Cisco ISE 1.4 User Guide


    Key Performance Metrics Statistical Data
    To obtain key performance metrics (KPM), use the Generate Daily KPM Stats or Generate KPM Stats for
    last 8 Weeks option in the application configure command. This data is collected from the Monitoring nodes.
    The output of this command provides statistical information about the endpoints that connect to your
    deployment. You can choose to generate a report for KPM statistics daily or for the last 8 weeks. The report
    is saved to the local disk.
    If you have reset the Monitoring database (option 4) before generating the KPM statistics, options 12 and 13
    will not return any data because the Monitoring database is reset.
    Example
        ise/admin# application configure ise

        Selection ISE configuration option
        [1]Reset M&T Session Database
        [2]Rebuild M&T Unusable Indexes
        [3]Purge M&T Operational Data
        [4]Reset M&T Database
        [5]Refresh Database Statistics
        [6]Display Profiler Statistics
        [7]Export Internal CA Store
        [8]Import Internal CA Store
        [9]Create Missing Config Indexes
        [10]Create Missing M&T Indexes
        [11]Enable/Disable ACS Migration
        [12]Generate Daily KPM Stats
        [13]Generate KPM Stats for last 8 Weeks
        [14]Enable/Disable Counter Attribute Collection
        [15]View Admin Users
        [16]Exit

        12

        You are about to generate Daily KPM (Key Performance Metrics).
        % Warning Generating KPM stats may impact ISE performance during the generation of the report. It is suggested to run this report during non-peak hours and when not conflicting with other scheduled operations of ISE.
        Are you sure you want to proceed? y/n [n]: y
        Starting to generate Daily KPM stats
        Copying files to /localdisk
        Completed generating daily KPM stats.
        You can find details in following files located under /localdisk
        KPM_onboarding_results_27_MAR_2015.xls
        KPM_trx_load_27_MAR_2015.xls
    Cisco Identity Services Engine CLI Reference Guide, Release 1.4    
    Cisco ISE CLI Commands in EXEC Mode
    application remove
    Note: You are not allowed to run the application remove command from the command-line interface (CLI) to
    remove Cisco ISE unless you are explicitly instructed to do so for an upgrade.
    To remove a specific application other than Cisco ISE, use the application remove command in EXEC mode.
        application [ remove {application-name}]
    When you do not want to remove any other application other than Cisco ISE, use the no form of this command.
        no application [ remove {application-name}]
    Syntax Description
        remove              Removes or uninstalls an application.
        application-name    Application name. Supports up to 255 alphanumeric characters.
                            Removes or uninstalls an application.
    Command Default
        No default behavior or values.
    Command Modes
        EXEC
    Usage Guidelines
        Removes or uninstalls an application.
    Example
        ise/admin# application remove ise
        Continue with application removal? [y/n] y
        Application successfully uninstalled
        ise/admin#
    Related Commands
        application configure
        application install
        application reset-config
        application reset-passwd
        application start
        application stop
        application upgrade
        show application
    application reset-config
    To reset the Cisco ISE application configuration to factory defaults or retain the existing factory settings, use
    the application reset-config command in EXEC mode. In addition to self-signed certificates, you can also
    reset server certificates or retain the existing server certificates.
        application [ reset-config {application-name}]
    Syntax Description
        reset-config        Resets the Cisco ISE application configuration and clears the Cisco
                            ISE database.
        application-name    Name of the application configuration you want to reset. Supports
                            up to 255 alphanumeric characters.
    Command Default
        No default behavior or values.
    Command Modes
        EXEC
    Usage Guidelines
    You can use the application reset-config command to reset the Cisco ISE configuration and clear the Cisco
    ISE database without reimaging the Cisco ISE appliance or VMware. The reset requires you to enter new
    Cisco ISE database administrator and user passwords.
    Note: Although the application reset-config command resets the Cisco ISE configuration to factory defaults,
    the operating system (Cisco ADE-OS) configuration still remains intact. The Cisco ADE-OS configuration
    includes items such as the network settings, CLI password policy, and backup history.
    When you reset the Cisco ISE application configuration from the CLI, it performs a leave operation
    disconnecting the ISE node from the Active Directory domain if it is already joined. However, the Cisco ISE
    node account is not removed from the Active Directory domain. We recommend that you perform a leave
    operation from the Cisco ISE Admin portal with the Active Directory credentials. The leave operation removes
    the node account from the Active Directory domain.
    Example
    If a user selects the No option, the command deletes server certificates and regenerates only self-signed
    certificates. If the user selects the Yes option, the command retains existing server certificates by exporting
    them to a location. The server certificates are then imported from this location.
        ise/admin# application reset-config ise
        Initialize your ISE configuration to factory defaults? (y/n): y
        Leaving currently connected AD domains if any...
        Please rejoin to AD domains from the administrative GUI
        Retain existing ISE server certificates? (y/n): y
        Reinitializing local ISE configuration to factory defaults...
        Stopping ISE Monitoring & Troubleshooting Log Collector...
        Stopping ISE Monitoring & Troubleshooting Log Processor...
        ISE Identity Mapping Service is disabled
        ISE pxGrid processes are disabled
        Stopping ISE Application Server...
        Stopping ISE Certificate Authority Service...
        Stopping ISE Profiler Database...
        Stopping ISE Monitoring & Troubleshooting Session Database...
        Stopping ISE AD Connector...
        Stopping ISE Database processes...
        Enter the ISE administrator username to create[admin]: admin
        Enter the password for 'admin':
        Re-enter the password for 'admin':
        Extracting ISE database content...
        Starting ISE database processes...
        Creating ISE M&T session directory...
        Performing ISE database priming...
        application reset-config is success
        ise/admin#
    Related Commands
        application configure
        application install
        application remove
        application start
        application stop
        application upgrade
        show application
    application reset-passwd
    To reset the Admin portal login password for a specified user account (usually an existing administrator
    account) in Cisco ISE after the administrator account has been disabled due to incorrect password entries, use
    the application reset-passwd command in EXEC mode. You can also use this command to reset the Cisco
    ISE database administrator and user passwords.
        application [ reset-passwd {application-name} {administrator-ID | internal-database-admin |
        internal-database-user}]
    Syntax Description
        reset-passwd               Resets the administrator account password.
        application-name           Application name. Supports up to 255 alphanumeric characters.
        administrator-ID           Name of a disabled administrator account for which you want to reset
                                   the password.
        internal-database-admin    Identifies the Cisco ISE database system-level password. You must
                                   create this password (there is no default). The password must be a
                                   minimum of 11 characters in length and include at least one lowercase
                                   letter, at least one uppercase letter, and at least one number (0-9).
        internal-database-user     Identifies the Cisco ISE database access-level password. You must
                                   create this password (there is no default). The password must be a
                                   minimum of 11 characters in length and include at least one lowercase
                                   letter, at least one uppercase letter, and at least one number (0 to 9).
        internal-comm-user
    Command Default
        No default behavior or values. necessary to disable the administrator account in Cisco ISE
    Command Modes
        EXEC
    Usage Guidelines
    The following special characters are allowed when resetting the Cisco ISE Admin portal password:
        _ - * & $ @ ! ~
    >
    						
    Typically, you need to specify the Cisco ISE database administrator and user passwords only once during an
    initial configuration or upgrade. If it is necessary to change either of these passwords later, you can use the
    application reset-passwd command.
    UTF-8 admin users can change passwords only through the Cisco ISE Admin portal.
    Example
        ise/admin# application reset-passwd ise admin
        Enter new password: ******
        Confirm new password: ******
        Password reset successfully.
        ise/admin#
    Related Commands
        application configure
        application install
        application remove
        application reset-config
        application start
        application stop
        application upgrade
        show application
    application start
    To enable a specific application, use the application start command in EXEC mode. To disable starting an
    application, use the no form of this command.
        application [ start {application-name | safe}]
        no application [ start {application-name | safe}]
    Syntax Description
        start               Enables an application bundle.
        application-name    Name of the predefined application that you want to enable. Supports
                            up to 255 alphanumeric characters.
        safe                Starts an application in safe mode.
    Command Default
        No default behavior or values.
    Command Modes
        EXEC
    Usage Guidelines
    Enables an application.
    You cannot use this command to start Cisco ISE. If you try to, you will be prompted that Cisco ISE is already
    running.
    You can use the application start safe command to start Cisco ISE in a safe mode that allows you to disable
    access control temporarily to the Admin portal and then restart the application after making necessary changes.
    The safe option provides a means of recovery in the event that you as an administrator inadvertently lock out
    all users from accessing the Cisco ISE Admin portal. This event can happen if you configure an incorrect "IP
    Access" list in the Administration > Admin Access > Settings > Access page. The 'safe' option also bypasses
    certificate-based authentication and reverts to the default username and password authentication for logging
    into the Cisco ISE Admin portal.
    Example 1
        ise/admin# application start ise
        Starting ISE Monitoring & Troubleshooting Session Database...
        Starting ISE Profiler Database...
        Starting ISE Application Server...
        Starting ISE Certificate Authority Service...
        Starting ISE Monitoring & Troubleshooting Log Processor...
        Starting ISE Monitoring & Troubleshooting Log Collector...
        Starting ISE AD Connector...
        Note: ISE Processes are initializing. Use 'show application status ise' CLI to verify all processes are in running state.
        ise/admin# show application status ise
        ISE PROCESS NAME                       STATE            PROCESS ID
        --------------------------------------------------------------------
        Database Listener                      running          30171
        Database Server                        running          33 PROCESSES
        Application Server                     initializing
        Profiler Database                      running          31315
        AD Connector                           running          1732
        M&T Session Database                   running          31225
        M&T Log Collector                      running          1625
        M&T Log Processor                      running          1584
        Certificate Authority Service          running          1532
        pxGrid Infrastructure Service          disabled
        pxGrid Publisher Subscriber Service    disabled
        pxGrid Connection Manager              disabled
        pxGrid Controller                      disabled
        Identity Mapping Service               disabled
        ise/admin#
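    The verification that the note in the output above asks for, as an added example that is not part of the Cisco guide: a parser for captured 'show application status ise' output that reports which processes are not yet running. The sample is the table from this page with its column spacing reconstructed; that columns are separated by two or more spaces is an assumption.

```python
import re

# Sample: the status table from this page, with column spacing reconstructed
# (assumption: columns are separated by two or more spaces).
SAMPLE = """\
ise/admin# show application status ise
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          30171
Database Server                        running          33 PROCESSES
Application Server                     initializing
Profiler Database                      running          31315
AD Connector                           running          1732
M&T Session Database                   running          31225
M&T Log Collector                      running          1625
M&T Log Processor                      running          1584
Certificate Authority Service          running          1532
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
Identity Mapping Service               disabled
ise/admin#
"""

def parse_status(text):
    """Return {process name: (state, detail)} from captured CLI output."""
    procs = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 2 or cols[0] == "ISE PROCESS NAME":
            continue  # prompt, separator, blank or header line
        procs[cols[0]] = (cols[1].lower(), cols[2] if len(cols) > 2 else "")
    return procs

def readiness(procs):
    """Ready only when every process that is not disabled reports 'running'."""
    pending = sorted(n for n, (s, _) in procs.items() if s not in ("running", "disabled"))
    disabled = sorted(n for n, (s, _) in procs.items() if s == "disabled")
    return {"ready": bool(procs) and not pending, "pending": pending, "disabled": disabled}

if __name__ == "__main__":
    report = readiness(parse_status(SAMPLE))
    print("ready:", report["ready"])
    print("pending:", report["pending"])
    print("disabled (confirm each is intended):", report["disabled"])
```

    Any state other than 'running' or 'disabled' is treated as pending, so a multi-word state value is reported rather than misread as 'running'.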
    Starting Cisco ISE Application in Safe Mode
    The purpose of the 'safe' option is to bypass access restrictions that may have been caused inadvertently. When
    the safe mode is used to start Cisco ISE services, the following behavior is observed:
    • IP access restriction is temporarily disabled to allow administrators logging in to correct IP access
      restrictions if they inadvertently lock themselves.
    • On FIPS enabled hosts, if the 'safe' option is passed on application startup, the FIPS integrity check is
      temporarily disabled. Normally, if FIPS integrity check fails, Cisco ISE services are not started. Users
      can bypass the FIPS integrity check with the 'safe' option on application start.
    • On FIPS enabled hosts, if the 'safe' option is passed on application startup, the hardware random number
      generator integrity check is disabled.
    • If certificate-based authentication is used, the 'safe' option on application start will temporarily use
      username and password based authentication.
    Note: These changes are temporary and only relevant for that instance of the Cisco ISE application. If the Cisco
    ISE services are restarted again without the 'safe' option, all of the default functionality is restored.
        ise/admin# application stop ise
        Stopping ISE Monitoring & Troubleshooting Log Collector...
        Stopping ISE Monitoring & Troubleshooting Log Processor...
        ISE Identity Mapping Service is disabled
        ISE pxGrid processes are disabled
        Stopping ISE Application Server...
        Stopping ISE Certificate Authority Service...
        Stopping ISE Profiler Database...
        Stopping ISE Monitoring & Troubleshooting Session Database...
        Stopping ISE AD Connector...
        Stopping ISE Database processes...
        ise/admin# application start ise safe
        Stopping ISE Monitoring & Troubleshooting Log Collector...
        Stopping ISE Monitoring & Troubleshooting Log Processor...
        ISE Identity Mapping Service is disabled
        ISE pxGrid processes are disabled
        Stopping ISE Application Server...
        Stopping ISE Certificate Authority Service...
        Stopping ISE Profiler Database...
        Stopping ISE Monitoring & Troubleshooting Session Database...
        Stopping ISE AD Connector...
        Stopping ISE Database processes...
        ise/admin#
    Related Commands
        application configure
        application install
        application remove
        application reset-config
        application reset-passwd
        application stop
        application upgrade
        show application
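    Because a safe-mode start keeps IP access restriction, the FIPS integrity checks and certificate-based authentication relaxed until the services are restarted without 'safe', it is worth confirming that no node was left that way. The following is an added example, not part of the Cisco guide: it scans a captured CLI session for nodes whose most recent 'application start' used 'safe' and lists the remove, reset-config and reset-passwd commands it sees. The transcript and node names are constructed, and the "hostname/username#" prompt layout is assumed from the page's examples.

```python
import re

# Constructed session capture (not from the guide); prompts follow the
# "hostname/username#" style of the page's examples, node names are made up.
TRANSCRIPT = """\
ise-a/admin# application stop ise
Stopping ISE Application Server...
ise-a/admin# application start ise safe
ise-b/admin# application stop ise
ise-b/admin# application start ise safe
ise-b/admin# application reset-passwd ise admin
ise-b/admin# application stop ise
ise-b/admin# application start ise
ise-a/admin# show application status ise
"""

PROMPT = re.compile(r"^(?P<node>[^/\s]+)/(?P<user>\S+?)#\s*(?P<cmd>.*)$")
# Subcommands from this section that wipe state or change credentials.
SENSITIVE = {"remove", "reset-config", "reset-passwd"}

def audit(transcript, app="ise"):
    """Report nodes whose latest start used 'safe', plus sensitive commands seen."""
    last_start, sensitive = {}, []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # command output, not a prompt line
        words = m["cmd"].split()
        if words[:1] != ["application"] or len(words) < 3 or words[2] != app:
            continue
        if words[1] == "start":
            # A later start without 'safe' restores the normal checks.
            last_start[m["node"]] = (words[3:4] == ["safe"], m["user"])
        elif words[1] in SENSITIVE:
            sensitive.append((m["node"], m["user"], " ".join(words)))
    return {
        "safe_mode_nodes": {n: u for n, (safe, u) in last_start.items() if safe},
        "sensitive": sensitive,
    }

if __name__ == "__main__":
    print(audit(TRANSCRIPT))
```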