ClearPass Policy Manager

6.10.x

CLI Reference Guide

 Copyright Information
© Copyright 2022 Hewlett Packard Enterprise Development LP.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public
License, and/or certain other open source licenses. A complete machine-readable copy of the source code
corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information
and shall expire three years following the date of the final distribution of this product version by Hewlett-
Packard Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:
Hewlett-Packard Company
Attn: General Counsel
6280 America Center Drive
San Jose, CA 95002
USA
Please specify the product and version for which you are requesting source code.

Revision 01 | September 2021 ClearPass Policy Manager 6.10.x | CLI Reference Guide
 Chapter 1
Command Line Interface

Refer to the following sections to perform configuration tasks using the Policy Manager Command Line
Interface (CLI):
n Cluster Commands
n Select any command from the left navigation menu.
n Miscellaneous Commands
n Network Commands
n Service Commands
n Show Commands
n SSH Timed Account Lockout Commands
n System Commands

Cluster Commands
Select any command from the left navigation menu.

cluster diagnostics
cluster diagnostics
-s [-6]
-c [-6]
-p
-d
-r

Description
Use the cluster diagnostics command to run diagnostics on a Policy Manager cluster. This command supports
both IPv4 and IPv6 management port addresses and uses port number 7432 to collect diagnostics data.
Cluster diagnostics for both IPv4 and Ipv6 environments also include metrics for how much time was taken to
establish a database connection to the publisher, and how much time was taken for HTTPS API calls to the
publisher. These Publisher database connection check and HTTPS connection check to host duration metrics
are in hour:min:sec.microsec format.
The command syntax for an IPv4 management address is:
n On subscriber: appadmin# cluster diagnostics -c
n On publisher: appadmin# cluster diagnostics -s

Parameter Description

-s Starts server using management IPv4 address for cluster

diagnostics.

-c Starts client for cluster diagnostics with an IPv4 address..

ClearPass Policy Manager 6.10.x | CLI Reference Guide Command Line Interface | 3
 Parameter Description

-6 When used with the -s parameter, starts cluster diagnostics on a

server using a management IPv6 address. When used with the -c
parameter, starts cluster diagnostics on a client using a IPv6
address.

-p Runs pgmetrics.

-d Specifies the database on which to run pgmetrics or reset statistics.

-r Resets database statistics.

Example
[appadmin]# cluster diagnostics -c 192.0.2.21
Enter Cluster Password for 192.0.2.21

Throughput 130914.19 kbps/sec

Configured MTU: 1500
Ping Lagency : 0.323333333333 ms
Publisher database connection check: [OK]
Publisher database connection time (HH:MM:SS.μs): 0:00:00.018555
Verify HTTPS connection to host - 192.0.2.21
HTTPS connection check to host : [OK]
Publisher API connection time (HH:MM:SS.μs): 0:00:00.274626
MTU check for 1400 payload size : [OK]

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

cluster drop-subscriber
cluster drop-subscriber [-f] [-i <IP address>] -s

Description
Use the drop-subscriber command to remove a specific subscriber node from the cluster.

This command does not support Stateless Address Auto-configuration (SLAAC) IPv6 addresses.

Parameter Description

-f Enter the -f parameter to force Policy Manager to drop even the

nodes that are down.

4 | cluster drop-subscriber ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Parameter Description

-i <IP Address> Specify the Management IP address of the node. If this IP address is
not specified and the current node is a subscriber, Policy Manager
drops the current node.
NOTE: The IP address of the subscriber to be dropped must be
passed in the correct format. The IP address format depends on the
cluster communication mode: If the mode is ipv4, use the
subscriber's IPv4 address, otherwise if the mode is ipv6, use the
subscriber's IPv6 address. To verify which cluster communication
mode is configured, use the cluster list command.

-s Restricts resetting the database on the dropped node.

By default, Policy Manager drops the current node—if it's a
subscriber—from the cluster.

Example
The following example removes the IP address 192.0.2.1 from the cluster:

[appadmin]# cluster drop-subscriber -f -i 192.0.2.1 -s

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

cluster list
Use the cluster list command to list all the nodes in the cluster, and show whether cluster high availability is
enabled or disabled. The cluster list command also indicates the cluster communication mode (IPv4 or IPv6),
and indicates whether a standby publisher and failover wait time been defined.

Description
cluster list

Description
The following example lists all the nodes in a cluster:
[appadmin]# cluster list
[appadmin@v6-7152-6192]# cluster list
Cluster Commuication Mode: ipv4
Cluster high-availability : ENABLED, Failover wait-time : 8, Standby Publisher : 198.51.100.7
Publisher : Management port IP=198.51.100.3 IPv6=2001:DB8:200:7::150 Data port
IP=203.0.113.190 [local machine]
Subscriber : Management port IP=198.51.100.5 IPv6=2001:DB8:200:7::152 Data port
IP=203.0.113.192
Subscriber : Management port IP=198.51.100.7 IPv6=2001:DB8:200:7::153 Data port
IP=203.0.113.194

ClearPass Policy Manager 6.10.x | CLI Reference Guide cluster drop-subscriber | 5

 cluster make-publisher
Use the cluster make-publisher command to promote a specific subscriber to be the publisher in the same
cluster.

When running this command, do not close the shell or interrupt the command execution.

Description
The following example promotes a subscriber to publisher status:
[appadmin]# cluster make-publisher
********************************************************
* WARNING: Executing this command will promote the *
* current machine (which must be a subscriber in the *
* cluster) to the cluster publisher. Do not close the *
* shell or interrupt this command execution. *
********************************************************
Continue? [y|n]: y

To continue the make-publisher operation, enter y.

cluster make-subscriber
Run the cluster make-subscriber command on a standalone publisher to make the standalone node a
subscriber node and add it to the cluster.

This command does not support Stateless Address Auto-configuration (SLAAC) IPv6 addresses.

Description
cluster make-subscriber -i <IP-address> [-l] [-b] [-V]

The following table describes the required and optional parameters for the make-subscriber command:

Table 1: Cluster Make-Subscriber Command Parameter

Parameter Description

-b Instructs Policy Manager to skip making a backup of the publisher before you make it a
subscriber.

-i <IP-address> Specify the publisher's IP address.

NOTE: This parameter allows both IPv4 and IPv6 addresses.

-l Restores the local log database after this operation. This parameter is optional.

-V Instructs Policy Manager to not verify the publisher certificate.

Description
The following example converts the node with IP address 192.xxx.1.1 to a subscriber node and restores the
local log database:

6 | cluster drop-subscriber ClearPass Policy Manager 6.10.x | CLI Reference Guide

 [appadmin]# cluster make-subscriber –i 192.xxx.1.1 -l

cluster reset-database
Use the reset-database command to reset the local database and erase its configuration.

Running this command erases the Policy Manager configuration and resets the database to its default
configuration—all the configured data will be lost.

When running this command, do not close the shell or interrupt the command execution.

Description
cluster reset-database

Description
The following example reset the database:
[appadmin]# cluster reset-database
**********************************************************
* WARNING: Running this command will erase the Policy Manager *
* configuration and leave the database with default *
* configuration. You will lose all the configured data. *
* Do not close the shell or interrupt this command *
* execution. *
*********************************************************
Continue? [y|n]: y

To continue the reset-database operation, enter y.

cluster set-communication-mode
Click the drop-down list and select either ipv4 or ipv6 as the mode of commuication for all cluster operations.
If the value of this parameter is set to ipv6, all database and API calls will use IPv6 addresses for cluster
communication. If the value is set to ipv4, it will use IPv4 for database and API calls instead. The default value
of the cluster communication mode will depend on the IP address configured on the appliance during
installation or upgrade. If the appliance has only an IPv6 address, the default cluster communication mode will
be IPv6. If the appliance has both IPv4 and IPv6 addresses configured, or if only an IPv4 address is configured,
then the default cluster communication mode will be IPv4.
Whenever the cluster communication mode is changed, it performs the following validations:
n Configuration checks to verify an IP address in the correct format is configured for the interface.
n Certificate checks to verify the database certificates have the correct IP address in the SAN field.
n Certificate checks to verify the HTTPS certificates have the correct IP address in the SAN field.

ClearPass Policy Manager 6.10.x | CLI Reference Guide cluster drop-subscriber | 7

 Description
cluster set-communication-mode [ipv4/ipv6]

Description
The following example lists all the nodes in a cluster:
[appadmin]# cluster set-communication-mode ipv4
********************************************************
* *
* WARNING: Executing this command will change *
* the format of the IP address used for all *
* cluster communications and can cause *
* the cluster to go out of sync. *
* *
* Please reset certificates on all nodes *
* and reboot each node to ensure cluster is in sync. *
* *
* Do not close the shell or interrupt this command *
* execution. *
* *
********************************************************
Continue? [y|n]: y

cluster set-cluster-passwd
Use the cluster set-cluster-passwd command to change the cluster password on all nodes in the cluster.
You may only issue this command from the publisher.

