Home > Cisco > Interface > Cisco Ise 14 User Guide

Cisco Ise 14 User Guide

Download as PDF Print this page Share this page

Have a look at the manual Cisco Ise 14 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

View all the pages

Add page 191 to Favourites

image text

Enable zoom

							ip default-gateway
TodefineorsetadefaultgatewaywithanIPaddress,usetheipdefault-gatewaycommandinconfiguration
mode.
ipdefault-gatewayip-address
Todisablethisfunction,usethenoformofthiscommand.
noipdefault-gateway
Syntax DescriptionDefinesadefaultgatewaywithanIPaddress.default-gateway
IPaddressofthedefaultgateway.ip-address
Command DefaultDisabled.
Command ModesConfiguration(config)#
Usage GuidelinesIfyouentermorethanoneargumentornoargumentsatall,anerroroccurs.
Example
ise/admin(config)#ipdefault-gateway209.165.202.129ise/admin(config)#
Related CommandsDescriptionCommand
ipaddress
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
183
Cisco ISE CLI Commands in Configuration Mode
ip default-gateway

Add page 192 to Favourites

image text

Enable zoom

							ip domain-name
TodefineadefaultdomainnamethattheCiscoISEserverusestocompletehostnames,usetheipdomain-name
commandinconfigurationmode.
ipdomain-namedomain-name
Todisablethisfunction,usethenoformofthiscommand.
noipdomain-name
Syntax DescriptionDefinesadefaultdomainname.domain-name
Defaultdomainnameusedtocompletethehostnames.Containsat
least2to64alphanumericcharacters.
domain-name
Command DefaultEnabled.
Command ModesConfiguration(config)#
Usage Guidelines
If'Ctrl-C'isissuedduringtheCLIconfigurationchangeof'ipdomain-name'command,incaseofip
domain-namechangethesystemmayendupinastatewheresomeapplicationcomponentshavetheold
domain-nameandsomecomponentsusethenewdomain-name.
ThiswillbringtheCiscoISEnodeintoanon-workingstate.Theworkaroundforthisistoissueanother
'ipdomain-name'configurationCLItosetthedomainnametothedesiredvalue.
Note
Ifyouentermoreorfewerarguments,anerroroccurs.
IfyouupdatethedomainnamefortheCiscoISEserverwiththiscommand,itdisplaysthefollowingwarning
message:Warning:Updatingthedomainnamewillcauseanycertificateusingtheolddomainnametobecomeinvalid.Therefore,anewself-signedcertificateusingthenewdomain
namewillbegeneratednowforusewithHTTPs/EAP.IfCA-signedcertificateswereusedonthisnode,pleaseimportthemwiththecorrectdomainname.Inaddition,ifthisISEnodewillbejoininganewActiveDirectorydomain,pleaseleaveyourcurrentActiveDirectorydomainbeforeproceeding.
Example
ise/admin(config)#ipdomain-namecisco.comise/admin(config)#
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
184
Cisco ISE CLI Commands in Configuration Mode
ip domain-name

Add page 193 to Favourites

image text

Enable zoom

							Related CommandsDescriptionCommand
ipname-server
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
185
Cisco ISE CLI Commands in Configuration Mode
ip domain-name

