Cisco Ise 14 User Guide

    ise/admin(config)# ntp authentication-key 2 md5 plain SharedWithServ
    ise/admin(config)# ntp authentication-key 3 md5 plain SharedWithSer

    Example 2

    ise/admin(config)# no ntp authentication-key 3
    (Removes authentication key 3.)

    Example 3

    ise/admin(config)# no ntp authentication-key
    (Removes all authentication keys.)

    Related Commands
      ntp
      ntp authenticate
      ntp server
      ntp trusted-key
      show ntp
    Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
    Cisco ISE CLI Commands in Configuration Mode
    ntp server

    To allow for software clock synchronization by the NTP server for the system, use the ntp server command in configuration mode. You can configure up to three servers, each on a separate line with its own key. The key is an optional parameter, but it is required for NTP authentication.

    The Cisco ISE always requires a valid and reachable NTP server.

    Although key is an optional parameter, it must be configured if you need to authenticate an NTP server.

    To disable this capability, use the no form of this command only when you want to remove an NTP server and add another one.

    ntp server {ip-address | hostname} key

    Syntax Description
      server: Allows the system to synchronize with a specified server.
      ip-address | hostname: IPv4 or IPv6 address or hostname of the server providing the clock synchronization. Arguments are limited to 255 alphanumeric characters.
      autokey: Specifies that public-key authentication should be used for the NTP server. If you choose this option, ensure that you import the NTP server's public key into the Cisco ISE node using the crypto command.
      key: (Optional). Peer key number. Supports up to 65535 numeric characters. This key needs to be defined with a key value by using the ntp authentication-key command, and also needs to be added as a trusted key by using the ntp trusted-key command. For authentication to work, the key and the key value must be the same as those defined on the actual NTP server.

    Command Default
      No servers are configured by default.

    Command Modes
      Configuration (config)#

    Usage Guidelines
    Use this ntp server command with a trusted key if you want to allow the system to synchronize with a specified server.

    The key is optional, but it is required for NTP authentication. Define this key in the ntp authentication-key command first and add this key to the ntp trusted-key command before you can add it to the ntp server command.
    The show ntp command displays the status of synchronization. If none of the configured NTP servers are reachable or not authenticated (if NTP authentication is configured), then this command displays synchronization to local with the least stratum.

    If an NTP server is not reachable or is not properly authenticated, then its reach as per this command statistics will be 0.

    To define an NTP server configuration and authentication keys from the Cisco ISE Admin portal, see the System Time and NTP Server Settings section in the Cisco Identity Services Engine Administration Guide.

    Note: This command gives conflicting information during the synchronization process. The synchronization process can take up to 20 minutes to complete.

    Related Commands
      ntp
      ntp authenticate
      ntp authentication-key
      ntp trusted-key
      show ntp

    Configuring Trusted Keys for NTP Server Authentication
    Verifying the Status of Synchronization
    Configuring Trusted Keys for NTP Server Authentication

    To allow for software clock synchronization by the NTP server for the system, use the ntp server command in configuration mode.

    ise/admin(config)# ntp server ntp.esl.cisco.com key 1
    % WARNING: Key 1 needs to be defined as a ntp trusted-key.
    ise/admin(config)#
    ise/admin(config)# ntp trusted-key 1
    % WARNING: Key 1 needs to be defined as a ntp authentication-key.
    ise/admin(config)#
    ise/admin(config)# ntp authentication-key 1 md5 plain SharedWithServe
    ise/admin(config)#

    ise/admin(config)# ntp server ntp.esl.cisco.com 1
    ise/admin(config)# ntp server 171.68.10.80 2
    ise/admin(config)# ntp server 171.68.10.150 3
    ise/admin(config)#
    ise/admin(config)# do show running-config
    Generating configuration...
    !
    hostname ise
    !
    ip domain-name cisco.com
    !
    interface GigabitEthernet 0
      ip address 172.21.79.246 255.255.255.0
      ipv6 address autoconfig
    !
    ip name-server 171.70.168.183
    !
    ip default-gateway 172.21.79.1
    !
    clock timezone UTC
    !
    ntp authentication-key 1 md5 hash ee18afc7608ac7ecdbeefc5351ad118bc9ce1ef3
    ntp authentication-key 2 md5 hash f1ef7b05c0d1cd4c18c8b70e8c76f37f33c33b59
    ntp authentication-key 3 md5 hash ee18afc7608ac7ec2d7ac6d09226111dce07da37
    ntp trusted-key 1
    ntp trusted-key 2
    ntp trusted-key 3
    ntp authenticate
    ntp server ntp.esl.cisco.com key 1
    ntp server 171.68.10.80 key 2
    ntp server 171.68.10.150 key 3
    !
    --More--
    Verifying the Status of Synchronization

    To check the status of synchronization, use the show ntp command.

    Example 1

    ise/admin# show ntp
    Primary NTP   : ntp.esl.cisco.com
    Secondary NTP : 171.68.10.80
    Tertiary NTP  : 171.68.10.150
    synchronised to local net at stratum 11
       time correct to within 448 ms
       polling server every 64 s
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *127.127.1.0     .LOCL.          10 l   46   64   37    0.000    0.000   0.001
     171.68.10.80    .RMOT.          16 u   46   64    0    0.000    0.000   0.000
     171.68.10.150   .INIT.          16 u   47   64    0    0.000    0.000   0.000
    Warning: Output results may conflict during periods of changing synchronization.
    ise/admin#

    Example 2

    ise/admin# show ntp
    Primary NTP   : ntp.esl.cisco.com
    Secondary NTP : 171.68.10.150
    Tertiary NTP  : 171.68.10.80
    synchronised to NTP server (171.68.10.150) at stratum 3
       time correct to within 16 ms
       polling server every 64 s
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     127.127.1.0     .LOCL.          10 l   35   64  377    0.000    0.000   0.001
    +171.68.10.80    144.254.15.122   2 u   36   64  377    1.474    7.381   2.095
    *171.68.10.150   144.254.15.122   2 u   33   64  377    0.922   10.485   2.198
    Warning: Output results may conflict during periods of changing synchronization.
    ise/admin#
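The two conditions the guide describes, fallback to the local clock and a reach of 0 for an unreachable or unauthenticated server, can be detected from captured show ntp output. This parser is an added example, not part of the Cisco guide; the function names are assumptions, and the sample is Example 1 above with its column spacing restored.

```python
# Constructed sample: the peer table of Example 1 above.
SAMPLE_SHOW_NTP = """\
synchronised to local net at stratum 11
   time correct to within 448 ms
   polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.          10 l   46   64   37    0.000    0.000   0.001
 171.68.10.80    .RMOT.          16 u   46   64    0    0.000    0.000   0.000
 171.68.10.150   .INIT.          16 u   47   64    0    0.000    0.000   0.000
"""

def parse_peers(output: str) -> list[dict]:
    """Parse the peer table; reach is an octal register of the last 8 polls."""
    peers = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 10 or not fields[2].isdigit():
            continue  # header, separator or status text
        # The first column of a peer row is a one-character selection marker.
        tally = line[0] if line[0] in "*+-x#o." else ""
        peers.append({
            "remote": fields[0][len(tally):],
            "selected": tally == "*",
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),
        })
    return peers

def ntp_findings(output: str) -> list[str]:
    """Flag local-clock fallback and servers that answered no recent poll."""
    findings = []
    for peer in parse_peers(output):
        local = peer["remote"].startswith("127.127.")  # local reference clock
        if local and peer["selected"]:
            findings.append("synchronised to the local clock, not to an NTP server")
        elif not local and peer["reach"] == 0:
            findings.append(f"{peer['remote']}: reach 0 (unreachable or not authenticated)")
    return findings

if __name__ == "__main__":
    for finding in ntp_findings(SAMPLE_SHOW_NTP):
        print(finding)
```

Because the guide warns that output can conflict while synchronization is in progress, which can take up to 20 minutes, a finding is worth acting on only if it persists beyond that window.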
    ntp trusted-key

    To add a time source to the trusted list, use the ntp trusted-key command with a unique identifier.

    ntp trusted-key key

    To disable this capability, use the no form of this command.

    no ntp trusted-key

    Syntax Description
      trusted-key: The identifier that you want to assign to this key.
      key: Specifies key numbers for trusted time sources that need to be defined as NTP authentication keys. Supports up to 65535 numeric characters.

    Command Default
      None

    Command Modes
      Configuration (config)#

    Usage Guidelines
    Define this key as an NTP authentication key and then add this key to the trusted list before you add this key to an NTP server. Only keys that are added to the trusted list can be used to allow synchronization by the NTP server with the system.

    Example 1

    ise/admin# configure
    ise/admin(config)#
    ise/admin(config)# ntp trusted-key 1
    ise/admin(config)# ntp trusted-key 2
    ise/admin(config)# ntp trusted-key 3
    ise/admin(config)# no ntp trusted-key 2
    (Removes key 2 from the trusted list).

    Example 2

    ise/admin(config)# no ntp trusted-key
    (Removes all keys from the trusted list).

    Related Commands
      ntp
      ntp authenticate
      ntp authentication-key
      ntp server
      show ntp
    rate-limit

    To configure the limit of TCP/UDP/ICMP packets from a source IP address, use the rate-limit command in configuration mode. To remove this function, use the no form of this command.

    rate-limit 250 ip-address net-mask port

    Syntax Description
      An average number of TCP/UDP/ICMP packets per second.
      ip-address: Source IP address to apply the packet rate limit.
      net-mask: Source IP mask to apply the packet rate limit.
      port: Destination port number to apply the packet rate limit.

    Command Default
      No default behavior or values.

    Command Modes
      Configuration (config)#

    Usage Guidelines
      None.

    Example

    ise49/admin(config)# rate-limit 4000 ip 20.20.20.20 port 443
    % Notice : Actual rate limit rounded up by iptables to 5000 per second
    ise49/admin(config)# do show running-config | incl rate
    rate-limit 5000 ip 20.20.20.20 port 443
    ise49/admin(config)#
    ise49/admin(config)# rate-limit 6000 ip 10.10.10.10 port 443
    % Notice : Actual rate limit rounded up by iptables to 10000 per second
    ise49/admin(config)# do show running-config | incl rate
    rate-limit 10000 ip 10.10.10.10 port 443
    rate-limit 5000 ip 20.20.20.20 port 443
    ise49/admin(config)#

    Related Commands
      conn-limit
    password-policy

    To enable or configure the passwords on the system, use the password-policy command in configuration mode. To disable this function, use the no form of this command.

    password-policy options

    Note: The password-policy command requires a policy option (see Syntax Description). You must enter the password-expiration-enabled command before the other password-expiration commands.

    Note: After you enter the password-policy command, you can enter the config-password-policy configuration submode.

    Syntax Description
      digit-required: Requires a digit in user passwords.
      disable-cisco-password: Disables the ability to use the word Cisco or any combination as the password.
      disable-repeat-chars: Disables the ability of the password to contain more than four identical characters.
      do: Exec command.
      end: Exit from configure mode.
      exit: Exit from this submode.
      lower-case-required: Requires a lowercase letter in user passwords.
      min-password-length: Minimum number of characters for a valid password. Supports up to 40 characters.
      no: Negate a command or set its defaults.
      no-previous-password: Prevents users from reusing a part of their previous password.
      no-username: Prohibits users from reusing their username as a part of a password.
      password-delta: Number of characters to be different from the old password.
      password-expiration-days: Number of days until a password expires. Supports an integer up to 3650.
      password-expiration-enabled: Enables password expiration. Note: You must enter the password-expiration-enabled command before the other password-expiration commands.
      password-expiration-warning: Number of days before expiration that warnings of impending expiration begin. Supports an integer up to 3650.
      password-lock-enabled: Locks a password after several failures.
      password-lock-retry-count: Number of failed attempts before user password locks. Supports an integer up to 20.
      password-time-lockout: Sets the time in minutes after which the account lockout is cleared. Supports time values from 5 minutes to 1440 minutes.
      special-required: Requires a special character in user passwords.
      upper-case-required: Requires an uppercase letter in user passwords.

    Command Default
      No default behavior or values.

    Command Modes
      Configuration (config-password-policy)#

    Usage Guidelines
      None.

    Example

    ise/admin(config)# password-policy
    ise/admin(config-password-policy)# password-expiration-days 30
    ise/admin(config-password-policy)# exit
    ise/admin(config)#
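A planned set of password-policy commands can be checked against the limits in the Syntax Description and against the ordering rule for password-expiration-enabled before it is entered on a node. This checker is an added example, not part of the Cisco guide; the function name and the sample command list are assumptions, and only bounds the guide states are enforced.

```python
# Constructed sample: commands as entered in the config-password-policy submode.
SAMPLE_POLICY = """\
password-policy
  digit-required
  min-password-length 64
  password-expiration-days 30
  password-expiration-enabled
  password-expiration-warning 7
  password-lock-enabled
  password-lock-retry-count 5
  password-time-lockout 2
"""

# option: (minimum, maximum) from the Syntax Description; None = no bound stated.
LIMITS = {
    "min-password-length": (None, 40),
    "password-expiration-days": (None, 3650),
    "password-expiration-warning": (None, 3650),
    "password-lock-retry-count": (None, 20),
    "password-time-lockout": (5, 1440),
}
NEEDS_ENABLE = {"password-expiration-days", "password-expiration-warning"}

def check_password_policy(commands: str) -> list[str]:
    """Return findings for values out of range or entered in the wrong order."""
    findings, seen = [], set()
    for raw in commands.splitlines():
        parts = raw.split()
        if not parts or parts[0] in ("password-policy", "exit", "end"):
            continue
        name = parts[0]
        if name in LIMITS:
            low, high = LIMITS[name]
            if len(parts) != 2 or not parts[1].isdigit():
                findings.append(f"{name}: expects one integer value")
            else:
                value = int(parts[1])
                if value > high or (low is not None and value < low):
                    findings.append(f"{name} {value}: outside the documented range")
        if name in NEEDS_ENABLE and "password-expiration-enabled" not in seen:
            findings.append(f"{name}: entered before password-expiration-enabled")
        seen.add(name)
    return findings

if __name__ == "__main__":
    print("\n".join(check_password_policy(SAMPLE_POLICY)))
```

Run against the three commands of the Example above, the checker reports the password-expiration-days line, because password-expiration-enabled was not entered first.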