Setting the cluster password changes the appadmin password for all the nodes in the cluster

Description
cluster set-cluster-passwd

Description
The following example changes the cluster password on the publisher:
[appadmin]# cluster set-cluster-passwd
cluster set-cluster-passwd

Continue? [y|n]: y

Enter Cluster Passwd: college.162

Re-enter Cluster Passwd: college.162

INFO - Password changed on local (publisher) node

Cluster password changed

8 | cluster drop-subscriber ClearPass Policy Manager 6.10.x | CLI Reference Guide

 cluster set-standby-publisher
Use the cluster set-standby-publisher command to set a standby publisher for cluster high availability. You
may only issue this command from the publisher.

Description
cluster set-standby-publisher [-i <IP Address>]|[-t <Failover wait time>]

Table 2: Cluster Make-Subscriber Command Parameters

Parameter Description

-i <IP Address> Management IP Address of the server to be configured as standby publisher.

NOTE: This parameter accepts both IPv4 and IPv6 addresses.

-t <Failover wait time> Specify the time (in minutes) that the standby publisher must wait before it assumes the
role of publisher after the primary publisher becomes unreachable. This parameter
prevents the standby publisher from taking over when the publisher is temporarily
unavailable during a restart. The default failover wait time is 10 minutes.

Description
The following example defines a standby publisher and sets the failover wait time to five minutes:
[appadmin]# cluster set-standby-publisher -i 10.21.4.33 -t 5
failover time = 5

cluster sync-cluster-passwd
Use the cluster sync-cluster-passwd command to synchronize the cluster (appadmin) password currently
set on the publisher with all the subscriber nodes in the cluster.

Synchronizing the cluster password changes the appadmin password for all the nodes in the
cluster

Description
cluster sync-cluster-passwd

Description
The following example synchronizes the cluster password:
[appadmin]# cluster sync-cluster-passwd
Continue? [y|n]: y

Enter Password: college.205

Re-enter Password: college.205

ClearPass Policy Manager 6.10.x | CLI Reference Guide cluster drop-subscriber | 9

 cluster list
cluster list

Description
Use the cluster list command to list all the nodes in the cluster, and show whether cluster high availability is
enabled or disabled. The cluster list command also indicates the cluster communication mode (IPv4 or IPv6),
and indicates whether a standby publisher and failover wait time been defined.

Example
The following example lists all the nodes in a cluster:

[appadmin]# cluster list

[appadmin@v6-7152-6192]# cluster list
Cluster Commuication Mode: ipv4
Cluster high-availability : ENABLED, Failover wait-time : 8, Standby Publisher :
198.51.100.7
Publisher : Management port IP=198.51.100.3 IPv6=2001:DB8:200:7::150 Data port
IP=203.0.113.190 [local machine]
Subscriber : Management port IP=198.51.100.5 IPv6=2001:DB8:200:7::152 Data port
IP=203.0.113.192
Subscriber : Management port IP=198.51.100.7 IPv6=2001:DB8:200:7::153 Data port
IP=203.0.113.194

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

cluster make-publisher
cluster make-publisher

Description
Use the cluster make-publisher command to promote a specific subscriber to be the publisher in the same
cluster.

Before you promote a subscriber to publisher, add the HTTPS server certificate of the subscriber to the Trust list and
ensure sure all the servers in the cluster have this certificate in the Trust list. This step is not required if the HTTPS
server certificates for all the servers in the cluster are signed by a certificate authority (CA)

When running this command, do not close the shell or interrupt the command execution.

10 | cluster list ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Example
The following example promotes a subscriber to publisher status:

[appadmin]# cluster make-publisher

********************************************************
* WARNING: Executing this command will promote the *
* current machine (which must be a subscriber in the *
* cluster) to the cluster publisher. Do not close the *
* shell or interrupt this command execution. *
********************************************************
Continue? [y|n]: y
To continue the make-publisher operation, enter y.

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

cluster make-subscriber
cluster make-subscriber -i <ip-address> [-l] [-b] [-V]

Description
Run the cluster make-subscriber command on a standalone publisher to make the standalone node a
subscriber node and add it to the cluster.

This command does not support Stateless Address Auto-configuration (SLAAC) IPv6 addresses.

Parameter Description

-b Instructs Policy Manager to skip making a backup of the publisher

before you make it a subscriber.

-i <ip-address> Specify the publisher's IP address.

NOTE: This parameter allows both IPv4 and IPv6 addresses.

-l Restores the local log database after this operation. This parameter
is optional.

-V Instructs Policy Manager to not verify the publisher certificate.

Example
The following example converts the node with IP address 192.0.2.1 to a subscriber node and restores the local
log database:

[appadmin]# cluster make-subscriber –i 192.0.2.1 -l

ClearPass Policy Manager 6.10.x | CLI Reference Guide cluster make-subscriber | 11

 Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

cluster reset-database
cluster reset-database

Description
Use the reset-database command to reset the local database and erase its configuration.

Running this command erases the Policy Manager configuration and resets the database to its default
configuration—all the configured data will be lost.

When running this command, do not close the shell or interrupt the command execution.

Example
The following example resets the database:

[appadmin]# cluster reset-database

**********************************************************
* WARNING: Running this command will erase the Policy Manager *
* configuration and leave the database with default *
* configuration. You will lose all the configured data. *
* Do not close the shell or interrupt this command *
* execution. *
*********************************************************
Continue? [y|n]: y
To continue the reset-database operation, enter y.

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

cluster set-cluster-passwd
cluster set-cluster-passwd <password>

12 | cluster reset-database ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Description
Use the cluster set-cluster-passwd command to change the cluster password on all nodes in the cluster.
You may only issue this command from the publisher.

Setting the cluster password changes the appadmin password for all the nodes in the cluster

Parameter Description

<password> New password for the cluster.

Example
The following example changes the cluster password on the publisher:

[appadmin]# cluster set-cluster-passwd

cluster set-cluster-passwdContinue? [y|n]: y
Enter Cluster Passwd: newpassword.123
Re-enter Cluster Passwd: newpassword.123
INFO - Password changed on local (publisher) node
Cluster password changed

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

cluster set-standby-publisher
cluster set-standby-publisher [-i <IP Address>]|[-t <Failover wait time>]

Description
Use the cluster set-standby-publisher command to set a standby publisher for cluster high availability. You
may only issue this command from the publisher.

If a cluster is configured with a standby publisher, add the HTTPS server certificate of the standby publisher to the
Trust list and ensure sure all the servers in the cluster have this certificate in the Trust list. This step is not required if
the HTTPS server certificates for all the servers in the cluster are signed by a certificate authority (CA)

Parameter Description

-i <IP Address> Management IP Address of the server to be configured as standby

publisher.
NOTE: This parameter accepts both IPv4 and IPv6 addresses.

ClearPass Policy Manager 6.10.x | CLI Reference Guide cluster set-standby-publisher | 13

 Parameter Description

-t <Failover wait time> Specify the time (in minutes) that the standby publisher must wait
before it assumes the role of publisher after the primary publisher
becomes unreachable. This parameter prevents the standby
publisher from taking over when the publisher is temporarily
unavailable during a restart. The default failover wait time is 10
minutes.

Example
The following example defines a standby publisher and sets the failover wait time to five minutes:

[appadmin]# cluster set-standby-publisher -i 10.21.4.33 -t 5

failover time = 5

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

cluster sync-cluster-passwd
cluster sync-cluster-passwd

Description
Use the cluster sync-cluster-passwd command to synchronize the cluster (appadmin) password currently
set on the publisher with all the subscriber nodes in the cluster.

Synchronizing the cluster password changes the appadmin password for all the nodes in the
cluster

Example
The following example synchronizes the cluster password:

[appadmin]# cluster sync-cluster-passwd

Continue? [y|n]: y
Enter Password: password.123
Re-enter Password: password.123

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

14 | cluster sync-cluster-passwd ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Configure Commands
Select any command from the left navigation menu.

configure date
configure date -p <ntp_server1> [-a <key-index> -v <key-value> -t <encryption-type>] [-s <ntp_
server2> [-a <key-index> -v <key-value> -t <encryption-type>]] [-z <timezone>]

Description
Use the configure date command to specify the cluster's primary and secondary NTP (Network Time
Protocol) servers, the key index, key value, encryption type, and optionally, the time zone for the publisher.

The Audit Viewer (Monitoring > Audit Viewer) tracks NTP configuration changes.

The following table describes the parameters for the configure date command:

Parameter Description

-p <ntp_server1> Specify the primary NTP server name or IP address. Policy Manager
can support up to five NTP servers; one primary server, and up to
four secondary servers. Users should be aware that ClearPass can
time sync with any of the configured NTP servers in any order. It
does not need to prefer the primary NTP server first and then the
secondary as per configuration.
NOTE: You can specify a destination node with an IPv6 address
enabled.

