Cda 10

Installation and Configuration Guide for
Cisco Context Directory Agent, Release 1.0

January 2016
Cisco Systems, Inc.

www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.
Text Part Number: OL-26299-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP Addresses or phone numbers in
illustrative content is unintentional and coincidental.
2014 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface
ix
Scope
ix
Audience
ix
Document Organization Map

Document Conventions
Documentation Updates
x
xi
Related Documentation xii

Release-Specific Documentation xii
Other Related Documentation xii
Notices
xiii
Obtaining Documentation and Submitting a Service Request

Whats New in Cisco CDA
CHAPTER
xv
Context Directory Agent Overview
1-1
Functional Overview 1-2

Consumer Device 1-3
Active Directory Domain Controller Machines 1-4
Receiving Network Login Information from ISE and ACS
Syslog Servers and Clients 1-5
CDA Performance and Scalability
1-4
1-6
CDA Deployment Recommendations
CHAPTER
xiii
1-6
Installing the Cisco Context Directory Agent
2-1
Requirements 2-1
Supported Operating Systems 2-1
Supported Active Directory Versions 2-2
Hardware Requirements 2-2
Connectivity Requirements 2-3
List of Open Ports 2-3
Active Directory Requirements for Successful Connection with CDA
Setting the Audit Policy 2-7
2-4
Installation and Configuration Guide for Cisco Context Directory Agent, Release 1.0
OL-26299-01
iii
Contents
Permissions Required when an Active Directory User is a Member of the Domain Admin
Group 2-7
Permissions Required when an Active Directory User is Not a Member of the Domain Admin
Group 2-8
Installing Context Directory Agent
2-13
Installing Context Directory Agent Patches

Migrating from AD Agent to CDA
CHAPTER
2-14
2-15
Working with Context Directory Agent
3-1
Understanding the CDA User Interface 3-1

Supported Browsers 3-1
Logging into the CDA User Interface 3-2
CDA Dashboard 3-3
Working in the CDA User Interface 3-3
Consumer Devices 3-4
Adding and Editing Consumer Devices 3-4
Deleting Consumer Devices 3-6
Filtering Consumer Devices 3-6
Active Directory Servers 3-7
Adding and Editing Active Directory Servers 3-7
Importing Active Directory Servers 3-9
Exporting Active Directory Servers 3-10
Deleting Active Directory Servers 3-11
Filtering Active Directory Servers 3-11
Active Directory General Settings 3-12
Sending and Receiving Syslog Messages 3-13
Adding and Editing Syslog Servers/Clients 3-13
Configuring ISE to Forward User Login Events to CDA
Configuring a Default Domain Name 3-17
Deleting Syslog Servers 3-18
Filtering Syslog Servers 3-18
Log Level Settings 3-19
IP-to-User-Identity Mappings 3-19
Mapping Filters 3-22
Registered Devices 3-22
Administrators 3-23
Password Policy 3-24
Session Timeout 3-25
Live Logs 3-25
3-15
iv
OL-26299-01
Contents
CHAPTER
CDA Command Reference
4-1
EXEC Commands 4-2

application install 4-2
application remove 4-3
application reset-config 4-4
application reset-passwd 4-6
application start 4-7
application stop 4-8
application upgrade 4-9
backup 4-10
backup-logs 4-11
clock 4-12
configure 4-13
copy 4-14
debug 4-17
delete 4-20
dir 4-21
exit 4-23
forceout 4-24
halt 4-24
help 4-25
mkdir 4-26
nslookup 4-27
patch install 4-28
patch remove 4-29
ping 4-30
ping6 4-31
reload 4-33
restore 4-34
rmdir 4-35
show 4-36
ssh 4-38
tech 4-39
telnet 4-40
terminal length 4-41
terminal session-timeout 4-42
terminal session-welcome 4-42
terminal terminal-type 4-43
traceroute 4-44
OL-26299-01
Contents
undebug 4-44
write 4-46
Show Commands 4-48
show application 4-48
show backup history 4-50
show cdp 4-51
show clock 4-52
show cpu 4-53
show disks 4-55
show icmp-status 4-57
show interface 4-58
show inventory 4-60
show logging 4-61
show logins 4-63
show memory 4-64
show ntp 4-65
show ports 4-66
show process 4-67
show repository 4-69
show restore 4-70
show running-config 4-70
show startup-config 4-72
show tech-support 4-73
show terminal 4-75
show timezone 4-76
show timezones 4-76
show udi 4-78
show uptime 4-78
show users 4-79
show version 4-80
Configuration Commands 4-81
backup-staging-url 4-82
cdp holdtime 4-82
cdp run 4-83
cdp timer 4-84
clock timezone 4-85
do 4-87
end 4-90
exit 4-90
hostname 4-91
vi
OL-26299-01
Contents
icmp echo 4-92

interface 4-92
ipv6 address autoconfig 4-93
ipv6 address dhcp 4-95
ip address 4-97
ip default-gateway 4-98
ip domain-name 4-98
ip name-server 4-99
ip route 4-100
kron occurrence 4-101
kron policy-list 4-102
logging 4-103
ntp 4-105
ntp authenticate 4-106
ntp authentication-key 4-107
ntp server 4-108
ntp trusted-key 4-110
password-policy 4-111
repository 4-112
service 4-114
shutdown 4-115
snmp-server community 4-116
snmp-server contact 4-117
snmp-server host 4-118
snmp-server location 4-118
username 4-119
INDEX
OL-26299-01
vii
Contents
viii
OL-26299-01
Preface
Revised: January 5, 2016, OL-26299-01
This guide provides an overview of the Cisco Context Directory Agent (CDA) application, the high level
architecture and how to use the CDA application. In addition, it describes how to install the CDA
application, including the requirement on Active Directory to allow a successful connection with CDA.
The CDA provides the same functionalities as AD Agent 1.0 with the addition of a user interface for
system configuration and dedicated operation system. The flows and semantics between the CDA and
ASA, WSA, and DC remain the same as in AD Agent 1.0. However, the underlying implementation is
changed and adhere to Cisco Identity Services Engine (ISE) technologies.
This preface covers the following topics:
Audience
Related Documentation
Other Related Documentation
Scope
This guide is applicable only if you have installed the latest patch for CDA 1.0.
CDA patches introduce new functionality and it is recommended to install the latest patch. If you do not
install the latest patch for CDA, the functional aspects described in Whats New in Cisco CDA section
of this guide will not be applicable.
Audience
This guide is written for network administrators who will be using the Cisco Context Directory Agent
in their deployments. This guide assumes you have a working knowledge of networking principles and
applications, and have experience as a network system administrator.
OL-26299-01
ix

The topics in this guide are grouped into introduction, functional tasks, and reference categories, and are
organized in the following way:
Chapter
Description
Provides a brief summary of the new features introduced in

each CDA release.
Chapter 1, Context Directory Agent

Overview
Provides an overview of the Cisco Context Directory Agent.
Chapter 2, Installing the Cisco Context Provides details about how to install your Cisco Context
Directory Agent
directory Agent software, how to migrate from Cisco AD
Agent to CDA.
Chapter 3, Working with Context
Directory Agent
Provides step-by-step procedure on how to work with and

use the Cisco Context Directory Agent.
Chapter 4, CDA Command Reference Provides a list of CLI commands available in the Cisco
Context Directory Agent and their usage.
This guide uses the convention whereby the symbol ^ represents the key labeled Control. For example,
the key combination ^z means Hold down the Control key while you press the z key.
Command descriptions use these conventions:
Examples that contain system prompts denote interactive sessions and indicate the commands that
you should enter at the prompt. The system prompt indicates the current level of the EXEC
command interpreter. For example, the prompt Router> indicates that you should be at the user
level, and the prompt Router# indicates that you should be at the privileged level. Access to the
privileged level usually requires a password.
Commands and keywords are in boldface font.
Arguments for which you supply values are in italic font.
Elements in square brackets ([ ]) are optional.
Alternative keywords from which you must choose one are grouped in braces ({}) and separated by
vertical bars (|).
Examples use these conventions:
Caution
Terminal sessions and sample console screen displays are in screen font.
Information you enter is in boldface screen font.
Nonprinting characters, such as passwords, are in angle brackets (< >).
Default responses to system prompts are in square brackets ([]).
An exclamation point (!) at the beginning of a line indicates a comment line.
Means reader be careful. You are capable of doing something that might result in equipment damage or
loss of data.
OL-26299-01
Timesaver
Note
Means the described action saves time. You can save time by performing the action described in the
paragraph.
Means reader take note. Notes identify important information that you should think about before
continuing, contain helpful suggestions, or provide references to materials not contained in the
document.
The following table lists the creation and update history of this document.
Table 1
Updates to Installation and Configuration Guide for Cisco Context Directory Agent,
Release 1.0
Date
Description
Oct 2015
Added and updated the following sections:
July 2014
Jan 15, 2014
Connectivity Requirements, page 3
Active Directory Servers, page 7
Exporting Active Directory Servers, page 10
Sending and Receiving Syslog Messages, page 13
Adding and Editing Syslog Servers/Clients, page 13
Supported Active Directory Versions, page 2
Active Directory Requirements for Successful Connection with CDA, page 4
Permissions Required when an Active Directory User is a Member of the

Domain Admin Group, page 7
Permissions Required when an Active Directory User is Not a Member of the

Configuring a Default Domain Name, page 17
Live Logs, page 25
Receiving Network Login Information from ISE and ACS, page 4
List of Open Ports, page 3
Importing Active Directory Servers, page 9
Adding and Editing Syslog Servers/Clients, page 13
Configuring ISE to Forward User Login Events to CDA, page 15
OL-26299-01
xi
Table 1
Updates to Installation and Configuration Guide for Cisco Context Directory Agent,
Release 1.0
Date
Description
Feb, 2013
Updated the following sections:
June, 2012
Scope, page ix
Active Directory Domain Controller Machines, page 4
Active Directory Requirements for Successful Connection with CDA, page 4
Adding and Editing Active Directory Servers, page 7
Active Directory General Settings, page 12
Cisco Context Directory Agent, Release 1.0
Related Documentation
Note
We sometimes update the electronic documentation after original publication. Therefore, you should
also review the documentation on Cisco.com for any updates.
Release-Specific Documentation
Table 2 lists the product documentation available for the Cisco Context Directory Agent Release 1.0.
Table 2
Product Documentation for Cisco Context Directory Agent, 1.0,
Document Title
Location
Installation and Configuration Guide for Cisco

Context Directory Agent, Release 1.0
http://www.cisco.com/en/US/docs/security/ibf/cd
a_10/Install_Config_guide/cda10.html
Release Notes for Context Directory Agent,

Release 1.0
a_10/release_notes/cda10_rn.html
Open Source Licenses used in Context Directory

Agent, Release 1.0
a_10/open_source_doc/open_source.pdf
Other Related Documentation

Links to Adaptive Security Appliance (ASA) 5500 Series documentation and Cisco IronPort Web
Security Appliance (WSA) documentation are available on Cisco.com at the following locations:
Cisco ASA 5500 Series Adaptive Security Appliances Page

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html
Cisco IronPort Web Security Appliances Page

http://www.cisco.com/en/US/products/ps10164/tsd_products_support_series_home.html
xii
OL-26299-01
Notices
See http://www.cisco.com/en/US/docs/security/ibf/cda_10/open_source_doc/open_source.pdf for all
the Open Source Licenses used in the Cisco Context Directory Agent, Release 1.0.

For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the Whats New in Cisco Product Documentation as an RSS feed and set content to be
delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently
supports RSS Version 2.0.
OL-26299-01
xiii
xiv
OL-26299-01

Revised: January 5, 2016, OL-26299-01
This section describes new features, updates, and changes that have been added to the Cisco Context
Directory Agent (CDA).
Table 1
New in CDA 1.0, Patch 1
Feature
Location
Windows 2012 support
NTLMv2 support
Table 2-4, Supported Authentication Types

Based on CDA and AD NTLM Version Settings
Configuration of permissions required when an

Active Directory user is not a member of the
domain admin group
Table 2
Permissions Required when an Active

Directory User is a Member of the Domain
Admin Group, page 7

Directory User is Not a Member of the
Domain Admin Group, page 8.
Feature
Location
Connect to Cisco ISE or Cisco Secure ACS
Import Active Directory server from the user

interface
Receiving Network Login Information from

ISE and ACS, page 4
Sending and Receiving Syslog Messages,

page 13
Configuring ISE to Forward User Login

Events to CDA, page 15
Importing Active Directory Servers, page 9
OL-26299-01
xv
Table 3
Feature
Location
Windows 2012 R2 support

Directory User is a Member of the Domain
Admin Group, page 7

Directory User is Not a Member of the
Configure a default domain name for users whose Configuring a Default Domain Name, page 17
domain name cannot be derived from syslog
messages.
Statistics of daily events per DC in Livelogs
Table 4
Live Logs, page 25
Feature
Location
Exporting Domain Controllers from Active

Directory Servers dashlet
Exporting Active Directory Servers, page 10
The uptime and downtime of Domain Controllers Active Directory Servers, page 7
are displayed as a new field in Active Directory
Servers dashlet.
Supports the latest ISE and ACS versions for
syslog servers:
ISE 1.3 and 2.0
ACS 5.6, 5.7, and 5.8
xvi
OL-26299-01
CH A P T E R

Unlike traditional security mechanisms, Ciscos security gateways such as ASA-CX, WSA, ASA and the
Cloud-based CWS service, provide security to networks based on the context of the entity requiring
access. While traditional network and content security gateways used to rely on the entitys IP Address
only to determine if it should pass the security gateway or not, todays Cisco products allow to take into
account much additional information, and make decisions based on the complete context of the network
entity, such as the user currently using it, what operating system it uses, what location is it in, and so on.
Security administrators write policies using reference to this context, and when network traffic hits the
security gateway, it needs to check what is the context of the originating (and sometimes, also the
destined) IP Address.
Cisco Context Directory Agent (CDA) is a mechanism that maps IP Addresses to usernames in order to
allow security gateways to understand which user is using which IP Address in the network, so those
security gateways can now make decisions based on those users (or the groups to which the users belong
to).
CDA runs on a Cisco Linux machine; monitors in real time a collection of Active Directory domain
controller (DC) machines for authentication-related events that generally indicate user logins; learns,
analyzes, and caches mappings of IP Addresses and user identities in its database; and makes the latest
mappings available to its consumer devices.
Starting with patch 2, CDA can now receive information from Cisco Identity Services Engine (ISE) and
Cisco Secure Access Control Server (ACS) machines about 802.1x network logins, in order to map users
that do not directly login into Active Directory. CDA acts as a syslog server, receiving syslog messages
from ISE and ACS, and populates the mapping table using network login information derived from ISE
and ACS.
Consumer devices, such as the Cisco Adaptive Security Appliance (ASA) and the Cisco IronPort Web
Security Appliance (WSA), interact with the CDA using the RADIUS protocol in order to obtain the
latest set of IP-to-user-identity mappings, in any one of the following ways:
On-DemandCDA can respond to an on-demand query from the consumer device for a specific
mapping.
Full DownloadCDA can respond to a request from the consumer device for the entire set of
mappings currently in its cache.
For both the on-demand and full-download methods, the request from the consumer device can be
specially tagged to indicate that it also includes a registration regarding any subsequent updates.
For example, when a consumer device requests a basic on-demand query, CDA responds with the
specific mapping that might have been found in its cache, and does not send any further updates about
that mapping. On the other hand, if the on-demand query also includes a registration, the initial response
OL-26299-01
1-1
Chapter 1
Functional Overview
from CDA is the same as before and if, at a later point in time, that specific mapping undergoes a change,
then CDA proactively notifies the requesting consumer device (as well as any other consumer devices
that have registered for notification) about the change in that specific mapping.
Similarly, when a consumer device requests a basic full download, CDA transfers a snapshot of the
session data containing all of the mappings currently found in its cache, and does not send any further
updates. On the other hand, if the request is to register for replication, then the initial response from CDA
is the same as before. At a later point in time, if the set of mappings undergoes any sort of change (new
mappings added or certain mappings changed and so on), then CDA proactively notifies the requesting
consumer device (as well as any other consumer devices that have registered for replication) about these
changes, relative to the snapshot that was previously sent.
The IP-to-user-identity mappings that are discovered, maintained, and provided by CDA can include not
only IPv4 addresses, but also IPv6 addresses.
CDA can send logs to one or more syslog servers.
CDA continues to function if any of the Active Directory domain controllers or the consumer devices
have failed. It obtains information from other domain controllers. However, there is no failover for CDA.
CDA internally contains a watchdog functionality that continuously monitors the Linux processes
internal to it, automatically restarting them if it detects that they have crashed. While there is no failover
for CDA in itself, the solution as a whole does support failover, controlled by the consumer devices,
using their capability to configure a primary and secondary CDA (similar to primary and secondary
RADIUS server), and failover to the secondary server in case the primary is unresponsive. It should be
noted that primary and secondary CDAs are completely unaware of each other, and do not exchange any
state information.
Related Topic:
Functional Overview, page 1-2
Functional Overview
Figure 1-1 represents a simplified view of the CDA solution. In this example, a user logs in from a
computer and generates web traffic by requesting access to a server. The consumer device intercepts the
web traffic and sends a RADIUS request to CDA asking for the user who logged into the computer. CDA,
which has been maintaining the latest set of IP-to-user-identity mappings, sends the user information to
the consumer device. The consumer device uses the user identity information to determine whether or
not to grant access to the end user.
In this example, CDA learns about the user either from the authentication that occurred in the domain
controller, or by the authentication performed by ISE that grants network access to the user. The
advantage of integrating CDA with ISE is to allow CDA to provide user information from authentication
identity servers, which are different than Active Directory servers.
In case ASA is deployed in the network as a VPN concentrator, CDA accepts mapping update events in
addition to the login events received from the Active Directory.
1-2
OL-26299-01
Chapter 1

Functional Overview
Figure 1-1
CDA Architecture
The CDA is responsible for:
Providing (push and pull, single and bulk) IP-to-user-identity mappings to the consumer devices.
Receiving notification on IP-to-user-identity mapping from consumer devices.
Providing an interface to retrieve the status of various components (CDA and domain controllers).
Maintaining a session directory of IP-to-user-identity mappings.
Caching the session information.
Learning the mappings at real time from Microsoft domain controllers, ISE/ACS or ASA VPN. CDA
notifies the consumer devices upon user changes.
Reading historical log data from domain controller to learn about existing IP-to-user-identity
mappings.
Providing configuration mechanism using the user interface to configure CDA, viewing the
concurrent mapping list and log events.
Cleaning expired mappings periodically. Expiration is defined by user logon TTL.
CDA interacts with the following components in a network:
Consumer Device
Active Directory Domain Controller Machines
Syslog Servers and Clients
Consumer Device
Consumer devices are responsible for actively retrieving (and/or passively receiving) the latest
IP-to-user-identity mappings from CDA. A consumer device is responsible for:
Retrieving the IP-to-user-identity mappings from CDA.
OL-26299-01
1-3
Chapter 1
Functional Overview
Receiving notifications of IP-to-user-identity mappings from CDA.
Enforcing identity based firewall policy.
Basic monitoring of the Active Directory connectivity via CDA.
Retrieving group information directly from the Active Directory.
Web-auth fallback for IPs that CDA did not map to identity.
Forwarding of new mappings revealed by consumer devices via the web-auth to CDA.
Forwarding IP-to-user-identity mapping for VPN sessions.
Running NetBIOS probing and forwarding disconnect notification to CDA.
These updates are sent as RADIUS Accounting-Request messages.

Related Topics:
Active Directory Domain Controller Machines, page 1-4
Syslog Servers and Clients, page 1-5
Active Directory Domain Controller Machines

CDA monitors the security event log of the Active Directory domain controllers in order to retrieve
information about user logins and deliver this data to the consumer devices.
Upon startup CDA reads a time based window (history) of users that are already logged-in. After CDA
is up and running it monitors and retrieves user logins in realtime. Connection is required between CDA
and the Active Directory domain controller for retrieving the user login events.
To connect to the Active Directory domain controllers, the CDA uses an Active Directory user.
An Active Directory user used by CDA must have the required permissions in order to connect and
monitor the Active Directory domain controllers
The Active directory user used by CDA can be a member of the Domain Admin Group; however this is
not mandatory if you have installed the latest CDA patch (any future CDA patches would include this
functionality as well).
The connection between CDA and the Active Directory domain controller is also authenticated using MS
NTLM protocol. CDA patch 2 supports NTLMv1 and NTLMv2.
Receiving Network Login Information from ISE and ACS

Most wireless networks and a large portion of wired network employees today use 802.1x to control who
and what can access the network. When a non-AD workstation (such an Apple MacBook or iMac,
Android or iOS phone or tablet, or anything that is not running off a domain member) accesses the
network, as it does not login to Active Directory, the domain controllers have no trace of its identity. In
such cases CDA cannot build an IP to identity map.
Through the interaction with ISE and ACS, CDA can now be aware of the network logins, be it of a
domain member or not, and can build an IP Address to identity map of a much larger portion of the
network. CDA receives syslog messages from ISE and/or ACS in order to derive which users have logged
in to the network, analyzes those messages to extract the username and the IP Address it is using, and
inserts this information into the Identity Mapping table.
1-4
OL-26299-01
Chapter 1

Functional Overview
Figure 1-2 explains how CDA maps both 802.1x login events and non-802.1x AD login events (AD and
non-AD.)
Figure 1-2
Mapping Both AD and Non-AD Events

802.1x Logins
over RADIUS
802.1x Enabled
Network Access Devices
Identity Services
Engine
Context Directory
Di
Agent
Network Acces
Devices w/o 802.1x
Microsoft
Active Directory
Domain Controllers
AD
Logins
371132
Security Gateway
with Identity-based
Policy
This integration allows consumer devices such as ASA-CX and WSA to make security decisions for a
large portion of network endpoints, including those that are not domain members. CDA passes the
information to the consumer devices in the same format whether the user/domain information was
received from a Windows domain controller event log or through integration with ISE/ACS.
Related Topics
Sending and Receiving Syslog Messages, page 3-13
Adding and Editing Syslog Servers/Clients, page 3-13
Syslog Servers and Clients

CDA can forward logs containing administrative and troubleshooting information to one or more syslog
servers. It also updates the IP-to-user-identity mapping information. The contents of these logs are
identical to that of the customer logs that are locally available on the CDA machine. The syslog
mechanism allows this information to be distributed remotely, to any target machine running a syslog
server and capable of receiving syslog messages.
CDA can also act as a syslog server when one or more syslog clients are added. It can connect to Cisco
Identity Services Engine (ISE) and Cisco Secure Access Control System (ACS) and receive syslog
messages.
Related Topics:
Consumer Device, page 1-3
Active Directory Domain Controller Machines, page 1-4
OL-26299-01
1-5
Chapter 1

CDA can support up to 80 domain controller machines, and can internally cache up to 64,000
IP-to-user-identity mappings. It supports up to 100 Identity consumer devices. CDA processes 1000
IP-to-user-identity mappings per second (input and output).
CDA is tested to support three Syslog clients (when it acts as a syslog server), twenty administrators,
and five concurrent admin user interface sessions.

It is recommended to consider the following aspects while deploying CDA:
CDA interoperates with the consumer devices using the UDP protocol. Therefore, it is
recommended for CDA to be located geographically near the consumer devices. This is mainly
important when CDA sends bulk data to the consumer device, which can be time consuming over
the WAN.
It is recommended that any CDA node in the deployment receive all user login information from the
Active Directory domain controllers. This will allow consumer devices to interoperate with the local
CDA for all user logins data. Moreover, having the Active Directory Domain Controller
geographically near the CDA will increase reliability.
To achieve high availability you can use two CDAs with the same configuration where both CDAs
must retrieve same user login information from the same Active Directory Domain Controllers. It is
the role of the consumer device to switch to the second CDA in case the first CDA is non-responding.
1-6
OL-26299-01
Chapter 1

Figure 1-3
The Recommended CDA Deployment Type
Branch 1
Consumer
Device
Backup
CDA
CDA
Consumer
Device
Active Directory
Domain Controller
Branch 2
Consumer
Device
Backup
CDA
Consumer
Device
Active Directory
Domain Controller
303372
CDA
OL-26299-01
1-7
Chapter 1
1-8
OL-26299-01
CH A P T E R

The Cisco Context Directory Agent (CDA) is a software application that is packaged as an ISO image.
You can download it from Cisco.com. You must install it on a dedicated X86 machine or a virtual
machine on VMware ESX server and configure it with consumer devices and Active Directory domain
controllers.
This chapter contains the following:
Requirements, page 2-1
Installing Context Directory Agent, page 2-13
Migrating from AD Agent to CDA, page 2-15
Requirements
This section contains the following topics:
Supported Operating Systems, page 2-1
Hardware Requirements, page 2-2
Connectivity Requirements, page 2-3
List of Open Ports, page 2-3
Active Directory Requirements for Successful Connection with CDA, page 2-4
Supported Operating Systems

CDA is installed on the Cisco Linux OS it is bundled with.When installing the CDA ISO image on a
standalone machine or on a VMWare server, Linux is installed as the OS and CDA is an application
running on top of it.
Related Topics:
OL-26299-01
2-1
Chapter 2
Requirements
Supported Active Directory Versions

CDA supports the following Active Directory versions:
Windows 2003
Windows 2003R2
Windows 2008
Windows 2008 R2
Windows 2012
Windows 2012 R2
Hardware Requirements
The CDA machine must be a separate, dedicated appliance or a VMWare. You can install CDA on
UCSC-C220-M3S appliance, see Table 2-1 for NIC requirements.
In all cases, a CDA machine must meet the standard hardware and VMWare specifications listed in
Table 2-1.
Table 2-1
Standard/Performance Hardware Requirements for a Standalone Appliance or a

VMWare with Equivalent Resources
Component
Specification
CPU
Intel Xeon 2.66 GHz Q9400 (Quad Core)
System memory
4 GB of SDRAM
Hard disk space
250 GB
NIC
1 NIC or virtual NIC. For UCS-C220-M3S

appliance, you must use the Broadcom 5709, 1
Gbps, 2 port NIC.
Table 2-2 lists the minimum hardware requirements for installing CDA on a VMWare.
Table 2-2
Minimum Hardware Requirements for a VMWare
Component
Specification
CPU
2 Virtual Processors
System memory
2 GB of SDRAM
Hard disk space
120 GB
NIC
1 virtual NIC. CDA supports Flexible and E1000

types of NIC. VMXNET 2 and VMXNET 3 are
not supported.
Related Topics:
2-2
OL-26299-01
Chapter 2

Requirements
Connectivity Requirements
For CDA to function properly, it must be able to communicate freely with all the consumer devices,
Active Directory domain controller machines from which it should receive logs, and target syslog servers
that are configured with it. If log forwarding is being employed, then connectivity is required only
between CDA and the aggregating domain controller machines, there is no need to provide connectivity
between all domain controller machines and CDA in a centralized log forwarding deployment. CDA
initiates a connection with Domain controller's RPC port 135. After establishing the connection, Domain
controllers choose a higher port dynamically.
If Windows Firewall (or any other comparable third-party firewall software) is running on any of the
Active Directory domain controller machines, then the firewall software on each of these endpoints must
be configured with the necessary exceptions to allow this communication to flow freely.
This section uses the Windows Firewall as an example and details the exceptions that must be defined
on any of the endpoints that might be running Windows Firewall.
For any other comparable third-party firewall software, refer to that vendor's documentation on how to
configure the corresponding exceptions.
Windows Firewall Exceptions to be Configured on Each Separate Active Directory Domain Controller Machine
For each separate Active Directory domain controller machine that is configured on the CDA machine
using the GUI, if Windows Firewall is enabled on that separate domain controller machine, then you
must define a Windows Firewall exception on that particular domain controller machine that will allow
the necessary Windows Management Instrumentation (WMI) related communication.
If that domain controller machine is running Windows Server 2008, Windows Server 2008 R2, Windows
Server 2012, or Windows Server 2012 R2, then you can configure this WMI-related exception using the
following Windows command line (written in a single line):
netsh advfirewall firewall set rule group=Windows Management Instrumentation (WMI)" new
enable=yes
If that domain controller machine is running Windows Server 2003 or Windows Server 2003 R2 (with
SP1 or later installed), then you can configure this WMI-related exception using the following Windows
command line (written in a single line):
netsh firewall set service RemoteAdmin enable
Related Topics:
List of Open Ports

