Cisco Ise 14 User Guide
Cisco Identity Services Engine CLI Reference Guide, Release 1.4
Cisco ISE CLI Commands in Configuration Mode

Switch to Configuration Mode in EXEC Mode

In EXEC mode, you can enter into configuration mode by running the configure or configure terminal (conf t) command.

You cannot enter configuration commands directly in EXEC mode from the Cisco ISE CLI. Some of the configuration commands require you to enter the configuration submode to complete the command configuration.

To exit configuration mode, enter the exit, end, or Ctrl-z command.

Configuration commands include interface, Policy List, and repository.

You can perform configuration tasks in configuration mode. You must save your configuration changes so that you preserve them during a system reload or power outage.

When you save the configuration, these commands remain across Cisco ISE server reboots, but only if you run either of these commands:
• copy running-config startup-config
• write memory

Configuring Cisco ISE in the Configuration Mode

You can enter configuration and configuration submodes commands to change the actual configuration of the Cisco ISE server in configuration mode.

Step 1 Enter configure terminal to enter into the configuration mode.

    ise/admin# configure terminal
    Enter configuration commands, one per line. End with CNTL-Z.
    ise/admin(config)# (configuration mode)

Step 2 Enter a question mark (?) to obtain a listing of commands in the configuration mode.

    ise/admin(config)# ?
    Configure commands:
      cdp                CDP Configuration parameters
      clock              Configure timezone
      conn-limit         Configure a TCP connection limit from source IP
      do                 EXEC command
      end                Exit from configure mode
      exit               Exit from configure mode
      hostname           Configure hostname
      icmp               Configure icmp echo requests
      interface          Configure interface
      ip                 Configure IP features
      kron               Configure command scheduler
      logging            Configure system logging
      max-ssh-sessions   Configure number of concurrent SSH sessions
      no                 Negate a command or set its defaults
      ntp                Specify NTP configuration
      password-policy    Password Policy Configuration
      rate-limit         Configure a TCP/UDP/ICMP packet rate limit from source IP
      repository         Configure Repository
      service            Specify service to manage
      snmp-server        Configure snmp server
      synflood-limit     Configure a TCP SYN packet rate limit
      username           User creation

Step 3 Enter into the configuration submode. The configuration mode has several configuration submodes. Each of these submodes places you deeper in the prompt hierarchy. From this level, you can enter commands directly into the Cisco ISE configuration.

    ise/admin(config)# interface GigabitEthernet 0
    ise/admin(config-GigabitEthernet)#

Step 4 Enter exit in sequence at the command prompt to exit both Configuration and EXEC modes. When you enter exit, Cisco ISE backs you out one level and returns you to the previous level. When you enter exit again, Cisco ISE backs you out to the EXEC level.

    ise/admin(config)# exit
    ise/admin# exit

Configuring Cisco ISE in the Configuration Submode

You can enter commands for specific configurations in the configuration submodes. You can use the exit or end command to exit this prompt and return to the configuration prompt.

Step 1 Enter configure terminal to enter into the configuration mode.

    ise/admin# configure terminal
    Enter configuration commands, one per line. End with CNTL-Z.
    ise/admin(config)# (configuration mode)

Step 2 Enter into the configuration submode.

    ise/admin# configure terminal
    ise/admin(config)# interface GigabitEthernet 0
    ise/admin(config-GigabitEthernet)# ?
    Configure ethernet interface:
      do         EXEC command
      end        Exit from configure mode
      exit       Exit from this submode
      ip         Configure IP features
      ipv6       Configure IPv6 features
      no         Negate a command or set its defaults
      shutdown   Shutdown the interface
    ise/admin(config-GigabitEthernet)# ip ?
      address    Configure IP address

Step 3 Enter exit at the command prompt to exit both configuration submode and configuration mode.

    ise/admin(config-GigabitEthernet)# exit
    ise/admin(config)# exit
    ise/admin#

CLI Configuration Command Default Settings

CLI configuration commands can have a default form, which returns the command settings to the default values. Most commands disable by default, so in such cases using the default form has the same result as using the no form of the command.

However, some commands are enabled by default and have variables set to certain default values. In these cases, the default form of the command enables the command and sets the variables to their default values.

cdp holdtime

To specify the amount of time for which the receiving device should hold a Cisco Discovery Protocol packet from the Cisco ISE server before discarding it, use the cdp holdtime command in configuration mode.

    cdp holdtime seconds

To revert to the default setting, use the no form of this command.

    no cdp holdtime

Syntax Description
    holdtime   Specifies the Cisco Discovery Protocol hold time advertised.
    seconds    Advertised hold time value, in seconds. The value ranges from 10 to 255 seconds.

Command Default
The default CDP holdtime, in seconds, is 180.

Command Modes
Configuration (config)#

Usage Guidelines
Cisco Discovery Protocol packets transmit with a time to live, or hold time, value. The receiving device will discard the Cisco Discovery Protocol information in the Cisco Discovery Protocol packet after the hold time has elapsed.

The cdp holdtime command takes only one argument; otherwise, an error occurs.

Example

    ise/admin(config)# cdp holdtime 60
    ise/admin(config)#

Related Commands
    cdp timer
    cdp run

cdp run

To enable the Cisco Discovery Protocol on all interfaces, use the cdp run command in configuration mode.

    cdp run GigabitEthernet

To disable the Cisco Discovery Protocol, use the no form of this command.

    no cdp run

Syntax Description
    run               Enables the Cisco Discovery Protocol. Disables the Cisco Discovery Protocol when you use the no form of the cdp run command.
    GigabitEthernet   (Optional). Specifies the GigabitEthernet interface on which to enable the Cisco Discovery Protocol.
    0-3               Specifies the GigabitEthernet interface number on which to enable the Cisco Discovery Protocol.

Command Default
No default behavior or values.

Command Modes
Configuration (config)#

Usage Guidelines
The command has one optional argument, which is an interface name. Without an optional interface name, the command enables the Cisco Discovery Protocol on all interfaces.

Note: The default for this command is on interfaces that are already up and running. When you are bringing up an interface, stop the Cisco Discovery Protocol first; then, start the Cisco Discovery Protocol again.

Example

    ise/admin(config)# cdp run GigabitEthernet 0
    ise/admin(config)#

Related Commands
    cdp holdtime
    cdp timer

cdp timer

To specify how often the Cisco ISE server sends Cisco Discovery Protocol updates, use the cdp timer command in configuration mode.

    cdp timer seconds

To revert to the default setting, use the no form of this command.

    no cdp timer

Syntax Description
    timer     Refreshes at the time interval specified.
    seconds   Specifies how often, in seconds, the Cisco ISE server sends Cisco Discovery Protocol updates. The value ranges from 5 to 254 seconds.

Command Default
The default refreshing time interval value, in seconds, is 60.

Command Modes
Configuration (config)#

Usage Guidelines
Cisco Discovery Protocol packets transmit with a time to live, or hold time, value. The receiving device will discard the Cisco Discovery Protocol information in the Cisco Discovery Protocol packet after the hold time has elapsed.

The cdp timer command takes only one argument; otherwise, an error occurs.

Example

    ise/admin(config)# cdp timer 60
    ise/admin(config)#

Related Commands
    cdp holdtime
    cdp run
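
The following pre-flight check is an added example, not part of the Cisco guide. It lints a change script against the limits stated in the cdp holdtime, cdp timer and cdp run entries above (argument count, value ranges, interface numbers 0-3, the no form) and flags CDP changes that are not followed by one of the two save commands. The function name lint_cdp_script and the sample script are constructed for illustration.

```python
# Limits and defaults are the ones stated in the cdp entries of this guide.
RANGES = {"holdtime": (10, 255), "timer": (5, 254)}
DEFAULTS = {"holdtime": 180, "timer": 60}
SAVE_COMMANDS = {"copy running-config startup-config", "write memory"}

# Constructed sample change script (not output captured from a real ISE node).
SAMPLE = ["configure terminal", "cdp holdtime 60", "cdp timer 300",
          "cdp run GigabitEthernet 4", "cdp holdtime 60 90", "end",
          "write memory", "configure terminal", "no cdp timer", "end"]


def lint_cdp_script(lines):
    """Return (effective_settings, findings) for a list of CLI command lines."""
    effective = dict(DEFAULTS, run=None)  # the guide lists no default for cdp run
    findings, unsaved = [], False
    for number, raw in enumerate(lines, start=1):
        words = raw.split()
        if " ".join(words) in SAVE_COMMANDS:
            unsaved = False
            continue
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if len(words) < 2 or words[0] != "cdp" or words[1] not in ("holdtime", "timer", "run"):
            continue  # only the three CDP commands are checked here
        keyword, args, problem = words[1], words[2:], None
        if keyword in RANGES:
            low, high = RANGES[keyword]
            if negate:
                effective[keyword] = DEFAULTS[keyword]  # no form reverts to the default
            elif len(args) != 1 or not args[0].isdigit():
                problem = f"cdp {keyword} takes exactly one numeric argument"
            elif not low <= int(args[0]) <= high:
                problem = f"cdp {keyword} must be {low}-{high} seconds"
            else:
                effective[keyword] = int(args[0])
        elif negate or not args:
            effective["run"] = "disabled" if negate else "all interfaces"
        elif len(args) == 2 and args[0] == "GigabitEthernet" and args[1] in ("0", "1", "2", "3"):
            effective["run"] = " ".join(args)
        else:
            problem = "cdp run accepts only GigabitEthernet 0-3 as its optional argument"
        if problem:
            findings.append((number, problem))
        else:
            unsaved = True
    if unsaved:
        findings.append((None, "CDP changes are not followed by a save command"))
    return effective, findings
```

Running lint_cdp_script(SAMPLE) reports the out-of-range timer, the invalid interface number, the two-argument holdtime, and the unsaved change made after write memory.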

clock timezone

To set the time zone, use the clock timezone command in configuration mode.

    clock timezone timezone

To disable the time zone, use the no form of this command.

    no clock timezone

Syntax Description
    timezone   Configures system timezone.
    timezone   Name of the time zone visible when in standard time. Supports up to 64 alphanumeric characters.

If you have the primary Administration node (PAN) auto-failover configuration enabled, disable it before you set the time zone. You can enable it after the time zone is set.

Command Default
Coordinated Universal Time (UTC)

Command Modes
Configuration (config)#

Usage Guidelines
The system internally keeps time in UTC. If you do not know your specific time zone, you can enter the region, country, and city (see Tables 4-1, 4-2, and 4-3 for common time zones and time zones for Australia and Asia to enter on your system).

Note: Several more time zones are available to you. Enter show timezones and a list of all time zones available appears in the Cisco ISE server. Choose the most appropriate one for your time zone.

If you have the PAN auto-failover configuration enabled in your deployment, the following message appears:

    PAN Auto Failover is enabled, this operation is not allowed! Please disable PAN Auto-failover first.

Example

    ise/admin(config)# clock timezone EST
    ise/admin(config)# exit
    ise/admin# show timezone
    EST
    ise/admin#

Related Commands
    show timezones
    show timezone
    Restoring the Time Zone in Cisco ISE Nodes
    Common Time Zones
    Australia Time Zones
    Asia Time Zones

Restoring the Time Zone in Cisco ISE Nodes

Warning: Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. However, the preferred time zone (default UTC) can be configured during the installation when the initial setup wizard prompts you for the time zones.

Changing the time zone impacts the different Cisco ISE node types in your deployment. To recover from the impact, use the following steps:

Standalone or Primary ISE Node

Changing the time zone after installation is not supported on a Standalone or Primary ISE node. If you inadvertently change the time zone, do the following:
• Revert to the previous time zone (the time zone before it changed).
• Run the application reset-config ise command from the CLI of that node.
• Restore from the last known good backup before the time zone change on that node.

Secondary ISE Node

Changing the time zone on a secondary node renders it unusable in your deployment. If you want to change the time zone on the secondary node to keep it the same as the primary node, do the following:
• Deregister the secondary node.
• Correct the time zone to be the same as the primary node.
• Run the application reset-config ise command from the CLI of that node.
• Reregister the node as a secondary node to the primary node.

Common Time Zones

Table 4-1 Common Time Zones

    Acronym or name                            Time Zone Name

    Europe
    GMT, GMT0, GMT-0, GMT+0, UTC,              Greenwich Mean Time, as UTC
      Greenwich, Universal, Zulu
    GB                                         British
    GB-Eire, Eire                              Irish
    WET                                        Western Europe Time, as UTC
    CET                                        Central Europe Time, as UTC + 1 hour
    EET                                        Eastern Europe Time, as UTC + 2 hours

    United States and Canada
    EST, EST5EDT                               Eastern Standard Time, as UTC - 5 hours
    CST, CST6CDT                               Central Standard Time, as UTC - 6 hours
    MST, MST7MDT                               Mountain Standard Time, as UTC - 7 hours
    PST, PST8PDT                               Pacific Standard Time, as UTC - 8 hours
    HST                                        Hawaiian Standard Time, as UTC - 10 hours