-s <ntp_server2> Use this parameter create a list of up to four secondary NTP

servers. For example, configure date -p us.pool.ntp.org -s ntp-
b.nist.gov -s ntp-c.colorado.edu
When Policy Manager is in CC mode, you must configure a primary
server and at least two secondary servers. Failure to define at least
two secondary servers will trigger a warning message.
NOTE: Do not use the -A and -s parameters together in a single
command, as this can trigger an Invalid Syntax error message.

-A <ntp_server3> Add an additional NTP server name or IP address to an existing list

of secondary NTP servers.
NOTE: Do not use the -A and -s parameters together in a single
command, as this can trigger an Invalid Syntax error message.

-a <key-index> The Key Index (also referred to as the Key ID) is a number that
specifies the index for key values.
The key-index value can be from 1 to 65534 inclusive.
Typically an NTP client and server have to trust the same key index
and key value pair for authentication to succeed.

-v <key-value> The Key Value is a form of shared secret, which both the client and
server use for authenticating NTP messages. The Key Value can be:
n Up to 20-character printable ASCII string
n Up to 40-character hex value

ClearPass Policy Manager 6.10.x | CLI Reference Guide configure date | 15

 Parameter Description

When entering an ASCII string for the Key Value, note that it cannot
contain the following characters:
n & (ampersand)
n ; (semicolon)
n `(grave accent)
n | (pipe)
n < (left angle bracket)
n > (right angle bracket)
n ( (left parenthesis)
n ) (right parenthesis)
Finally, the Key Value ASCII string must start and end with one of
the following characters:
n - (hyphen)
n ' (apostrophe)
n " (quote)

-t <encryption-type> Select one of the two options for Encryption Type:

n SHA
n SHA1
NOTE: In FIPS mode, SHA is not a supported encryption type.

-z <timezone> Specify the time zone on the publisher.

To view the list of supported time zones, enter show all-timezones.
This field is optional.

Examples
The following example configures the key-index, key-value, and encryption type for the primary and secondary
NTP servers:

[appadmin]# configure date -p ntp1.cppm.main -a 24 -v cp1234567890 -t SHA -s

ntp2.cppm.main -a 16 -v cp53.56 -t SHA1

This example synchronizes with the primary NTP server. Note that in this example, the key-value is a hex code.
Using a hex code for the key-value is supported only in the CLI, not in the user interface.

[appadmin]# configure date -p ntp1.cppm.main -a 96 -v

6bf60ca1876b57248311aa07c7783d391be95d6c -t SHA1

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

configure dns
configure dns -p <dnsserver> [-s <dnsserver>] [-t <dnsserver>] [-n <attempts>] [-o <timeout>]

16 | configure dns ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Description
Use the configure dns command to configure DNS servers. You must specify a minimum of one DNS server;
you can specify a maximum of three DNS servers.

Parameter Description
-p <dnsserver> Define the primary DNS server, where <dnsserver> is the IPv4 or
IPv6 address of a DNS server.

-s <dnsserver> (Optional) Define the second DNS server, where <dnsserver> is the
IPv4 or IPv6 address of a DNS server.

-t <dnsserver> (Optional) Define the third DNS server, where <dnsserver> is the
IPv4 or IPv6 address of a DNS server.

-n <attempts> (Optional) Specify the maximum number of attempts. The value can
be from 1 to 5, and the default is 2.

-o <timeout> (Optional Specify the timeout duration in seconds. Value can be

from 1 to 30. Default is 5 seconds.

Examples
The following example configures a single primary DNS server.

[appadmin]# configure dns -p 192.168.14.1

The following example configures the primary and secondary DNS servers with the maximum number of
attempts set at 5, and with a 30 second timeout. You can configure an IPv6 address as described in this
example.

[appadmin]# configure dns -p 192.168.14.1 -s 2001:4860:4860::8888 -n 5 -o 30

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

configure fips-mode
configure fips-mode [0|1]

Running this command erases the ClearPass Policy Manager configuration settings and returns the database to the
default configuration. All configured data will be lost. This command also shuts down all running applications and
reboots the system.

ClearPass Policy Manager 6.10.x | CLI Reference Guide configure fips-mode | 17

 Description
Use the configure fips-mode command to enable or disable FIPS (Federal Information Processing Standard)
mode.

Parameter Description

0 To disable FIPS mode, enter 0.

Read the caution message carefully before enabling or disabling
FIPS mode.

1 To enable FIPS mode, enter 1.

Example
The following example disables FIPS mode:

[appadmin]# configure fips-mode 0

******************************************************************
* *
* WARNING: Running this command will erase the Policy Manager *
* configuration and leave the database with default *
* configuration. You will lose all the configured data. *
* *
* This command will also shutdown all applications and reboot *
* the system. *
* *
* Do not close the shell or interrupt this command execution. *
* *
******************************************************************
Continue? [y|n]: y
Clicking y in this example disables FIPS mode.

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

configure hostname
configure hostname <hostname>

Description
Use the configure hostname command to configure the host name of the Policy Manager server. When
configuring a host name that includes a period character ( . ), the substring before the first period character
must be unique for each device. This is because a hostname field that includes a period character is interpreted
to be a Fully Qualified Domain Name (FQDN), in which case the substring before the first period character is the
hostname.
Valid hostname configurations:

18 | configure hostname ClearPass Policy Manager 6.10.x | CLI Reference Guide

 n cppm1.arubanetworks.com
n cppm2.arubanetworks.com
Invalid hostname configurations:
n cppm1.santaclara.arubanetworks.com
n cppm1.bangalore.arubanetworks.com

Parameter Description

<hostname> Host name of the Policy Manager server

Example
The following example configures a hostname:

[appadmin]# configure hostname sun.us.arubanetworks.com

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

configure ip
configure ip <mgmt|data> <ip_address> netmask <netmask address> gateway <gateway address>

Description
Use the configure ip command to configure the IPv4 address of the management interface or the data
interface, netmask, and gateway address.

Parameter Description

ip <mgmt|data> <IP address> Specify the network interface type: management port interface or
data point interface.
<ip address> specifies the IPv4 address of the host.

netmask <netmask> Specify the netmask for the IPv4 address.

gateway <gateway address> Specify the IP address for the network gateway.

Example
The following example configures the IP address for the data interface, the netmask for that address, and the
gateway address:

[appadmin]# configure ip data 192.168.xx.12 netmask 255.255.255.0 gateway 192.168.xx.1

ClearPass Policy Manager 6.10.x | CLI Reference Guide configure ip | 19

 Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

configure ip6
configure ip6 <mgmt|data> <IPv6 address>/<PrefixLen> gateway <gateway address>

Description
Use the configure ip6 command to configure the IPv6 management or data interface, IPv6
address/PrefixLength, and the gateway address.
Policy Manager uses Stateless Address Auto-Configuration (SLAAC) to obtain IPv6 addresses when IPv6 router-
advertisements are enabled. If a Policy Manager instance is configured with an IPv4 and an IPv6 address (dual-
stack), then after upgrade the static IPv6 address is retained and, if IPv6 router-advertisements are enabled, a
SLAAC IPv6 address will also be obtained. If no static IPv6 is configured, addresses obtained by SLAAC are
shown in the server details on the Administration > Server Manager > Server Configuration page.
If a Policy Manager sever's network settings are configured to have only an IPv6 address for the management
port, the Admin Server service and Async network service service connect to an IPv6 address for an
external server's hostname, even if that hostname resolves to both an IPv4 and IPv6 address (dual-stack). If
the Policy Manager management port has a IPv4 address, then the IPv4 address of the external server will be
preferred for connectivity by the Admin server and Async network service services.

During bootstrap configuration, anycast, multicast, and site-local addresses (Unique Local Addresses) are not
allowed as management or data port interface address.

Parameter Description

<mgmt|data> Specify the network interface type:

n mgmt: management interface
n data: data interface

<IP address> Enter the IPv6 IP address for the interface.

<prefixLen> Enter the prefix length. The prefix length in IPv6 is the equivalent of the subnet
mask in IPv4.

gateway <gateway address> Specify the gateway (IPv4 or IPv6) address .

Example
The following example configures the IPv6 management or data interface, IPv6 address/PrefixLength, and
gateway address:

[appadmin]# configure ip6 mgmt 2001:100:200:128::157/64 gateway 2001:100:200:128::129

20 | configure ip6 ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

configure mtu
configure mtu <mgmt|data> <mtu-value>

Description
Use the configure mtu command to set the MTU (Maximum Transmission Unit) for the management and
data port interfaces.

Running this command can cause the Policy Manager server to lose network connectivity.

Parameter Description

<mgmt|data> Specify the network interface type:

n mgmt: management interface
n data: data interface

<MTU value> Specify the MTU value in bytes. The default value is 1500 bytes.