Table 2-3 lists some of the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
ports that CDA uses for communication with consumer devices. These ports are open by default on CDA.
CDA chooses the ports dynamically to communicate with the Domain Controllers.
OL-26299-01
2-3
Chapter 2
Requirements
Table 2-3
List of Default Open Ports on CDA
Port No.
Protocol
Service
Purpose
22
TCP
The Secure Shell (SSH) Protocol
CDA SSH CLI Administration
80
TCP
HTTP (Web GUI, redirected to

HTTPS)
CDA GUI Administration

interface (for redirect only)
123
UDP
NTP
Time server
443
TCP
HTTPS (Secure web GUI)
CDA GUI Administration

interface
1645
UDP
RADIUS
CDA and device consumer

(ASA/WSA) interface
1646
UDP
RADIUS

(ASA/WSA) interface
1812
UDP
RADIUS

(ASA/WSA) interface
1813
UDP
RADIUS Accounting

(ASA/WSA) interface
514
UDP
Syslog
CDA and ISE/ACS interface
1468
TCP
Syslog
6514
SSL
SSL Syslog
The ports mentioned in Table 2-3 should be open to establish proper communication between CDA and
ASA or WSA.
The following ports are open for internal communication between CDA processes, but blocked for access
from outside the appliance:
8005
8009
8020
8090
8091
8092
8093
Active Directory Requirements for Successful Connection with CDA

CDA leverages Active Directory login audit events generated by the Active Directory domain controller
to gather user logins information. In order for CDA to work appropriately, CDA needs to be able to
connect to Active Directory and fetch the user logins information.
The following steps should be performed on the Active Directory domain controller:
1.
Make sure the Active Directory version is supported (refer to Supported Active Directory Versions)
and there is network connectivity between Active Directory domain controller and CDA (refer to
Connectivity Requirements)
2-4
OL-26299-01
Chapter 2

Requirements
2.
Make sure relevant Microsoft patches are installed on the Active Directory domain controllers.
The following patches for Windows Server 2008 are required:

a. http://support.microsoft.com/kb/958124
This patch fixes a memory leak in Microsofts WMI, which prevents CDA to establish
successful connection with the domain controller (CDA administrator can experience it in CDA
Active Directory domain controller GUI page, where the status need to be up once the
connection establishes successfully).
b. http://support.microsoft.com/kb/973995
This patch fixes different memory leak in Microsofts WMI, which sporadically prevents the
Active Directory domain controller from writing the necessary user login events to the Security
Log of the domain controller. As result CDA may not get all user login events from this domain
controller.
The following patches for Windows Server 2008 R2 are required (unless SP1 is installed):
This patch fixes memory leak in Microsofts WMI, which sporadically prevents the Active
Directory domain controller from writing the necessary user login events to the Security Log of
the domain controller. As result CDA may not get all user login events from this domain
controller.
b. http://support.microsoft.com/kb/2617858
This patch fixes unexpectedly slow startup or logon process in Windows Server 2008 R2.
The patches listed at the following link, for WMI related issues on Windows platform are required:
These hotfixes are associated with the operation and functionality of the WMI service and its
related components.
3.
Make sure the Active Directory logs the user login events in the Windows Security Log.
Verify that the settings of the Audit Policy (part of the Group Policy Management settings)
allows successful logons to generate the necessary events in the Windows Security Log (this is the
default Windows setting, but you must explicitly ensure that this setting is correct). See Setting the
Audit Policy, page 2-7.
4.
You must have an Active Directory user with sufficient permissions to be used by CDA to connect
to the Active Directory. In CDA patch 2, you can choose whether this user is member of the Active
Directory domain admin group or not. Follow the following instructions to define permissions either
for admin domain group user or none admin domain group user:
Permissions Required when an Active Directory User is a Member of the Domain Admin
Group, page 2-7

Permissions Required when an Active Directory User is Not a Member of the Domain Admin
Group, page 2-8

5.
The Active Directory user used by CDA can be authenticated either by NTLMv1 or NTLMv2. You
need to verify that the Active Directory NTLM settings are aligned with CDA NTLM settings to
ensure successful authenticated connection between CDA and the Active Directory Domain
Controller. Figure 2-1 illustrates all Microsoft NTLM options. In case CDA is set to NTLMv2, all
six options described in Figure 2-1 are supported. In case CDA is set to support NTLMv1, only the
first five options are supported. This is also summarized in Table 2-4.
OL-26299-01
2-5
Chapter 2
Requirements
Table 2-4
Supported Authentication Types Based on CDA and AD NTLM Version Settings
CDA NTLM setting options / Active

Directory (AD) NTLM setting options
NTLMv1
NTLMv2
Send LM & NTLM responses
connection is allowed
Send LM & NTLM - use NTLMv2 session connection is allowed

security if negotiated
Send NTLM response only
Send NTLMv2 response only
Send NTLMv2 response only. Refuse LM connection is allowed
Send NTLMv2 response only. Refuse LM connection is refused

& NTLM
Figure 2-1
6.
MS NTLM Authentication Type Options
Make sure that you have created a firewall rule to allow traffic to dllhost.exe on Active Directory
domain controllers.
Related Topics:
2-6
OL-26299-01
Chapter 2

Requirements
Setting the Audit Policy

Ensure that the Audit Policy (part of the Group Policy Management settings) allows successful
logons to generate the necessary events in the Windows Security Log of that AD domain controller
machine (this is the default Windows setting, but you must explicitly ensure that this setting is correct).
Step 1
Choose Start > Programs > Administrative Tools > Group Policy Management.
Step 2
Navigate under Domains to the relevant domain and expand the navigation tree.
Step 3
Choose Default Domain Controller Policy, right click and choose Edit.
The Group Policy Management Editor appears.
Step 4
Step 5
Choose Default Domain Controllers Policy > Computer Configuration > Policies > Windows
Settings > Security Settings.
For Windows Server 2003 or Windows Server 2008 (non-R2), choose Local Policies > Audit Policy.
For the two Policy items, Audit Account Logon Events and Audit Logon Events, ensure that the
corresponding Policy Setting for each of these either directly or indirectly includes the Success
condition. To include the Success condition indirectly, the Policy Setting must be set to Not
Defined, indicating that the effective value will be inherited from a higher level domain, and the
Policy Setting for that higher level domain must be configured to explicitly include the Success
condition.
For Windows Server 2008 R2 and Windows 2012, choose Advanced Audit Policy Configuration
> Audit Policies > Account Logon. For the two Policy items, Audit Kerberos Authentication
Service and Audit Kerberos Service Ticket Operations, ensure that the corresponding Policy
Setting for each of these either directly or indirectly includes the Success condition as described
above.
If any Audit Policy item settings have been changed, you should then run gpupdate /force to force
the new settings to take effect.
Permissions Required when an Active Directory User is a Member of the Domain Admin Group
No special permission is required for the following Active Directory versions:
Windows 2003
Windows 2003R2
Windows 2008
For Windows 2008 R2,Windows 2012, and Windows 2012 R2, the Domain Admin group does not have
full control on certain registry keys in the Windows operating system by default. In order to get the CDA
to work, Active Directory admin must give the Active Directory user Full Control permissions on the
following registry keys:
HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
In order to grant full control, the Active Directory admin must first take ownership of the key. To do this:
Step 1
Go to the Owner tab by right clicking the key.
Step 2
Click Permissions.
OL-26299-01
2-7
Chapter 2
Requirements
Step 3
Click Advanced.
Permissions Required when an Active Directory User is Not a Member of the Domain Admin Group
For CDA to work with Windows 2012 R2, Active Directory admin must first give the Active Directory
user Full Control permissions on the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
The following permissions also are required when an Active Directory user is not part of the Domain
Admin group but of the Domain Users group:
Required Registry Changes, page 2-8
Permissions to Use DCOM on the Domain Controller, page 2-9
Permissions to the WMI Root\CIMv2 Name Space, page 2-10
Access to Read the Security Event Log of the Active Directory Domain Controller, page 2-11
The above four permissions are valid for all the following Active Directory versions:
Windows 2003
Windows 2003R2
Windows 2008
Windows 2008 R2
Windows 2012
Windows 2012 R2
Required Registry Changes

For CDA to work with a Domain User, certain registry keys should be added manually. These registry
changes are required to establish a valid connection between CDA and domain controllers to retrieve the
users login authentication events. CDA does not require installation of an agent on the domain
controllers or on a machine in the domain.
The changes are described in the following registry script. The Active Directory admin can also copy
and paste this into a text file with a .reg extension and double click it to make the registry changes. For
adding registry keys as described below, the user must be an owner of the root key.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"AppID"="{76A64158-CB41-11D1-8B02-00600806D9B6}"
[HKEY_CLASSES_ROOT\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"DllSurrogate"="
"
[HKEY_CLASSES_ROOT\Wow6432Node\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"DllSurrogate"=" "
2-8
OL-26299-01
Chapter 2

Requirements
Make sure that you include two spaces in the value of the key DllSurrogate.
You should keep the empty lines as shown in the script above, including an empty line at the end of the
file.
Permissions to Use DCOM on the Domain Controller

The Active Directory user must have permissions to use DCOM (remote COM) on the Domain
Controller. You can do this by using the dcomcnfg tool.
Step 1
Run the dcomcnfg tool from the command line.
Step 2
Expand Component Services.
Step 3
Expand Computers and click on My Computer.
Step 4
Select Action from the menu bar, click on properties and click on COM Security.
Step 5
Make sure that the CDA account for both Access and Launch has Allow permissions. The Active
Directory user should be added to all the four options (Edit Limits and Edit Default for both Access
Permissions and Launch and Activation Permissions). See Figure 2-2.
Step 6
Allow all Local and Remote access for both Access Permissions and Launch and Activation Permissions.
Figure 2-2
My Computer Properties
OL-26299-01
2-9
Chapter 2
Requirements
Figure 2-3
Local and Remote Access for Access Permissions
Figure 2-4
Local and Remote Access for Launch and Activation Permissions
Permissions to the WMI Root\CIMv2 Name Space

The Active Directory users do not have the Execute Methods and Remote Enable permissions by default.
These can be granted by using the wmimgmt.msc MMC console.
2-10
OL-26299-01
Chapter 2

Requirements
Step 1
Click Start > Run and type wmimgmt.msc.
Step 2
Right-click WMI Control and click Properties.
Step 3
Under the Security tab expand Root and choose CIMV2.
Step 4
Click Security.
Step 5
Add the Active Directory user and give the required permissions as shown in Figure 2-5
Figure 2-5
Required Permissions for WMI Root\CIMv2 Name Space
Access to Read the Security Event Log of the Active Directory Domain Controller
On Windows 2008 and later, this can be done by adding the user to a group called Event Log Readers.
On all older versions of Windows, this can be done by editing a registry key in the following way:
Step 1
Find the SID for the account in order to delegate access to the Security event logs.
Step 2
Use the following command from the command line, as shown in Figure 2-6 to list all the SID accounts:
wmic useraccount get name,sid
You can also use the following for a specific username and domain:
wmic useraccount where name=cdaUser get domain,name,sid
Step 3
Find the SID open Registry Editor and browse to the following location:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Eventlog
OL-26299-01
2-11
Chapter 2
Requirements
Step 4
Click on Security and double click CustomSD. See Figure 2-7.

For example, to allow read access to the cda_agent account (SID S-1-5-21-1742827456-3351963980-3809373604-1107), enter
(A;;0x1;;;S-1-5-21-1742827456-3351963980-3809373604-1107)
Step 5
Restart the WMI service on the DC. You can restart the WMI services in the following two ways:
a.
Run the following command from the CLI,

net stop winmgmt
net start winmgmt.
b.
Run Services.msc (This opens the Windows Services Management window)

In the Windows Services Management window, locate Windows Management Instrumentation
service, right click and select Restart.
Figure 2-6
List All the SID Accounts
Figure 2-7
Edit CustomSD String
2-12
OL-26299-01
Chapter 2


Context Directory Agent is packaged as an ISO image. You can download the package from Cisco.com
and install it on a dedicated X86 machine or a VMWare ESX server.
CDA supports VMWare ESX versions 4.0, 4.1, and 5.0.
If you are installing CDA on a VMWare:
You must select Use Guest OS as Linux CentOS 4/5 32 bit. Misconfiguration of the guest OS
might result in very low performance.
You must select LSI Logic Parallel as the SCSI controller.
VMWare tools are automatically installed.
To install the Context Directory Agent, complete the following steps:

Step 1
Download the CDA ISO image, cda-1.0.0.xxx.i386.iso and save it in your local repository.
Step 2
Burn the ISO image on a DVD.
Step 3
Insert the DVD, choose the option to install the image from the optical drive.
The CDA package installation begins. After the installation is complete, the machine is rebooted. The
following prompt is displayed when the boot sequence is completed:
**********************************************
Please type setup to configure the appliance
**********************************************
The boot sequence takes about two minutes to complete.

Step 4
At the prompt, enter setup to start the Setup program. You are prompted to enter networking parameters
and first credentials.
The following illustrates a sample Setup program and default prompts:
localhost.localdomain login: setup
Press Ctrl-C to abort setup
Enter Hostname[]: cda-server
Enter IP Address []: 192.168.10.10
Enter IP netmask []: 255.255.255.0
Enter IP default gateway []: 192.168.10.100
Enter default DNS domain []: cisco.com
Enter primary nameserver []: 200.150.200.150
Enter secondary nameserver? Y/N: n
Enter primary NTP server [time.nist.gov]: clock.cisco.com
Enter secondary NTP server? Y/N: n
Enter system timezone [UTC]: UTC
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
OL-26299-01
2-13
Chapter 2
Do not use Ctrl-C from this point on...

Installing applications...
Installing cda...
Pre install
Post Install
Application bundle (cda) installed successfully

=== Initial setup for application: cda ===
Generating configuration...
Rebooting...
Step 5
Install the latest patch available for CDA. See Installing Context Directory Agent Patches, page 2-14.
Step 6
You can log in to the CDA CLI after the machine is rebooted and verify the package installation. The
following illustrates a sample verification procedure:
# login: admin
/admin# show application
<name> <description>
cda Cisco Context Directory Agent
/admin# show application status cda
CDA application server is running PID:2840
Step 7
Note
You can now log in to the CDA user interface and start configuring your CDA.
The username and password specified during the initial setup program can be used for both the CLI and
the GUI. If you change the GUI password using the user interface, the CLI password does not change
and vice versa.
Related Topics:

You can download and install the latest CDA 1.0, patch from Cisco.com.
Step 1
Create a repository which will allow you to upload the patch into CDA. Refer to repository section on
page 4-112 for instructions on how to create a repository.
Step 2
Download the latest CDA patch to the repository created.
2-14
OL-26299-01
Chapter 2

Step 3
Install the CDA patch, as described in patch install section on page 4-28.
Step 4
Verify that the patch is installed as follow:

/admin# sh application version cda
Cisco Application Deployment Engine OS Release:
ADE-OS Build Version:
ADE-OS System Architecture: i368
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All right reserved.
Hostname: pmbu-ibf--pip08
Version information of installed applications
--------------------------------------------Cisco Context Directory Agent
--------------------------------------------Version
: 1.0.0.011
Build Date
: Tue May 8 15:34:26 2012
Install Date : Tue Jul 15 08:53:18 2014
Cisco Context Directory Agent
--------------------------------------------Version
: 3
Build number : NA
Install Date : Mon Jul 28 09:35:09 2014

CDA is compatible with AD agent. If AD Agent is already deployed in the network, you can replace it
by CDA with a similar corresponding configuration, without requiring software changes or upgrades in
other components of the Identity Based Firewall solutionActive Directory servers and Identity
consumer devices (ASA/WSA).
Before you transition from AD Agent to CDA, take a note of the following AD Agent configuration
details:
General configuration options:

Use the AD agent command adacfg options list
Syslog servers, including IP Address and facility:

Use the AD agent command adacfg syslog list
Connected Active Directory DC list, including username, password, host and domain FQDNs:
Use the AD agent command adacfg dc list (does not show the password.)
Consumer devices (or subnets), including IP Address/subnet, shared secret:

Use the AD agent command adacfg client list (does not show the shared secret.)
See the Installation and Setup Guide for the Active Directory Agent, Release 1.0 for all the syntax and
output examples for the above commands.
Install and configure CDA to correspond to your existing AD Agent application.
OL-26299-01
2-15
Chapter 2
Optionally configure the Active Directory General Settings. AD monitoring in the CDA is the
equivalent of dcStatusTime in AD agent (note that the 10 seconds default in CDA is different from
the 60 seconds default in AD agent.)
History in CDA is the equivalent of dcHistoryTime in AD agent (note the 10 minutes default in
CDA is different than the 24 hours default in AD Agent)
User logon expiration period in CDA is the equivalent of userLogonTTL in AD agent (here the 24
hours default remains the same).
Set the security policy on the DC machines. The differences between the AD agent and CDA with
respect to Active Directory security policy setting is applicable only for Windows 2008R2 servers.
For CDA, set the account permission on Microsoft Windows 2008 R2 server as described in Step 2
of Adding and Editing Active Directory Servers section on page 7.
Optionally, configure the Log Level setting in CDA to correspond to logLevel in AD Agent.
Optionally, add any syslog servers from adacfg syslog list to CDA.
Add all Active Directory Servers from adacfg dc list to CDA.
Add all Identity Consumers from adacfg client list to CDA.
If you are replacing the AD agent server with the CDA server, using the same hostname/IP Address, no
changes are required in the consumer device (ASA/WSA) configuration, and consumer devices
automatically connect to the CDA to retrieve identify mapping information.
If it is otherwise and you are newly adding a CDA server in your deployment, you have to update the
configuration on the consumer device, to point to the new CDA server. For more information, refer to
the ASA and WSA documentation on Cisco.com.
2-16
OL-26299-01
CH A P T E R

The Cisco Context Directory Agent (CDA) is a web based application that supports HTTPS, using
self-signed certificate.
This chapter contains:
Understanding the CDA User Interface, page 3-1
Working in the CDA User Interface, page 3-3
Understanding the CDA User Interface

This section contains:
Supported Browsers, page 3-1
Logging into the CDA User Interface, page 3-2
CDA Dashboard, page 3-3
Supported Browsers
The following browsers are supported with CDA:
Table 3-1
Supported Browsers for CDA
Operating System
Supported Browsers
Linux
Firefox versions 9 and 10
Win 7
Microsoft Internet Explorer version 11, Firefox version 41, Google Chrome
version 45
Win XP
Microsoft Internet Explorer versions 8, Firefox versions 9 and 11
Mac OSX
Safari version 5.1.5
Related Topics:
OL-26299-01
3-1
Chapter 3
Understanding the CDA User Interface
Logging into the CDA User Interface

You can open a web browser and get connected to CDA through the web interface.
To log in to the CDA user interface, complete the following steps:
Step 1
Enter the CDA machine URL in the web browser, https://<ip_address/hostname>/cda
Step 2
Enter your user name and password in the CDA login page (Figure 3-1), and click Login.
Figure 3-1
Step 3
CDA Login Page
The CDA Dashboard is displayed (Figure 3-2) when you first log in.
3-2
OL-26299-01
Chapter 3

Working in the CDA User Interface
Figure 3-2
CDA Dashboard
Related Topics:
CDA Dashboard
The CDA Dashboard provides dashlets to quickly create, edit, or delete Active Directory servers,
Consumer devices, Syslog servers, and Administrators.
It also provides dashlets with lists of existing Active Directory servers, Consumer devices, and Syslog
servers. In addition, the dashboard provides links to Active Directory general settings, registered devices
page, and log level settings. See Figure 3-2.
To go back to the Dashboard from any other page, click Home.
Related Topics:

Consumer Devices, page 3-4
Active Directory Servers, page 3-7
IP-to-User-Identity Mappings, page 3-19
Mapping Filters, page 3-22
OL-26299-01
3-3
Chapter 3
Registered Devices, page 3-22
Administrators, page 3-23
Password Policy, page 3-24
Session Timeout, page 3-25
Live Logs, page 3-25
Consumer Devices
Consumer devices are responsible for actively retrieving (and/or passively receiving) the latest
IP-to-user-identity mappings from CDA. You can add, edit or delete network devices. CDA validates that
the IP Address ranges in this table do not overlap.
Adding and Editing Consumer Devices, page 3-4
Deleting Consumer Devices, page 3-6
Filtering Consumer Devices, page 3-6
Adding and Editing Consumer Devices

Consumer device entries in the dashlet are not synonymous with the actual ASA and WSA firewall
devices. Instead, each Consumer Device entry here is a logical rule, permitting an IP Address (if the
Mask is 32), or a range of addresses (if the Mask is 0-31), to communicate with CDA over RADIUS.
Creating a consumer device entry in the table or dashlet does not actually initiate any communication
with the device. It only creates the rule that allows the consumer device to communicate with CDA over
RADIUS. CDA acts as the RADIUS server in this case, hence it does not initiate the conversation with
the device. It is the actual consumer device that initiates the RADIUS conversation with CDA. First add
the consumer device IP Address or range in CDA, and then configure the device itself to contact CDA
using the CLI or management GUI.
To add or edit a consumer device, complete the following steps:
Step 1
Click Add on the Identity Consumers dashlet, or check the check box next to a device and click Edit to
edit it. You can alternatively click Add Consumer Devices link on the Dashboard.
The Consumer Device Configuration dialog box appears (Figure 3-4).
3-4
OL-26299-01
Chapter 3

Step 2
Figure 3-3
Identity Consumers Dashlet
Figure 3-4
Consumer Device Configuration Dialog Box
Fill in or edit the following details:
NameName of the rule.
IP AddressIP Address (subnet) of the consumer device (range of devices).
Mask (range)A number between 0-32. This describes the consumer device IP range in CIDR
notation.
Shared SecretPassphrase that a consumer device will use for communicating with the CDA
device. The Shared secret entered here should be identical to that configured in the device with that
IP Address (or each of the multiple devices in the IP range), attempting to access CDA via this rule.
Step 3
Check the Show Secret check box if you want the shared secret to be displayed in plain text.
Step 4
Click Save.
OL-26299-01
3-5
Chapter 3
The new network device is listed in the Identity Consumers dashlet.
Related Topics:
Deleting Consumer Devices

It is advised to first configure the consumer device to stop querying CDA before deleting it as a consumer
device in CDA. Deleting a consumer device also disallows this device to communicate with CDA as it
deletes the security rule that allowed this communication.
To delete a Consumer device, complete the following steps:
Step 1
From the Identity Consumers dashlet, select the check box next to device you want to delete in the list
and click Delete.
CDA will prompt for a confirmation.
Step 2
Click OK.
The consumer device is deleted.
Related Topics:
Filtering Consumer Devices

You can filter Consumer devices based on the following criteria:
IP Address
Mask
Name
To filter the Consumer Devices list, complete the following steps:

Step 1
Click the filter
icon in the Identity Consumers dashlet.
Step 2
Fill in the criteria on which you want to filter.
Step 3
Press Enter.
Related Topics:
3-6
OL-26299-01
Chapter 3

Active Directory Servers

The Active Directory maintains the organization identities and their information. CDA inter operates
with the Active Directory (or the domain controller) to obtain the IP-to-user-identity mapping
information using the MS WMI protocol. You can add, edit, import, export, or delete Active Directory
servers. You should also add a backup Active Directory Domain Controller machine.
CDA 1.0, patch 5, introduces a new uptime/downtime field in the Active Directory Server details table
of the Active Directory Server dashlet. You can view this field when you expand each Active Directory
server to see its details. This field displays the time for which the selected Active Directory servers is up
or down.
Adding and Editing Active Directory Servers, page 3-7
Importing Active Directory Servers, page 3-9
Exporting Active Directory Servers, page 3-10
Deleting Active Directory Servers, page 3-11
Filtering Active Directory Servers, page 3-11
Active Directory General Settings, page 3-12
Adding and Editing Active Directory Servers

Prerequisite
Make sure all the requirements as described in Active Directory Requirements for Successful
Connection with CDA section on page 2-4 are fulfilled, for a successful connection with CDA.
To add or edit an Active Directory server, complete the following steps:
Step 1
Click Add on the Active Directory Servers dashlet, or check the check box next to a server and click
Edit to edit it. You can alternatively click Add Active Directory Server link on the Dashboard.
The Active Directory Server Configuration dialog box appears. (Figure 3-5).
OL-26299-01
3-7
Chapter 3
Figure 3-5
Step 2
Active Directory Server Configuration Dialog Box
Fill in the following details:
General Settings
Display NameDisplay name of the Active Directory server.
Domain FQDNDomain fully qualified domain name (FQDN) of the Active Directory server.
Host FQDNHost FQDN of the Active Directory server.
Administrator
User nameUsername that CDA will use to communicate with the Active Directory server.
PasswordPassword that CDA will use to communicate with the Active Directory server. It
should be the password corresponding to the username specified above.

This account must have the necessary privileges as described in the Active Directory Requirements
for Successful Connection with CDA section on page 2-4.
Step 3
Click Save.
The new Active Directory sever is listed in the Active Directory Servers dashlet.
If the Group Policy enforced on the Domain Controller is set to Send NTLMv2 response only. Refuse
LM & NTLM, see Figure 3-6, then you should use NTLMv2 to connect to the Domain Controller. You
must check the Use NTLMv2 check box in Active Directory General Settings, for the CDA to
successfully connect to the Domain Controller.
To see what is the Group Policy applied on the Domain Controller:
Step 1
Go to Start > Administrative Tools > Group Policy Management
Step 2
Choose Default Domain Controllers Policy, right click and choose Edit.
Group Policy Management Editor appears.
Step 3
Go to Security Settings > Local Policies > Security Options.
3-8
OL-26299-01
Chapter 3

The Local Security Settings tab shows the Group Policy.
Figure 3-6
Security Setting
Related Topics:
Importing Active Directory Servers

You can import Active Directory servers from a .txt or a .csv file.
Step 1
Click Import on the Active Directory Servers dashlet.
Step 2
Click Browse and select the .txt or .csv file from your local system. See Figure 3-7 for a sample .csv
import file. You can also right-click the Generate Template link on the top right corner to save a sample
import file.
Step 3
Click Import. All the active directory servers in the file will be imported. You can see the import result
in the Results area (Figure 3-8.) Errors, if any, are also listed in the same area.
OL-26299-01
3-9
Chapter 3
Note
The passwords within the import file (.csv or .txt) should be kept unencrypted, and this file
should be treated as a sensitive file. Upon import, CDA would store those passwords internally
hashed.
Figure 3-7
Sample Import File
Figure 3-8
Import Result
Related Topics:
Exporting Active Directory Servers

CDA 1.0 patch 5, allows you to export Active Directory servers details to a comma separated value (.csv)
file using the export option available on the Active Directory Server dashlet. This option exports all
Active Directory servers that are listed in the Active Directory Server dashlet to a .csv file. You can save
this file to a local drive. All the Active Directory server details except the password are exported to the
3-10
OL-26299-01
Chapter 3

CSV file. The password is not exported to ensure safety of the Active Directory servers. See Figure 3-9
for a sample csv export file.
Step 1
Click Export on the Active Directory Servers dashlet.

CDA prompts you to save the file to your local drive.
Step 2
Choose an appropriate location and click Save.