Add page 194 to Favourites

image text

Enable zoom

							ip host
Toassociateahostaliasandfullyqualifieddomainname(FQDN)stringtoanethernetinterfacesuchaseth1,
eth2,andeth3otherthaneth0,usetheiphostcommandinglobalconfigurationmode.
WhenCiscoISEprocessesanauthorizationprofileredirectURL,itreplacestheIPaddresswiththeFQDN
oftheCiscoISEnode.
iphost[ipv4-address|ipv6-address][host-alias|FQDN-string]
ToremovetheassociationofhostaliasandFQDN,usethenoformofthiscommand.
noiphost[ipv4-address|ipv6-address][host-alias|FQDN-string]
Syntax DescriptionIPv4addressofthenetworkinterface.ipv4-address
IPv6addressofthenetworkinterface.ipv6-address
Hostaliasisthenamethatyouassigntothenetworkinterface.host-alias
Fullyqualifieddomainname(FQDN)ofthenetworkinterface.FQDN-string
IfyouhavethePrimaryAdministrationNode(PAN)auto-failoverconfigurationenabled,disableitbefore
youchangethehostaliasandFQDNofanethernetinterface.YoucanenablethePANauto-failover
configurationafterthehostaliasandFQDNconfigurationiscomplete.
IfyouhavethePANauto-failoverconfigurationenabledinyourdeployment,thefollowingmessageappears:
PANAutoFailoverisenabled,thisoperationisnotallowed!PleasedisablePANAuto-failoverfirst.
Command DefaultNodefaultbehaviororvalues.
Command ModesConfiguration(config)#
Usage GuidelinesSupportedIPv6addressformatsinclude:
•Fullnotation:Eightgroupsoffourhexadecimaldigitsseparatedbycolons.Forexample,
2001:0db8:85a3:0000:0000:8a2e:0370:7334
•Shortenednotation:Excludeleadingzerosinagroup;replacegroupsofzeroswithtwoconsecutive
colons.Forexample:2001:db8:85a3::8a2e:370:7334
•Dotted-quadnotation(IPv4-mappedandIPv4compatible-IPv6addresses):Forexample,::ffff:192.0.2.128
Usetheiphostcommandtoaddhostaliasandfullyqualifieddomainname(FQDN)stringforanIPaddress
mapping.ItisusedtofindoutthematchingFQDNforethernetinterfacessuchaseth1,eth2,andeth3.Use
theshowrunning-configcommandtoviewthehostaliasdefinitions.
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
186
Cisco ISE CLI Commands in Configuration Mode
ip host

Add page 195 to Favourites

image text

Enable zoom

							YoucanprovideeitherthehostaliasortheFQDNstring,orboth.Ifyouprovideboththevalues,thehost
aliasmustmatchthefirstcomponentoftheFQDNstring.IfyouprovideonlytheFQDNstring,CiscoISE
replacestheIPaddressintheURLwiththeFQDN.Ifyouprovideonlythehostalias,CiscoISEcombines
thehostaliaswiththeconfiguredIPdomainnametoformacompleteFQDN,andreplacestheIPaddressof
thenetworkinterfaceintheURLwiththeFQDN.
Example 1
ise/admin(config)#iphost172.21.79.96ise1ise1.cisco.comHostaliaswasmodified.YoumustrestartISEforchangetotakeeffect.DoyouwanttorestartISEnow?(yes/no)yesStoppingISEMonitoring&TroubleshootingLogProcessor...StoppingISEMonitoring&TroubleshootingLogCollector...StoppingISEApplicationServer...StoppingISEProfilerDB...StoppingISEMonitoring&TroubleshootingSessionDatabase...StoppingISEDatabaseprocesses...StartingISEDatabaseprocesses...StoppingISEDatabaseprocesses...StartingISEDatabaseprocesses...StartingISEMonitoring&TroubleshootingSessionDatabase...StartingISEProfilerDB...StartingISEApplicationServer...StartingISEMonitoring&TroubleshootingLogCollector...StartingISEMonitoring&TroubleshootingLogProcessor...Note:ISEProcessesareinitializing.Use'showapplicationstatusise'CLItoverifyallprocessesareinrunningstate.ise/admin(config)#
Example 2
ise/admin(config)#ipv6host2001:db8:cc00:1::1ise1ise1.cisco.comHostaliaswasmodified.YoumustrestartISEforchangetotakeeffect.DoyouwanttorestartISEnow?(yes/no)yesStoppingISEMonitoring&TroubleshootingLogProcessor...StoppingISEMonitoring&TroubleshootingLogCollector...StoppingISEApplicationServer...StoppingISEProfilerDB...StoppingISEMonitoring&TroubleshootingSessionDatabase...StoppingISEDatabaseprocesses...StartingISEDatabaseprocesses...StoppingISEDatabaseprocesses...StartingISEDatabaseprocesses...StartingISEMonitoring&TroubleshootingSessionDatabase...StartingISEProfilerDB...StartingISEApplicationServer...StartingISEMonitoring&TroubleshootingLogCollector...StartingISEMonitoring&TroubleshootingLogProcessor...Note:ISEProcessesareinitializing.Use'showapplicationstatusise'CLItoverifyallprocessesareinrunningstate.ise/admin(config)#
Related CommandsDescriptionCommand
ipdomain-name
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
187
Cisco ISE CLI Commands in Configuration Mode
ip host