Examples
The following example configures the MTU management interface:

[appadmin] # configure mtu mgmt 1498

********************************************************
* *
* WARNING: Running this command might cause system *
* to lose network connectivity and may require relogin.*
* *
********************************************************
Continue? [y|n]: y
INFO: Restarting network services
INFO: Successfully applied MTU settings

The following example configures the MTU data port value:

[appadmin]# configure mtu data 1498

********************************************************
* *
* WARNING: Running this command might cause system *
* to lose network connectivity and may require relogin.*
* *
********************************************************
Continue? [y|n]: y

ClearPass Policy Manager 6.10.x | CLI Reference Guide configure mtu | 21

 INFO: Restarting network services
INFO: Successfully applied MTU settings

Use the show ip command to display the settings of the MTU management and data port interfaces:

[appadmin]# show ip
===========================================
Device Type : Management Port
-------------------------------------------
IPv4 Address : 10.2.xx.86

Subnet Mask : 255.255.255.0

Gateway : 10.2.xx.1

IPv6 Address : 2607:f0d0:1002:0011:0000:0000:0000:0002

Subnet Mask : ffff:ffff:ffff:ffff:0000:0000:0000:0000
Gateway : 2607:f0d0:1002:0011:0000:0000:0000:0001
Hardware Address : 00:0C:29:70:27:40
MTU : 1499
===========================================
Device Type : Data Port
-------------------------------------------
IPv4 Address : <not configured>
Subnet Mask : <not configured>
Gateway : <not configured>
IPv6 Address : fe80:0000:0000:0000:020c:29ff:fe70:274a
Subnet Mask : ffff:ffff:ffff:ffff:0000:0000:0000:0000
Gateway : fe80:0000:0000:0000:020c:29ff:fe70:2741
Hardware Address : 00:0C:29:70:27:4A
MTU : 1498
===========================================
DNS Information
-------------------------------------------
Primary DNS : 10.2.xx.3

Secondary DNS : 10.1.xx.50

Tertiary DNS : 10.1.xx.200

===========================================

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

configure port
configure port <direction> <protocol> <port> <action>

22 | configure port ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Description
This command is used to filter inbound or outbound traffic on a selected port.

Parameter Description

<direction> Specify the access control rule direction. Allowed values are:
n input
n output

<protocol> Specify the access protocol. Allowed values are:

n tcp
n udp

<port>
Specify the port number (1-65535)

<action>
Select filtering action
Allowed values are:
n accept
n reject

Example
The following example configures the Policy Manager server to block SSH conection requests to the Policy
Manager server by rejecting SSH connections to port 22.

[appadmin]# configure port input tcp 22 reject

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

configure timezone
configure timezone

Description
Use the configure timezone command to interactively configure the time zone. The Policy Manager
command-line interface prompts you to enter a continent or ocean, a country, and for countries with more
than one time zone, also the region where your Policy Manager server is located.

Example
The following example interactively configures the time zone for a Policy Manager server in the United
States/Pacific time zone:

ClearPass Policy Manager 6.10.x | CLI Reference Guide configure timezone | 23

 [appadmin]# configure timezone
******************************************************************
* *
* WARNING: When the command is completed Policy Manager services *
* are restarted to reflect the changes. *
* *
******************************************************************
Continue? [y|n]: y
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) quit
#? 2
Please select a country.
1) Anguilla 19) Dominican Republic 37) Peru
2) Antigua & Barbuda 20) Ecuador 38) Puerto Rico
3) Argentina 21) El Salvador 39) St Barthelemy
4) Aruba 22) French Guiana 40) St Kitts & Nevis
5) Bahamas 23) Greenland 41) St Lucia
6) Barbados 24) Grenada 42) St Maarten (Dutch)
7) Belize 25) Guadeloupe 43) St Martin (French)
8) Bolivia 26) Guatemala 44) St Pierre & Miquelon
9) Brazil 27) Guyana 45) St Vincent
10) Canada 28) Haiti 46) Suriname
11) Caribbean NL 29) Honduras 47) Trinidad & Tobago
12) Cayman Islands 30) Jamaica 48) Turks & Caicos Is
13) Chile 31) Martinique 49) United States
14) Colombia 32) Mexico 50) Uruguay
15) Costa Rica 33) Montserrat 51) Venezuela
16) Cuba 34) Nicaragua 52) Virgin Islands (UK)
17) Curaçao 35) Panama 53) Virgin Islands (US)
18) Dominica 36) Paraguay
#? 49
Please select one of the following time zone regions.
1) Eastern (most areas) 16) Central - ND (Morton rural)
2) Eastern - MI (most areas) 17) Central - ND (Mercer)
3) Eastern - KY (Louisville area) 18) Mountain (most areas)
4) Eastern - KY (Wayne) 19) Mountain - ID (south); OR (east)
5) Eastern - IN (most areas) 20) MST - Arizona (except Navajo)
6) Eastern - IN (Da, Du, K, Mn) 21) Pacific
7) Eastern - IN (Pulaski) 22) Alaska (most areas)
8) Eastern - IN (Crawford) 23) Alaska - Juneau area
9) Eastern - IN (Pike) 24) Alaska - Sitka area
10) Eastern - IN (Switzerland) 25) Alaska - Annette Island
11) Central (most areas) 26) Alaska - Yakutat
12) Central - IN (Perry) 27) Alaska (west)
13) Central - IN (Starke) 28) Aleutian Islands
14) Central - MI (Wisconsin border) 29) Hawaii
15) Central - ND (Oliver)
#? 21
The following information has been given:

24 | configure timezone ClearPass Policy Manager 6.10.x | CLI Reference Guide

 United States
Pacific
Therefore TimeZone='America/Los_Angeles' will be used.
Local time is now: Tue Jun 8 15:19:12 PDT 2021.
Universal Time is now: Tue Jun 8 22:19:12 UTC 2021.
Is the above information OK?
1) Yes
2) No
#?1

Related Commands

Command Description

show all-timezones View all available time zones.

show timezone Interactively configure the time zone.

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

Network Commands
Select any command from the left navigation menu.

network ip
network ip
add <mgmt|data|greN|vlanN> [-i <id>] <[-s <SrcAddr>] [-d <DestAddr>]> [-g <ViaAddr>]
del [-i <id>]
list
reset

Description
Use the network ip command to add, delete, or list custom routes to the data or management interface
routing table for IPv4 networks. Note that network IP routing commands are disabled for ClearPass cloud
deployments (such as deployments hosted in Azure or AWS) because:
n The network IP assignments are managed by the cloud networking vendor.
n The process through which the cloud deployment DHCP and IP assignments are not managed by ClearPass,
so there is no way to define static IP addresses
n The routing configuration defined in the cloud deployment will no longer be valid if the system renews its IP
address in the next DHCP refresh cycle.

ClearPass Policy Manager 6.10.x | CLI Reference Guide network ip | 25

 Parameter Description

add <mgmt | data| greN |vlanN> Add a custom route by specifying the management interface, data
interface, the name of the GRE tunnel, or the VLAN number.
n <greN>: N identifies the GRE tunnel number ranging from
1,2,3...N.
n <vlanN>: N identifies the VLAN number.

-i <id> Specify the ID of the network IP rule. If this ID is not specified, the
system generates an ID automatically.
NOTE: This ID determines the priority in the ordered list of rules in
the routing table.

-s <SrcAddr> Specify the IPv4 address or network. For example, 192.168.xx.0/24

or 0/0 (for all traffic) of traffic originator. You must specify only one
source IP address. This parameter is optional.

-d <DestAddr> Specify the destination IPv4 address or network. For example,

192.168.xx.0/24 or 0/0 (for all traffic). You must specify only one
destination IP address. This parameter is optional.

-g <ViaAddr> Specify the via or gateway IPv4 address through which the network
traffic should flow. A valid IP address is allowed. This parameter is
optional.

del -i <id> Delete the network IPv4 route with the specified route ID.

list Display a list of all routing rules.

reset Reset the routing table to the factory default settings. All custom
routes are removed.

Example:
The following example adds a custom route:

[appadmin]# network ip add data -s 192.0.20/24

INFO - New ip rule created with the id = 20066

The following example lists all custom routes:

[appadmin]# network ip list

===============================================
IP Rule Information
-----------------------------------------------
0: from all lookup local
10020: from all to 10.xx.4.0/24 lookup mgmt
10040: from 10.xx.4.200 lookup mgmt
10060: from 10.xx.5.200 lookup data
32766: from all lookup main
32767: from all lookup default
===============================================

26 | network ip ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Related Commands

Command Description

network ip6 Add, delete, or list custom routes to the data or management
interface routing table for IPv6 networks.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

network ip6
network ip6
add <mgmt|data|greN|vlanN> [-i <id>] <[-s <SrcAddr>] [-d <DestAddr>]> [-g <ViaAddr>]
del [-i <id>]
list
reset

Description
Add, delete, or list custom routes to the data or management interface routing table for IPv6 networks. Note
that network IP routing commands are disabled for ClearPass cloud deployments (such as deployments hosted
in Azure or AWS) because:
n The network IP assignments are managed by the cloud networking vendor.
n The process through which the cloud deployment DHCP and IP assignments are not managed by ClearPass,
so there is no way to define static IP addresses
n The routing configuration defined in the cloud deployment will no longer be valid if the system renews its IP
address in the next DHCP refresh cycle.