CDA exports the listed Active Directory servers to a .csv file and saves the .csv file in the location that
you specify. See Figure 3-9 for a sample csv export file.
Figure 3-9
Sample Export File
Deleting Active Directory Servers

To delete an Active Directory server, complete the following steps:
Step 1
From the Active Directory Servers dashlet, select the check box next to Active Directory server you want
to delete in the list and click Delete.
Step 2
Click OK.
The Active Directory server is deleted.
Related Topics:
Filtering Active Directory Servers

You can filter Active Directory servers based on the Domain FQDN.
To filter the Active Directory servers list, complete the following steps:
Step 1
Click the filter
icon in the Active Directory Servers dashlet.
Step 2
Enter the Domain FQDN of the server.
OL-26299-01
3-11
Chapter 3
Step 3
Press Enter.
Related Topics:
Active Directory General Settings

You can change the Active Directory General Settings to configure how CDA interacts with the Active
Directory servers.
To configure the Active Directory general settings, complete the following steps:
Step 1
Click the Active Directory General Settings link on the Dashboard.

The Active Directory General Settings dialog box is displayed.
Step 2
MonitoringTime span between consecutive monitoring of the DC machines up/down status.
HistorySpecify the number of minutes in the past from which to start reading the security logs of
DC machines that are configured. For example, if you want history for the past ten minutes, enter 10.
User Logon Expiration PeriodTime duration after which logged-in user is marked as logged-out.
Use NTLMv2Check this check box to use NTLMv2 protocol. This will cause CDA to use
NTLMv2 authentication protocol when connecting to Active Directory Domain Controllers. This
check box is not checked by default after installing CDA, patch 2.
Make sure all the requirements as described in Active Directory Requirements for Successful
Connection with CDA section on page 2-4 are fulfilled, for a successful connection with CDA.
If the Group Policy enforced on the Domain Controller is set to Send NTLMv2 response only.
Refuse LM & NTLM, see Figure 3-6, then you should use NTLMv2 to connect to the Domain
Controller for the CDA to successfully connect to the Domain Controller.
Step 3
Click Save.
Related Topics:
3-12
OL-26299-01
Chapter 3

Sending and Receiving Syslog Messages

CDA can forward logs containing administrative and troubleshooting information to one or more syslog
servers. The contents of these logs are identical to that of the customer logs that are locally available on
the CDA machine.
CDA can also act as a syslog server when one or more syslog clients are added. It can connect to Cisco
Identity Services Engine (ISE) and Cisco Secure Access Control System (ACS) and receive syslog
messages. You can check live logs to see the syslog messages received. The advantage is to integrate
CDA with 802.1x deployment and support other devices that are not necessarily authenticated by
Microsoft domain controller.
CDA supports ISE 1.1, 1.2, 1.3, and 2.0 and ACS 5.3, 5.4, 5.6, 5.7, and 5.8 only. CDA supports only
Cisco devices for ISE 2.0.
You can add, edit or delete syslog servers or clients.
CDA supports the following three type of syslog messages:
UDP syslog, where CDA listens for incoming UDP messages from ISE on port 514.
TCP syslog, where CDA listens for incoming TCP messages from ISE on port 1468.
Semisecure TCP syslog, where CDA listens for incoming TCP messages from ISE on port 6514. In
this case, you should import CDA certificate into ISE certificate store. CDA does not authenticate
ISE by its certificate, the certificate is required by ISE to authenticate CDA and for encrypting the
syslog content over the TCP connection.
Configuring ISE to Forward User Login Events to CDA, page 3-15
Deleting Syslog Servers, page 3-18
Filtering Syslog Servers, page 3-18
Log Level Settings, page 3-19
Adding and Editing Syslog Servers/Clients

To add or edit a syslog server/client, complete the following steps:
Step 1
Click Add on the Syslog dashlet, or check the check box next to a server and click Edit to edit it. You
can alternatively click Add Syslog Server/Client link on the Dashboard.
The Syslog Server/Client Configuration dialog box appears. (Figure 3-5).
OL-26299-01
3-13
Chapter 3
Figure 3-10
Step 2
Display NameDisplay name of the syslog server/client.
IP AddressIP Address of the syslog server/client.
FacilitySyslog facility.
Listen for SyslogCheck this check box to enable CDA to receive syslog messages from Cisco
ISE/ACS.
ProtocolSelect the protocol that you want to use. CDA can connect to ISE 1.2, 1.3, and 2.0 and
ACS 5.5, 5.6, 5.7, and 5.8 via UDP, TCP and SSL. It can connect to ISE 1.1.x and ACS 5.3/5.4 via
UDP only. CDA supports only Cisco devices for ISE 2.0.
Note
Step 3
Syslog Server/Client Configuration Dialog Box
Currently, secure syslog over SSL is used for encryption only and does not authenticate ISE/ACS
as certified sender of syslog messages.
PortThis is a display-only field. The port number changes according to the protocol you select.
Get CertificateClick this to download the security certificate and send it to the ISE server. When
you connect CDA with ISE using SSL, you need to be authenticated before the connection is
established. To do this, you have to send this security certificate to the ISE server and then import
it in to the ISE certificate store, in order to establish a connection.
Click Save.
The new sever/client is listed in the Syslog Server/Client dashlet.
For users who are authenticated through ISE against , the domain that ISE is joined to is used as the
domain name. For users who are authenticated through ISE but not against , do not have a domain and
LOCAL is used as the domain name.
3-14
OL-26299-01
Chapter 3

Related Topics:
Configuring ISE to Forward User Login Events to CDA, page 3-15
Configuring ISE to Forward User Login Events to CDA

In order to setup CDA to receive syslog messages from ISE, you have to set remote log target in ISE,
which will forward passed authentication and RADIUS accounting syslog messages to CDA. In CDA
you have to setup syslog server that will receive syslog messages from ISE.
The following steps describe the required configuration in ISE and CDA.
Step 1
Configure a new remote log target in ISE. This log target should be the CDA machine that will receive
syslog messages originated by ISE (Figure 3-11.) For more information on how to configure remote log
target, see the Cisco Identity Services Engine User Guide, Release 1.2.
Figure 3-11
Step 2
Configuring Remote Log Target in ISE
Configure ISE to forward Passed Authentication syslog messages to CDA (Figure 3-12.) For more
information, see Cisco Identity Services Engine User Guide, Release 1.2.
OL-26299-01
3-15
Chapter 3
Figure 3-12
Step 3
Configuring ISE to Forward Passed Authentication Syslog Messages
Configure ISE to forward RADIUS Accounting syslog messages to CDA(Figure 3-13.) For more
information, see Cisco Identity Services Engine User Guide, Release 1.2.
Figure 3-13
Configuring ISE to Forward RADIUS Accounting Syslog Messages
See Adding and Editing Syslog Servers/Clients section on page 3-13 for information on how to
configure syslog servers in CDA with ISE details. Ensure that when configuring CDA, you check the
Listen for Syslog checkbox so messages from ISE are parsed.
Related Topic
Receiving Network Login Information from ISE and ACS, page 1-4
3-16
OL-26299-01
Chapter 3

Configuring a Default Domain Name

If the attribute for domain name is not set by the syslog client (ISE/ACS), by default CDA uses LOCAL
as the domain name in the IP-to-User-Identity Mappings page. This happens in cases such as EAP-TLS
authentications, RADIUS authentications, etc. To avoid this, you can configure a domain name that
would be displayed in case the domain name of the user is unknown.
If the attribute of the domain name is missing and you configured a replacement domain name, that name
will be applied to all the syslog listeners. You cannot configure different domain names for several
domains. The replacement domain name will be applied to all future syslog messages you will receive
after the configuration.
To configure a common domain name for users whose domain cannot be derived from ISE/ACS,
complete the following steps:
Step 1
Go to the CDA Home page.
Step 2
Choose Settings from the Syslog dashlet.
Step 3
Enter a replacement Domain Name.
Step 4
Click Save.
Figure 3-14
Default Domain Name
In the Figure 3-14, the highlighted domain name shows the default name displayed as LOCAL. You can
change the default domain name as shown in Figure 3-15.
Figure 3-15
Change the Default Domain Name
After you change the default domain name, the updated name is displayed in the IP-to-User-Identity
Mappings page, as shown in Figure 3-16.
OL-26299-01
3-17
Chapter 3
Figure 3-16
Domain Name Configured
Deleting Syslog Servers

To delete a Syslog server, complete the following steps:
Step 1
From the Syslog Servers dashlet, select the check box next to server you want to delete in the list and
click Delete.
Step 2
Click OK.
The Syslog server is deleted.
Related Topics:
Filtering Syslog Servers

You can filter Syslog servers based on the following criteria:
Name
IP Address
Facility
To filter the syslog server list, complete the following steps:

Step 1
Click the filter
icon in the Syslog Servers dashlet.
Step 2
Fill in the criteria on which you want to filter.
Step 3
Press Enter.
Related Topics:
3-18
OL-26299-01
Chapter 3

Log Level Settings

This is used to globally configure log level settings used for logs sent to syslog servers and the logs that
are stored on the CDA machine and can be viewed in the user interface under live logs.
To configure the global log level settings, complete the following steps:
Step 1
Click the Log Level Settings link on the Dashboard.

The Global Log Level Settings dialog box is displayed.
Step 2
Step 3
Select a log level for the Log Level drop-down list. CDA provides the following log levels:
Fatal
Error
Warning
Notice
Info
Debug
Click Save.
Related Topics:
IP-to-User-Identity Mappings
CDA lists all the currently cashed IP-to-user-identity mappings and allows the administrator to refresh,
filter and delete the mappings. Figure 3-17 shows the IP-to-user-identity mappings page.
OL-26299-01
3-19
Chapter 3
Figure 3-17
IP-to-User-Identity Mappings Page
Listing the IP-to-User-Identity Mappings

To list the IP-to-user-identity mappings, choose Mappings > IP to Identity.
Refreshing the IP-to-User-Identity Mappings Page

this page gets automatically refreshed after every 10 seconds, by default. You can change the refresh rate
to one of the following:
20 seconds
30 seconds
1 minute
2 minutes
none
Filtering the IP-to-User-Identity Mappings Page

You can use the quick filter or advanced filter options to filter the IP-to-user-identity mapping records.
Step 1
Choose Mapping > IP to Identity.

The Mapping of IP Addresses to Identities page appears, which lists all the IP-to-user-identity mapping
records.
Step 2
Click the Show drop-down to list the filter options.

Here, you can choose a Quick Filter, an Advanced Filter for filtering, or the Manage Preset Filters option,
which allows you to manage preset filters for filtering.
3-20
OL-26299-01
Chapter 3

Note
To return to the IP-to-user-identity mapping list, choose All from the Show drop-down list to display all
the mappings without filtering.
To filter by using the Quick Filter option, complete the following steps:
A quick filter filters IP-to-user-identity mapping based on each attribute on the Mapping of IP Addresses
to Identities page.
To filter, click inside any field and enter the search criteria in the text box. It refreshes the page with the
results on the Mapping of IP Addresses to Identities page. If you clear the field, it displays the list of all
the mappings on the Mapping of IP Addresses to Identities page.
To filter by using the Advanced Filter option, complete the following steps:
An advanced filter enables you to filter IP-to-user-identity mapping by using variables that are more
complex. It contains one or more filters that filter mappings based on the values that match the field
descriptions. A filter on a single row filters mappings based on each attribute and the value that you
define in the filter. Multiple filters can be used to match the values and filter mappings by using any one
or all of the filters within a single advanced filter.
Step 1
Choose an attribute from the drop-down list. You can filter the IP-to-user-identity mapping records on
any of the following record attributes:
IP
Mapping-Type
Domain
Mapping-Origin
Time stamp
User name
Response-to-probe
Step 2
Choose the operator from the drop-down list.
Step 3
Enter the value for the attribute that you selected.
Step 4
Click the Add Row (plus [+] sign) button to add a filter, or click the Remove Row (minus [-] sign) button
to remove a filter.
Step 5
Choose All to match the value in each filter, or Any to match the value in any one of the filters.
Step 6
Click Go to start filtering.
Step 7
Click the Save icon to save the filter.

The Save a Preset Filter dialog appears. Enter a file name to save the filter, and click Save. Do not include
spaces when creating the name for a preset filter. Click Cancel to clear the filter without saving the
current filter.
OL-26299-01
3-21
Chapter 3
Deleting the IP-to-User-Identity Mappings

You can delete the selected mappings or clear all the mapping records. Both of these operations are
asynchronous by nature, therefore, it will take some time for the Identity to IP mappings page to reflect
the change.
To delete a mapping, complete the following steps:
Step 1
Choose Mappings > IP to Identity
Step 2
Select the check box next to the mapping you want to delete
Step 3
Click Delete.
Mapping Filters
You can use the Mapping Filters to block particular users or IP Addresses from being monitored by CDA.
You can create filters and specify user names, IP Addresses or both. CDA will ignore mapping updates
with the specified users and/or IP Addresses, and will not collect mapping data from those updates. The
data for the filtered users/IP Addresses will not be cashed by CDA. Hence, it will not be listed on the
IP-to-Identity mapping page, nor will it be distributed to consumer devices.
To create Mapping filters, complete the following steps:
Step 1
Choose Mappings > Filters.
Step 2
Click Add.
The Mapping Filters Configuration dialog box is displayed.
Step 3
Step 4
UsernameUsername of the device that needs to be blocked.
IP AddressIP Address of the device that needs to be blocked.
Apply on existing mappingsCheck this check box if you want the filter to apply on the existing
IP-to-user-identity mapping records.
Click Save.
The new filter will be listed on the filters page.
Registered Devices
Registered Devices page displays a list of consumer devices that are connected to CDA and have been
subscribed to receive mapping updates for specific IP Addresses (On demand with registration), or for
the entire mapping database (Full download with registration).
Note that some consumer devices do not register for updates, and will not show up in this page, even
though they communicate with CDA as required. For such devices, this does not indicate any issue.
Cisco WSA is an example of such a device.
To view all the registered devices, click on the Registered Devices tab in the home page.
3-22
OL-26299-01
Chapter 3

This page lists the following details:
Status
IP Address
Configuration Name
Configuration Range
The status field indicates whether the device is in-sync (green) or out-of-sync (red) with CDA. The
other fields display information that was provided when the device was configured.
Administrators
You can add CDA administrators with admin or user privileges to access the CDA user interface.
An administrator with only user privilege has access to all the CDA user interface screens and
functionality, except the System menu.
An administrator with both user and admin privileges has access to all the CDA user interface screens
and functionality, including the System menu.
Adding and Editing Administrators

To add or edit an administrator, complete the following steps:
Step 1
Choose System > Administrators

The Administrators page appears.
Step 2
Step 3
Step 4
Do one of the following
Click Add to add a new device
Select the check box next to an existing administrator in the list and click Edit.
Enter the following details:
User name
Password
Verify Password
Authority
First Name
Last Name
Click Save to save add or edit the administrator.
Deleting Administrators
To delete an administrator, complete the following steps:
Step 1
Choose System > Administrators
Step 2
Select the check box next to the administrator you want to delete in the list and click Delete.
OL-26299-01
3-23
Chapter 3

Step 3
Click OK.
The administrator is deleted.
Password Policy
You can create a password policy for administrator accounts to enhance security. The policy that you
define here is applied to all accounts with admin privilege in CDA.
To configure the password policy, complete the following steps:
Step 1
Choose System > Password Policy

The Password Policy page appears.
Step 2
Enter the following information:
Check or uncheck the attributes a new password must contain:

Lower case letters
Upper case letters
Digits
Special characters
Check or uncheck the attributes a new password must not contain:

Three or more consecutive charactersCheck this check box to restrict the use of three or more
consecutive characters.
Username (or reversed)Check this check box to restrict the use of the administrator username
or its characters in reverse order.

Cisco (or reversed)Check this check box to restrict the use of the word cisco or its
characters in reverse order.

Custom word (or Reversed)Restrict the use of any word that you define or these characters in
reverse order.
Step 3
Minimum Length(Required) Specifies the minimum length of the password (in characters). The
default is 4 characters.
Maximum Length(Required) Specifies the maximum length of the password (in characters). The
default is 99 characters.
Click Save to save the policy.
3-24
OL-26299-01
Chapter 3

Session Timeout
CDA also allows you to determine the length of time a CDA user interface session can be inactive and
still remain connected. You can specify a time in minutes after which CDA logs out the administrator.
After a session timeout, the administrator must log in again to access the CDA user interface.
To configure the session timeout, complete the following steps:
Step 1
Choose System > Session Timeout

The Session Timeout page appears.
Step 2
Enter the Session timeout value in minutes.
Step 3
Click Save.
Live Logs
CDA live logs provide a mechanism for diagnosing, troubleshooting, and auditing the operations of
CDA. Live logs gather all the information you need for auditing and troubleshooting the system. Live
logs are stored in the db/reports.db file and in the configured Syslog servers. The live logs GUI presents
up to the last 10,000 messages generated by CDA.
Message types
CDA live logs list the following messages:
Syslog Server Messages (when CDA is connected as a syslog server)
CDA Control Messages
Configuration Changes
Mapping Updates
Sync Requests
CoA Based Traffic
Session Data Snapshot Transfer
On-demand Queries
Keep Alive Requests
Domain Status Query
DC Status Tracking
Statistics of daily events per DC
Message Content
CDA live log messages include the following information:
Timestamp
Severity
Origin Component
Message Coe
OL-26299-01
3-25
Chapter 3
Message Text
Log Levels
The following are the log levels and their status symbols supported by CDA:
Debug
Info
Notice
Warning
Error
Fatal
Verbosity Levels
CDA enables you to configure log verbosity to one of the following values:
NONE
FATAL
ERROR
WARN
INFO
DEBUG
Filtering the Live Logs

You can filter the live logs on any of the log attribute. The log attributes are:
Time stamp
Severity
Origin Component
Message
Attributes
To filter the live logs, complete the following steps:

Step 1
Click the filter
icon in the Live Logs page.
Step 2
Enter the filter criteria in the text box.

The filtered data is displayed.
3-26
OL-26299-01
Chapter 3

Refreshing the Live Logs Page

This page is automatically refreshed after every 10 seconds, by default. You can change the refresh rate
to one of the following:
20 seconds
30 seconds
1 minute
2 minutes
none
Deleting the Live Logs

You can clear all the live logs by clicking the Clear button.
OL-26299-01
3-27
Chapter 3
3-28
OL-26299-01
CH A P T E R

This chapter contains an alphabetical listing of the commands specific to the Cisco Context Directory
Agent (CDA).
The commands comprise these modes:
EXEC
System-level
Show
Configuration
Configuration submode
Note
Use the EXEC mode system-level config or configure command to access the Configuration
mode.
Each of the commands in this chapter is followed by a brief description of its use, command syntax,
usage guidelines, and one or more examples. Throughout this chapter, the CDA server uses the name
CDA in place of the CDA servers hostname.
Note
If an error occurs in any command usage, use the debug command to determine the cause of the error.
This appendix describes:
EXEC Commands, page 4-2
Show Commands, page 4-48
Configuration Commands, page 4-81
OL-26299-01
4-1
Chapter 4
EXEC Commands
EXEC Commands
This section lists each EXEC command and includes a brief description of its use, command syntax,
usage guidelines, and sample output.
Table 4-1 lists the EXEC commands that this section describes.
Table 4-1
List of EXEC Commands
application install
delete
restore
application remove
dir
rmdir
application reset-config
exit
show (see Show Commands)
application reset-passwd
forceout
ssh
application start
halt
tech
application stop
help
telnet
application upgrade
mkdir
terminal length
backup
nslookup
terminal session-timeout
backup-logs
patch install
terminal session-welcome
clock
patch remove
terminal terminal-type
configure
ping
traceroute
copy
ping6
undebug
debug
reload
write
application install
Note
You are not allowed to run the application install command from the CLI under normal operations
because the CDA application is preinstalled with the provided ISO image on all supported appliances
and VMware.
To install a specific application other than the CDA, use the application install command in the EXEC
mode. To remove this function, use the application remove command.
application install application-bundle remote-repository-name
Syntax Description
Defaults
application
The application command for an application install and administration.
install
Installs a specific application.
application-bundle
Application bundle filename. Supports up to 255 alphanumeric characters.
remote-repository-name
Remote repository name. Supports up to 255 alphanumeric characters.
No default behavior or values.
4-2
OL-26299-01
Chapter 4

EXEC Commands
Command Modes
EXEC
Usage Guidelines
Installs the specified application bundle on the appliance. The application bundle file is pulled from the
specified repository.
If you issue the application install or application remove command when another installation or
removal operation of an application is in progress, you will see the following warning message:
An existing application install, remove, or upgrade is in progress. Try again shortly.
Examples
/admin# application install cda-appbundle-1.0.0.011.i386.tar.gz myrepository

Save the current ADE-OS running configuration? (yes/no) [yes] ?
Saved the ADE-OS running configuration to startup successfully
Initiating Application installation...
Application successfully installed
/admin#
Related Commands
Command
Description
application install
Configures an application.
application remove
Removes or uninstalls an application.
Resets an application configuration to factory defaults.
Resets an application password for a specified user.
application start
Starts or enables an application.
application stop
Stops or disables an application.
application upgrade
Upgrades an application bundle.
show application
Shows application information for the installed application packages

on the system.
application remove
Note
You are not allowed to run the application remove command from the CLI to remove the CDA
application unless you are explicitly instructed for an upgrade.
To remove a specific application other than the CDA, use the application remove command in the EXEC
mode. To remove this function, use the no form of this command.
application remove application-name
Syntax Description
application
remove
application-name
Application name. Supports up to 255 alphanumeric characters.
OL-26299-01
4-3
Chapter 4
EXEC Commands
Defaults
Command Modes
EXEC
Usage Guidelines
Examples
/admin# application remove cda

Continue with application removal? [y/n] y
Application successfully uninstalled
/admin#
Related Commands
Command
Description
application install
application install
Installs an application bundle.
application start
application stop
application upgrade
show application

on the system.
To reset the CDA application configuration and clear the CDA database, use the application
reset-config command in the EXEC mode. (This command does not reset your initial chassis
configuration settings like the IP Address, netmask, administrator user interface password, and so on.)
Part of this reset function requires you to enter new CDA administrator name and passwords.
application reset-config application-name
Syntax Description
Defaults
application
reset-config
Resets the CDA application configuration and clears the CDA database.
application-name
Name of the application configuration you want to reset. Supports up to

255 alphanumeric characters.
4-4
OL-26299-01
Chapter 4

EXEC Commands
Command Modes
EXEC
Usage Guidelines
You can use the application reset-config command to reset the CDA configuration and clear the CDA
database without reimaging the CDA appliance or VMware, and reset the CDA username and passwords.
Note
Examples
Although the application reset-config command resets the CDA configuration to factory
defaults, the operating system (Cisco ADE-OS) configuration still remains intact. The Cisco
ADE-OS configuration includes items such as the network settings, CLI password policy, and
backup history.
Example 1
/admin# application reset-config cda
The existing configuration will be lost. Are you sure? [Y/n] Y
Stopping CDA Watchdog...
Stopping CDA Application Server...
Stopping AD Context Manager...
Stopping AD Context Observer...
Stopping CDA Logger...
Enter the CDA administrator username to create[admin]:
Enter the password for 'admin':
Re-enter the password for 'admin':
Starting CDA...
/admin#
Related Commands
Command
Description
application install
application install
application remove
application start
application stop
application upgrade
show application

on the system.
OL-26299-01
4-5
Chapter 4
EXEC Commands
To reset the administrator user interface login password for a specified user account (usually an existing
administrator account) in CDA after you have lost the user account credentials, use the application
reset-passwd command in the EXEC mode.
application reset-passwd application-name administrator-ID
application
reset-passwd
Resets the administrator account password.
application-name
administrator-ID
The name of an existing administrator account that has been disabled and for
which you want to reset the password.
Defaults
Command Modes
EXEC
Usage Guidelines
Resets administrator password.
Examples
admin# application reset-passwd cda admin

Enter new password: ******
Confirm new password: ******
Password reset successfully.
/admin#
Related Commands
Command
Description
application install
application installs
application remove
application start
application stop
application upgrade
show application

on the system.
4-6
OL-26299-01
Chapter 4

EXEC Commands
application start
To enable a specific application, use the application start command in the EXEC mode. To remove this
function, use the no form of this command.
application start application-name
Syntax Description
application
start
Enables an application bundle.
application-name
Name of the predefined application that you want to enable. Supports up to

Defaults
Command Modes
EXEC
Usage Guidelines
Enables an application.
You cannot use this command to start the CDA application. If you use this command to start the
application, you can see that the CDA is already running.
Examples
/admin# application start cda

Starting CDA...
You can check the status of CDA using the show application status cda command. If you are checking
the status right after starting CDA, it will show the following output:
CDA Application Server process is not running.
But after a short while the output will be similar to:

CDA Application Server is running, PID: 16420
Related Commands
Command
Description
application install
application install
application remove
application stop
OL-26299-01
4-7
Chapter 4
EXEC Commands
Command
Description
application upgrade
show application

on the system.
application stop
To disable a specific application, use the application stop command in the EXEC mode.
application stop application-name
Syntax Description
application
The application command for application install and administration.
stop
Disables an application.
application-name
Name of the predefined application that you want to disable. Supports up to

Defaults
Command Modes
EXEC
Usage Guidelines
Disables an application.
Examples
/admin# application stop cda

Stopping
Stopping
Stopping
Stopping
Stopping
CDA Watchdog...
CDA Application Server...
AD Context Manager...
AD Context Observer...
CDA Logger...
/admin#
Related Commands
Command
Description
application install
application install
application remove
application start
4-8
OL-26299-01
Chapter 4

EXEC Commands
Command
Description
application upgrade
show application

on the system.
application upgrade
To upgrade a specific application bundle, use the application upgrade command in the EXEC mode.
application upgrade application-bundle remote-repository-name
Syntax Description
application
The application command for application install and administration.
upgrade
Upgrades a specific application bundle in the remote repository.
application-bundle
remote-repository-name Remote repository name. Supports up to 255 alphanumeric characters.
Defaults
Command Modes
EXEC
Usage Guidelines
Upgrades an application bundle, and preserves any application configuration data.