Add page 196 to Favourites

image text

Enable zoom

							ip name-server
TosettheDomainNameServer(DNS)foruseduringaDNSquery,usetheipname-servercommandin
configurationmode.YoucanconfigureonetofourDNSservers.
ipname-serverip-address{ip-address*}
Todisablethisfunction,usethenoformofthiscommand.
noipname-serverip-address{ip-address*}
Usingthenoformofthiscommandremovesallnameserversfromtheconfiguration.Usingthenoform
ofthiscommandandoneoftheIPnamesremovesonlythatnameserver.
Note
Syntax DescriptionConfiguresIPaddressesofnameserver(s)touse.name-server
Addressofanameserver.ip-address
(Optional).IPaddressesofadditionalnameservers.
YoucanconfigurethreeIPv4addressesandoneIPv6address
inthenameserver.
Note
ip-address*
IfyouhavetheprimaryAdministrationnode(PAN)auto-failoverconfigurationenabledinyourdeployment,
removeitbeforeyouruntheipname-servercommandandenableitafteryouconfiguretheDNSserver(s).
Command DefaultNodefaultbehaviororvalues.
Command ModesConfiguration(config)#
Usage GuidelinesThefirstnameserverthatisaddedwiththeipname-servercommandoccupiesthefirstpositionandthe
systemusesthatserverfirsttoresolvetheIPaddresses.
YoucanaddnameserverstothesystemusingIPv4orIPv6addresses.YoucanconfigureonetothreeIPv4
addressesthroughasinglecommand.Ifyouhavealreadyconfiguredthesystemwithfournameservers,you
mustremoveatleastoneservertoaddadditionalnameservers.
Toplaceanameserverinthefirstpositionsothatthesubsystemusesitfirst,youmustremoveallname
serverswiththenoformofthiscommandbeforeyouproceed.
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
188
Cisco ISE CLI Commands in Configuration Mode
ip name-server

Add page 197 to Favourites

image text

Enable zoom

							IfyoumodifiedthissettingforADconnectivity,youmustrestartCiscoISEforthechangestotakeeffect.
Also,ensurethatallDNSserversconfiguredinCiscoISEareabletoresolveallrelevantADDNSrecords.
IftheconfiguredADjoinpointsarenotcorrectlyresolvedaftertheDNSsettingsarechanged,youmust
manuallyperformtheLeaveoperationandre-jointheADjoinpoint.
Note
IfyouhavethePANauto-failoverconfigurationenabledinyourdeployment,thefollowingmessageappears:
PANAutoFailoverisenabled,thisoperationisnotallowed!PleasedisablePANAuto-failoverfirst.
Example 1
ise/admin(config)#ipname-server?PrimaryDNSserverIPaddressDNSserver2IPaddressDNSserver3IPaddressIPv6DNSserveraddressise/admin(config)#ipname-server
Example 2
YoucanseethefollowingoutputafteryouconfiguretheIPnameserver.
ise/admin#showrun|inname-serveripname-server171.70.168.183171.68.226.12064.102.6.247ipname-server3201:db8:0:20:f41d:eee:7e66:4ebaise/admin#
Example 3
ise/admin(config)#ipname-server?ipname-server10.126.107.12010.126.107.10710.106.230.244DNSServerwasmodified.IfyoumodifiedthissettingforADconnectivity,youmustrestartISEforthechangetotakeeffect.DoyouwanttorestartISEnow?(yes/no)
Related CommandsDescriptionCommand
ipdomain-name
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
189
Cisco ISE CLI Commands in Configuration Mode
ip name-server