Parameter Description

add <mgmt | data| greN |vlanN> Add a custom route by specifying the management interface, data
interface, the name of the GRE tunnel, or the VLAN number.
n <greN>: N identifies the GRE tunnel number ranging from
1,2,3...N.
n <vlanN>: N identifies the VLAN number.

-i <id> Specify the ID of the network IP rule. If this ID is not specified, the
system generates an ID automatically.
NOTE: This ID determines the priority in the ordered list of rules in
the routing table.

ClearPass Policy Manager 6.10.x | CLI Reference Guide network ip6 | 27

 Parameter Description

-s <SrcAddr> Specify the IPv6 address or network. For example,

2001:DB8:441:1020::0/32 or 0/0 (for all traffic) of traffic originator.
You must specify only one source IP address. This parameter is
optional.

-d <DestAddr> Specify the destination IPv6 address or network. For example,

2001:DB8:441:1020::0/32 or 0/0 (for all traffic). You must specify
only one destination IP address. This parameter is optional.

-g <ViaAddr> Specify the via or gateway IPv6 address through which the network
traffic should flow. A valid IP address is allowed. This parameter is
optional.

del -i <id> Delete the network IPv6 route with the specified route ID.

list Display a list of all routing rules.

reset Reset the routing table to the factory default settings. All custom
routes are removed.

Example:
The following example adds a custom route:

[appadmin]# network ip6 add mgmt -i 20067 -s 2001:DB8:441:1020::0/32

INFO - New ip rule created with the id = 20067

The following example lists all custom routes:

[appadmin]# network ip6 list

===============================================
IP Rule Information
-----------------------------------------------
0: from all lookup local
220: from all lookup 220
20020: from all to 2001:DB8:441:13a0::5:8/64 lookup mgmt
20040: from 2001:DB8:441:13a0::5:8 lookup mgmt
20060: from 2001:DB8:441:13e1::1:a1 lookup data
20067: from 2001:DB8:441:1020::/32 lookup mgmt
20099: from all lookup data
32766: from all lookup main
===============================================

Related Commands

Command Description

network ip Add, delete, or list custom routes to the data or management

interface routing table for IPv4 networks.

28 | network ip6 ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Command History

Version Modification

Policy Manager 6.10 Command Introduced

network ping
network ping [-i <SrcIPv6Addr>] [-t] <host>

Description
Test the reachability of the host on an IPv4 network

Parameter Description

-i <SrcIPv6Addr> The originating IPv4 address for the ping. This parameter is optional.

-t Use this parameter to ping indefinitely. This parameter is optional.

<host> The host to be pinged.

Example
The following example pings an IPv4 network host to test its reachability:
[appadmin]# network ping6 –i 192.0.2.11 –t or.us.example.com

Related Commands

Command Description

network ping6 Test the reachability of the host on an IPv6 network

Command History

Version Modification

Policy Manager 6.10 Command Introduced

network ping6
network ping6 [-i <SrcIPv6Addr>] [-t] <host>

ClearPass Policy Manager 6.10.x | CLI Reference Guide network ping | 29

 Description
Test the reachability of the host on an IPv6 network

Parameter Description

-i <SrcIPv6Addr> The originating IPv6 address for the ping. This parameter is optional.

-t Use this parameter to ping indefinitely. This parameter is optional.

<host> The host to be pinged.

Example
The following example pings an IPv6 network host to test its reachability:
[appadmin]# network ping6 –i f2001:db8:: –t ca.us.example.com

Related Commands

Command Description

network ping Test the reachability of the host on an IPv4 network

Command History

Version Modification

Policy Manager 6.10 Command Introduced

network reset
network reset data|mgmt [v4|v6]

Description
Use the network reset command to reset the network data and management ports. You can use this
command to reset both IPv4 and IPv6 addresses. Before resetting an IPv4 address for the port, ensure than an
IPv6 address is set for the port and that the cluster communication mode is set to IPv6. Conversely, before
resetting an IPv6 address for the port, ensure that an IPv4 address is set for it and that the cluster
communication mode is set to IPv4. Before Policy Manager resets an IPv4 or IPv6 address, it displays the
warning message "This command erases network management port configuration and reconfigures the
network. This might cause the system to lose network connectivity and require you to log in again."

Parameter Description

data Reset the network data port.

30 | network reset ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Parameter Description

mgmt Reset the network management port.

[v4|v6] Indicate whether the port has an IPv4 or IPv6 address.

Examples
The following example resets the IPv4 network data port.

[appadmin]# network reset data v4

The following example resets the IPv6 network management port.

[appadmin]# network reset mgmt v6

Command History

Version Modification

Policy Manager 6.10 Command Introduced

network traceroute
network traceroute <host>

Description
Print the route taken to reach the IPv6 network host.

Table 3: Network Traceroute Command Parameters

Parameter Description

<host> The IPv4 address or FQDN of the network host.

Example
The following example prints the route taken to reach the network host:

[appadmin]# network traceroute6 ca.us.example.com

Related Commands

Command Description

network traceroute6 Print the route taken to reach the IPv6 network host.

ClearPass Policy Manager 6.10.x | CLI Reference Guide network traceroute | 31

 Command History

Version Modification

Policy Manager 6.10 Command Introduced

network traceroute6
network traceroute6 <host>

Description
Print the route taken to reach the IPv6 network host.

Table 4: Network Traceroute Command Parameters

Parameter Description

<host> The IPv6 address of the network host.

Example
The following example prints the route taken to reach the network host:

[appadmin]# network traceroute6 2001:DB8:441:1020::3

Related Commands

Command Description

network traceroute Print the route taken to reach the IPv4 network host.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

network nslookup
network nslookup [-q <query-option>] <host>

Description
Use the network nslookup command to get the IP address of the host using DNS.

32 | network traceroute6 ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Parameter Description

-q <query-option> The <query-option> parameter specifies a type of DNS record. The

supported record types are:
n A: Address record
n AAAA: IPv6 address record
n CNAME: Canonical name record
n PTR: Pointer resource record
n SRV: Service Locator

<host> The host or domain name to be queried.

Examples
The following example obtains the IPv4 address of the host or domain using DNS:

[appadmin]# network nslookup ca.us.example.com

The following examples perform network nslookups for a destination with an IPv6 address:

[appadmin]# network nslookup 2001:db8::

Server: 2001:db8::
Address: 2001:db8::#53
3.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa name = ipv6test-
n1.cppmipv6.com

[appadmin]# network nslookup -q AAAA ipv6test-n1.cppmipv6.com

Server: 2001:db8::
Address: 22001:db8::#53
ipv6test-n1.cppmipv6.com has AAAA address 2001:db8::

Command History

Version Modification

Policy Manager 6.10 Command Introduced

Miscellaneous Commands
Select any command from the left navigation menu.

ad auth
ad auth -u <username> -n <NetBIOS domain name>

ClearPass Policy Manager 6.10.x | CLI Reference Guide ad auth | 33

 Description
Use the ad auth command to authenticate the user against Active Directory. This command manually checks
against Active Directory to indicate whether or not a username and password are valid.

Parameter Description

-u <username> Specifies the username of the authenticating user. This is a

mandatory parameter.

-n <domain NetBIOS name> Specifies the domain name. This field is optional.

Description
[appadmin]# ad auth -u jbrown -n sanfranedu

You are prompted to enter the password. If the username and password you provide in this command are
correct, the following message is displayed:

INFO – NT_STATUS_OK: Success (0x0)

This message indicates that NT LAN Manager (NTLM) authentication (NTLM being the mechanism that
Policy Manager uses to authenticate users) has succeeded.

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

ad netjoin
ad netjoin <domain-controller.domain-name> [domain NetBIOS name] [domain REALM name]
[ou=<object container>]

Description
Use the ad netjoin command to join the host to the domain.

Parameter Description

<domain-controller. domain-name> Specify the complete Fully Qualified Domain Name (FQDN) of the
domain controller, including its hostname.
For example, if atlas.org is the Domain FQDN and DC01.atlas.org is
one of its domain controllers, then this argument would be correctly
expressed as DC01.atlas.org
This field is mandatory.

[domain NetBIOS name] Specify the NetBIOS name of the domain (optional argument).

34 | ad netjoin ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Parameter Description

You can specify this argument if the derived NetBIOS name is

different from the actual name. This is an optional argument.

[domain REALM name] You can specify this argument if the derived REALM is different from
the actual. This is an optional argument.