If you issue the application upgrade command when another application upgrade operation is in
progress, you will see the following warning message:
An existing application install, remove, or upgrade is in progress. Try again shortly.
Examples
Caution
Do not issue the backup or restore commands when the upgrade is in progress. This action might cause
the database to be corrupted.
Note
Before attempting to use this application upgrade command to upgrade to a newer release, you must read
the upgrade instructions in the release notes supplied with that newer release. The release notes contains
important instructions updated for upgrading to the newer release, which must be followed.
/admin# application upgrade cda-appbundle-1.1.0.362.i386.tar.gz http

Save the current ADE-OS running configuration? (yes/no) [yes]? yes
Initiating Application Upgrade...
Stopping CDA application before upgrade...
Running CDA Database upgrade...
Upgrading CDA Database schema...
CDA Database schema upgrade completed.
OL-26299-01
4-9
Chapter 4
EXEC Commands
Application upgrade successful

/admin#
Related Commands
Command
Description
application install
application install
application remove
application start
application stop
show application

on the system.
backup
To perform a backup of the CDA configuration data and place the backup in a repository, use the backup
command in the EXEC mode. To perform a backup of only the CDA application data without the Cisco
ADE OS data, use the application command.
Note
Before attempting to use this backup command in the EXEC mode, you must copy the running
configuration to a safe location, such as a network server, or save it as the CDA server startup
configuration. You can use this startup configuration when you restore or troubleshoot your CDA
application from the backup and system logs. For more information of copying the running configuration
to the startup configuration, see the copy section on page 4-14.
backup backup-name repository repository-name application application-name
Syntax Description
Defaults
backup
The command to perform a backup the CDA and Cisco ADE OS and place
the backup in a repository.
backup-name
Name of backup file. Supports up to 100 alphanumeric characters.
repository
Repository command.
repository-name
Location where the files should be backed up to. Supports up to 80

alphanumeric characters.
application
Application command (application-only backup, excludes the Cisco ODE OS

system data).
application-name
4-10
OL-26299-01
Chapter 4

EXEC Commands
Command Modes
EXEC
Usage Guidelines
Performs a backup of the CDA and Cisco ADE OS data and places the backup in a repository.
To perform a backup of only the CDA application data without the Cisco ADE OS data, use the
application command.
Examples
Example 1
/admin# backup mybackup repository myrepository
% Creating backup with timestamped filename: backup-111125-1252.tar.gz.gpg
/admin#
Example 2
/admin# backup mybackup repository myrepository application cda
% Creating backup with timestamped filename: backup-111125-1235.tar.gz.gpg
/admin#
Related Commands
Command
Description
backup-logs
Backs up system logs.
delete
Deletes a file from the CDA server.
dir
Lists a file from the CDA server.
reload
Reboots the system.
repository
Enters the repository submode for configuration of backups.
restore
Restores from backup the file contents of a specific repository.
show backup history
Displays the backup history of the system.
show repository
Displays the available backup files located on a specific repository.
backup-logs
To back up system logs, use the backup-logs command in the EXEC mode.
backup-logs backup-name repository repository-name
Syntax Description
Defaults
backup-logs
The command to back up the system and application logs to a repository.
backup-name
Name of one or more files to back up. Supports up to 100 alphanumeric

characters.
repository
Repository command.
repository-name
Location where files should be backed up to. Supports up to 80 alphanumeric

characters.
OL-26299-01
4-11
Chapter 4
EXEC Commands
Command Modes
EXEC
Usage Guidelines
Backs up system logs with an encrypted (hashed) or unencrypted plaintext password.
Examples
/admin# backup-logs mybackup repository myrepository password plain Lab12345

% Creating log backup with timestamped filename: mybackup-111125-1117.tar.gz.gpg
/admin#
Related Commands
Command
Description
backup
Performs a backup (CDA and Cisco ADE OS) and places the backup in
a repository.
restore
repository
show backup history
Shows the backup history of the system.
show repository
Shows the available backup files located on a specific repository.
clock
To set the system clock, use the clock command in the EXEC mode.
clock set [month day hh:min:ss yyyy]
Syntax Description
clock set
The command that sets the system clock.
month
Current month of the year by name. Supports up to three alphabetic

characters. For example, Jan for January.
day
Current day (by date) of the month. Value = 0 to 31. Supports up to two
numbers.
hh:mm:ss
Current time in hours (24-hour format), minutes, and seconds.
yyyy
Current year (no abbreviation).
Defaults
Command Modes
EXEC
Usage Guidelines
Sets the system clock. You must restart the CDA server after you reset the clock for the change to take
effect. Under normal circumstances (with NTP configured), there is no reason to manually set the system
clock using this command.
4-12
OL-26299-01
Chapter 4

EXEC Commands
Warning
Note
Changing the system time on a CDA appliance causes the CDA application to be unusable in the
deployment.
To ensure that you have the correct system time set at the time of installation, the setup wizard prompts
for an NTP server and tries to sync with it. You must ensure that the configured NTP server during setup
is always reachable so that the system time is always kept accurate, especially in rare situations where
the BIOS time can get corrupted because of power failure or CMOS battery failure and this in turn can
corrupt the ADE-OS system time during reboot.
Examples
/admin# clock set May 5 18:07:20 2010

/admin# show clock
Thu May 5 18:07:26 UTC 2010
/admin#
Related Commands
Command
Description
show clock
Displays the time and date set on the system software clock.
configure
To enter the Configuration mode, use the configure command in the EXEC mode. If the replace option
is used with this command, copies a remote configuration to the system which overwrites the existing
configuration.
configure terminal
Syntax Description
configure
The command that allows you to enter the Configuration mode.
terminal
Executes configuration commands from the terminal.
Defaults
Command Modes
EXEC
Usage Guidelines
Use this command to enter the Configuration mode. Note that commands in this mode write to the
running configuration file as soon as you enter them (press Enter).
To exit the Configuration mode and return to the EXEC mode, enter end, exit, or Ctrl-z.
To view the changes that you have made to the configuration, use the show running-config command
in the EXEC mode.
OL-26299-01
4-13
Chapter 4
EXEC Commands
Examples
Example 1
/admin# configure
Enter configuration commands, one per line. End with CNTL/Z.
/admin(config)#
Example 2
/admin# configure terminal
Enter configuration commands, one per lineAug.nd with CNTL/Z.
/admin(config)#
Related Commands
Command
Description
show running-config
Displays the contents of the currently running configuration file or the

configuration.
show startup-config
Displays the contents of the startup configuration file or the

configuration.
copy
To copy any file from a source to a destination, use the copy command in the EXEC mode. The copy
command in the CDA copies a configuration (running or startup).
Running Configuration
The CDA active configuration stores itself in the CDA RAM. Every configuration command you enter
resides in the running configuration. If you reboot your CDA server, you lose the running configuration.
If you make changes that you want to save, you must copy the running configuration to a safe location,
such as a network server, or save it as the CDA server startup configuration.
Startup Configuration
You cannot edit a startup configuration directly. All commands that you enter store themselves in the
running configuration, which you can copy into the startup configuration.
In other words, when you boot a CDA server, the startup configuration becomes the initial running
configuration. As you modify the configuration, the two diverge: the startup configuration remains the
same; the running configuration reflects the changes that you have made. If you want to make your
changes permanent, you must copy the running configuration to the startup configuration.
The following command lines show some of the copy command scenarios available:
copy running-config startup-configCopies the running configuration to the startup
configuration.
copy run startReplaces the startup configuration with the running configuration.
Note
If you do not save the running configuration, you will lose all your configuration changes during
the next reboot of the CDA server. When you are satisfied that the current configuration is
correct, copy your configuration to the startup configuration with the copy run start command.
4-14
OL-26299-01
Chapter 4

EXEC Commands
copy startup-config running-configCopies the startup configuration to the running

configuration.
copy start runMerges the startup configuration on top of the running configuration.
copy [protocol://hostname/location] startup-configCopies but does not merge a remote file to
the startup configuration.
copy [protocol://hostname/location] running-configCopies and merges a remote file to the
running configuration.
copy startup-config [protocol://hostname/location]Copies the startup configuration to a remote
system.
copy running-config [protocol://hostname/location]Copies the running configuration to a
remote system.
copy logs [protocol://hostname/location]Copies log files from the system to another location.
Note
Syntax Description
The copy command is supported only for the local disk and not for a repository.
copy
The command that copies items.
running-config
Represents the current running configuration file.
startup-config
Represents the configuration file used during initialization (startup).
protocol
See Table 4-2 for protocol keyword options.
hostname
Hostname of destination.
location
Location of destination.
logs
The system log files.
all
Copies all CDA log files from the system to another location. All logs are
packaged as cdalogs.tar.gz and transferred to the specified directory on the
remote host.
filename
Allows you to copy a single CDA log file and transfer it to the specified
directory on the remote host, with its original name.
log_filename
Name of the CDA log file, as displayed by the show logs command (up to
255 characters).
mgmt
Copies the CDA management debug logs and Tomcat logs from the system,
bundles them as mgmtlogs.tar.gz, and transfers them to the specified
directory on the remote host.
runtime
Copies the CDA runtime debug logs from the system, bundles them as
runtimelogs.tar.gz, and transfers them to the specified directory on the
remote host.
Defaults
Command Modes
EXEC
OL-26299-01
4-15
Chapter 4
EXEC Commands
Usage Guidelines
The fundamental function of the copy command allows you to copy a file (such as a system image or
configuration file) from one location to another location. The source and destination for the file specified
uses the CDA file system, through which you can specify any supported local or remote file location.
The file system being used (a local memory source or a remote system) dictates the syntax used in the
command.
You can enter on the command line all the necessary source and destination information and the
username and password to use; or, you can enter the copy command and have the server prompt you for
any missing information.
Timesaver
Aliases reduce the amount of typing that you need to do. For example, type copy run start (the
abbreviated form of the copy running-config startup-config command).
The entire copying process might take several minutes and differs from protocol to protocol and from
network to network.
Use the filename relative to the directory for file transfers.
Possible errors are standard FTP or SCP error messages.
Table 4-2
Protocol Prefix Keywords
Keyword
Source of Destination
ftp
Source or destination URL for FTP network server. The syntax for this alias:
ftp:[[[//username [:password]@]location]/directory]/filename
scp
Source or destination URL for SCP network server. The syntax for this alias:
scp:[[[//username [:password]@]location]/directory]/filename
sftp
Source or destination URL for an SFTP network server. The syntax for this alias:
sftp:[[//location]/directory]/filename
tftp
Source or destination URL for a TFTP network server. The syntax for this alias:
tftp:[[//location]/directory]/filename
Examples
Example 1
/admin# copy run start
/admin#
Example 2
/admin# copy running-config startup-config
/admin#
Example 3
/admin# copy start run
/admin#
Example 4
/admin# copy startup-config running-config
/admin#
4-16
OL-26299-01
Chapter 4

EXEC Commands
Example 5
/admin# copy logs disk:/
Collecting logs...
/admin#
Example 6
/admin# copy disk://mybackup-100805-1910.tar.gz ftp://myftpserver/mydir
Username:
Password:
/admin#
Related Commands
Command
Description
application install
Starts or stops a CDA instance.
backup
a repository.
delete
dir
Lists a file from the CDA server.
reload
Reboots the system.
restore
show application
Shows application status and version information.
show version
Displays information about the software version of the system.
debug
To display errors or events for command situations, use the debug command in the EXEC mode.
debug {all | application | backup-restore | cdp | config | icmp | copy | locks | logging | snmp |
system | transfer | user | utils}
Syntax Description
debug
The command to identify various failures with the CDA server.
all
Enables all debugging.
application
Application files.
allEnables all application debug output. Set level between 0 and 7,

with 0 being severe and 7 being all.
installEnables application install debug output. Set level between 0

and 7, with 0 being severe and 7 being all.
operationEnables application operation debug output. Set level

between 0 and 7, with 0 being severe and 7 being all.
uninstallEnables application uninstall debug output. Set level

OL-26299-01
4-17
Chapter 4
EXEC Commands
backup-restore
cdp
config
icmp
Backs up and restores files.
allEnables all debug output for backup-restore. Set level between 0

backupEnables backup debug output for backup-restore. Set level

backup-logsEnables backup-logs debug output for backup-restore.

Set level between 0 and 7, with 0 being severe and 7 being all.
historyEnables history debug output for backup-restore. Set level

restoreEnables restore debug output for backup-restore. Set level

Cisco Discovery Protocol configuration files.
allEnables all Cisco Discovery Protocol configuration debug output.

Set level between 0 and 7, with 0 being severe and 7 being all.
configEnables configuration debug output for Cisco Discovery

Protocol. Set level between 0 and 7, with 0 being severe and 7 being all.
infraEnables infrastructure debug output for Cisco Discovery

Protocol. Set level between 0 and 7, with 0 being severe and 7 being all.
Configuration files.
allEnables all configuration debug output. Set level between 0 and 7,

backupEnables backup configuration debug output. Set level between

0 and 7, with 0 being severe and 7 being all.
clockEnables clock configuration debug output. Set level between 0

infraEnables configuration infrastructure debug output. Set level

kronEnables command scheduler configuration debug output. Set

level between 0 and 7, with 0 being severe and 7 being all.
networkEnables network configuration debug output. Set level

repositoryEnables repository configuration debug output. Set level

serviceEnables service configuration debug output. Set level between

0 and 7, with 0 being severe and 7 being all.
Internet Control Message Protocol (ICMP) echo response configuration.

allEnable all debug output for ICMP echo response configuration. Set
copy
Copy commands. Set level between 0 and 7, with 0 being severe and 7 being
all.
4-18
OL-26299-01
Chapter 4

EXEC Commands
locks
logging
Resource locking.
allEnables all resource locking debug output. Set level between 0 and
7, with 0 being severe and 7 being all.
fileEnables file locking debug output. Set level between 0 and 7, with
0 being severe and 7 being all.
Logging configuration files.

allEnables all logging configuration debug output. Set level between 0 and
snmp
SNMP configuration files.

allEnables all SNMP configuration debug output. Set level between 0 and
system
System files.
allEnables all system files debug output. Set level between 0 and 7,
idEnables system ID debug output. Set level between 0 and 7, with 0

being severe and 7 being all.
infoEnables system info debug output. Set level between 0 and 7, with
initEnables system init debug output. Set level between 0 and 7, with
transfer
File transfer. Set level between 0 and 7, with 0 being severe and 7 being all.
user
User management.
utils
allEnables all user management debug output. Set level between 0

password-policyEnables user management debug output for

password-policy. Set level between 0 and 7, with 0 being severe and 7
being all.
Utilities configuration files.

allEnables all utilities configuration debug output. Set level between 0 and
Defaults
Command Modes
EXEC
Usage Guidelines
Use the debug command to identify various failures within the CDA server; for example, setup failures
or configuration failures.
Examples
/admin# debug all

/admin# mkdir disk:/1
/admin# 6 [15347]: utils: vsh_root_stubs.c[2742] [admin]: mkdir operation success
OL-26299-01
4-19
Chapter 4
EXEC Commands
/admin# rmdir disk:/1

6 [15351]: utils: vsh_root_stubs.c[2601] [admin]: Invoked Remove Directory disk:/1 command
6 [15351]: utils: vsh_root_stubs.c[2663] [admin]: Remove Directory operation success
/admin#
/admin# undebug all
/admin#
Related Commands
Command
Description
undebug
Disables the output (display of errors or events) of the debug command

for various command situations.
delete
To delete a file from the CDA server, use the delete command in the EXEC mode. To remove this
delete filename [disk:/path]
Syntax Description
delete
The command to delete a file from the CDA server.
filename
Filename. Supports up to 80 alphanumeric characters.
disk:/path
Location.
Defaults
Command Modes
EXEC
Usage Guidelines
If you attempt to delete the configuration file or image, the system prompts you to confirm the deletion.
Also, if you attempt to delete the last valid system image, the system prompts you to confirm the
deletion.
Examples
/admin# delete disk:/hs_err_pid19962.log

/admin#
Related Commands
Command
Description
dir
Lists all the files on the CDA server.
4-20
OL-26299-01
Chapter 4

EXEC Commands
dir
To list a file from the CDA server, use the dir command in the EXEC mode. To remove this function,
use the no form of this command.
dir [word] [recursive]
Syntax Description
dir
The command to list files on a local system.
word
Directory name. Supports up to 80 alphanumeric characters. Requires disk:/

preceding the directory name.
recursive
Lists a local directory or filename recursively.
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
/admin# dir
Directory of disk:/
2034113
4096
4096
16384
2996022
4096
4096
Aug
Jun
Aug
Jun
Aug
Aug
Aug
05
10
04
09
05
04
05
2010
2010
2010
2010
2010
2010
2010
19:58:39
02:34:03
23:14:53
02:59:34
19:11:16
23:15:20
12:25:55
ADElogs.tar.gz
activemq-data/
logs/
lost+found/
mybackup-100805-1910.tar.gz
target/
temp/
Usage for disk: filesystem

8076189696 bytes total used
6371618816 bytes free
15234142208 bytes available
/admin#
Example 2
/admin# dir disk:/logs
0 Aug 05 2010 11:53:52 usermgmt.log
/admin#
OL-26299-01
4-21
Chapter 4
EXEC Commands
Example 3
/admin# dir recursive
Directory of disk:/
2034113
2996022
4096
4096
4096
4096
16384
Aug
Aug
Aug
Aug
Jun
Aug
Jun
05
05
04
05
10
04
09
2010
2010
2010
2010
2010
2010
2010
19:58:39
19:11:16
23:14:53
12:25:55
02:34:03
23:15:20
02:59:34
ADElogs.tar.gz
mybackup-100805-1910.tar.gz
logs/
temp/
activemq-data/
target/
lost+found/
Directory of disk:/logs
0 Aug 05 2010 11:53:52 usermgmt.log
Directory of disk:/temp
281
6631
69
231
544145
45231
715
261
1010
1043657
281003
69
2662
79
4032
1043
58377
300
958
28010
122761
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
Aug
05
05
05
05
05
05
05
05
05
05
05
05
05
05
05
05
05
05
05
05
05
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
2010
19:12:45
19:12:34
19:12:45
19:12:34
19:12:35
19:12:45
19:12:34
19:12:34
19:12:34
19:12:44
19:12:38
19:12:45
19:12:44
19:12:34
19:12:38
19:12:34
19:12:46
19:12:45
19:12:34
19:12:45
19:12:45
RoleBundles.xml
PipDetails.xml
GroupRoles.xml
ApplicationGroupTypes.xml
ResourceTypes.xml
UserTypes.xml
ApplicationGroups.xml
ApplicationTypes.xml
Pdps.xml
Groups.xml
Resources.xml
GroupUsers.xml
RoleTypes.xml
UserStores.xml
GroupTypes.xml
Organization.xml
UserRoles.xml
Contexts.xml
Applications.xml
Roles.xml
Users.xml
Directory of disk:/activemq-data
4096 Jun 10 2010 02:34:03 localhost/
Directory of disk:/activemq-data/localhost
0
4096
4096
4096
Jun
Jun
Jun
Jun
10
10
10
10
2010
2010
2010
2010
02:34:03
02:34:03
02:34:03
02:34:03
lock
journal/
kr-store/
tmp_storage/
Directory of disk:/activemq-data/localhost/journal
33030144 Aug 06 2010 03:40:26 data-1
2088 Aug 06 2010 03:40:26 data-control
Directory of disk:/activemq-data/localhost/kr-store
4096 Aug 06 2010 03:40:27 data/
4096 Aug 06 2010 03:40:26 state/
Directory of disk:/activemq-data/localhost/kr-store/data
4-22
OL-26299-01
Chapter 4

EXEC Commands
102 Aug 06 2010 03:40:27 index-container-roots

0 Aug 06 2010 03:40:27 lock
Directory of disk:/activemq-data/localhost/kr-store/state
3073
51
204
306
290
71673
0
Aug
Jul
Aug
Jun
Jun
Aug
Jun
06
20
06
10
10
06
10
2010
2010
2010
2010
2010
2010
2010
03:40:26
21:33:33
03:40:26
02:34:03
02:34:03
03:40:26
02:34:03
hash-index-store-state_state
index-transactions-state
index-store-state
index-kaha
data-kaha-1
data-store-state-1
lock
Directory of disk:/activemq-data/localhost/tmp_storage
No files in directory
Directory of disk:/target
4096 Aug 04 2010 23:15:20 logs/
Directory of disk:/target/logs
0 Aug 04 2010 23:15:20 ProfilerPDP.log
2208 Aug 05 2010 11:54:26 ProfilerSensor.log
Directory of disk:/lost+found
No files in directory
/admin#
Related Commands
Command
Description
delete
exit
To close an active terminal session by logging out of the CDA server or to move up one mode level from
the Configuration mode, use the exit command in the EXEC mode.
exit
Syntax Description
No arguments or keywords.
Defaults
OL-26299-01
4-23
Chapter 4
EXEC Commands
Command Modes
EXEC
Usage Guidelines
Use the exit command in EXEC mode to exit an active session (log out of the CDA server) or to move
up from the Configuration mode.
Examples
/admin# exit
/admin#
Related Commands
Command
Description
end
Exits the Configuration mode.
exit
Exits the Configuration mode or EXEC mode.
Ctrl-z
Exits the Configuration mode.
forceout
To force users out of an active terminal session by logging them out of the CDA server, use the forceout
command in the EXEC mode.
forceout username
Syntax Description
forceout
The command that enforces logout of all the sessions of a specific system
user.
username
The name of the user. Supports up to 31 alphanumeric characters.
Defaults
Command Modes
EXEC
Usage Guidelines
Use the forceout command in EXEC mode to force a user from an active session.
Examples
/admin# forceout user1

/admin#
halt
To shut down and power off the system, use the halt command in EXEC mode.
halt
4-24
OL-26299-01
Chapter 4

EXEC Commands
Syntax Description
Defaults
Command Modes
EXEC
Usage Guidelines
Before you issue the halt command, ensure that the CDA is not performing any backup, restore,
installation, upgrade, or remove operation. If you issue the halt command while the CDA is performing
any of these operations, you will get one of the following warning messages:
WARNING: A backup or restore is currently in progress! Continue with halt?
WARNING: An install/upgrade/remove is currently in progress! Continue with halt?
If you get any of these warnings, enter Yes to halt the operation, or enter No to cancel the halt.
If no processes are running when you use the halt command or if you enter Yes in response to the
warning message displayed, the CDA asks you to respond to the following option:
Do you want to save the current configuration?
Enter Yes to save the existing CDA configuration. The CDA displays the following message:
Saved the running configuration to startup successfully
Examples
/admin# halt
/admin#
Related Commands
Command
Description
reload
Reboots the system.
help
To describe the interactive help system for the CDA server, use the help command in the EXEC mode.
help
Syntax Description
Defaults
Command Modes
EXEC
OL-26299-01
4-25
Chapter 4
EXEC Commands
All configuration modes.
Usage Guidelines
Examples
The help command provides a brief description of the context-sensitive help system.
To list all commands available for a particular command mode, enter a question mark (?) at the
system prompt.
To obtain a list of commands that begin with a particular character string, enter the abbreviated
command entry immediately followed by a question mark (?). This form of help is called word help,
because it lists only the keywords or arguments that begin with the abbreviation that you entered.
To list the keywords and arguments associated with a command, enter a question mark (?) in place
of a keyword or argument on the command line. This form of help is called command syntax help,
because it lists the keywords or arguments that apply based on the command, keywords, and
arguments that you have already entered.
/admin# help
Help may be requested at any point in a command by entering
a question mark '?'. If nothing matches, the help list will
be empty and you must backup until entering a '?' shows the
available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a
command argument (e.g. 'show?') and describes each possible
argument.
2. Partial help is provided when an abbreviated argument is entered
and you want to know what arguments match the input
(e.g. 'show pr?'.)
/admin#
mkdir
To create a new directory on the CDA server, use the mkdir command in the EXEC mode.
mkdir directory-name [disk:/path]
Syntax Description
mk dir
The command to create directory.
directory-name
The name of the directory to create. Supports up to 80 alphanumeric

characters.
disk:/path
Use disk:/path with the directory name.
Defaults
Command Modes
EXEC
4-26
OL-26299-01
Chapter 4

EXEC Commands
Usage Guidelines
Use disk:/path with the directory name; otherwise, an error appears that indicates that the disk:/path
must be included.
Examples
/admin# mkdir disk:/test

/admin# dir
Directory of disk:/
4096
4096
16384
4096
4096
May
May
Mar
May
May
06
06
01
06
07
2010
2010
2010
2010
2010
13:34:49
13:40:59
16:07:27
13:42:53
12:26:04
activemq-data/
logs/
lost+found/
target/
test/

/admin#
Related Commands
Command
Description
dir
Displays a list of files on the CDA server.
rmdir
Removes an existing directory.
nslookup
To look up the hostname of a remote system on the CDA server, use the nslookup command in the EXEC
mode.
nslookup word
Syntax Description
nslookup
The command to search the IP Address or hostname of a remote system.
word
IPv4 address or hostname of a remote system. Supports up to 64

Defaults
Command Modes
EXEC
Usage Guidelines
None.
OL-26299-01
4-27
Chapter 4
EXEC Commands
Examples
Example 1
/admin# nslookup 1.2.3.4
Trying "4.3.2.1.in-addr.arpa"
Received 127 bytes from 171.70.168.183#53 in 1 ms
Host 4.3.2.1.in-addr.arpa. not found: 3(NXDOMAIN)
/admin#
Example 2
/admin# nslookup 209.165.200.225
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65283
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;225.200.165.209.in-addr.arpa. IN
PTR
;; ANSWER SECTION:
225.200.165.209.in-addr.arpa. 86400 IN PTR
;; AUTHORITY SECTION:
200.165.209.in-addr.arpa. 86400 IN
200.165.209.in-addr.arpa. 86400 IN
NS
NS
209-165-200-225.got.net.
ns1.got.net.
ns2.got.net.

/admin#
patch install
The patch install command installs a patch bundle of the application only on a specific node where you
run the patch install command from the CLI.
To install a patch bundle of the application, use the patch command in the EXEC mode.
patch install patch-bundle repository
Syntax Description
patch
The command to install System or Application patch.
install
The command that installs a specific patch bundle of the application.
patch-bundle
The patch bundle file name. Supports up to 255 alphanumeric characters.
repository
Repository name. Supports up to 255 alphanumeric characters.
Defaults
Command Modes
EXEC
Usage Guidelines
Installs a specific patch bundle of the application.
4-28
OL-26299-01
Chapter 4

EXEC Commands
If you attempt to install a patch that is an older version of the existing patch, then you receive the
following error message:
% Patch to be installed is an older version than currently installed version.
Note
Before attempting to use this patch install command to install a patch, you must read the patch
installation instructions in the release notes supplied with that patch. The release notes contains
important instructions updated for installing that patch, which must be followed.
Example 1
/admin# patch install cda-patchbundle-1.0.0.011-2.i386.tar.gz myrepository
Do you want to save the current configuration? (yes/no) [yes]? yes
Initiating Application Patch installation...
Patch successfully installed
/admin#
Example 2
/admin# patch install cda-patchbundle-1.0.0.011-2.i386.tar.gz myrepository
Do you want to save the current configuration? (yes/no) [yes]? no
Patch successfully installed
/admin#
Example 3
/admin# patch install cda-patchbundle-1.0.0.011-2.i386.tar.gz disk
% Patch to be installed is an older version than currently installed version.
/admin#
Related Commands
Command
Description
patch remove
The command that removes a specific patch bundle version of the

application.
show version
Displays information about the currently loaded software version,

along with hardware and device information.
patch remove
To remove a specific patch bundle version of the application, use the patch command in the EXEC mode.
patch remove word word
Syntax Description
patch
The command to install System or Application patch.
remove
The command that removes a specific patch bundle version of the application.
OL-26299-01
4-29
Chapter 4
EXEC Commands
word
The name of the application for which the patch is to be removed. Supports
up to 255 alphanumeric characters.
word
The patch version number to be removed. Supports up to 255 alphanumeric

characters.
Defaults
Command Modes
EXEC
Usage Guidelines
Removes a specific patch bundle of the application.

