Account

During the initial setup, you are prompted to enter a username and password; these create the CLI administrator account. Log into the Cisco ISE server using this account when you restart Cisco ISE after the initial configuration.

After the initial setup, the passwords for the Cisco ISE GUI and the Cisco ISE CLI are managed independently. Updating one password does not affect the other.

You must always protect the CLI administrator account credentials, and use this account to explicitly create and manage additional administrator and user accounts with access to the Cisco ISE server.

CLI administrators can execute all commands to perform system-level configuration in EXEC mode (root access) and other configuration tasks in configuration mode on the Cisco ISE server. You can start and stop the Cisco ISE application software, back up and restore the Cisco ISE application data, apply software patches and upgrades to the Cisco ISE application software, view all system and application logs, and reload or shut down the Cisco ISE device.

A pound sign (#) appears at the end of the prompt for an administrator account, regardless of the submode.

Cisco ISE CLI User Accounts

Any user whose account you create from the Cisco ISE Admin portal cannot automatically log into the Cisco ISE CLI. You must explicitly create user accounts with access to the CLI using the CLI administrator account. Use the command generate-password <username> to generate a password that complies with the Cisco ISE Password Policy for a CLI user account.

Creating a Cisco ISE CLI User Account

You must run the username command in configuration mode to create CLI user accounts. The password is supplied in clear text on the command line with the plain keyword, so it is visible to anyone watching the session; you can run generate-password <username> first to obtain a value that complies with the Cisco ISE Password Policy.

Procedure


Step 1

Log into the Cisco ISE CLI using the CLI administrator account.

Step 2

Enter into configuration mode and run the username command.


ise/admin# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ise/admin(config)# username duke password plain Plain@123 role user email duke@cisco.com
ise/admin(config)# exit
ise/admin#

Step 3

Log into the Cisco ISE CLI using the CLI user account.


Cisco ISE CLI User Account Privileges

User accounts have access to a restricted set of commands, including the following:

  • crypto: Crypto operations

  • exit: Exit the management session

  • generate-password: Generate a policy-compliant password for the named user

  • license: License operations

  • nslookup: DNS lookup for an IP address or hostname

  • password: Update Password

  • ping: Ping a remote IP address

  • ping6: Ping a remote IPv6 address

  • show: Show information about the system

  • terminal: Set terminal type

  • traceroute: Trace the route to a remote IP address

Supported Hardware and Software Platforms for Cisco ISE CLI

You can connect to the Cisco ISE server and access the CLI using the following:

  • A system running Microsoft Windows 10 or later releases.

  • A system running Linux, such as Red Hat or Fedora.

  • An Apple computer running Mac OS X 10.4 or later.

  • Any terminal device compatible with VT100 or ANSI characteristics. On VT100-type and ANSI devices, you can use cursor-control and cursor-movement keys including the left arrow, right arrow, up arrow, down arrow, Delete, and Backspace keys. The Cisco ISE CLI senses the use of the cursor-control keys and automatically uses the optimal device characteristics.