[ou=<object container>] If the computer account must be created in a different OU, this
argument specifies the Object Container .
For example 'ou=Domain Computer' OR 'ou=Domain
Computer+Linux Hosts'.
Note the usage of the separator '+' to specify the OU hierarchy.

Example
The following example joins the host to the domain:

[appadmin]# ad netjoin DC01.atlas.org.arubanetworks.com

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

ad netleave
ad netleave <domain NetBIOS name> [-f]

Description
Use the ad netleave command to remove the host from the domain.

Parameter Description

<domain NetBIOS name> Specifies the host to be joined to the domain. This field is
mandatory.

-f Forces the removal of Active Directory domain membership even if

the operation fails.

Example
The following example removes the host from the domain examplecollege.edu.

[appadmin]# ad netleave examplecollege.edu -f

ClearPass Policy Manager 6.10.x | CLI Reference Guide ad netleave | 35

 Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

ad passwd-server
ad passwd-server

set -n <domain NETBIOS name> -s <Server1> [Server2 Server3 Server4 ...]

list -n <domain NETBIOS name>
reset -n <domain NETBIOS name>

Description
Use the ad passwd-server command to do the following tasks:
n Set the Active Directory password servers.
n List the configured Active Directory password servers.
n Reset the Active Directory password servers.

When an Active Directory password server is updated in the domain server configuration, the RADIUS service is
restarted.

Parameter Description

set Set the password server(s).

-n <domain NetBIOS name> The -n parameter specifies the domain name.
-s <Server1> [Server2 Server3 Server4 ...] The -s parameter specifies one or more password server
names.

list -n <domain NetBIOS name> List the configured password servers for the specified
domain name.

reset -n <domain NetBIOS name> Reset the password servers for the specified domain name.

Example
The following example sets a password server for the domain examplecollege.edu.

[appadmin]# ad passwd-server set -n examplecollege.edu -s cppm.campus1

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

36 | ad passwd-server ClearPass Policy Manager 6.10.x | CLI Reference Guide

 ad testjoin
ad testjoin <domain NetBIOS name>

Description
Use the ad testjoin command to test if the ad netjoin command succeeded. This command also tests
whether Policy Manager is a member of the Active Directory domain.

Parameter Description

<domain NetBIOS name> Specifies the host to be joined to the domain. This field is
mandatory.

Example
The following example tests if the ad testjoin command succeeded:

[appadmin]# ad testjoin balsamcollege.edu

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

alias
alias <name>=<command>

Description
Use the alias command to create or remove aliases.

Parameter Description

<name>=<command> Sets <name> as the alias for <command>.

<name>= Removes the association.

Examples
This example set the alias sh for the show command:

[appadmin]# alias sh=show

This example removes the alias "sh":

ClearPass Policy Manager 6.10.x | CLI Reference Guide ad testjoin | 37

 [appadmin]# alias sh=show

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

backup
backup [-f <filename>] [-c] [-l] [-r] [-w] [-P]

Description
Use the backup command to create a backup of Policy Manager configuration data. If no arguments are
entered, the system automatically generates a filename and backs up the configuration to this file.

Parameter Description

[-f <filename>] Specify the backup target by defining a file name. If not specified,
Policy Manager automatically generates a file name.

-c Back up Policy Manager configuration data.

-l Back up Policy Manager session log data.

-r Back up Insight data.

-P Do not include password fields from the configuration database in

the backup.

-w Back up only the most recent records from the log database (the
last one week).

Example
[appadmin]# backup -f PolicyManager-data.tar.gz
Continue? [y|Y]: y

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

38 | backup ClearPass Policy Manager 6.10.x | CLI Reference Guide

 dump certchain
dump certchain <hostname:port-number>

Description
Use the dump certchain command to remove the certificate chain of any SSL-secured server.

Parameter Description

<hostname:port-number> Specifies the hostname and SSL port number.

Example
The following example dumps the certificate chain of an SSL-secured server:

[appadmin]# dump certchain ldap.acme.com:636

Command History

Version Modification

Policy Manager 6.10 Command Introduced

dump logs
dump logs
-f <output-file-name> [-s yyyy-mm-dd] [-e yyyy-mm-dd] [-n <days>] [-t <log-type>
[<filter>]]
-o [-r] [-v] [-q "yyyy-mm-dd HH:MM"] [-u HH:MM] [-i <tac-case-id>] [-m "<policy-manager-
service>"] [-n <days>] [-h]
-f <output-file-name> -b <scp|sftp> --user=<username> --password=<password> --
host=<hostname> --remote_dir=<directory>
-h

Description
Use the dump logs command to remove Policy Manager application log files. If you are working with Aruba
technical support, you can use the dump logs command to tag a .tar file of log messages with a date, and
server and company information, then upload that file to an Aruba log server.
If you use the dump logs command to schedule the collection of log files, be aware of the following caveats:
n When you schedule log collection, Policy Manager services collects logs in DEBUG mode. After the log files
are collected, the collected services reset from DEBUG mode to their default logging level.
n You can schedule log collection without specifying the debug duration and list of services names. This result
in directly collecting the logs at specified date and time.
n If log levels are not yet changed, you can delete the log collection schedule without using the -z force delete
option.

ClearPass Policy Manager 6.10.x | CLI Reference Guide dump certchain | 39

 n You can delete the schedule using the -z force delete option only when log levels are changed to DEBUG
mode but the log collection has not yet started. Once log collection started, you can't delete the schedule to
delete it using the -z force delete option, and must wait until log collection completes.

Parameter Description

-f <output-file-name> Output file to generate with the collected logs

-s Start date for the date range (default is today)

-e End date for the date range (default is today)

-n Define the date range as number of days from today

-o Schedule log collection with other options

-t Type of logs to collect (can be specified multiple times)

-b <scp|sftp> Send collected logs to backup server using the specified protocol:
n scp: send logs using Secure Copy Protocol (SCP)
n sftp: Send logs using Secure File Transfer Protocol (SFTP)

-r Delete the schedule for log collection, use -z option with -r to try force
delete

-v View the schedule for log collection and status of last log collection

-q Start date and time to set Policy Manager services log level to DEBUG
mode

-u Duration to set Policy Manager services log level in DEBUG mode

-i Aruba TAC Case ID. The case ID is typically 10 digits long.

-m ["<policy-manager-service>"] Policy Manager service name to set log level to DEBUG mode
Use the following Policy Manager service names with the<policy-
manager-service> parameter. Note that the service names need to be
entered inside quotation marks, for example, "ClearPass Network
Services"
n ClearPass network services
n Syslog client service
n TACACS+ server
n Admin serve r
n Micros Fidelio FIAS
n AirGroup notification service
n DB change notification server
n Async network services
n Radius server
n RadSec service
n Zone cache
n Policy server
n DB replication service

--user=<username> Specify a user name to authenticate to a remote directory and upload log
files.

--password=<password> Specify a password to authenticate to a remote directory and upload log

files.

40 | dump logs ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Parameter Description

--host=<hostname> Specify the host name or IP address of a the server where the log files
will be uploaded

--remote_dir=<directory> Specify the name of the remote directory where the log files will be
uploaded.

<log-type> [<filter>] Specify one of the following log types:

n SystemLogs: Collects system logs
n PerformanceMetricsLogs: Collects performance metrics logs
n AirGroupLogs: Collects logs from AirGroup notification service
n ClearPassGuestLogs: Collects logs from ClearPass Guest
application
n ConfigBackup: Collects configuration backup (without passwords)
n DiagnosticDumps: Collects diagnostic dumps from ClearPass
services
n PacketCapture : Capture packets for a fixed duration. Default is 60
seconds (set using -d 60).
Filter Options
n -a: Sets Source Port
n -A: Sets Destination Port
n -b: Sets Source IP
n -B: Sets Destination IP
n -d: Sets number of seconds for packet capture. Default is 60
seconds
n -p: Sets Protocol for packet capture
n -c: Sets number of packets to be captured
n -C:Sets size limit of log file

-h =
print help with the types of logs available

To collect logs for a give date range (in days)

dump logs -f <output-file-name> [-s yyyy-mm-dd] [-e yyyy-mm-dd] [-n <days>] [-t <log-type>] [-
o <schedule-log-collection>] [-b <file-copy-settings>] [-h]
where,
-f = the output file to generate with the logs collected
-s = the start date for the date range (default is today)
-e = the end date for the date range (default is today)
-n = use to define the date range as number of days from today
-o = use to schedule log collection with other options
-t = the type of logs to collect (can be specified multiple times)
-b = collect logs to backup server
-h = print help with the types of logs available