If you attempt to remove a patch that is not installed, then you receive the following error message:
% Patch is not installed
Note
Examples
Before attempting to use this patch remove command to rollback a patch, you must read the rollback
instructions of the patch in the release notes supplied with that patch. The release notes contains
important instructions updated for rolling back the previously installed patch, which must be followed.
Example 1
/admin# patch remove cda 2
Continue with application patch uninstall? [y/n] y
Application patch successfully uninstalled
/admin#
Example 2
/admin# patch remove cda 3
Continue with application patch uninstall? [y/n] y
% Patch is not installed
/admin#
Related Commands
Command
Description
patch install
The command that installs a specific patch bundle of the application.
show version
Displays information about the currently loaded software version,

along with hardware and device information.
ping
To diagnose the basic IPv4 network connectivity to a remote system, use the ping command in the EXEC
mode.
ping {ip-address | hostname} [df df] [packetsize packetsize] [pingcount pingcount]
4-30
OL-26299-01
Chapter 4

EXEC Commands
Syntax Description
ping
The command to ping a remote IP Address.
ip-address
IP Address of the system to ping. Supports up to 32 alphanumeric characters.
hostname
Hostname of the system to ping. Supports up to 32 alphanumeric characters.
df
Specification for packet fragmentation.
df
Specify the value as 1 to prohibit packet fragmentation, or 2 to fragment the

packets locally, or 3 to not set df.
packetsize
Size of the ping packet.
packetsize
Specify the size of the ping packet; the value can be between 0 and 65507.
pingcount
Number of ping echo requests.
pingcount
Specify the number of ping echo requests; the value can be between 1 and 10.
Defaults
Command Modes
EXEC
Usage Guidelines
The ping command sends an echo request packet to an address, then awaits a reply. The ping output can
help you evaluate path-to-host reliability, delays over the path, and whether you can reach a host.
Examples
/admin# ping 172.16.0.1 df 2 packetsize 10 pingcount 2

PING 172.16.0.1 (172.16.0.1) 10(38) bytes of data.
18 bytes from 172.16.0.1: icmp_seq=0 ttl=40 time=306 ms
18 bytes from 172.16.0.1: icmp_seq=1 ttl=40 time=300 ms
--- 172.16.0.1 ping statistics --2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 300.302/303.557/306.812/3.255 ms, pipe 2
/admin#
Related Commands
Command
Description
ping6
Ping a remote IPv6 address.
ping6
Similar to the IPv4 ping, use the IPv6 ping6 command in the EXEC mode.
ping6 {ip-address | hostname} [GigabitEthernet 0-3][packetsize packetsize] [pingcount
pingcount]
Syntax Description
ping
The command to ping a remote IPv6 address.
ip-address
IP Address of the system to ping. Supports up to 64 alphanumeric characters.
OL-26299-01
4-31
Chapter 4
EXEC Commands
hostname
Hostname of the system to ping. Supports up to 64 alphanumeric characters.
GigabitEthernet
Ethernet interface.
0-3
Select an Ethernet interface.
packetsize
Size of the ping packet.
packetsize
Specify the size of the ping packet; the value can be between 0 and 65507.
pingcount
Number of ping echo requests.
pingcount
Specify the number of ping echo requests; the value can be between 1 and 10.
Command Default
Command Modes
EXEC
Usage Guidelines
The IPv6 ping6 command sends an echo request packet to an address, then awaits a reply. The ping
output can help you evaluate path-to-host reliability, delays over the path, and whether you can reach a
host.
The IPv6 ping6 command is similar to the existing IPv4 ping command. The ping 6 command does not
support the IPv4 ping fragmentation (df in IPv4) options, but it allows an optional specification of an
interface. The interface option is primarily useful for pinning with link-local addresses that are
interface-specific. The packetsize and pingcount options work the same as they do with the IPv4
command.
Examples
Example 1
/admin# ping6 3ffe:302:11:2:20c:29ff:feaf:da05
PING 3ffe:302:11:2:20c:29ff:feaf:da05(3ffe:302:11:2:20c:29ff:feaf:da05) from
3ffe:302:11:2:20c:29ff:feaf:da05 eth0: 56 data bytes
64 bytes from 3ffe:302:11:2:20c:29ff:feaf:da05: icmp_seq=0 ttl=64 time=0.599
ms
ms
ms
ms
--- 3ffe:302:11:2:20c:29ff:feaf:da05 ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 3118ms
/admin#
Example 2
/admin# ping6 3ffe:302:11:2:20c:29ff:feaf:da05 GigabitEthernet 0 packetsize 10 pingcount 2
PING 3ffe:302:11:2:20c:29ff:feaf:da05(3ffe:302:11:2:20c:29ff:feaf:da05) from
3ffe:302:11:2:20c:29ff:feaf:da05 eth0: 10 data bytes
18 bytes from 3ffe:302:11:2:20c:29ff:feaf:da05: icmp_seq=0 ttl=64 time=0.073 ms
18 bytes from 3ffe:302:11:2:20c:29ff:feaf:da05: icmp_seq=1 ttl=64 time=0.073 ms
--- 3ffe:302:11:2:20c:29ff:feaf:da05 ping statistics --2 packets transmitted, 2 received, 0% packet loss, time 1040ms
/admin#
4-32
OL-26299-01
Chapter 4

EXEC Commands
Related Commands
Command
Description
ping
Ping a remote ip address.
reload
To reload the CDA operating system, use the reload command in the EXEC mode.
reload
Syntax Description
Defaults
Command Modes
EXEC
Usage Guidelines
The reload command reboots the system. Use the reload command after you enter configuration
information into a file and save the running-configuration to the persistent startup-configuration on the
CLI and save any settings in the web Administration user interface session.
Before you issue the reload command, ensure that the CDA is not performing any backup, restore,
installation, upgrade, or remove operation. If the CDA performs any of these operations and you issue
the reload command, you will notice any of the following warning messages:
WARNING: A backup or restore is currently in progress! Continue with reload?
WARNING: An install/upgrade/remove is currently in progress! Continue with reload?
If you get any of these warnings, enter Yes to halt the operation, or enter No to cancel the halt.
If no processes are running when you use the reload command or you enter Yes in response to the
warning message displayed, the CDA asks you to respond to the following option:
Do you want to save the current configuration?
Enter Yes to save the existing CDA configuration. The CDA displays the following message:
Examples
/admin# reload
Continue with reboot? [y/n] y
Broadcast message from root (pts/0) (Fri Aug 7 13:26:46 2010):
The system is going down for reboot NOW!
/admin#
OL-26299-01
4-33
Chapter 4
EXEC Commands
Related Commands
Command
Description
halt
Disables the system.
restore
To perform a restore of a previous backup, use the restore command in the EXEC mode. A restore
operation restores data related to the CDA as well as the Cisco ADE OS. To perform a restore of a
previous backup of the application data of the CDA only, add the application command to the restore
command in the EXEC mode. To remove this function, use the no form of this command.
Use the following command to restore data related to the CDA application and Cisco ADE OS:
restore filename repository repository-name
Use the following command to restore data related only to the CDA application:
restore filename repository repository-name application application-name
Syntax Description
restore
The command to restore the system.
filename
Name of the backed-up file that resides in the repository. Supports up to 120
Note
You must add the .tar.gpg extension after the filename (for example,
myfile.tar.gpg).
repository
The repository command.
repository-name
Name of the repository you want to restore from backup.
application
The application command.
application name
The name of the application data to be restored. Supports up to 255

Defaults
Command Modes
EXEC
Usage Guidelines
When you use restore commands in CDA, the CDA server restarts automatically.
The encryption key is optional while restoring data. To support restoring earlier backups where you have
not provided encryption keys, you can use the restore command without the encryption key.
Examples
/admin# restore mybackup-100818-1502.tar.gpg repository myrepository application cda

Restore may require a restart of application services. Continue? (yes/no) [yes] ? yes
Initiating restore. Please wait...
CDA application restore is in progress.
This process could take several minutes. Please wait...
Stopping CDA Watchdog...
4-34
OL-26299-01
Chapter 4

EXEC Commands
Stopping CDA Application Server...

Stopping AD Context Manager...
Stopping AD Context Observer...
Stopping CDA Logger...
Starting CDA Watchdog...
Starting CDA Application Server...
Starting AD Context Manager...
Starting AD Context Observer...
Starting CDA Logger...
Note: CDA Processes are initializing. Use 'show application status cda'
CLI to verify all processes are in running state.
/admin#
Related Commands
Command
Description
backup
a repository.
backup-logs
Backs up system logs.
repository
show repository
show backup history
rmdir
To remove an existing directory, use the rmdir command in the EXEC mode.
rmdir word
Syntax Description
rmdir
The command to remove an existing directory.
word
Directory name. Supports up to 80 alphanumeric characters.
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# mkdir disk:/test

/admin# dir
Directory of disk:/
4096 May 06 2010 13:34:49 activemq-data/
4096 May 06 2010 13:40:59 logs/
OL-26299-01
4-35
Chapter 4
EXEC Commands
16384 Mar 01 2010 16:07:27 lost+found/

4096 May 06 2010 13:42:53 target/
4096 May 07 2010 12:26:04 test/
/admin#
/admin# rmdir disk:/test
/admin# dir
Directory of disk:/
4096
4096
16384
4096
May
May
Mar
May
06
06
01
06
2010
2010
2010
2010
13:34:49
13:40:59
16:07:27
13:42:53
activemq-data/
logs/
lost+found/
target/

/admin#
Related Commands
Command
Description
dir
Displays a list of files on the CDA server.
mkdir
Creates a new directory.
show
To show the running system information, use the show command in the EXEC mode. The show
commands are used to display the CDA settings and are among the most useful commands.
The commands in Table 4-3 require the show command to be followed by a keyword; for example, show
application status. Some show commands require an argument or variable after the keyword to
function; for example, show application version.
For detailed information on all the CDA show commands, see Show Commands, page 4-48.
show keyword
Syntax Description
Table 4-3 provides a summary of the show commands.

Table 4-3
Summary of show Commands
Command1
Description
application
(requires keyword)
backup
Displays information about the installed application; for example, status or

version.
Displays information about the backup.
(requires keyword)
4-36
OL-26299-01
Chapter 4

EXEC Commands
Table 4-3
Summary of show Commands (continued)
Command1
Description
cdp
Displays information about the enabled Cisco Discovery Protocol interfaces.
(requires keyword)
clock
Displays the day, date, time, time zone, and year of the system clock.
cpu
Displays CPU information.
disks
Displays file-system information of the disks.
interface
Displays statistics for all the interfaces configured on the Cisco ADE OS.
logging
Displays system logging information.
(requires keyword)
logins
Displays login history.
(requires keyword)
memory
Displays memory usage by all running processes.
ntp
Displays the status of the Network Time Protocol (NTP).
ports
Displays all the processes listening on the active ports.
process
Displays information about the active processes of the CDA server.
repository
Displays the file contents of a specific repository.
(requires keyword)
restore
Displays restore history on the CDA server.
(requires keyword)
running-config
Displays the contents of the currently running configuration file on the CDA
server.
startup-config
Displays the contents of the startup configuration on the CDA server.
tech-support
Displays system and configuration information that you can provide to the TAC
when you report a problem.
terminal
Displays information about the terminal configuration parameter settings for the
current terminal line.
timezone
Displays the time zone of the CDA server.
timezones
Displays all the time zones available for use on the CDA server.
udi
Displays information about the unique device identifier (UDI) of the CDA.
uptime
Displays how long the system you are logged in to has been up and running.
users
Displays information for currently logged in users.
version
Displays information about the installed application version.
1. The commands in this table require that the show command precedes a keyword; for example, show application.
2. Some show commands require an argument or variable after the keyword to function; for example, show application version.
This show command displays the version of the application installed on the system (see show application, page 4-48).
Defaults
OL-26299-01
4-37
Chapter 4
EXEC Commands
Command Modes
EXEC
Usage Guidelines
All show commands require at least one keyword to function.
Examples

<name>
<Description>
CDA
/admin#
ssh
To start an encrypted session with a remote system, use the ssh command in the EXEC mode.
ssh [ip-address | hostname] username port [number] version [1 | 2] delete hostkey word
Syntax Description
ssh
The command to start an encrypted session with a remote system.
ip-address
IP Address of the remote system. Supports up to 64 alphanumeric characters.
hostname
Hostname of the remote system. Supports up to 64 alphanumeric characters.
username
Username of the user logging in through SSH.
port [number]
(Optional) Indicates the port number of the remote host. From 0 to 65,535.
Default 22.
version [1 | 2]
(Optional) Indicates the version number. Default 2.
delete hostkey
Deletes the SSH fingerprint of a specific host.
word
IPv4 address or hostname of a remote system. Supports up to 64

Defaults
Disabled.
Command Modes
EXEC (Admin or Operator)
Usage Guidelines
The ssh command enables a system to make a secure, encrypted connection to another remote system or
server. This connection provides functionality similar to that of an outbound Telnet connection except
that the connection is encrypted. With authentication and encryption, the SSH client allows for secure
communication over an insecure network.
Examples
Example 1
/admin# ssh cda1 admin
admin@cda1's password:
Last login: Wed Jul 11 05:53:20 2008 from cda.cisco.com
4-38
OL-26299-01
Chapter 4

EXEC Commands
cda1/admin#
Example 2
/admin# ssh delete host cda
/admin#
tech
To dump traffic on a selected network interface, use the tech command in the EXEC mode.
tech dumptcp <0-3> count <package count>
Syntax Description
tech
TAC commands.
dumptcp
The command to dump a TCP package to the console.
0-3
Gigabit Ethernet interface number (0 to 3).
count
Specifies a maximum package count, and default is continuous (no limit).
package count
Supports 110000.
Defaults
Disabled.
Command Modes
EXEC
Usage Guidelines
If you see bad udp cksum warnings in the tech dumptcp output, it may not be a cause for concern. The
tech dumptcp command examines outgoing packets before they exit through the Ethernet
microprocessor. Most modern Ethernet chips calculate checksums on outgoing packets, and so the
operating system software stack does not. Hence, it is normal to see outgoing packets declared as bad
udp cksum.
Examples
cd-pos-dev17/admin# tech dumptcp 0 count 30

Invoking tcpdump. Press Control-C to interrupt.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:27:32.923319 IP (tos 0x10, ttl 64, id 1377, offset 0, flags [DF], proto: TCP (6),
length: 92) 10.77.122.201.22 > 10.77.204.132.3142: P 165
9025089:1659025141(52) ack 793752673 win 12144
length: 156) 10.77.122.201.22 > 10.77.204.132.3142: P 52
:168(116) ack 1 win 12144
10:27:32.940203 IP (tos 0x0, ttl 55, id 12075, offset 0, flags [none], proto: UDP (17),
length: 123) 72.163.128.140.53 > 10.77.122.201.43876:
13150 NXDomain* q: AAAA? cda-201.cisco.com. 0/1/0 ns: cisco.com. SOA[|domain]
length: 40) 10.77.204.132.3142 > 10.77.122.201.22: ., ck
sum 0x4ed3 (correct), 1:1(0) ack 168 win 64192
10:27:33.201646 IP (tos 0x0, ttl 64, id 39209, offset 0, flags [DF], proto: UDP (17),
length: 63) 10.77.122.201.50340 > 72.163.128.140.53: [b
ad udp cksum b8a2!] 49140+ AAAA? cda-201.cisco.com. (35)
OL-26299-01
4-39
Chapter 4
EXEC Commands
length: 123) 72.163.128.140.53 > 10.77.122.201.50340:
length: 63) 10.77.122.201.56578 > 72.163.128.140.53: [b
ad udp cksum 8854!] 62918+ AAAA? cda-201.cisco.com. (35)
length: 123) 72.163.128.140.53 > 10.77.122.201.56578:
10:27:33.579551 arp who-has 10.77.122.120 tell 10.77.122.250
length: 306) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHC
P, Request from e4:1f:13:77:13:34, length: 278, xid:0x1377f72b, flags: [Broadcast]
(0x8000)
Client Ethernet Address: e4:1f:13:77:13:34 [|bootp]
length: 63) 10.77.122.201.43779 > 72.163.128.140.53: [b
ad udp cksum 2ffc!] 32798+ AAAA? cda-201.cisco.com. (35)
length: 123) 72.163.128.140.53 > 10.77.122.201.43779:
length: 63) 10.77.122.201.23267 > 72.163.128.140.53: [b
ad udp cksum 2e85!] 18240+ AAAA? cda-201.cisco.com. (35)
length: 123) 72.163.128.140.53 > 10.77.122.201.23267:
10:27:34.579054 arp who-has 10.77.122.120 tell 10.77.122.250
10:27:34.927369 arp who-has 10.77.122.42 tell 10.77.122.40
length: 317) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/D
HCP, Request from 3c:df:1e:58:0f:c0, length: 289, xid:0x161504, flags: [Broadcast]
(0x8000)
Client Ethernet Address: 3c:df:1e:58:0f:c0 [|bootp]
10:27:36.190658 CDPv2, ttl: 180s, checksum: 692 (unverified), length 384
Device-ID (0x01), length: 12 bytes: 'hyd04-lab-SW'[|cdp]
30 packets captured
30 packets received by filter
0 packets dropped by kernel
cda-201/admin#
telnet
To log in to a host that supports Telnet, use the telnet command in Operator (user) or EXEC mode.
telnet [ip-address | hostname] port number
Syntax Description
Defaults
telnet
The command to log in to a host that supports Telnet.
ip-address
hostname
port number
(Optional) Indicates the port number of the remote host. From 0 to 65,535.
4-40
OL-26299-01
Chapter 4

EXEC Commands
Command Modes
Operator
EXEC
Usage Guidelines
None.
Examples
/admin# telnet 172.16.0.11 port 23

cda.cisco.com login: admin
password:
Last login: Mon Jul 2 08:45:24 on ttyS0
/admin#
terminal length
To set the number of lines on the current terminal screen for the current session, use the terminal length
terminal length integer
Syntax Description
terminal
The command to set the terminal line parameters.
length
The command that sets the number of lines on the current terminal screen for
the current session.
integer
Number of lines on the screen. Contains between 0 to 511 lines, inclusive. A

value of zero (0) disables pausing between screens of output.
Defaults
24 lines
Command Modes
EXEC
Usage Guidelines
The system uses the length value to determine when to pause during multiple-screen output.
Examples
/admin# terminal length 0

/admin#
OL-26299-01
4-41
Chapter 4
EXEC Commands
To set the inactivity timeout for all sessions, use the terminal session-timeout command in the EXEC
mode.
terminal session-timeout minutes
Syntax Description
terminal
session-timeout
The command that sets the inactivity time out of all the sessions.
minutes
Sets the number of minutes for the inactivity timeout. From 0 to 525,600.
Zero (0) disables the timeout.
Defaults
30 minutes
Command Modes
EXEC
Usage Guidelines
Setting the terminal session-timeout command to zero (0) results in no timeout being set.
Examples
/admin# terminal session-timeout 40

/admin#
Related Commands
Command
Description
Sets a welcome message on the system for all users who log in to the
system.
To set a welcome message on the system for all users who log in to the system, use the terminal
session-welcome command in EXEC mode.
terminal session-welcome string
Syntax Description
Defaults
terminal
session-welcome
The command that sets a welcome message on the system for all users
who log in to the system.
string
Welcome message. Supports up to 2,048 alphanumeric characters.
4-42
OL-26299-01
Chapter 4

EXEC Commands
Command Modes
EXEC
Usage Guidelines
Specify a message using up to 2,048 characters.
Examples
/admin# terminal session-welcome Welcome

/admin#
Related Commands
Command
Description
Sets the inactivity timeout for all sessions.
To specify the type of terminal connected to the current line for the current session, use the terminal
terminal-type command in EXEC mode.
terminal terminal-type type
Syntax Description
terminal
terminal-type
The command that specifies the type of terminal connected. The default
terminal type is VT100.
type
Defines the terminal name and type, and permits terminal negotiation
by hosts that provide that type of service. Supports up to 80
Defaults
VT100
Command Modes
EXEC
Usage Guidelines
Indicate the terminal type if it is different from the default of VT100.
Examples
/admin# terminal terminal-type vt220

/admin#
OL-26299-01
4-43
Chapter 4
EXEC Commands
traceroute
To discover the routes that packets take when traveling to their destination address, use the traceroute
command in EXEC mode.
traceroute [ip-address | hostname]
Syntax Description
traceroute
The command to discover the routes of the packets to their destination

address.
ip-address
hostname
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# traceroute 172.16.0.11

traceroute to 172.16.0.11 (172.16.0.11), 30 hops max, 38 byte packets
1 172.16.0.11 0.067 ms 0.036 ms 0.032 ms
/admin#
undebug
To disable debugging functions, use the undebug command in EXEC mode.
undebug {all | application | backup-restore | cdp | config | copy | icmp | locks | logging | snmp |
system | transfer | user | utils}
Syntax Description
undebug
The command to disable identifying various failures with the CDA server.
all
Disables all debugging.
application
Application files.
allDisables all application debug output.
installDisables application install debug output.
operationDisables application operation debug output.
uninstallDisables application uninstall debug output.
4-44
OL-26299-01
Chapter 4

EXEC Commands
backup-restore
cdp
config
Backs up and restores files.
allDisables all debug output for backup-restore.
backupDisables backup debug output for backup-restore.
backup-logsDisables backup-logs debug output for backup-restore.
historyDisables history debug output for backup-restore.
restoreDisables restore debug output for backup-restore.
Cisco Discovery Protocol configuration files.
allDisables all Cisco Discovery Protocol configuration debug output.
configDisables configuration debug output for Cisco Discovery

Protocol.
infraDisables infrastructure debug output for Cisco Discovery

Protocol.
Configuration files.
allDisables all configuration debug output.
backupDisables backup configuration debug output.
clockDisables clock configuration debug output.
infraDisables configuration infrastructure debug output.
kronDisables command scheduler configuration debug output.
networkDisables network configuration debug output.
repositoryDisables repository configuration debug output.
serviceDisables service configuration debug output.
copy
Copy commands.
icmp
ICMP echo response configuration.

allDisable all debug output for ICMP echo response configuration. Set
locks
logging
Resource locking.
allDisables all resource locking debug output.
fileDisables file locking debug output.
Logging configuration files.

allDisables all debug output for logging configuration.
snmp
SNMP configuration files.

allDisables all debug output for SNMP configuration.
system
transfer
System files.
allDisables all system files debug output.
idDisables system ID debug output.
infoDisables system info debug output.
initDisables system init debug output.
File transfer.
OL-26299-01
4-45
Chapter 4
EXEC Commands
user
utils
User management.
allDisables all user management debug output.
password-policyDisables user management debug output for

password-policy.
Utilities configuration files.

allDisables all utilities configuration debug output.
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# undebug all

/admin#
Related Commands
Command
Description
debug
Displays errors or events for command situations.
write
To copy, display, or erase CDA server configurations, use the write command with the appropriate
argument in the EXEC mode.
write {erase | memory | terminal}
Syntax Description
write
The command to write running system information.
erase
Erases the startup configuration. This option is disabled in CDA.
memory
Copies the running configuration to the startup configuration.
terminal
Copies the running configuration to console.
Defaults
Command Modes
EXEC
4-46
OL-26299-01
Chapter 4

EXEC Commands
Usage Guidelines
Using this write command with the erase option is disabled in CDA.
If you use the write command with the erase option, CDA displays the following error message:
% Warning: 'write erase' functionality has been disabled by application: cda
Examples
Example 1
/admin# write memory
/admin#
Example 2
/admin# write terminal
!
hostname cda
!
ip domain-name cisco.com
!
interface GigabitEthernet 0
ip address 10.201.2.121 255.255.255.0
ipv6 address autoconfig
!
shutdown
!
shutdown
!
shutdown
!
ip name-server 171.68.226.120
!
ip default-gateway 10.201.2.1
!
clock timezone UTC
!
ntp server clock.cisco.com
!
username admin password hash $1$6yQQaFXM$UBgbp7ggD1bG3kpExywwZ0 role admin
!
service sshd
!
repository myrepository
url disk:
user admin password hash 2b50ca94445f240f491e077b5f49fa0375942f38
!
password-policy
lower-case-required
upper-case-required
digit-required
no-username
disable-cisco-passwords
min-password-length 6
!
logging localhost
logging loglevel 6
!
cdp timer 60
OL-26299-01
4-47
Chapter 4
Show Commands
cdp holdtime 180

cdp run GigabitEthernet 0
!
icmp echo on
!
/admin#
Show Commands
This section lists each show command and includes a brief description of its use, command syntax, usage
guidelines, and sample output.
Table 4-4 lists the show commands in the EXEC mode that this section describes.
Table 4-4
List of EXEC show Commands
show application
show logins
show tech-support
show backup history
show memory
show terminal
show cdp
show ntp
show timezone
show clock
show ports
show timezones
show cpu
show process
show udi
show disks
show repository
show uptime
show icmp-status
show restore
show users
show interface
show running-config
show version
show inventory
show startup-config
show logging
show application
To show application information of the installed application packages on the system, use the show
application command in the EXEC mode.
show application [status | version [app_name]]
Syntax Description
show application
The command to display the CDA application information.
status
Displays the status of the installed application.
version
Displays the application version for an installed applicationthe CDA.
app_name
Name of the installed application.
4-48
OL-26299-01
Chapter 4

Show Commands
Output modifier variables:
beginMatched pattern. Supports up to 80 alphanumeric characters.
countCount the number of lines in the output. Add number after the
word count.
|Output modifier variables (see Table 4-5).
endEnd with line that matches. Supports up to 80 alphanumeric

characters.
excludeExclude lines that match. Supports up to 80 alphanumeric

characters.
includeInclude lines that match. Supports up to 80 alphanumeric

characters.
lastDisplay last few lines of output. Add number after the word last.
Supports up to 80 lines to display. Default 10.
Table 4-5
Output Modifier Variables for Count or Last
word count.
|Output modifier variables.

characters.

characters.

characters.
Defaults
Command Modes
EXEC
Usage Guidelines
None.
OL-26299-01
4-49
Chapter 4
Show Commands
Examples
Example 1
<name>
<Description>
cda
/admin#
Example 2
/admin# show application version cda
--------------------------------------------Version
: 1.0.0.11
Build Date
: Sun Apr 8 14:04:41 2012
Install Date : Sun Apr 8 14:11:45 2012
/admin#
Example 3
CDA application server is running PID:2840
/admin#
Related Commands
Command
Description
application install
application install
application remove
application start
application stop
application upgrade
show backup history

To display the backup history of the system, use the show backup history command in the EXEC mode.
show backup history
Syntax Description
Defaults
show backup
The command to display the CDA backup information.
history
Displays history information about any backups on the system.
4-50
OL-26299-01
Chapter 4

Show Commands
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
/admin# show backup history
Wed Aug 18 12:55:21 UTC 2010: backup logs logs-0718.tar.gz to repository fileserver007:
success
Wed Aug 18 12:55:53 UTC 2010: backup full-0718.tar.gpg to repository fileserver007:
success
/admin#
Example 2
/admin# show backup history
backup history is empty
/admin#
Related Commands
Command
Description
backup
Performs a backup (CDA and Cisco ADE OS) and places the backup
in a repository.
restore
repository
show repository
show cdp
To display information about the enabled Cisco Discovery Protocol interfaces, use the show cdp
show cdp {all | neighbors}
Syntax Description
show cdp
The command to display Cisco Discovery Protocol show commands.
all
Shows all the enabled Cisco Discovery Protocol interfaces.
neighbors
Shows the Cisco Discovery Protocol neighbors.
Defaults
Command Modes
EXEC
OL-26299-01
4-51
Chapter 4
Show Commands
Usage Guidelines
None.
Examples
Example 1
/admin# show cdp all
CDP protocol is enabled...
broadcasting interval is every 60 seconds.
time-to-live of cdp packets is 180 seconds.
CDP is enabled on port GigabitEthernet0.
/admin#
Example 2
/admin# show cdp neighbors
CDP Neighbor : pmbu-ibf-sw-ins
Local Interface
: GigabitEthernet0
Device Type
: E-24TDWS-C3750
Port
: GigabitEthernet1/0/17
Address
: 192.168.100.254
/admin#
Related Commands
Command
Description
cdp holdtime
Specifies the length of time that the receiving device should hold a
Cisco Discovery Protocol packet from your router before discarding it.
cdp run
Enables the Cisco Discovery Protocol.
cdp timer
Specifies how often the CDA server sends Cisco Discovery Protocol
updates.
show clock
To display the day, month, date, time, time zone, and year of the system software clock, use the show
clock command in the EXEC mode.
show clock
Syntax Description
Defaults
Command Modes
EXEC
Usage Guidelines
None.
4-52
OL-26299-01
Chapter 4

