Cisco ISE 1.4 User Guide
Cisco Identity Services Engine CLI Reference Guide, Release 1.4
Cisco ISE CLI Commands in EXEC Mode

Key Performance Metrics Statistical Data

To obtain key performance metrics (KPM), use the Generate Daily KPM Stats or Generate KPM Stats for last 8 Weeks option in the application configure command. This data is collected from the Monitoring nodes. The output of this command provides statistical information about the endpoints that connect to your deployment. You can choose to generate a report for KPM statistics daily or for the last 8 weeks. The report is saved to the local disk.

If you have reset the Monitoring database (option 4) before generating the KPM statistics, options 12 and 13 will not return any data because the Monitoring database is reset.

Example

ise/admin# application configure ise

Selection ISE configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Exit

12

You are about to generate Daily KPM (Key Performance Metrics).
% Warning Generating KPM stats may impact ISE performance during the generation of the report. It is suggested to run this report during non-peak hours and when not conflicting with other scheduled operations of ISE.
Are you sure you want to proceed? y/n [n]: y
Starting to generate Daily KPM stats
Copying files to /localdisk
Completed generating daily KPM stats. You can find details in following files located under /localdisk
KPM_onboarding_results_27_MAR_2015.xls
KPM_trx_load_27_MAR_2015.xls

application remove

Note: You are not allowed to run the application remove command from the command-line interface (CLI) to remove Cisco ISE unless you are explicitly instructed to do so for an upgrade.

To remove a specific application other than Cisco ISE, use the application remove command in EXEC mode.

application [remove {application-name}]

When you do not want to remove any other application other than Cisco ISE, use the no form of this command.

no application [remove {application-name}]

Syntax Description

remove              Removes or uninstalls an application.
application-name    Application name. Supports up to 255 alphanumeric characters. Removes or uninstalls an application.

Command Default

No default behavior or values.

Command Modes

EXEC

Usage Guidelines

Removes or uninstalls an application.

Example

ise/admin# application remove ise
Continue with application removal? [y/n] y
Application successfully uninstalled
ise/admin#

Related Commands

application configure
application install
application reset-config
application reset-passwd
application start
application stop
application upgrade
show application

application reset-config

To reset the Cisco ISE application configuration to factory defaults or retain the existing factory settings, use the application reset-config command in EXEC mode. In addition to self-signed certificates, you can also reset server certificates or retain the existing server certificates.

application [reset-config {application-name}]

Syntax Description

reset-config        Resets the Cisco ISE application configuration and clears the Cisco ISE database.
application-name    Name of the application configuration you want to reset. Supports up to 255 alphanumeric characters.

Command Default

No default behavior or values.

Command Modes

EXEC

Usage Guidelines

You can use the application reset-config command to reset the Cisco ISE configuration and clear the Cisco ISE database without reimaging the Cisco ISE appliance or VMware. The reset requires you to enter new Cisco ISE database administrator and user passwords.

Note: Although the application reset-config command resets the Cisco ISE configuration to factory defaults, the operating system (Cisco ADE-OS) configuration still remains intact. The Cisco ADE-OS configuration includes items such as the network settings, CLI password policy, and backup history.

When you reset the Cisco ISE application configuration from the CLI, it performs a leave operation disconnecting the ISE node from the Active Directory domain if it is already joined. However, the Cisco ISE node account is not removed from the Active Directory domain. We recommend that you perform a leave operation from the Cisco ISE Admin portal with the Active Directory credentials. The leave operation removes the node account from the Active Directory domain.

Example

If a user selects the No option, the command deletes server certificates and regenerates only self-signed certificates. If the user selects the Yes option, the command retains existing server certificates by exporting them to a location. The server certificates are then imported from this location.

ise/admin# application reset-config ise
Initialize your ISE configuration to factory defaults? (y/n): y
Leaving currently connected AD domains if any...
Please rejoin to AD domains from the administrative GUI
Retain existing ISE server certificates? (y/n): y
Reinitializing local ISE configuration to factory defaults...
Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Log Processor...
ISE Identity Mapping Service is disabled
ISE pxGrid processes are disabled
Stopping ISE Application Server...
Stopping ISE Certificate Authority Service...
Stopping ISE Profiler Database...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...
Enter the ISE administrator username to create[admin]: admin
Enter the password for 'admin':
Re-enter the password for 'admin':
Extracting ISE database content...
Starting ISE database processes...
Creating ISE M&T session directory...
Performing ISE database priming...
application reset-config is success
ise/admin#

Related Commands

application configure
application install
application remove
application start
application stop
application upgrade
show application

application reset-passwd

To reset the Admin portal login password for a specified user account (usually an existing administrator account) in Cisco ISE after the administrator account has been disabled due to incorrect password entries, use the application reset-passwd command in EXEC mode. You can also use this command to reset the Cisco ISE database administrator and user passwords.

application [reset-passwd {application-name} {administrator-ID | internal-database-admin | internal-database-user}]

Syntax Description

reset-passwd               Resets the administrator account password.
application-name           Application name. Supports up to 255 alphanumeric characters.
administrator-ID           Name of a disabled administrator account for which you want to reset the password.
internal-database-admin    Identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter, at least one uppercase letter, and at least one number (0-9).
internal-database-user     Identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter, at least one uppercase letter, and at least one number (0 to 9).
internal-comm-user

Command Default

No default behavior or values. necessary to disable the administrator account in Cisco ISE

Command Modes

EXEC

Usage Guidelines

The following special characters are allowed when resetting the Cisco ISE Admin portal password: _-*&$@!~ >

Typically, you need to specify the Cisco ISE database administrator and user passwords only once during an initial configuration or upgrade. If it is necessary to change either of these passwords later, you can use the application reset-passwd command.

UTF-8 admin users can change passwords only through the Cisco ISE Admin portal.

Example

ise/admin# application reset-passwd ise admin
Enter new password: ******
Confirm new password: ******
Password reset successfully.
ise/admin#

Related Commands

application configure
application install
application remove
application reset-config
application start
application stop
application upgrade
show application

application start

To enable a specific application, use the application start command in EXEC mode. To disable starting an application, use the no form of this command.

application [start {application-name | safe}]

no application [start {application-name | safe}]

Syntax Description

start               Enables an application bundle.
application-name    Name of the predefined application that you want to enable. Supports up to 255 alphanumeric characters.
safe                Starts an application in safe mode.

Command Default

No default behavior or values.

Command Modes

EXEC

Usage Guidelines

Enables an application.

You cannot use this command to start Cisco ISE. If you try to, you will be prompted that Cisco ISE is already running.

You can use the application start safe command to start Cisco ISE in a safe mode that allows you to disable access control temporarily to the Admin portal and then restart the application after making necessary changes.

The safe option provides a means of recovery in the event that you as an administrator inadvertently lock out all users from accessing the Cisco ISE Admin portal. This event can happen if you configure an incorrect "IP Access" list in the Administration > Admin Access > Settings > Access page. The 'safe' option also bypasses certificate-based authentication and reverts to the default username and password authentication for logging into the Cisco ISE Admin portal.

Example 1

ise/admin# application start ise
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Profiler Database...
Starting ISE Application Server...
Starting ISE Certificate Authority Service...
Starting ISE Monitoring & Troubleshooting Log Processor...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE AD Connector...
Note: ISE Processes are initializing. Use 'show application status ise' CLI to verify all processes are in running state.

ise/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          30171
Database Server                        running          33 PROCESSES
Application Server                     initializing
Profiler Database                      running          31315
AD Connector                           running          1732
M&T Session Database                   running          31225
M&T Log Collector                      running          1625
M&T Log Processor                      running          1584
Certificate Authority Service          running          1532
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
Identity Mapping Service               disabled
ise/admin#

Starting Cisco ISE Application in Safe Mode

The purpose of the 'safe' option is to bypass access restrictions that may have been caused inadvertently. When the safe mode is used to start Cisco ISE services, the following behavior is observed:

• IP access restriction is temporarily disabled to allow administrators logging in to correct IP access restrictions if they inadvertently lock themselves.
• On FIPS enabled hosts, if the 'safe' option is passed on application startup, the FIPS integrity check is temporarily disabled. Normally, if FIPS integrity check fails, Cisco ISE services are not started. Users can bypass the FIPS integrity check with the 'safe' option on application start.
• On FIPS enabled hosts, if the 'safe' option is passed on application startup, the hardware random number generator integrity check is disabled.
• If certificate-based authentication is used, the 'safe' option on application start will temporarily use username and password based authentication.

Note: These changes are temporary and only relevant for that instance of the Cisco ISE application. If the Cisco ISE services are restarted again without the 'safe' option, all of the default functionality is restored.

ise/admin# application stop ise

Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Log Processor...
ISE Identity Mapping Service is disabled
ISE pxGrid processes are disabled
Stopping ISE Application Server...
Stopping ISE Certificate Authority Service...
Stopping ISE Profiler Database...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...

ise/admin# application start ise safe

Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Log Processor...
ISE Identity Mapping Service is disabled
ISE pxGrid processes are disabled
Stopping ISE Application Server...
Stopping ISE Certificate Authority Service...
Stopping ISE Profiler Database...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...

ise/admin#

Related Commands

application configure
application install
application remove
application reset-config
application reset-passwd
application stop
application upgrade
show application
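
The application start section tells you to use 'show application status ise' to verify that all processes are in running state. The following is an added example, not part of the Cisco guide, that parses captured output of that command and separates processes still starting from services that are disabled. The function names parse_status and readiness are hypothetical, the sample text is constructed from Example 1, and it assumes table columns are separated by two or more spaces.

```python
import re

# Constructed sample in the layout of 'show application status ise'
# (values mirror Example 1; the column spacing is an assumption).
SAMPLE = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          30171
Database Server                        running          33 PROCESSES
Application Server                     initializing
Profiler Database                      running          31315
AD Connector                           running          1732
M&T Session Database                   running          31225
pxGrid Controller                      disabled
Identity Mapping Service               disabled
"""

def parse_status(text):
    """Return {process name: (state, process-id field or None)}."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, the header row, the dashed rule and CLI prompts.
        if not line or line.startswith(("ISE PROCESS NAME", "---")) or "#" in line:
            continue
        # Names contain single spaces, so split only on runs of 2+ spaces.
        fields = re.split(r"\s{2,}", line)
        if len(fields) < 2:
            continue  # not a table row
        name, state = fields[0], fields[1].lower()
        # The ID column may be absent or non-numeric ("33 PROCESSES").
        pid = fields[2] if len(fields) > 2 else None
        rows[name] = (state, pid)
    return rows

def readiness(rows):
    """Report processes that are neither running nor disabled."""
    pending = sorted(n for n, (s, _) in rows.items()
                     if s not in ("running", "disabled"))
    disabled = sorted(n for n, (s, _) in rows.items() if s == "disabled")
    return {"ready": not pending, "pending": pending, "disabled": disabled}

if __name__ == "__main__":
    report = readiness(parse_status(SAMPLE))
    print("all enabled processes running:", report["ready"])
    print("not yet running:", report["pending"])
    print("disabled services:", report["disabled"])
```

Disabled services are reported separately so that an unexpected entry, such as a service you rely on showing as disabled after a restart, stands out from normal startup delay.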