To schedule log collection

dump logs -o [-r] [-v] [-q "yyyy-mm-dd HH:MM"] [-u HH:MM] [-i <tac-case-id>] [-m "<policy-
manager-service>"] [-n <days>] [-h]
where:
-r = delete the schedule for log collection, use -z option with -r to try force delete
-v = view the schedule for log collection and status of last log collection
-q = start date and time to set Policy Manager services log level to DEBUG mode
-u = duration to set Policy Manager services log level in DEBUG mode
-i = Aruba TAC Case Id. Should be 10 digits long
-m = Policy Manager service name to set log level to DEBUG mode
-h = Display help information

ClearPass Policy Manager 6.10.x | CLI Reference Guide dump logs | 41

 Use the following Policy Manager service names with the [-m "<policy-manager-service>"] parameter
described in the syntax above.
n ClearPass network services
n Syslog client service
n TACACS+ server
n Admin serve r
n Micros Fidelio FIAS
n AirGroup notification service
n DB change notification server
n Async network se rvices
n Radius server
n RadSec service
n Zone cache
n Policy server
n DB replication service

To upload log files to an Aruba log server to assist with a technical support issue.
[appadmin]#dump logs -f <output-file-name> -b <scp|sftp> --user=username --password=password -
-host=hostname --remote_dir=directory
where:
-b <scp|sftp> : Specify protocol to copy logs archive to remote server
--host = Hostname or IP address of the remote server
--user = Username allowed to copy the file to remote server
--password = Password configured for the Username, allowed on the remote server
--remote_dir = Remote directory to which logs archive will be copied into tmp folder

n This command sends the following log types:

n System logs
n Performance metrics logs
n AirGroup notification service
n Logs from ClearPass Guest application
n Configuration backup (without passwords)
n Diagnostic dumps from ClearPass services
n Logs from all PolicyManager services
n PacketCapture

Examples
The following example uploads log files to an Aruba log server to assist with a technical support issue.

[appadmin]#dump logs -f tips-policy-manager-logs.tgz -t PolicyManagerLogs -b SCP --

user=arubasupport --password=mypassword --host=192.0.2.112 --remote_dir=testCase_tgz

The following example dumps Policy Manager application log files:

[appadmin]# dump logs –f tips-system-logs.tgz -s 2007-10-06 –e 2007-10-17 –t SystemLogs

The following example prints help for the available log types:

42 | dump logs ClearPass Policy Manager 6.10.x | CLI Reference Guide

 [appadmin]# dump logs -h

Command History

Version Modification

Policy Manager 6.10 Command Introduced

dump servercert
dump servercert <hostname:port-number>

Description
[appadmin]# dump servercert ldap.acme.com:636

Use the dump servercert command to remove the server certificate of an SSL-secured server.

Parameter Description

<hostname:port-number> Specify the hostname and an SSL port number, separated by a

colon. For example, example.com:636.

Example
The following example removes the server certificate of the specified SSL-secured server:

[appadmin]#dump servercert ldap.acme.com:636

Command History

Version Modification

Policy Manager 6.10 Command Introduced

exit
exit

Description
Use the exit command to exit the Policy Manager shell.

Example
The following example exits the shell:

ClearPass Policy Manager 6.10.x | CLI Reference Guide dump servercert | 43

 [appadmin]# exit

Command History

Version Modification

Policy Manager 6.10 Command Introduced

help
help

Description
Use the help command to display the list of supported Policy Manager commands:

Example
The following example displays the list of supported commands:

[appadmin]# help
ad Domain Controller set of commands
alias Create aliases
backup Backup Policy Manager data
cluster Policy Manager cluster related commands
configure Configure the system parameters
dump Dump Policy Manager information
exit Exit the shell
help Display the list of supported commands
krb Kerberos authentication commands
ldapsearch Search entries in the LDAP repository
network Network troubleshooting commands
quit Exit the shell
restore Restore Policy Manager database
service Control Policy Manager services
show Show configuration details
ssh SSH Lockout related commands
system System commands

Command History

Version Modification

Policy Manager 6.10 Command Introduced

krb auth
krb auth <user@domain>

44 | help ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Description
Use the krb auth command to perform a Kerberos authentication against a Kerberos server (such as
Microsoft Active Directory).

Parameter Description

<user@domain> Specify the user name and domain in the format

username@domain.

Example
The following example performs a kerberos authentication against a kerberos server:

[appadmin]# krb auth mike@example.com

Command History

Version Modification

Policy Manager 6.10 Command Introduced

krb list
krb list

Description
Use the krb list command to list the cached Kerberos tickets.

Example
The following example lists the cached Kerberos tickets:

[appadmin]# krb list

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: laura@EXAMPLE.EDU

Valid starting Expires Service principal

11/06/20 09:07:51 11/06/20 19:07:59 krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
renew until 11/07/20 09:07:51

Command History

Version Modification

Policy Manager 6.10 Command Introduced

ClearPass Policy Manager 6.10.x | CLI Reference Guide krb list | 45

 ldapsearch
ldapsearch -B <user@hostname>

Description
Use the Linux ldapsearch command to find objects in an LDAP directory. Note that only the Policy Manager-
specific command line arguments are listed. For other command line arguments, refer to ldapsearch man
pages on the Internet.

Parameter Description

-B Find the bind DN (Distinguished Name) of the LDAP directory.

<user@hostname> Specify the user name and fully qualified domain name of the host in
the format username@domain.

Description
The following example finds objects in an LDAP directory:

[appadmin]# ldapsearch -B admin@example.com

*********************************************************
This command provides limited functionality. For *
unsupported query options or complex query executions *
use administration UI. *
*********************************************************
ldap_initialize( ldap://example.com )
Enter LDAP Password: ******
filter: (&(cn=Administrator)(objectclass=*))
requesting: dn
extended LDIF
#
LDAPv3
base <dc=example,dc=com> with scope subtree
filter: (&(cn=Administrator)(objectclass=*))
requesting: dn
#
Administrator, Users, soltest.com
dn: CN=Administrator,CN=Users,DC=example,DC=com
ufn: Administrator, Users, example.com
search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
search reference
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
search reference
ref: ldap://example.com/CN=Configuration,DC=example,DC=com
search result
search: 2
result: 0 Success
numResponses: 5
numEntries: 1
numReferences: 3

46 | ldapsearch ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Command History

Version Modification

Policy Manager 6.10 Command Introduced

quit
quit

Description
Use the quit command to exit the Policy Manager command shell.

Example
The following command quits the shell:

[appadmin]# quit

Command History

Version Modification

Policy Manager 6.10 Command Introduced

restore
restore [{<user@hostname>:/}|{http://<hostname>/}]<backup-filename> [-l] [-i] [-b] [-c] [-r]
[-n|-N] [-s]

Description
Use the restore command to restore Policy Manager configuration data from the backup file.

Parameter Description

<user@hostname>:/ Specify a user and a hostname to be used with the <backup-filename> parameter to
specify the filepath of the restore source.

<hostname> Specify hostname to be used with the <backup-filename> parameter to specify the
filepath of the restore source.

<backup-filename> Name of the backup file to be restored.

-b Do not backup the current configuration data before the restore operation starts.

ClearPass Policy Manager 6.10.x | CLI Reference Guide quit | 47

 Parameter Description

-c Restore Policy Manager configuration data.

-l If it exists in the backup file, restore the Policy Manager log database. This field is
optional.

-i Ignores version mismatch errors and attempts data migration. This field is optional.

-n Retain local node configuration data, such as certificates, after the restore operation
(default).

-N Do not retain local node configuration data after the restore operation.

-r Restore Insight data if it exists in the backup.

-s Restore cluster server/node entries from the backup file. Node entries are in a
disabled state upon restore. This field is optional.

Example
The following example restores Policy Manager configuration data from the backup file:

[appadmin]# restore user@hostname:/tmp/cppm1-backup.tgz -l -i -c -s

Command History

Version Modification

Policy Manager 6.10 Command Introduced

ssh lockout
ssh lockout
count <n>
duration <N mins>
mode <basic|advanced>
reset

Description
Configure the SSH timed lockout feature. This feature provides an administrator with the ability to configure
the number of successive unsuccessful authentication attempts for administrators attempting to authenticate
remotely. The SSH timed account lockout feature configuration persists across reboots, updates and upgrades.
The account lock status persists across reboots.
When the defined number of unsuccessful authentication attempts has been met, the CLI account is locked
and administrators cannot log in to the system via the CLI until one of the following conditions are met:
n The offending remote administrator cannot successfully authenticate until an action is taken by a local
administrator (the administrator issues the ssh unlock command).

48 | ssh lockout ClearPass Policy Manager 6.10.x | CLI Reference Guide

 n The offending remote administrator cannot successfully authenticate until a time period defined by the
administrator has elapsed.
This feature is node-specific. In a cluster with multiple nodes, SSH timed account lockout must be configured
on each node in the cluster.

The cluster reset-database command does not impact this feature.

The SSH timed account lockout feature is disabled by default.