Show Commands
Examples
/admin# show clock

Tue May 8 08:33:50 IDT 2012
/admin#
The show clock output in the previous example includes Coordinated Universal Time (UTC) or
Greenwich Mean Time (GMT), Great Britain, or Zulu time (see Tables 4-13, 4-14, and 4-15 on
pages A-84 and A-85 for sample time zones).
Note
Related Commands
Command
Description
clock
Sets the system clock for display purposes.
show cpu
To display CPU information, use the show cpu command in the EXEC mode.
show cpu [statistics] [|] [|]
Syntax Description
show cpu
The command to display CPU information.
statistics
Displays CPU statistics.
word count.

characters.

characters.

characters.
OL-26299-01
4-53
Chapter 4
Show Commands
Table 4-6
word count.

characters.

characters.

characters.
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
/admin# show cpu
processor :
model
:
speed(MHz):
cache size:
0
Intel(R) Core(TM)2 CPU
1596.000
2048 KB
processor :
model
:
speed(MHz):
cache size:
1
Intel(R) Core(TM)2 CPU
1596.000
2048 KB
6400
@ 2.13GHz
6400
@ 2.13GHz
/admin#
Example 2
/admin# show cpu statistics
user time:
265175
kernel time:
166835
idle time:
5356204
i/o wait time:
162676
irq time:
4055
4-54
OL-26299-01
Chapter 4

Show Commands
/admin#
Related Commands
Command
Description
show disks
Displays the system information of all disks.
show memory
Displays the amount of system memory that each system process uses.
show disks
To display the disks file-system information, use the show disks command in the EXEC mode.
show disks [|] [|]
Syntax Description
show disks
The command to display the disks and the file-system information
word count.

characters.

characters.

characters.
OL-26299-01
4-55
Chapter 4
Show Commands
Table 4-7
word count.

characters.

characters.

characters.
Defaults
Command Modes
EXEC
Usage Guidelines
Only platforms that have a disk file system support the show disks command.
Examples
/admin# show disks

temp. space 2% used (36460 of 1984044)
disk: 2% used (208816 of 14877060)
Internal filesystems:
all internal filesystems have sufficient free space
/admin#
Related Commands
Command
Description
show cpu
Displays CPU information.
show memory
Displays the amount of system memory that each system process uses.
4-56
OL-26299-01
Chapter 4

Show Commands
show icmp-status
To display the Internet Control Message Protocol echo response configuration information, use the show
icmp_status command in EXEC mode.
show icmp_status {> file | |}
Syntax Description
show icmp_status
The command to display the Internet Control Message Protocol echo

response configuration information.
>
Output direction.
file
Name of file to redirect standard output (stdout).
Output modifier commands:
word count.
|Output modifier commands (see Table 4-8).

characters.

characters.

characters.
|Output modifier commands (see Table 4-8).
Table 4-8
word count.

characters.

characters.

characters.
OL-26299-01
4-57
Chapter 4
Show Commands
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
/admin# show icmp_status
icmp echo response is turned on
/admin#
Example 2
/admin# show icmp_status
icmp echo response is turned off
/admin#
Related Commands
Command
Description
icmp echo
Configures the Internet Control Message Protocol (ICMP) echo

requests.
show interface
To display the usability status of interfaces configured for IP, use the show interface command in the
EXEC mode.
show interface [GigabitEthernet] |
Syntax Description
show interface
The command to display interface information.
GigabitEthernet
Shows the Gigabit Ethernet interface. Enter <0-3>.
word count.

characters.

characters.

characters.
4-58
OL-26299-01
Chapter 4

Show Commands
Defaults
Command Modes
EXEC
Usage Guidelines
In the show interface GigabitEthernet 0 output, you can find that the interface has three IPv6
addresses. The first internet address (starting with 3ffe) is the result of using stateless autoconfiguration.
For this to work, you need to have IPv6 route advertisement enabled on that subnet. The next address
(starting with fe80) is a link local address that does not have any scope outside the host. You always see
a link local address regardless of the IPv6 autoconfiguration or DHCPv6 configuration. The last address
(starting with 2001) is the result obtained from a IPv6 DHCP server.
Examples
Example 1
/admin# show interface
eth0
Link encap:Ethernet HWaddr 00:0C:29:6A:88:C4
inet addr:172.23.90.113 Bcast:172.23.90.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe6a:88c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48536 errors:0 dropped:0 overruns:0 frame:0
TX packets:14152 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6507290 (6.2 MiB) TX bytes:12443568 (11.8 MiB)
Interrupt:59 Base address:0x2000
lo
Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
sit0
Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
/admin#
Example 2
/admin# show interface GigabitEthernet 0
eth0
Link encap:Ethernet HWaddr 00:0C:29:AF:DA:05
inet6 addr: 3ffe:302:11:2:20c:29ff:feaf:da05/64 Scope:Global
inet6 addr: fe80::20c:29ff:feaf:da05/64 Scope:Link
inet6 addr: 2001:558:ff10:870:8000:29ff:fe36:200/64 Scope:Global
/admin#
OL-26299-01
4-59
Chapter 4
Show Commands
Related Commands
Command
Description
interface
Configures an interface type and enters the interface configuration

submode.
Enables IPv6 stateless autoconfiguration on an interface.
ipv6 address dhcp
Enables IPv6 address DHCP on an interface.
show inventory
To display information about the hardware inventory, including the CDA appliance model and serial
number, use the show inventory command in the EXEC mode.
show inventory |
Syntax Description
show inventory
The command to display hardware inventory information.
word count.

characters.

characters.

characters.
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# show inventory

NAME: "CSACS-1121-K9
chassis", DESCR: "CSACS-1121-K9
chassis"
PID: CSACS-1121-K9
, VID: V01 , SN: LAB11122278
Total RAM Memory: 4017680 kB
CPU Core Count: 2
CPU 0: Model Info: Intel(R) Core(TM)2 CPU
6400 @ 2.13GHz
CPU 1: Model Info: Intel(R) Core(TM)2 CPU
6400 @ 2.13GHz
Hard Disk Count(*): 2
4-60
OL-26299-01
Chapter 4

Show Commands
Disk 0: Device Name: /dev/sda

Disk 0: Capacity: 250.00 GB
Disk 0: Geometry: 255 heads 63 sectors/track 30401 cylinders
Disk 1: Device Name: /dev/sdb
Disk 1: Capacity: 250.00 GB
Disk 1: Geometry: 255 heads 63 sectors/track 30401 cylinders
NIC Count: 2
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:15:17:29:68:A2
NIC 0: Driver Descr: Intel(R) PRO/1000 Network Driver
NIC 1: Device Name: eth1
NIC 1: HW Address: 00:15:17:29:68:A3
NIC 1: Driver Descr: Intel(R) PRO/1000 Network Driver
(*) Hard Disk Count may be Logical.
/admin#
show logging
To display the state of system logging (syslog) and the contents of the standard system logging buffer,
use the show logging command in the EXEC mode.
show logging {application [application-name]} {internal} {system} |
Syntax Description
show logging
The command to display system logging information.
application
Displays application logs.

application-nameApplication name. Supports up to 255 alphanumeric
characters.
tailTail system syslog messages.
countTail last count messages. From 0 to 4,294,967,295.
|Output modifier variables (see below).

internal
Displays the syslogs configuration.
system
Displays the system syslogs.
word count.

characters.

characters.

characters.
OL-26299-01
4-61
Chapter 4
Show Commands
Defaults
Command Modes
EXEC
Usage Guidelines
This command displays the state of syslog error and event logging, including host addresses, and for
which, logging destinations (console, monitor, buffer, or host) logging is enabled.
Examples
Example 1
/admin# show logging system
ADEOS Platform log:
----------------Apr 18 11:03:57 localhost debugd[1756]: [2170]: config:network: main.c[252] [setup]: Setup
is complete
Apr 18 14:04:13 localhost debugd[1756]: [3005]: application:install cars_install.c[245]
[setup]: Install initiated with bundle - cda.tar.gz, r
epo - SystemDefaultPkgRepos
[setup]: Stage area - /storeddata/Installing/.13347470
53
[setup]: Getting bundle to local machine
Apr 18 14:04:13 localhost debugd[1756]: [3005]: transfer: cars_xfer.c[58] [setup]: local
copy in of cda.tar.gz requested
[setup]: Got bundle at - /storeddata/Installing/.13347
47053/cda.tar.gz
[setup]: Unbundling package cda.tar.gz
[setup]: Unbundling done. Verifying input parameters..
.
[setup]: Manifest file is at - /storeddata/Installing/
.1334747053/manifest.xml
[setup]: Manifest file appname - cda
[setup]: Manifest file pkgtype - CARS
[setup]: Verify dependency list Apr 18 14:04:22 localhost debugd[1756]: [3005]: application:install cars_install.c[413]
[setup]: Verify app license Apr 18 14:04:22 localhost debugd[1756]: [3005]: application:install cars_install.c[423]
[setup]: Verify app RPM's
[setup]: No of RPM's - 1
[setup]: Disk - 50
Apr 18 14:04:22 localhost debugd[1756]: [3005]: application:install ci_util.c[325]
[setup]: Disk requested = 51200 KB
Apr 18 14:04:22 localhost debugd[1756]: [3005]: application:install ci_util.c[345]
[setup]: More disk found Free = 211595264, req_disk = 51200
[setup]: Mem requested by app - 100
4-62
OL-26299-01
Chapter 4

Show Commands
Apr 18 14:04:22 localhost debugd[1756]:

[setup]: Mem requested = 102400
[setup]: Found MemFree = MemFree:
[setup]: Found MemFree value = 1284664
[setup]: Found Inactive = Inactive:
[setup]: Found Inactive MemFree value =
[setup]: Sufficient mem found
[setup]: Done checking memory...
[setup]: Verifying RPM's...
--More-(press Spacebar to continue)
[3005]: application:install ci_util.c[369]

1284664 kB
1361456 kB
1361456
[3005]: application:install cars_install.c[475]
/admin#
Example 2
/admin# show logging internal
log server:
Global loglevel:
Status:
/admin#
localhost
6
Enabled
Example 3
/admin# show logging internal
log server:
Global loglevel:
Status:
/admin#
localhost
6
Disabled
show logins
To display the state of system logins, use the show logins command in the EXEC mode.
show logins cli
Syntax Description
show logins
The command to display system login history.
cli
Lists the cli login history.
Defaults
Command Modes
EXEC
OL-26299-01
4-63
Chapter 4
Show Commands
Usage Guidelines
Requires the cli keyword; otherwise, an error occurs.
Examples
/admin# show logins cli

admin
pts/1
10.77.203.182
admin
pts/1
10.77.203.182
admin
pts/1
10.77.203.182
root
pts/0
64.103.124.254
root
ttyS0
admin
ttyS0
admin
ttyS0
admin
ttyS0
admin
ttyS0
admin
ttyS0
Tue
Mon
Mon
Mon
Thu
Thu
Thu
Thu
Wed
Wed
May
May
May
Apr
Apr
Apr
Apr
Apr
Apr
Apr
8
7
7
23
19
19
19
19
18
18
08:32
14:05
12:23
11:54
17:57
17:57
17:23
18:28
20:43
14:58
still logged in
- 14:58 (00:53)
- 13:29 (01:06)
still logged in
still logged in
- 17:57 (00:00)
- 17:56 (00:32)
- 15:59 (-2:-29)
- 21:16 (00:32)
- 15:28 (00:30)
wtmp begins Wed Apr 18 13:59:32 2012

/admin#
show memory
To display the memory usage of all the running processes, use the show memory command in the EXEC
mode.
show memory
Syntax Description
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# show memory

total memory:
1035164
free memory:
27128
cached:
358888
swap-cached:
142164
kB
kB
kB
kB
/admin#
4-64
OL-26299-01
Chapter 4

Show Commands
show ntp
To show the status of the NTP associations, use the show ntp command in the EXEC mode.
show ntp
Syntax Description
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example:1
/admin# show ntp
Primary NTP
: cd-acs-ntp.cisco.com
synchronised to NTP server (10.56.60.29) at stratum 3
time correct to within 64 ms
polling server every 1024 s
remote
refid
st t when poll reach
delay
offset jitter
==============================================================================
127.127.1.0
.LOCL.
10 l
5
64 377
0.000
0.000
0.001
*10.56.60.29
64.103.34.15
2 u
98 1024 377
0.001
0.205
0.054
Warning: Output results may conflict during periods of changing synchronization.

/admin#
Example:2
/admin# show ntp
% no NTP servers configured
/admin#
Related Commands
Command
Description
ntp
Allows you to configure NTP configuration up to three NTP servers.
ntp server
Allows synchronization of the software clock by the NTP server for the
system.
OL-26299-01
4-65
Chapter 4
Show Commands
show ports
To display information about all the processes listening on active ports, use the show ports command in
the EXEC mode.
show ports [|] [|]
Syntax Description
show ports The command to display all the processes listening on open ports in the CDA.
|
countCount the number of lines in the output. Add number after the word count.
endEnd with line that matches. Supports up to 80 alphanumeric characters.
excludeExclude lines that match. Supports up to 80 alphanumeric characters.
includeInclude lines that match. Supports up to 80 alphanumeric characters.
lastDisplay last few lines of output. Add number after the word last. Supports up
to 80 lines to display. Default 10.
Table 4-9
countCount the number of lines in the output. Add number after the word count.
endEnd with line that matches. Supports up to 80 alphanumeric characters.
excludeExclude lines that match. Supports up to 80 alphanumeric characters.
includeInclude lines that match. Supports up to 80 alphanumeric characters.
lastDisplay last few lines of output. Add number after the word last. Supports up
to 80 lines to display. Default 10.
Defaults
Command Modes
EXEC
Usage Guidelines
When you run the show ports command, the port must have an associated active session.
4-66
OL-26299-01
Chapter 4

Show Commands
Examples
/admin# show ports

Process : portmap (2560)
tcp: 0.0.0.0:111
udp: 0.0.0.0:111
Process : sshd (3312)
tcp: 0.0.0.0:22, :::22
Process : rpc.statd (2600)
tcp: 0.0.0.0:662
udp: 0.0.0.0:656, 0.0.0.0:659
Process : java (18838)
tcp: ::ffff:127.0.0.1:8005, :::8009, :::80, :::443, :::8092
tcp: :::54826, :::8091
tcp: :::8020, :::8090
udp: :::1812, :::1813, :::1645, :::1646, :::50672
tcp: :::8093
Process : ntpd (4213)
udp: 192.168.100.156:123, 10.56.14.156:123, 127.0.0.1:123, 0.0.0.0:123,
fe80::215:17ff:fe29:123, fd00:1234:5678:abcd:123, 2001:420:44ff:1
4:21:123, fe80::215:17ff:fe29:123, ::1:123, :::123
/admin#
show process
To display information about active processes, use the show process command in the EXEC mode.
show process |
Syntax Description
show process
The command to display system processes.
(Optional) Output modifier variables:
word count.

characters.

characters.

characters.
Defaults
Command Modes
EXEC
OL-26299-01
4-67
Chapter 4
Show Commands
Usage Guidelines
None.
Examples
See Table 4-10 for process field descriptions.

/admin# show process
USER
PID
TIME TT
COMMAND
root
1 00:00:00 ?
init
root
2 00:00:00 ?
migration/0
root
3 00:00:00 ?
ksoftirqd/0
root
4 00:00:00 ?
watchdog/0
root
5 00:00:00 ?
migration/1
root
6 00:00:01 ?
ksoftirqd/1
root
7 00:00:00 ?
watchdog/1
root
8 00:00:00 ?
events/0
root
9 00:00:00 ?
events/1
root
10 00:00:00 ?
khelper
root
11 00:00:00 ?
kthread
root
15 00:00:00 ?
kblockd/0
root
16 00:00:01 ?
kblockd/1
root
17 00:00:00 ?
kacpid
root
113 00:00:00 ?
cqueue/0
root
114 00:00:00 ?
cqueue/1
root
117 00:00:00 ?
khubd
root
119 00:00:00 ?
kseriod
root
186 00:00:00 ?
pdflush
root
187 00:00:02 ?
pdflush
root
188 00:00:02 ?
kswapd0
root
189 00:00:00 ?
aio/0
root
190 00:00:00 ?
aio/1
root
351 00:00:00 ?
kpsmoused
root
382 00:00:00 ?
ata/0
root
383 00:00:00 ?
ata/1
root
384 00:00:00 ?
ata_aux
root
388 00:00:00 ?
scsi_eh_0
root
389 00:00:00 ?
scsi_eh_1
root
396 00:00:00 ?
kstriped
root
409 00:00:36 ?
kjournald
root
436 00:00:00 ?
kauditd
root
469 00:00:00 ?
udevd
root
1011 00:00:00 ?
kedac
--More-/admin#
4-68
OL-26299-01
Chapter 4

Show Commands
Table 4-10
Show Process Field Descriptions
Field
Description
USER
Logged-in user
PID
Process ID
TIME
The time the command was last used
TT
Terminal that controls the process
COMMAND
Type of process or command used
show repository
To display the file contents of the repository, use the show repository command in the EXEC mode.
show repository repository-name
Syntax Description
show repository
The command to display the repository contents.
repository-name
Name of the repository whose contents you want to view. Supports up to 30

Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# show repository myrepository

back1.tar.gpg
back2.tar.gpg
/admin#
Related Commands
Command
Description
backup
a repository.
restore
repository
show backup history
OL-26299-01
4-69
Chapter 4
Show Commands
show restore
To display the restore history, use the show restore command in the EXEC mode.
show restore {history}
Syntax Description
show restore
The command to display the restore information.
history
Displays the restore history.
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
/admin# show restore history
/admin#
Example 2
/admin# show restore history
restore history is empty
/admin#
Related Commands
Command
Description
backup
a repository.
restore
repository
show backup history
show running-config
To display the contents of the currently running configuration file or the configuration, use the show
running-config command in the EXEC mode.
show running-config
4-70
OL-26299-01
Chapter 4

Show Commands
Syntax Description
Defaults
The show running-config command displays all of the configuration information.
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# show running-config

!
hostname pmbu-ibf-pip06
!
!
ip address 192.168.100.156 255.255.255.0
!
ip address 10.56.14.156 255.255.255.0
!
ip name-server 192.168.100.100 10.56.60.150
!
!
ip route 192.168.209.0 255.255.255.0 gateway 192.168.100.1
ip route 192.180.209.0 255.255.255.0 gateway 192.168.100.1
ip route 192.168.218.0 255.255.255.0 gateway 192.168.100.1
ip route 192.168.204.0 255.255.255.0 gateway 192.168.100.1
!
clock timezone Asia/Jerusalem
!
ntp server cd-acs-ntp.cisco.com
!
username admin password hash $1$00jG7EQh$gDjDJKlSZWx5ImaUEqZAO1 role admin
!
service sshd
!
repository rp
url ftp://10.56.61.75/ACS_AUTO_VMS/OLD-ACS.5.0.FCS/
user anonymous password hash 37f90f7eb86fb8e00895b133c6de3278ff545c54
repository tftp
url tftp://192.168.100.153
!
password-policy
lower-case-required
upper-case-required
digit-required
no-username
!
OL-26299-01
4-71
Chapter 4
Show Commands
logging localhost
logging loglevel 6
!
cdp timer 60
cdp holdtime 180
!
icmp echo on
!
/admin#
Related Commands
Command
Description
configure
Enters the Configuration mode.
show startup-config
Displays the contents of the startup configuration file or the

configuration.
show startup-config
To display the contents of the startup configuration file or the configuration, use the show
startup-config command in the EXEC mode.
show startup-config
Syntax Description
Defaults
The show startup-config command displays all of the startup configuration information.
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# show startup-config

!
hostname pmbu-ibf-pip06
!
!
ip address 192.168.100.156 255.255.255.0
!
ip address 10.56.14.156 255.255.255.0
!
ip name-server 192.168.100.100 10.56.60.150
!
4-72
OL-26299-01
Chapter 4

Show Commands
!
ip route 192.168.209.0 255.255.255.0 gateway 192.168.100.1
ip route 192.180.209.0 255.255.255.0 gateway 192.168.100.1
ip route 192.168.218.0 255.255.255.0 gateway 192.168.100.1
ip route 192.168.204.0 255.255.255.0 gateway 192.168.100.1
!
clock timezone Asia/Jerusalem
!
ntp server cd-acs-ntp.cisco.com
!
username admin password hash $1$00jG7EQh$gDjDJKlSZWx5ImaUEqZAO1 role admin
!
service sshd
!
repository rp
url ftp://10.56.61.75/ACS_AUTO_VMS/OLD-ACS.5.0.FCS/
user anonymous password hash 37f90f7eb86fb8e00895b133c6de3278ff545c54
repository tftp
url tftp://192.168.100.153
!
password-policy
lower-case-required
upper-case-required
digit-required
no-username
!
logging localhost
logging loglevel 6
!
cdp timer 60
cdp holdtime 180
!
icmp echo on
!
/admin#
Related Commands
Command
Description
configure
Enters the Configuration mode.
show running-config

configuration.
show tech-support
To display technical support information, including email, use the show tech-support command in the
EXEC mode.
show tech-support file [word]
Syntax Description
show tech-support
The command to display the technical support information.
OL-26299-01
4-73
Chapter 4
Show Commands
file
Save any technical support data as a file in the local disk.
word
Filename to save. Supports up to 80 alphanumeric characters.
Defaults
Passwords and other security information do not appear in the output.
Command Modes
EXEC
Usage Guidelines
The show tech-support command is useful for collecting a large amount of information about your CDA
server for troubleshooting purposes. You can then provide output to technical support representatives
when reporting a problem.
Examples
/admin# show tech-support

###################################################
Application Deployment Engine(ADE) - 2.0.2.057
Technical Support Debug Info follows...
###################################################
*****************************************
Checking dmidecode Serial Number(s)
*****************************************
None
VMware-56 4d 14 cb 54 3d 44 5d-49 ee c4 ad a5 6a 88 c4
*****************************************
Displaying System Uptime...
*****************************************
12:54:34 up 18:37, 1 user, load average: 0.14, 0.13, 0.12
*****************************************
Display Memory Usage(KB)
*****************************************
total
used
free
Mem:
1035164
1006180
28984
-/+ buffers/cache:
649932
385232
Swap:
2040244
572700
1467544
shared
0
buffers
10784
cached
345464
*****************************************
Displaying Processes(ax --forest)...
*****************************************
PID TTY
STAT
TIME COMMAND
1 ?
Ss
0:02 init [3]
2 ?
S<
0:00 [migration/0]
3 ?
SN
0:00 [ksoftirqd/0]
4 ?
S<
0:00 [watchdog/0]
5 ?
S<
0:00 [events/0]
/admin#
4-74
OL-26299-01
Chapter 4

Show Commands
Related Commands
Command
Description
show interface
Displays the usability status of the interfaces.
show process
Displays information about active processes.
show running-config
Displays the contents of the current running configuration.
show terminal
To obtain information about the terminal configuration parameter settings, use the show terminal
show terminal
Syntax Description
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# show terminal

TTY: /dev/pts/0 Type: "vt100"
Length: 27 lines, Width: 80 columns
Session Timeout: 30 minutes
/admin#
Table 4-11 describes the fields of the show terminal output.

Table 4-11
Show Terminal Field Descriptions
Field
Description
TTY: /dev/pts/0
Displays standard output to type of terminal.
Type: vt100
Type of current terminal used.
Length: 24 lines
Length of the terminal display.
Width: 80 columns
Width of the terminal display, in character columns.
Session Timeout: 30 minutes Length of time, in minutes, for a session, after which the connection
closes.
OL-26299-01
4-75
Chapter 4
Show Commands
show timezone
To display the time zone as set on the system, use the show timezone command in the EXEC mode.
show timezone
Syntax Description
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# show timezone

UTC
/admin#
Related Commands
Command
Description
clock timezone
Sets the time zone on the system.
show timezones
Displays the time zones available on the system.
show timezones
To obtain a list of time zones from which you can select, use the show timezones command in the EXEC
mode.
show timezones
Syntax Description
Defaults
Command Modes
EXEC
4-76
OL-26299-01
Chapter 4

Show Commands
Usage Guidelines
See the clock timezone section on page 4-85, for examples of the time zones available for the CDA
server.
Examples
/admin# show timezones

Africa/Blantyre
Africa/Dar_es_Salaam
Africa/Dakar
Africa/Asmara
Africa/Timbuktu
Africa/Maputo
Africa/Accra
Africa/Kigali
Africa/Tunis
Africa/Nouakchott
Africa/Ouagadougou
Africa/Windhoek
Africa/Douala
Africa/Johannesburg
Africa/Luanda
Africa/Lagos
Africa/Djibouti
Africa/Khartoum
Africa/Monrovia
Africa/Bujumbura
Africa/Porto-Novo
Africa/Malabo
Africa/Ceuta
Africa/Banjul
Africa/Cairo
Africa/Mogadishu
Africa/Brazzaville
Africa/Kampala
Africa/Sao_Tome
Africa/Algiers
Africa/Addis_Ababa
Africa/Ndjamena
Africa/Gaborone
Africa/Bamako
Africa/Freetown
/admin#
Related Commands
Command
Description
show timezone
Displays the time zone set on the system.
clock timezone
Sets the time zone on the system.
OL-26299-01
4-77
Chapter 4
Show Commands
show udi
To display information about the UDI of the CDA appliance, use the show udi command in the EXEC
mode.
show udi
Syntax Description
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
Example 1
/admin# show udi
SPID: CSACS-1121-K9
VPID: V01
Serial: LAB11122278
/admin#
The following output appears when you run the show udi command on VMware servers.
Example 2
/admin# show udi
SPID: CDA-VM-K9
VPID: V01
Serial: 5C79C84ML9H
/admin#
show uptime
To display the length of time that you have been logged in to the CDA server, use the show uptime
show uptime |
4-78
OL-26299-01
Chapter 4

Show Commands
Syntax Description
show uptime
The command to display the period that you have been logged into the CDA
server.
word count.

characters.

characters.

characters.
Defaults
Command Modes
EXEC
Usage Guidelines
None.
Examples
/admin# show uptime

3 day(s), 18:55:02
/admin#
show users
To display the list of users logged in to the CDA server, use the show users command in the EXEC mode.
show users
Syntax Description
Defaults
Command Modes
EXEC
OL-26299-01
4-79
Chapter 4
Show Commands
Usage Guidelines
None.
Examples
/admin# show users

USERNAME
ROLE
HOST
TTY
LOGIN DATETIME
admin
10.77.137.60
pts/0
Fri Aug
Admin
6 09:45:47 2010
/admin#
show version
To display information about the software version of the system, use the show version command in the
EXEC mode.
show version
Syntax Description
Defaults
Command Modes
EXEC
Usage Guidelines
This command displays version information about the Cisco ADE-OS software running on the CDA
server, and displays the CDA version.
Examples
/admin# show version

Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.2.057
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: pmbu-ibf-pip06
Version information of installed applications

--------------------------------------------Cisco Context Directory Agent
--------------------------------------------Version
: 3.0.0.11
Build Date
: Tue Apr 10 13:05:05 2012
Install Date : Mon May 7 12:06:23 2012
/admin#
4-80
OL-26299-01
Chapter 4

Configuration Commands
This section list each Configuration command and includes a brief description of its use, command
syntax, usage guidelines, and sample output.
Configuration commands include interface and repository.
Note
Some of the Configuration commands require you to enter the configuration submode to complete the
command configuration.
To access the Configuration mode, you must use the configure command in the EXEC mode.
Table 4-12 lists the Configuration commands that this section describes.
Table 4-12
List of Configuration Commands
backup-staging-url
kron occurrence
cdp holdtime
kron policy-list
cdp run
logging
cdp timer
ntp
clock timezone
ntp authenticate
do
ntp authentication-key
end
ntp server
exit
ntp trusted-key
hostname
password-policy
icmp echo
repository
interface
service
shutdown
ipv6 address dhcp
snmp-server community
ip address
snmp-server contact
ip default-gateway
snmp-server host
ip domain-name
snmp-server location
ip name-server
username
ip route
OL-26299-01
4-81
Chapter 4
backup-staging-url
To allow you to configure a Network File System (NFS) location that the backup and restore operations
will use as a staging area to package and unpackage backup files, use the backup-staging-url command
in Configuration mode.
backup-staging-url word
Syntax Description
backup-staging-url
The command to configure a Network File System (NFS) location as a

staging area that the backup and restore operations use.
word
NFS URL for staging area. Supports up to 2048 alphanumeric characters. Use
nfs://server:path1.
1. Server is the server name and path refers to /subdir/subsubdir. Remember that a colon (:) is required after the server.
Defaults
Command Modes
Configuration
Usage Guidelines
The URL is NFS only. The format of the command is backup-staging-url nfs://server:path.
Warning
Examples
Ensure that you secure your NFS server in such a way that the directory can be accessed only by the
IP Address of the CDA server.
/admin(config)# backup-staging-url nfs://loc-filer02a:/vol/local1/private1/jdoe