Add page 198 to Favourites

image text

Enable zoom

							ip route
Toconfigurethestaticroutes,usetheiproutecommandinconfigurationmode.Toremovestaticroutes,use
thenoformofthiscommand.
iprouteprefixmaskgatewayip-address
noiprouteprefixmask
Syntax DescriptionIProuteprefixforthedestination.prefix
Prefixmaskforthedestination.mask
IPaddressofthenexthopthatcanbeusedtoreachthatnetwork.ip-address
Command DefaultNodefaultbehaviororvalues.
Command ModesConfiguration(config)#
Usage GuidelinesStaticroutesaremanuallyconfigured,whichmakestheminflexible(theycannotdynamicallyadapttonetwork
topologychanges),butextremelystable.Staticroutesoptimizebandwidthutilization,becausenorouting
updatesneedtobesenttomaintainthem.Theyalsomakeiteasytoenforceroutingpolicy.
WhiletheiproutecommandcanbeusedtodefinestaticroutesonindividualCiscoISEnode,thiscommand
isenhancedtodefineadefaultrouteforeachinterfaceandreducetheeffectsofasymmetricalIPforwarding,
whichisinherentinmulti-interfaceIPnodes.
Whenasingledefaultrouteisconfiguredonamulti-interfacenode,allIPtrafficreceivedfromanyofthe
node'sIPinterfacesisroutedtothenexthopofthedefaultgatewaythatproducesasymmetricalIPforwarding.
ConfiguringmultipledefaultroutesontheCiscoISEnodeeliminatestheeffectsofasymmetricforwarding.
Thefollowingexampledescribeshowtoconfiguremultipledefaultroutes:
ConsiderthefollowinginterfaceconfigurationonCiscoISEnodeeth0,eth1,eth2,andeth3interfaces
respectively:
ISEInterfaceIPNetworkGateway192.168.114.10192.168.114.0192.168.114.1192.168.115.10192.168.115.0192.168.115.1192.168.116.10192.168.116.0192.168.116.1192.168.117.10192.168.117.0192.168.117.1
Theiproutecommandisusedheretodefinedefaultroutesforeachinterface.
ise/admin(config)#iproute0.0.0.00.0.0.0192.168.114.1ise/admin(config)#iproute0.0.0.00.0.0.0192.168.115.1ise/admin(config)#iproute0.0.0.00.0.0.0192.168.116.1ise/admin(config)#iproute0.0.0.00.0.0.0192.168.117.1ise/admin(config)#ipdefault-gateway192.168.118.1
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
190
Cisco ISE CLI Commands in Configuration Mode
ip route

Add page 199 to Favourites

image text

Enable zoom

							The"ipdefault-gateway"shownaboveistherouteoflastresortforallinterfaces.Note
Theshowiproutecommanddisplaystheoutputofthestaticroutescreatedusingtheiproutecommand
(defaultroutesandnon-defaultroutes)andsystemcreatedroutesincludingtheoneconfiguredusing"ipdefault
gateway"command.Itdisplaystheoutgoinginterfaceforeachoftheroutes.
WhenyouchangetheIPaddressofaninterfaceandifanystaticroutebecomesunreachableduetoan
unreachablegateway,thestaticroutegetsdeletedfromtherunningconfiguration.Theconsoledisplays
theroutethathasbecomeunreachable.
Note
Example 2
ise/admin(config)#iproute192.168.0.0255.255.0.0gateway172.23.90.2ise/admin(config)#
Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
191
Cisco ISE CLI Commands in Configuration Mode
ip route

Add page 200 to Favourites

image text

Enable zoom

							kron occurrence
ToscheduleoneormoreCommandSchedulercommandstorunataspecificdateandtimeorarecurring
level,usethekronoccurrencecommandinconfigurationmode.Todeletethisschedule,usethenoformof
thiscommand.
kronoccurrenceoccurrence-name
Syntax DescriptionSchedulesCommandSchedulercommands.occurrence
Nameoftheoccurrence.Supportsupto80alphanumericcharacters.
(SeethefollowingnoteandSyntaxDescription.)
occurrence-name
Afteryouentertheoccurrence-nameinthekronoccurrencecommand,youentertheconfig-Occurrence
configurationsubmode(seethefollowingSyntaxDescription).
Note
Syntax DescriptionIdentifiesthattheoccurrenceistorunataspecifiedcalendardate
andtime.Usage:at[hh:mm][day-of-week|day-of-month|month
day-of-month].
at
EXECcommand.AllowsyoutoperformanyEXECcommandsin
thismode.
do
Exitsthekron-occurrenceconfigurationsubmodeandreturnsyouto
EXECmode.
end
Exitsthekron-occurrenceconfigurationmode.exit
Negatesthecommandinthismode.
Threekeywordsareavailable:
•at—Usage:at[hh:mm][day-of-week|day-of-month|month
day-of-month].
•policy-list—Specifiesapolicylisttoberunbytheoccurrence.
Supportsupto80alphanumericcharacters.
•recurring—Executionofthepolicylistsshouldberepeated.
no
SpecifiesaCommandSchedulerpolicylisttoberunbythe
occurrence.
policy-list
   Cisco Identity Services Engine CLI Reference Guide, Release 1.4
192
Cisco ISE CLI Commands in Configuration Mode
kron occurrence

All Cisco manuals Comments (0)