/admin(config)#
cdp holdtime
To specify the amount of time for which the receiving device should hold a Cisco Discovery Protocol
packet from the CDA server before discarding it, use the cdp holdtime command in the Configuration
mode. To revert to the default setting, use the no form of this command.
cdp holdtime seconds
Syntax Description
Defaults
cdp
The command to configure the Cisco Discovery Protocol parameters.
holdtime
The Cisco Discovery Protocol hold time specified.
seconds
Specifies the hold time, in seconds. Value from 10 to 255 seconds.
180 seconds
4-82
OL-26299-01
Chapter 4

Command Modes
Configuration
Usage Guidelines
Cisco Discovery Protocol packets transmit with a time to live, or hold time, value. The receiving device
will discard the Cisco Discovery Protocol information in the Cisco Discovery Protocol packet after the
hold time has elapsed.
The cdp holdtime command takes only one argument; otherwise, an error occurs.
Examples
/admin(config)# cdp holdtime 60

/admin(config)#
Related Commands
Command
Description
cdp timer
updates.
cdp run
cdp run
To enable the Cisco Discovery Protocol, use the cdp run command in Configuration mode. To disable
the Cisco Discovery Protocol, use the no form of this command.
cdp run [GigabitEthernet]
Syntax Description
cdp
run
The command to enable or disable the Cisco Discovery Protocol.
GigabitEthernet
Specifies the GigabitEthernet interface on which to enable the Cisco

Discovery Protocol.
Defaults
Command Modes
Configuration
Usage Guidelines
The command has one optional argument, which is an interface name. Without an optional interface
name, the command enables the Cisco Discovery Protocol on all interfaces.
Note
The default for this command is on interfaces that are already up and running. When you are
bringing up an interface, stop the Cisco Discovery Protocol first; then, start the Cisco Discovery
Protocol again.
OL-26299-01
4-83
Chapter 4
Examples
/admin(config)# cdp run GigabitEthernet 0

/admin(config)#
Related Commands
Command
Description
cdp holdtime
Specifies the length of time that the receiving device should hold a
Cisco Discovery Protocol packet from the CDA server before
discarding it.
cdp timer
updates.
cdp timer
To specify how often the CDA server sends Cisco Discovery Protocol updates, use the cdp timer
command in Configuration mode. To revert to the default setting, use the no form of this command.
cdp timer seconds
Syntax Description
cdp
timer
The command that refreshes the time interval of the Cisco Discovery
Protocol.
seconds
Specifies how often, in seconds, the CDA server sends Cisco Discovery
Protocol updates. Value from 5 to 254 seconds.
Defaults
60 seconds
Command Modes
Configuration
Usage Guidelines
Cisco Discovery Protocol packets transmit with a time to live, or hold time, value. The receiving device
will discard the Cisco Discovery Protocol information in the Cisco Discovery Protocol packet after the
hold time has elapsed.
The cdp timer command takes only one argument; otherwise, an error occurs.
Examples
/admin(config)# cdp timer 60

/admin(config)#
4-84
OL-26299-01
Chapter 4

Related Commands
Command
Description
cdp holdtime
Specifies the amount of time that the receiving device should hold a
Cisco Discovery Protocol packet from the CDA server before
discarding it.
cdp run
clock timezone
To set the time zone, use the clock timezone command in Configuration mode. To disable this function,
clock timezone timezone
Syntax Description
clock
The command to configure time zone.
timezone
The command to configure system timezone.
timezone
Name of the time zone visible when in standard time. Supports up to 64

Defaults
UTC
Command Modes
Configuration
Usage Guidelines
The system internally keeps time in UTC. If you do not know your specific time zone, you can enter the
region, country, and city (see Tables 4-13, 4-14, and 4-15 for sample time zones to enter on your system).
Table 4-13
Common Time Zones
Acronym or name
Time Zone Name
Europe
GMT, GMT0, GMT-0, Greenwich Mean Time, as UTC

GMT+0, UTC,
Greenwich, Universal,
Zulu
GB
British
GB-Eire, Eire
Irish
WET
Western Europe Time, as UTC
CET
Central Europe Time, as UTC + 1 hour
EET
Eastern Europe Time, as UTC + 2 hours
United States and Canada
EST, EST5EDT
Eastern Standard Time, as UTC -5 hours
OL-26299-01
4-85
Chapter 4
Table 4-13
Common Time Zones (continued)
Acronym or name
Time Zone Name
CST, CST6CDT
Central Standard Time, as UTC -6 hours
MST, MST7MDT
Mountain Standard Time, as UTC -7 hours
PST, PST8PDT
Pacific Standard Time, as UTC -8 hours
HST
Hawaiian Standard Time, as UTC -10 hours
Table 4-14
Australia Time Zones
Australia1
ACT2
Adelaide
Brisbane
Broken_Hill
Canberra
Currie
Darwin
Hobart
Lord_Howe
Lindeman
4
North
NSW
South
Sydney
West
Yancowinna
LHI
Melbourne
Perth
Queensland
Tasmania
Victoria
1. Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.
2. ACT = Australian Capital Territory
3. LHI = Lord Howe Island
4. NSW = New South Wales
Table 4-15
Asia Time Zones
Asia1
Aden2
Almaty
Amman
Anadyr
Aqtau
Aqtobe
Ashgabat
Ashkhabad
Baghdad
Bahrain
Baku
Bangkok
Beirut
Bishkek
Brunei
Calcutta
Choibalsan
Chongqing
Columbo
Damascus
Dhakar
Dili
Dubai
Dushanbe
Gaza
Harbin
Hong_Kong
Hovd
Irkutsk
Istanbul
Jakarta
Jayapura
Jerusalem
Kabul
Kamchatka
Karachi
Kashgar
Katmandu
Kuala_Lumpur
Kuching
Kuwait
Krasnoyarsk
1. The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia.
2. Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.
4-86
OL-26299-01
Chapter 4

Note
Several more time zones are available to you. On your CDA server, enter show timezones. A list of all
the time zones available in the CDA server appears. Choose the most appropriate one for your time zone.
Warning
Changing the time zone on a CDA appliance after installation causes the CDA application on that node
to be unusable. However, the preferred time zone (default UTC) can be configured during the
installation when the initial setup wizard prompts you for the time zone.
Examples
/admin(config)# clock timezone EST

/admin(config)# exit
/admin# show timezone
EST
/admin#
Related Commands
Command
Description
show timezones
Displays a list of available time zones on the system.
show timezone
Displays the current time zone set on the system.
do
To execute an EXEC-level command from Configuration mode or any configuration submode, use the
do command in any configuration mode.
do arguments
Syntax Description
do
The EXEC command to execute an EXEC-level command from

Configuration mode or any configuration submode
arguments
The EXEC command to execute an EXEC-level command (see Table 4-16).
Table 4-16
Command Options for Do Command
Command
Description
application configure
Configures a specific application.
application install
Installs a specific application.
application remove
Removes a specific application.
application start
Starts or enables a specific application
application stop
Stops or disables a specific application.
application upgrade
Upgrades a specific application.
backup
Performs a backup (CDA and Cisco ADE OS) and places the backup in a
repository.
OL-26299-01
4-87
Chapter 4
Table 4-16
Command Options for Do Command (continued)
Command
Description
backup-logs
Performs a backup of all the logs on the CDA server to a remote location.
clock
Sets the system clock on the CDA server.
configure
Enters Configuration mode.
copy
Copies any file from a source to a destination.
debug
Displays any errors or events for various command situations; for

example, backup and restore, configuration, copy, resource locking, file
transfer, and user management.
delete
Deletes a file on the CDA server.
dir
Lists files on the CDA server.
forceout
Forces the logout of all the sessions of a specific CDA node user.
halt
Disables or shuts down the CDA server.
mkdir
Creates a new directory.
nslookup
Queries the IPv4 address or hostname of a remote system.
patch
Installs System or Application patch.
pep
Configures the Inline Posture node.
ping
Determines the IPv4 network activity on a remote system.
ping6
Determines the IPv6 network activity on a IPv6 remote system.
reload
Reboots the CDA server.
restore
Performs a restore and retrieves the backup out of a repository.
rmdir
Removes an existing directory.
show
Provides information about the CDA server.
ssh
Starts an encrypted session with a remote system.
tech
Provides Technical Assistance Center (TAC) commands.
telnet
Establishes a Telnet connection to a remote system.
terminal length
Sets terminal line parameters.
Sets the inactivity timeout for all terminal sessions.
terminal session-welcome Sets the welcome message on the system for all terminal sessions.
Specifies the type of terminal connected to the current line of the current
session.
traceroute
Traces the route of a remote IP Address.
undebug
Disables the output (display of errors or events) of the debug command

for various command situations; for example, backup and restore,
configuration, copy, resource locking, file transfer, and user management.
write
Erases the startup configuration that forces to run the setup utility and
prompt the network configuration, copies the running configuration to the
startup configuration, displays the running configuration on the console.
4-88
OL-26299-01
Chapter 4

Command Default
Command Modes
Configuration or any configuration submode
Usage Guidelines
Use this command to execute EXEC commands (such as show, clear, and debug commands) while
configuring your server. After the EXEC command executes, the system will return to the configuration
mode you were using.
Examples
/admin(config)# do show run

!
hostname cda
!
!
ip address 172.23.90.113 255.255.255.0
!
!
!
clock timezone EST
!
ntp server time.nist.gov
!
username admin password hash $1$JbbHvKVG$xMZ/XL4tH15Knf.FfcZZr. role admin
!
service sshd
!
backup-staging-url nfs://loc-filer02a:/vol/local1/private1/jdoe
!
password-policy
lower-case-required
upper-case-required
digit-required
no-username
!
logging localhost
logging loglevel 6
!
--More-/admin(config)#
OL-26299-01
4-89
Chapter 4
end
To end the current configuration session and return to the EXEC mode, use the end command in
Configuration mode.
end
Syntax Description
Defaults
Command Modes
Configuration
Usage Guidelines
This command brings you back to EXEC mode regardless of what configuration mode or submode you
are in.
Use this command when you finish configuring the system and you want to return to EXEC mode to
perform verification steps.
Examples
/admin(config)# end
/admin#
Related Commands
Command
Description
exit
Exits Configuration mode.
exit (EXEC)
Closes the active terminal session by logging out of the CDA server.
exit
To exit any configuration mode to the next-highest mode in the CLI mode hierarchy, use the exit
command in Configuration mode.
exit
Syntax Description
Defaults
Command Modes
Configuration
4-90
OL-26299-01
Chapter 4

Usage Guidelines
The exit command is used in the CDA server to exit the current command mode to the next highest
command mode in the CLI mode hierarchy.
For example, use the exit command in Configuration mode to return to the EXEC mode. Use the exit
command in the configuration submodes to return to Configuration mode. At the highest level, EXEC
mode, the exit command exits the EXEC mode and disconnects from the CDA server (see the exit
section on page 4-23, for a description of the exit (EXEC) command).
Examples
/admin#
Related Commands
Command
Description
end
Exits Configuration mode.
exit (EXEC)
Closes the active terminal session by logging out of the CDA server.
hostname
To set the hostname of the system, use the hostname command in Configuration mode. To delete the
hostname from the system, use the no form of this command, which resets the system to localhost.
hostname word
Syntax Description
hostname
The command to configure the hostname.
word
Name of the host. Contains at least 2 to 64 alphanumeric characters and an

underscore ( _ ). The hostname must begin with a character that is not a space.
Defaults
Command Modes
Configuration
Usage Guidelines
A single instance type of command, hostname only occurs once in the configuration of the system. The
hostname must contain one argument; otherwise, an error occurs.
Examples
/admin(config)# hostname cda-1

Changing the hostname or IP may result in undesired side effects,
such as installed application(s) being restarted.
Are you sure you want to proceed? [y/n] y
.
.
.
cda-1/admin#
OL-26299-01
4-91
Chapter 4
icmp echo
To configure the Internet Control Message Protocol (ICMP) echo responses, use the icmp echo
command in Configuration mode.
icmp echo {off | on}
Syntax Description
icmp
The command to configure Internet Control Message Protocol echo requests.
echo
Configures ICMP echo response.
off
Disables ICMP echo response
on
Enables ICMP echo response.
Defaults
The system behaves as if the ICMP echo response is on (enabled).
Command Modes
Configuration
Usage Guidelines
None.
Examples
/admin(config)# icmp echo off

/admin(config)#
Related Commands
Command
Description
show icmp-status
Display ICMP echo response configuration information.
interface
To configure an interface type and enter the interface configuration mode, use the interface command
in Configuration mode. This command does not have a no form.
Note
VMware virtual machine may have a number of interfaces available that depends on how many network
interfaces (NIC) are added to the virtual machine.
interface GigabitEthernet [0 | 1| 2 | 3]
Syntax Description
interface
The command to configure an interface.
GigabitEthernet
Configures the Gigabit Ethernet interface.
0-3
Number of the Gigabit Ethernet port to configure.
4-92
OL-26299-01
Chapter 4

Note
After you enter the Gigabit Ethernet port number in the interface command, you enter the
config-GigabitEthernet configuration submode (see the following Syntax Description).
do
EXEC command. Allows you to perform any EXEC commands in this mode
(see the do section on page 4-87).
end
Exits the config-GigabitEthernet submode and returns you to the EXEC

mode.
exit
Exits the config-GigabitEthernet configuration submode.
ip
Sets the IP Address and netmask for the Ethernet interface (see the ip
address section on page 4-97).
ipv6
Configures IPv6 autoconfiguration address and IPv6 address from DHCPv6

server. (see the ipv6 address autoconfig section on page 4-93 and the ipv6
address dhcp section on page 4-95)
no
Negates the command in this mode. Two keywords are available:
shutdown
ipSets the IP Address and netmask for the interface.
shutdownShuts down the interface.
Shuts down the interface (see the shutdown section on page 4-115).
Defaults
Command Modes
Configuration
Usage Guidelines
You can use the interface command to configure subinterfaces to support various requirements.
Examples
/admin(config)# interface GigabitEthernet 0

/admin(config-GigabitEthernet)#
Related Commands
Command
Description
show interface
Displays information about the system interfaces.
ip address (interface
configuration mode)
Sets the IP Address and netmask for the interface.
shutdown (interface
configuration mode)
Shuts down the interface (see shutdown section on page 4-115).

To enable IPv6 stateless autoconfiguration, use the interface GigabitEthernet 0 command in
Configuration mode. This command does not have a no form.
OL-26299-01
4-93
Chapter 4
IPv6 address autoconfiguration is enabled by default in Linux. Cisco ADE 2.0 shows the IPv6 address
autoconfiguration in the running configuration for any interface that is enabled.
Syntax Description
interface
GigabitEthernet
<0 - 3>
Number of the Gigabit Ethernet port to configure.
Defaults
Command Modes
Configuration
Usage Guidelines
IPv6 stateless autoconfiguration has the security downfall of having predictable IP Addresses. This
downfall is resolved with privacy extensions. You can verify that the privacy extensions feature is
enabled using the show command.
Example 1
/admin(config)# (config-GigabitEthernet)# ipv6 address autoconfig
/admin(config)# (config-GigabitEthernet)# end
/admin#
When IPv6 autoconfiguration is enabled, the running configuration shows the interface settings similar
to the following:
!
ip address 172.23.90.116 255.255.255.0
!
You can use the show interface GigabitEthernet 0 command to display the interface settings. In
example 2, you can see that the interface has three IPv6 addresses. The first address (starting with 3ffe)
is obtained using the stateless autoconfiguration. For the stateless autoconfiguration to work, you must
have IPv6 route advertisement enabled on that subnet. The next address (starting with fe80) is a
link-local address that does not have any scope outside the host. You will always see a link local address
regardless of the IPv6 autoconfiguration or DHCPv6 configuration. The last address (starting with 2001)
is obtained from a IPv6 DHCP server.
Example 2
eth0
inet6 addr: 2001:558:ff10:870:8000:29ff:fe36:200/64 Scope:Global
4-94
OL-26299-01
Chapter 4


/admin#
The following RFC provides the IPv6 stateless autoconfiguration privacy extensions:
http://www.ietf.org/rfc/rfc3041.txt
To verify that the privacy extensions feature is enabled, you can use the show interface
GigabitEthernet 0 command. You can see two autoconfiguration addresses: one address is without the
privacy extensions, and the other is with the privacy extensions.
In the example 3 below, the MAC is 3ffe:302:11:2:20c:29ff:feaf:da05/64 and the non-RFC3041 address
contains the MAC, and the privacy-extension address is 302:11:2:9d65:e608:59a9:d4b9/64.
The output appears similar to the following:
Example 3
eth0
inet6 addr: 3ffe:302:11:2:9d65:e608:59a9:d4b9/64 Scope:Global
RX bytes:9430102 (8.9 MiB) TX bytes:466204 (455.2 KiB)
/admin#
Related Commands
Command
Description
show interface
configuration mode)
shutdown (interface
configuration mode)
ipv6 address dhcp
Enables IPv6 address DHCP on an interface.
show running-config

configuration.
ipv6 address dhcp

To enable IPv6 address DHCP, use the interface GigabitEthernet 0 command in Configuration mode.
This command does not have a no form.
OL-26299-01
4-95
Chapter 4
Syntax Description
interface
GigabitEthernet
Gigabit Ethernet port number to be configured.
Defaults
Command Modes
Configuration
Usage Guidelines
None.
Examples

/admin(config-GigabitEthernet)# ipv6 address dhcp
/admin(config-GigabitEthernet)# end
/admin#
When IPv6 DHCPv6 is enabled, the running configuration shows the interface settings similar to the
following:
!
ip address 172.23.90.116 255.255.255.0
ipv6 address dhcp
!
Note
The IPv6 stateless autoconfiguration and IPv6 address DHCP are not mutually exclusive. It is possible
to have both IPv6 stateless autoconfiguration and IPv6 address DHCP on the same interface. You can
use the show interface to display what IPv6 addresses are in use for a particular interface.
When both the IPv6 stateless autoconfiguration and IPv6 address DHCP are enabled, the running
configuration shows the interface settings similar to the following:
!
ip address 172.23.90.116 255.255.255.0
ipv6 address dhcp
!
Related Commands
Command
Description
show interface
configuration mode)
shutdown (interface
configuration mode)
4-96
OL-26299-01
Chapter 4

Command
Description
Enables IPv6 stateless autoconfiguration on an interface.
show running-config

configuration.
ip address
To set the IP Address and netmask for the Ethernet interface, use the ip address command in interface
Configuration mode. To remove an IP Address or disable IP processing, use the no form of this
command.
ip address ip-address network mask
Note
Syntax Description
You can configure the same IP Address on multiple interfaces. You might want to do this to limit the
configuration steps that are needed to switch from using one interface to another.
ip address
The command to configure IP Address and netmask for the GigabitEthernet

interface.
ip-address
IPv4 version IP Address.
network mask
Mask of the associated IP subnet.
Defaults
Enabled.
Command Modes
Interface configuration
Usage Guidelines
Requires exactly one address and one netmask; otherwise, an error occurs.
Examples

/admin(config-GigabitEthernet)# ip address 209.165.200.227 255.255.255.224
Changing the hostname or IP may result in undesired side effects,
such as installed application(s) being restarted.
........
To verify that CDA processes are running, use the
'show application status cda' command.
/admin(config-GigabitEthernet)#
OL-26299-01
4-97
Chapter 4
Related Commands
Command
Description
shutdown (interface
configuration mode)
Disables an interface (see shutdown section on page 4-115).
ip default-gateway
Sets the IP Address of the default gateway of an interface.
show interface
Displays information about the system IP interfaces.
interface
Configures an interface type and enters the interface mode.
ip default-gateway
To define or set a default gateway with an IP Address, use the ip default-gateway command in
Configuration mode. To disable this function, use the no form of this command.
ip default-gateway ip-address
Syntax Description
ip default-gateway
The command to define a default gateway with an IP Address.
ip-address
IP Address of the default gateway.
Defaults
Disabled.
Command Modes
Configuration
Usage Guidelines
If you enter more than one argument or no arguments at all, an error occurs.
Examples
/admin(config)# ip default-gateway 209.165.202.129

/admin(config)#
Related Commands
Command
Description
configuration mode)
Sets the IP Address and netmask for the Ethernet interface.
ip domain-name
To define a default domain name that the CDA server uses to complete hostnames, use the ip
domain-name command in Configuration mode. To disable this function, use the no form of this
command.
ip domain-name word
4-98
OL-26299-01
Chapter 4

Syntax Description
ip domain-name
The command to define a default domain name.
word
Default domain name used to complete the hostnames. Contains at least 2 to

Defaults
Enabled.
Command Modes
Configuration
Usage Guidelines
If you enter more or fewer arguments, an error occurs.
Examples
/admin(config)# ip domain-name cisco.com

/admin(config)#
Related Commands
Command
Description
ip name-server
Sets the DNS servers for use during a DNS query.
ip name-server
To set the Domain Name Server (DNS) servers for use during a DNS query, use the ip name-server
command in Configuration mode. You can configure one to three DNS servers. To disable this function,
Note
Using the no form of this command removes all the name servers from the configuration. Using the no
form of this command and one of the IP names removes only that name server.
ip name-server ip-address [ip-address*]
Syntax Description
ip name-server
The command to configure IP Addresses of name server(s) to use.
ip-address
Address of a name server.
ip-address*
(Optional) IP Addresses of additional name servers.

Note
Defaults
Command Modes
Configuration
You can configure a maximum of three name servers.
OL-26299-01
4-99
Chapter 4
Usage Guidelines
The first name server that is added with the ip name-server command occupies the first position and the
system uses that server first to resolve the IP Addresses.
You can add name servers to the system one at a time or all at once, until you reach the maximum (3).
If you already configured the system with three name servers, you must remove at least one server to add
additional name servers.
To place a name server in the first position so that the subsystem uses it first, you must remove all name
servers with the no form of this command before you proceed.
Examples
/admin(config)# ip name-server 209.165.201.1
To verify that CDA processes are running, use the

'show application status cda' command.
/admin(config)#
You can choose not to restart the CDA server; nevertheless, the changes will take effect.
Related Commands
Command
Description
ip domain-name
Defines a default domain name that the server uses to complete

hostnames.
ip route
To configure the static routes, use the ip route command in Configuration mode. To remove static routes,
Static routes are manually configured, which makes them inflexible (they cannot dynamically adapt to
network topology changes), but extremely stable. Static routes optimize bandwidth utilization, because
no routing updates need to be sent to maintain them. They also make it easy to enforce routing policy.
ip route prefix mask gateway ip-address
no ip route prefix mask
Syntax Description
ip route
The command to configure IP routes.
prefix
IP route prefix for the destination.
mask
Prefix mask for the destination.
ip-address
IP Address of the next hop that can be used to reach that network.
Defaults
Command Modes
Configuration
4-100
OL-26299-01
Chapter 4

Examples
/admin(config)# ip route 192.168.0.0 255.255.0.0 gateway 172.23.90.2

/admin(config)#
kron occurrence
To schedule one or more Command Scheduler commands to run at a specific date and time or a recurring
level, use the kron occurrence command in Configuration mode. To delete this schedule, use the no
form of this command.
kron {occurrence} occurrence-name
Syntax Description
Note
kron
The command to schedule the Command Scheduler commands.
occurrence
Schedules Command Scheduler commands.
occurrence-name
Name of the occurrence. Supports up to 80 alphanumeric characters. (See the

following note and Syntax Description.)
After you enter the occurrence-name in the kron occurrence command, you enter the config-occurrence
configuration submode (see the following Syntax Description).
at
Identifies that the occurrence is to run at a specified calendar date and time.
Usage: at [hh:mm] [day-of-week | day-of-month | month day-of-month].
do
(see the do section on page 4-87).
end
Exits the kron-occurrence configuration submode and returns you to the

EXEC mode.
exit
Exits the kron-occurrence configuration mode.
no
Negates the command in this mode.

Three keywords are available:
atUsage: at [hh:mm] [day-of-week | day-of-month | month

day-of-month].
policy-listSpecifies a policy list to be run by the occurrence. Supports

recurringExecution of the policy lists should be repeated.
policy-list
Specifies a Command Scheduler policy list to be run by the occurrence.
recurring
Identifies that the occurrences run on a recurring basis.
Note
Defaults
If kron occurrence is not recurring, then the kron occurrence

configuration for the scheduled backup is removed after it has run.
OL-26299-01
4-101
Chapter 4
Command Modes
Configuration
Usage Guidelines
Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the
same time or interval.
Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler
policy that contains the EXEC CLI commands to be scheduled to run on the CDA server at a specified
time. See the kron policy-list section on page 4-102.
Examples
When you run the kron command, backup bundles are created with a unique name (by adding a
time stamp) to ensure that the files do not overwrite each other.
Note
Example 1: Weekly Backup

/admin(config)# kron occurrence WeeklyBackup
/admin(config-Occurrence)# at 14:35 Monday
/admin(config-Occurrence)# policy-list SchedBackupPolicy
/admin(config-Occurrence)# recurring
/admin(config-Occurrence)# exit
/admin(config)#
Example 2: Daily Backup

/admin(config)# kron occurrence DailyBackup
/admin(config-Occurrence)# at 02:00
/admin(config)#
Example 3: Weekly Backup

/admin(config)# kron occurrence WeeklyBackup
/admin(config-Occurrence)# at 14:35 Monday
/admin(config-Occurrence)# policy-list SchedBackupPolicy
/admin(config-Occurrence)# no recurring
/admin(config)#
Related Commands
Command
Description
kron policy-list
Specifies a name for a Command Scheduler policy.
kron policy-list
To specify a name for a Command Scheduler policy and enter the kron-Policy List configuration
submode, use the kron policy-list command in Configuration mode. To delete a Command Scheduler
policy, use the no form of this command.
kron {policy-list} list-name
Syntax Description
kron
The command to schedule the Command Scheduler commands.
4-102
OL-26299-01
Chapter 4

Note
policy-list
Specifies a name for Command Scheduler policies.
list-name
Name of the policy list. Supports up to 80 alphanumeric characters.
After you enter the list-name in the kron policy-list command, you enter the config-Policy List
configuration submode (see the following Syntax Description).
cli
Command to be executed by the scheduler. Supports up to 80 alphanumeric

characters.
do
(see do section on page 4-87).
end
Exits from the config-Policy List configuration submode and returns you to
the EXEC mode.
exit
Exits this submode.
no
Negates the command in this mode. One keyword is available:
cliCommand to be executed by the scheduler.
Defaults
Command Modes
Configuration
Usage Guidelines
Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler
policy that contains the EXEC CLI commands to be scheduled to run on the CDA server at a specified
time. Use the kron occurrence and policy list commands to schedule one or more policy lists to run at
the same time or interval. See the ip route section on page 4-100.
Examples
/admin(config)# kron policy-list SchedBackupMonday

/admin(config-Policy List)# cli backup SchedBackupMonday repository SchedBackupRepo
/admin(config-Policy List)# exit
/admin(config)#
Related Commands
Command
Description
ip route
Specifies schedule parameters for a Command Scheduler occurrence

and enters the config-Occurrence configuration mode.
logging
To enable the system to forward logs to a remote system or to configure the log level, use the logging
command in Configuration mode. To disable this function, use the no form of this command.
OL-26299-01
4-103
Chapter 4
logging {ip-address | hostname} {loglevel level}
Syntax Description
logging
The command to configure system logging.
ip-address
IP Address of remote system to which you forward logs. Supports up to 32

hostname
Hostname of remote system to which you forward logs. Supports up to 32

loglevel
The command to configure the log level for the logging command.
level
Number of the desired priority level at which you set the log messages.
Priority levels are (enter the number for the keyword):
0-emergEmergencies: System unusable.
1-alertAlerts: Immediate action needed.
2-critCritical: Critical conditions.
3-errError: Error conditions.
4-warnWarning: Warning conditions.
5-notifNotifications: Normal but significant conditions.
6-inform(Default) Informational messages.
7-debugDebugging messages.
Defaults
Command Modes
Configuration
Usage Guidelines
This command requires an IP Address or hostname or the loglevel keyword; an error occurs if you enter
two or more of these arguments.
Examples
Example 1
/admin(config)# logging 209.165.200.225
/admin(config)#
Example 2
/admin(config)# logging loglevel 0
/admin(config)#
Related Commands
Command
Description
show logging
Displays list of logs for the system.
4-104
OL-26299-01
Chapter 4

ntp
To specify an NTP configuration, use the ntp command in configuration mode with authenticate,
authentication-key, server, and trusted-key commands.
ntp authenticate
ntp authentication-key <key id> md5 hash | plain <key value>
ntp server {ip-address | hostname} key <peer key number>
ntp trusted-key <key>
Syntax Description
ntp
Defaults
None
Command Modes
Configuration.
Usage Guidelines
Use the ntp command to specify an NTP configuration.
The command to specify an NTP configuration.
To terminate NTP service on a device, you must enter the no ntp command with keywords or arguments
such as authenticate, authentication-key, server, and trusted-key. For example, if you previously
issued the ntp server command, use the no ntp command with server.
For more information on how to configure an NTP server, see ntp server, page 4-108.
Examples
/admin(config)# ntp ?
authenticate
Authenticate time sources
authentication-key Authentication key for trusted time sources
server
Specify NTP server to use
trusted-key
Key numbers for trusted time sources
/admin(config)#
/admin(config)# no ntp server
/admin(config)# do show ntp
% no NTP servers configured
/admin(config)#
Related Commands
Command
Description
ntp authenticate
Enables authentication of all time sources.
Configures authentication keys for trusted time sources.
ntp server
system.
OL-26299-01
4-105
Chapter 4
Command
Description
ntp trusted-key
Specifies key numbers for trusted time sources that needs to be defined
as NTP authentication keys.
show ntp
Displays the status information about the NTP associations.
ntp authenticate
To enable authentication of all time sources, use the ntp authenticate command. Time sources without
the NTP authentication keys will not be synchronized.
To disable this capability, use the no form of this command.
ntp authenticate
Syntax Description
ntp
The command to specify NTP configuration.
authenticate
Defaults
None
Command Modes
Configuration.
Usage Guidelines
Use the ntp authenticate command to enable authentication of all time sources. This command is
optional and authentication will work even without this command.
If you want to authenticate in a mixed mode where only some servers require authentication, that is, only
some servers need to have keys configured for authentication, then this command should not be executed.
Examples
/admin(config)# ntp ?
authenticate
authentication-key
server
trusted-key
/admin(config)#
Authenticate time sources

Authentication key for trusted time sources
Specify NTP server to use
Key numbers for trusted time sources
/admin(config)# ntp authenticate

/admin(config)#
Related Commands
Command
Description
ntp
ntp server
system.
4-106
OL-26299-01
Chapter 4

Command
Description
ntp trusted-key
show ntp
To specify an authentication key for a time source, use the ntp authentication-key command in
configuration command with a unique identifier and a key value.
To disable this capability, use the no form of this command.
ntp authentication-key <key id> md5 hash | plain <key value>
Syntax Description
ntp
authentication-key
key id
The identifier that you want to assign to this key. Supports numeric values
from 165535.
md5
The encryption type for the authentication key.
hash <word>
Hashed key for authentication. Specifies an encrypted (hashed) key that

follows the encryption type. Supports up to 40 characters.
plain <word>
Plaintext key for authentication. Specifies an unencrypted plaintext key

that follows the encryption type. Supports up to 15 characters.
<key value>
The key value in the format matching either md5 plain | hash, above.
Defaults
None
Command Modes
Configuration.
Usage Guidelines
Use the ntp authentication-key command to set up a time source with an authentication key for NTP
authentication and specify its pertinent key identifier, key encryption type, and key value settings. Add
this key to the trusted list before you add this key to the ntp server command.
Time sources without the NTP authentication keys that are added to the trusted list will not be
synchronized.
Examples
/admin# configure
/admin(config)#
/admin(config)# ntp authentication-key 1 md5 plain SharedWithServe
/admin(config)# ntp authentication-key 2 md5 plain SharedWithServ
/admin(config)# ntp authentication-key 3 md5 plain SharedWithSer
OL-26299-01
4-107
Chapter 4
The show running-config command will always show keys that are entered in Message Digest
5 (MD5) plain format converted into hash format for security. For example, ntp
authentication-key 1 md5 hash ee18afc7608ac7ecdbeefc5351ad118bc9ce1ef3.
Note
/admin(config)# no ntp authentication-key 3
(Removes authentication key 3.)

/admin(config)# no ntp authentication-key
(Removes all authentication keys.)
Related Commands
Command
Description
ntp
ntp authenticate
ntp server
system.
ntp trusted-key
show ntp
ntp server
To allow for software clock synchronization by the NTP server for the system, use the ntp server
command in Configuration mode. Allows up to three servers each with a key in a separate line. The key
is an optional parameter but the key is required for NTP authentication. The CDA always requires a valid
and reachable NTP server.
Although key is an optional parameter, it must be configured if you need to authenticate an NTP server.
To disable this capability, use the no form of this command only when you want to remove an NTP server
and add another one.
ntp server {ip-address | hostname} key <peer key number>
Syntax Description
Defaults
ntp
server
Allows the system to synchronize with a specified server.
ip-address | hostname
IP Address or hostname of the server providing the clock synchronization.

Arguments are limited to 255 alphanumeric characters.
key
(Optional) Peer key number. Supports up to 65535 numeric characters. This

key needs to be defined with a key value, by using the ntp
authentication-key command, and also needs to be added as a trusted-key by
using the ntp trusted-key command. For authentication to work, the key and
the key value should be the same as that which is defined on the actual NTP
server.
No servers are configured by default.
4-108
OL-26299-01
Chapter 4

Command Modes
Configuration.
Usage Guidelines
Use this ntp server command with a trusted key if you want to allow the system to synchronize with a
specified server.
The key is optional, but it is required for NTP authentication. Define this key in the ntp
authentication-key command first and add this key to the ntp trusted-key command before you can
add it to the ntp server command.
The show ntp command displays the status of synchronization. If none of the configured NTP servers
are reachable or not authenticated (if NTP authentication is configured), then this command displays
synchronization to local with the least stratum. If an NTP server is not reachable or is not properly
authenticated, then its reach as per this command statistics will be 0.
To define an NTP server configuration and authentication in the CDA admin user interface, see the
System Time and NTP Server Settings section in the Cisco Identity Services Engine User Guide, Release
1.1.1.
Note
Examples
This command gives conflicting information during the synchronization process. The synchronization
process can take up to 20 minutes to complete.
Example 1
/admin(config)# ntp server ntp.esl.cisco.com key 1
% WARNING: Key 1 needs to be defined as a ntp trusted-key.
/admin(config)#
/admin(config)# ntp trusted-key 1
% WARNING: Key 1 needs to be defined as a ntp authentication-key.
/admin(config)#
/admin(config)# ntp authentication-key 1 md5 plain SharedWithServe
/admin(config)#
/admin(config)# ntp server ntp.esl.cisco.com 1
/admin(config)# ntp server 171.68.10.80 2
/admin(config)# ntp server 171.68.10.150 3
/admin(config)#
/admin(config)# do show running-config
!
hostname cda
!
!
ip address 172.21.79.246 255.255.255.0
!
!
!
clock timezone UTC
!
ntp authentication-key 1 md5 hash ee18afc7608ac7ecdbeefc5351ad118bc9ce1ef3
ntp authentication-key 2 md5 hash f1ef7b05c0d1cd4c18c8b70e8c76f37f33c33b59
ntp authentication-key 3 md5 hash ee18afc7608ac7ec2d7ac6d09226111dce07da37
ntp trusted-key 1
OL-26299-01
4-109
Chapter 4
ntp trusted-key 2
ntp trusted-key 3
ntp authenticate
ntp server ntp.esl.cisco.com key 1
ntp server 171.68.10.80 key 2
ntp server 171.68.10.150 key 3
!
--More-/admin# show ntp
Primary NTP
: cd-acs-ntp.cisco.com
synchronised to local net at stratum 11
time correct to within 448 ms
polling server every 64 s
remote
refid
st t when poll reach
delay
offset jitter
==============================================================================
*127.127.1.0
.LOCL.
10 l
46
64
37
0.000
0.000
0.001
171.68.10.80
.RMOT.
16 u
46
64
0
0.000
0.000
0.000
171.68.10.150
.INIT.
16 u
47
64
0
0.000
0.000
0.000
Warning: Output results may conflict during periods of changing synchronization.
/admin#
Related Commands
Command
Description
ntp
ntp authenticate
ntp trusted-key
show ntp
ntp trusted-key
To add a time source to the trusted list, use the ntp trusted-key command with a unique identifier. To
disable this capability, use the no form of this command.
ntp trusted-key <key>
Syntax Description
ntp
trusted-key
The identifier that you want to assign to this key.
key
Specifies key numbers for trusted time sources that needs to be defined as
NTP authentication keys. Supports up to 65535 numeric characters.
Defaults
None
Command Modes
Configuration.
4-110
OL-26299-01
Chapter 4

Usage Guidelines
Define this key as an NTP authentication key and then add this key to the trusted list before you add this
key to an NTP server. Keys that are added to the trusted list can only be used that allows synchronization
by the NTP server with the system.
Examples
/admin# configure
/admin(config)#
/admin(config)# no ntp trusted-key 2
(Removes key 2 from the trusted list.)

/admin(config)# no ntp trusted-key
(Removes all keys from the trusted list.)
Related Commands
Command
Description
ntp
ntp authenticate
ntp server
system.
show ntp
password-policy
To enable or configure the passwords on the system, use the password-policy command in
Configuration mode. To disable this function, use the no form of this command.
password-policy option
Note
Syntax Description
The password-policy command requires a policy option (see Syntax Description). You must enter the
password-expiration-enabled command before the other password-expiration commands.
password-policy
Note
The command to configure the password policy.
After you enter the password-policy command, you can enter the config-password-policy
configuration submode.
digit-required
Requires a digit in the password.
disable-repeat-characters
Disables the ability of the password to contain more than four identical
characters.
OL-26299-01
4-111
Chapter 4
disable-cisco-password
Disables the ability to use the word Cisco or any combination as the
password.
do
Exec command.
end
Exit from configure mode.
exit
Exit from this submode.
lower-case-required
Requires a lowercase letter in the password.
min-password-length
Specifies a minimum number of characters for a valid password.

Integer length from 0 to 4,294,967,295.
no
Negate a command or set its defaults.
no-previous-password
Prevents users from reusing a part of their previous password.
no-username
Prohibits users from reusing their username as a part of a password.
password-expiration-days
Number of days until a password expires. Integer length from 0 to 80.
password-expiration-enabled
Enables password expiration.

Note
You must enter the password-expiration-enabled command

before the other password-expiration commands.
password-expiration-warning Number of days before expiration that warnings of impending

expiration begin. Integer length from 0 to 4,294,967,295.
password-lock-enabled
Locks a password after several failures.
password-lock-retry-count
Number of failed attempts before password locks. Integer length from

0 to 4,294,967,295.
upper-case-required
Requires an uppercase letter in the password.
special-required
Requires a special character in the password.
Defaults
Command Modes
Configuration
Usage Guidelines
None.
Examples
/admin(config)# password-policy
/admin(config-password-policy)# password-expiration-days 30
/admin(config-password-policy)# exit
/admin(config)#
repository
To enter the repository submode for configuration of backups, use the repository command in
Configuration mode.
repository repository-name
4-112
OL-26299-01
Chapter 4

Syntax Description
Note
repository
The command to configure the repository.
repository-name
Name of repository. Supports up to 80 alphanumeric characters.
After you enter the name of the repository in the repository command, you enter the config-Repository
configuration submode (see the Syntax Description).
do
EXEC command. Allows you to perform any of the EXEC commands in this
mode (see the do section on page 4-87).
end
Exits the config-Repository submode and returns you to the EXEC mode.
exit
Exits this mode.
no
Negates the command in this mode.

Two keywords are available:
urlRepository URL.
userRepository username and password for access.
url
URL of the repository. Supports up to 80 alphanumeric characters (see

Table 4-17).
user
Configure the username and password for access. Supports up to 30

Table 4-17
URL Keywords
Keyword
Source of Destination
word
Enter the repository URL, including server and path information. Supports up to 80
cdrom:
Local CD-ROM drive (read only).
disk:
Local storage.
You can run the show repository repository_name to view all the files in the local
repository.
Note
All local repositories are created on the /localdisk partition. When you
specify disk:// in the repository URL, the system creates directories in a
path that is relative to /localdisk. For example, if you entered
disk://backup, the directory is created at /localdisk/backup.
ftp:
Source or destination URL for an FTP network server. Use url ftp://server/path1.
nfs:
Source or destination URL for an NFS network server. Use url nfs://server:path1.
tftp:
Source or destination URL for an TFTP network server. Use url nfs://server:path1.
Note
You cannot use a TFTP repository for performing CDA upgrade.
1. Server is the server name and path refers to /subdir/subsubdir. Remember that a colon (:) is required after the server for an
NFS network server.
Defaults
OL-26299-01
4-113
Chapter 4
Command Modes
Configuration
Usage Guidelines
When configuring url sftp: in the submode, you must provide the host-key under repository
configuration through CLI and the RSA fingerprint is added to the list of SSH known hosts.
To disable this function, use the no form of host-key host command in the submode.
CDA displays the following warning when you configure a secure ftp repository in the administration
user interface in Administration > System > Maintenance > Repository > Add Repository.
The host key of the SFTP server must be added through the CLI by using the host-key option before this
repository can be used.
A corresponding error is thrown in the Cisco ADE logs when you try to back up into a secure FTP
repository without configuring the host-key.
Example 1
/admin# configure termainal
/admin(config)# repository myrepository
/admin(config-Repository)# url sftp://cda
/admin(config-Repository)# host-key host cda
host key fingerprint added
# Host cda found: line 1 type RSA
2048 f2:e0:95:d7:58:f2:02:ba:d0:b8:cf:d5:42:76:1f:c6 cda (RSA)
/admin(config-Repository)# exit
/admin#
Related Commands
Command
Description
backup
a repository.
restore
Performs a restore and takes the backup out of a repository.
show backup history
show repository
service
To specify a service to manage, use the service command in Configuration mode. To disable this
service sshd
Syntax Description
Defaults
service
The command to specify a service to be managed.
sshd
Secure Shell Daemon. The daemon program for SSH.
4-114
OL-26299-01
Chapter 4

Command Modes
Configuration
Usage Guidelines
None.
Examples
/admin(config)# service sshd

/admin(config)#
shutdown
To shut down an interface, use the shutdown command in the interface configuration mode. To disable
this function, use the no form of this command.
Syntax Description
Defaults
Command Modes
Interface Configuration
Usage Guidelines
When you shut down an interface using this command, you lose connectivity to the CDA appliance
through that interface (even though the appliance is still powered on). However, if you have configured
the second interface on the appliance with a different IP and have not shut down that interface, you can
access the appliance through that second interface.
To shut down an interface, you can also modify the ifcfg-eth[0,1] file, which is located at
/etc/sysconfig/network-scripts, using the ONBOOT parameter:
Disable an interface: set ONBOOT="no
Enable an interface: set ONBOOT="yes"
You can also use the no shutdown command to enable an interface.
Examples

/admin(config-GigabitEthernet)# shutdown
Related Commands
Command
Description
interface
Configures an interface type and enters the interface mode.
configuration mode)
Sets the IP Address and netmask for the Ethernet interface.
show interface
Displays information about the system IP interfaces.
ip default-gateway
Sets the IP Address of the default gateway of an interface.
OL-26299-01
4-115
Chapter 4
To set up the community access string to permit access to the Simple Network Management Protocol
(SNMP), use the snmp-server community command in Configuration mode. To disable this function,
snmp-server community word ro
Syntax Description
snmp-server community The command to configure the SNMP server.

word
Accessing string that functions much like a password and allows access to
SNMP. No blank spaces allowed. Supports up to 255 alphanumeric
characters.
ro
Specifies read-only access.
Defaults
Command Modes
Configuration
Usage Guidelines
The snmp-server community command requires a community string and the ro argument; otherwise,
an error occurs.
The SNMP Agent on the CDA provides read-only SNMP v1 and SNMP v2c access to the following
MIBs:
SNMPv2-MIB
RFC1213-MIB
IF-MIB
IP-MIB
IP-FORWARD-MIB
TCP-MIB
UDP-MIB
HOST-RESOURCES-MIB
ENTITY-MIBOnly 3 MIB variables are supported on the ENTITY-MIB:

Product ID: entPhysicalModelName
Version ID: entPhysicalHardwareRev
Serial Number: entPhysicalSerialNumber
DISMAN-EVENT-MIB
NOTIFICATION-LOG-MIB
CISCO-CDP-MIB
4-116
OL-26299-01
Chapter 4

Examples
/admin(config)# snmp-server community new ro

/admin(config)#
Related Commands
Command
Description
snmp-server host
Sends traps to a remote system.
Configures the SNMP location MIB value on the system.
snmp-server contact
Configures the SNMP contact MIB value on the system.
snmp-server contact
To configure the SNMP contact Management Information Base (MIB) value on the system, use the
snmp-server contact command in Configuration mode. To remove the system contact information, use
the no form of this command.
snmp-server contact word
Syntax Description
snmp-server contact
The command to identify the contact person for this managed node. Supports
word
String that describes the system contact information of the node. Supports up
to 255 alphanumeric characters.
Defaults
Command Modes
Configuration
Usage Guidelines
None.
Examples
/admin(config)# snmp-server contact Luke

/admin(config)#
Related Commands
Command
Description
snmp-server host
Sets up the community access string to permit access to the SNMP.
OL-26299-01
4-117
Chapter 4
snmp-server host
To send SNMP traps to a remote user, use the snmp-server host command in Configuration mode. To
remove trap forwarding, use the no form of this command.
snmp-server host {ip-address | hostname} version {1 | 2c} community
Syntax Description
snmp-server host
The command to configure hosts to receive SNMP notifications.
ip-address
IP Address of the SNMP notification host. Supports up to 32 alphanumeric

characters.
hostname
Name of the SNMP notification host. Supports up to 32 alphanumeric

characters.
version {1 | 2c}
(Optional) Version of the SNMP used to send the traps. Default = 1.

If you use the version keyword, specify one of the following keywords:
community
1SNMPv1.
2cSNMPv2C.
Password-like community string that is sent with the notification operation.
Defaults
Disabled.
Command Modes
Configuration
Usage Guidelines
The command takes arguments as listed; otherwise, an error occurs. SNMP traps are not supported.
Examples
/admin(config)# snmp-server community new ro

/admin(config)# snmp-server host 209.165.202.129 version 1 password
/admin(config)#
Related Commands
Command
Description
Sets up the community access string to permit access to SNMP.
snmp-server contact
Configures the SNMP contact MIB value on the system.
To configure the SNMP location MIB value on the system, use the snmp-server location command in
Configuration mode. To remove the system location information, use the no form of this command.
snmp-server location word
4-118
OL-26299-01
Chapter 4

Syntax Description
The command to configure the physical location of this managed node.

Supports up to 255 alphanumeric characters.
word
String that describes the physical location information of the system.

Supports up to 255 alphanumeric characters.
Defaults
Command Modes
Configuration
Usage Guidelines
Cisco recommends that you use underscores (_) or hyphens (-) between the terms within the word string.
If you use spaces between terms within the word string, you must enclose the string in quotation marks
().
Examples
Example 1
/admin(config)# snmp-server location Building_3/Room_214
/admin(config)#
Example 2
/admin(config)# snmp-server location Building 3/Room 214
/admin(config)#
Related Commands
Command
Description
snmp-server host
Sets up the community access string to permit access to SNMP.
snmp-server contact
username
To add a user who can access the CDA appliance using SSH, use the username command in
Configuration mode. If the user already exists, the password, the privilege level, or both change with this
command. To delete the user from the system, use the no form of this command.
username username password {hash | plain} password role {admin | user] [disabled [email
email-address]] [email email-address]
For an existing user, use the following command option:
username username password role {admin | user} password
OL-26299-01
4-119
Chapter 4
Syntax Description
username
The command to create a user to access the CDA appliance using SSH.
username
Only one word for the username argument. Blank spaces and quotation marks
() are not allowed. Supports up to 31 alphanumeric characters.
password
The command to use specify password and user role.
password
Password character length up to 40 alphanumeric characters. You must

specify the password for all new users.
hash | plain
Type of password. Supports up to 34 alphanumeric characters.
role admin | user
Sets the privilege level for the user.
disabled
Disables the user according to the users email address.
email email-address
The users email address. For example, user1@mydomain.com.
Defaults
The initial user during setup.
Command Modes
Configuration
Usage Guidelines
The username command requires that the username and password keywords precede the hash | plain and
the admin | user options.
Examples
Example 1
/admin(config)# username admin password hash ###### role admin
/admin(config)#
Example 2
/admin(config)# username admin password plain Secr3tp@swd role admin
/admin(config)#
Example 3
/admin(config)# username admin password plain Secr3tp@swd role admin email
admin123@mydomain.com
/admin(config)#
Related Commands
Command
Description
password-policy
Enables and configures the password policy.
show users
Displays a list of users and their privilege level. It also displays a list
of logged-in users.
4-120
OL-26299-01
INDEX
ip name-server
ip route
add, edit active directory servers
add, edit consumer device
add, edit syslog servers
adding administrator
AD machines
3-4
3-13
4-100
ipv6 autoconfig
ipv6 dhcp
4-93
4-95
kron occurrence
3-23
4-101
kron policy-list
1-4
AD requirements
3-7
4-99
logging
2-4
4-102
4-103
ntp authenticate
4-106
ntp authentication
4-105
ntp server
browser support
4-108
ntp trusted-key
3-1
4-110
password-policy
repository
service
description
4-114
4-115
i-x
snmp-server contact
commands
snmp-server host
configuration
backup-staging-url
cdp holdtime
cdp run
4-82
4-118
4-118
4-119
EXEC
application install
4-84
clock timezone
4-85
4-2
application remove
4-3
4-87
end
4-90
exit
4-90
application start
4-7
application stop
4-8
hostname
icmp echo
interface
ip address
4-91
application upgrade
4-92
backup
4-92
ip default-gateway
4-98
4-98
clock
4-4
4-6
4-9
4-10
backup-logs
4-97
ip domain-name
4-116
4-117
username
4-82
4-83
cdp timer
do
4-111
4-112
shutdown
cautions
4-107
4-11
4-12
configure
4-13
OL-26299-01
IN-1
Index
copy
show memory
4-14
debug
4-17
show ntp
delete
4-20
show process
dir
4-65
4-67
show repository
4-21
exit
4-64
show restore
4-23
forceout
4-69
4-70
show running-configuration
4-24
halt
4-24
show startup-configuration
help
4-25
show tech-support
mkdir
show terminal
4-26
nslookup
patch install
patch remove
show udi
4-29
4-31
show uptime
reload
4-33
show users
restore
4-34
show version
4-78
4-79
4-80
rmdir
4-35
configuration commands
show
4-36, 4-48
configure
connectivity requirements
4-39
telnet
consumer device
4-40
terminal length
4-42
traceroute
write
3-15
2-3
1-3
4-41
undebug
4-81
ISE to forward user login events
4-38
tech
4-76
4-78
ping6
ssh
4-73
4-76
show timezones
4-28
4-72
4-75
show timezone
4-27
4-70
4-42
4-43
D
dashboard
3-3
4-44
4-44
4-46
show
EXEC commands
show application
show backup history

show cdp
show cpu
4-52
hardware requirements
2-2
4-53
show disks
4-55
show icmp-status
show interface
show inventory
show logging
show logins
4-50
4-51
show clock
4-2
4-48
4-57
4-58
4-60
4-61
I
import active directory server
installing CDA
3-9
2-13
IP-to-User identity mapping
3-19
4-63
IN-2
OL-26299-01
Index
L
live logs
3-25
logging in
3-2
log level settings
3-19
M
mapping filters
3-22
N
note, description of
i-xi
O
overview
1-2
P
password policy
3-24
performance and scalability
1-6
S
session timeout
show commands
3-25
4-36, 4-48
supported operating systems

syslog servers
2-1
1-5
T
timesaver, description of
i-xi
OL-26299-01
IN-3
Index
IN-4
OL-26299-01

Cda 10

Uploaded by

Copyright:

Available Formats

Cda 10

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cda 10

Uploaded by

Copyright:

Available Formats

Installation and Configuration Guide for

Cisco Context Directory Agent, Release 1.0

Cisco Systems, Inc.

Text Part Number: OL-26299-01

Document Organization Map

Related Documentation xii

Obtaining Documentation and Submitting a Service Request

Context Directory Agent Overview

Functional Overview 1-2

CDA Deployment Recommendations

Installing the Cisco Context Directory Agent

Installing Context Directory Agent Patches

Working with Context Directory Agent

Understanding the CDA User Interface 3-1

CDA Command Reference

EXEC Commands 4-2

icmp echo 4-92

Document Organization Map

Other Related Documentation

Obtaining Documentation and Submitting a Service Request

Document Organization Map

Whats New in Cisco CDA

Provides a brief summary of the new features introduced in

Chapter 1, Context Directory Agent

Provides an overview of the Cisco Context Directory Agent.

Provides step-by-step procedure on how to work with and

Commands and keywords are in boldface font.

Arguments for which you supply values are in italic font.

Elements in square brackets ([ ]) are optional.

Examples use these conventions:

Information you enter is in boldface screen font.

Nonprinting characters, such as passwords, are in angle brackets (< >).

Default responses to system prompts are in square brackets ([]).

An exclamation point (!) at the beginning of a line indicates a comment line.

Added and updated the following sections:

Jan 15, 2014

Connectivity Requirements, page 3

Active Directory Servers, page 7

Exporting Active Directory Servers, page 10

Sending and Receiving Syslog Messages, page 13

Adding and Editing Syslog Servers/Clients, page 13

Added and updated the following sections:

Supported Active Directory Versions, page 2

Active Directory Requirements for Successful Connection with CDA, page 4

Permissions Required when an Active Directory User is a Member of the

Permissions Required when an Active Directory User is Not a Member of the

Configuring a Default Domain Name, page 17

Live Logs, page 25

Added and updated the following sections:

Receiving Network Login Information from ISE and ACS, page 4

List of Open Ports, page 3

Importing Active Directory Servers, page 9

Adding and Editing Syslog Servers/Clients, page 13

Sending and Receiving Syslog Messages, page 13

Configuring ISE to Forward User Login Events to CDA, page 15

Updated the following sections:

Active Directory Domain Controller Machines, page 4

Supported Active Directory Versions, page 2

Active Directory Requirements for Successful Connection with CDA, page 4