SSH Account Lockout Behavior

The SSH account lockout feature is disabled by default. To enable SSH account lockout, issue the the ssh
lockout count or ssh lockout duration commands to set the configuration options.
l CLI access via SSH (password-based) authentication is locked on three consecutive failed login attempts.
l If the failed password attempt continues (even after the account is locked), the unlock time shifts for the
next five minutes (as in this example) from the current time from the last failed login attempt.
l Successful password-based SSH logins are rejected during the lockout period.
l Console-based logins are allowed during the lockout period.
l SSH logins via public key methods are allowed during the lockout period.

SSH Account Lockout Alerts

Alerts for SSH lockout events are logged in to the Event Viewer when any of the following conditions are
present:
l SSH lockout configurations are performed
l Account is locked
l Account is unlocked
l Failed SSH login attempts

Parameter Description

count The maximum failed SSH password login attempts before the
account attempting the logins is locked out. Supported values are 1-
1000. The default value is 5 attempts.

duration The number of minutes account will remain locked after the account
exceeds the maximum number of SSH login attempts. Supported
values are 1-10080. The default value is 15 minutes.

mode <basic|advanced> mode <basic|advanced> command sets the mode for this feature.
In basic mode, login failures via SSH public key methods are not
counted towards the account lockout, while in advanced mode, login
failures via SSH public key failures are counted towards the account
lockout.

reset Resets SSH lockout settings back to the default values.

ClearPass Policy Manager 6.10.x | CLI Reference Guide ssh lockout | 49

 Example
The following displays an example of the show date command output:

[appadmin]# show date

Wed Feb 27 13:30039 UTC 2018

Related Commands

Command Description

show ssh Show ssh timed lockout settings.

Command History

Version Modification

Policy Manager 6.10.0 Command Introduced

Service Commands
Select any command from the left navigation menu.

service
service <action> <service-name>

Description
Use the service <action> <service-name> command to control the specified Policy Manager service.

Table 5: Service Action Command Parameters

Service Parameter Description

<action> Specify an action:

n list
n restart
n start
n status
n stop

<service-name> Specify a service:

n airgroup-notify
n cpass-admin-server
n cpass-async-netd
n cpass-carbon-server
n cpass-dbcn-server
n cpass-dbwrite-server
n cpass-domain-server_<NetBIOS_name>

50 | service ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Service Parameter Description

n cpass-igssyslog-server
n cpass-igslogger-server
n cpass-igslogrepo-server
n cpass-ipsec-service
n cpass-zone-cache-server
n cpass-policy-server
n cpass-radius-server
n cpass-radsec
n cpass-repl-server
n cpass-statsd-server
n cpass-sysmon-server
n cpass-system-auxiliary-server
n cpass-tacacs-server
n cpass-vip
n fias_server

Example
The following example lists all Policy Manager services:

[appadmin#] service list

Policy server [ cpass-policy-server ]
TACACS server [ cpass-tacacs-server ]
Radius server [ cpass-radius-server ]
Async DB write service [ cpass-dbwrite-server ]
DB replication service [ cpass-replication ]
DB change notification server [ cpass-dbcn-server ]
System monitor service [ cpass-sysmon-server ]
System auxiliary service [ cpass-system-auxiliary-server ]
Admin server [ cpass-admin-server ]
Async netd service [ cpass-async-netd ]
Zone cache [ cpass-zone-cache-server ]
Domain Server [ cpass-domain-server@CPATSAD2012 ]
Domain Server [ cpass-domain-server@CPATSAD2016 ]
Stats collection service [ cpass-statsd-server ]
Stats aggregation service [ cpass-carbon-server ]
Ingress logger service [ cpass-igslogger-server ]
Ingress logrepo service [ cpass-igslogrepo-server ]
RadSec Service [ cpass-radsec ]
AirGroup notification service [ airgroup-workqueue ]
ClearPass Guest background service [ cpg-background ]
ClearPass Guest cache [ cpg-redis-cache ]
Extensions service [ cpass-extensions ]
Micros Fidelio FIAS [ fias-server ]
ClearPass Virtual IP service [ cpass-vip ]
ClearPass IPsec service [ cpass-ipsec ]

Command History

Version Modification

Policy Manager 6.10 Command Introduced

ClearPass Policy Manager 6.10.x | CLI Reference Guide service | 51

 Show Commands
Select any command from the left navigation menu.

show all-timezones
show all-timezones

Description
View all available time zones.

Example
The following displays an example of the show all-timezones command output.

[appadmin]# show all-timezones

Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
Africa/Algiers
Africa/Asmara
Africa/Asmera
Africa/Bamako
Africa/Bangui
[More]

Related Commands

Command Description

configure timezone Interactively configure the time zone.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

show date
show date

Description
View the system date, time, and time zone information.

52 | show all-timezones ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Example
The following displays an example of the show date command output:

[appadmin]# show date

Wed Feb 27 13:30039 UTC 2018

Command History

Version Modification

Policy Manager 6.10 Command Introduced

show domain
Use the show domain command to view the Active Directory Domain controller information.

The show domain command is operational only when the current Policy Manager server is joined to an Active
Directory domain.

Description
show domain

Example
The following displays an example of the show domain command output:

[appadmin]# show domain

=======================================================
Domain Information
-------------------------------------------------------
Domain Name : COLLEGE152.COM
Domain NETBIOS Name : COLLEGE152
Domain Server IP Address : 10.xx.110

Domain Server Name : balsam.college152.com

Domain Status : online
-------------------------------------------------------
=======================================================

Command History

Version Modification

Policy Manager 6.10 Command Introduced

ClearPass Policy Manager 6.10.x | CLI Reference Guide show domain | 53

 show dns
Use the show dns command to view DNS (Domain Name System) servers.

Description
show dns

Example
The following example of show dns command output displays the DNS servers configured for the current
Policy Manager server:

[appadmin]# show dns

===========================================
DNS Information
-------------------------------------------
Primary DNS : 192.0.2.16
Secondary DNS : <not configured>

Tertiary DNS : <not configured>

===========================================

Command History

Version Modification

Policy Manager 6.10 Command Introduced

show fipsmode
show fipsmode

Description

Determine whether FIPS (Federal Information Processing Standard) mode is enabled or disabled.

Example
The following example shows that FIPS mode is enabled:

[appadmin]# show fipsmode

FIPS Mode: Enabled

54 | show dns ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Command History

Version Modification

Policy Manager 6.10 Command Introduced

show hostname
show hostname

Description
View the hostname of the current Policy Manager server.

Example
The following displays an example of the show hostname command:

[appadmin]# show hostname

cppm_135

Command History

Version Modification

Policy Manager 6.10 Command Introduced

show ip
show ip

Description
View the IPv4, IPv6, and DNS information of the host.

Example
The following example of the show ip command displays the IPv4, IPv6, and DNS information of the host:

[appadmin]# show ip
===========================================
Device Type : Management Port
-------------------------------------------
IPv4 Address : 192.0.2.15
Subnet Mask : 255.255.255.0
Gateway : 192.0.2.1
IPv6 Address : 2001:db8:1:2:020c:29ff:fe0c:4703

ClearPass Policy Manager 6.10.x | CLI Reference Guide show hostname | 55

 Subnet Mask : ffff:ffff:ffff:ffff:0000:0000:0000:0000
Gateway : 2001:db8:1:2:020c:29ff:fe0c:0001
Hardware Address : 00:0C:39:10:27:20
MTU : 1499
===========================================
Device Type : Data Port
-------------------------------------------
IPv4 Address : <not configured>
Subnet Mask : <not configured>
Gateway : <not configured>
IPv6 Address : 2001:db8:1:2:020c:29ff:fe0c:4704
Subnet Mask : ffff:ffff:ffff:ffff:0000:0000:0000:0000
Gateway : 2001:db8:1:2:020c:29ff:fe0c:0001
Hardware Address : 01:0C:29:70:22:4A
MTU : 1498
===========================================
DNS Information
-------------------------------------------
Primary DNS : 192.0.2.30
Secondary DNS : 192.0.2.50
Tertiary DNS : 192.0.2.200

===========================================

Command History

Version Modification

Policy Manager 6.10 Command Introduced

show license
show license

Description
View the Policy Manager license information.

Example
The following displays an example of the show license command output.

[appadmin]# show license

show license
-------------------------------------------------------
Application : Entry
License key : -----BEGIN ENTRY LICENSE KEY-----
XXXXfKksJGYkjpMvgjNLmrcdb/dZHa+yfW7b2pxSh9MUKPZyMy6VxFhH7ARboTm4vsx226DqfdEAmuh
PMoCX1OTi4dTskbN2v0AAAD//w==
-----END ENTRY LICENSE KEY-----
License key type : Permanent

56 | show license ClearPass Policy Manager 6.10.x | CLI Reference Guide

 License added on : 2021-04-06 10:45:06
Validity : <not applicable>
Issued for : 25 users
Customer id : 6FTK5UTJ
Licensed features : <not applicable>
-------------------------------------------------------
Application : AccessUpgrade
License key : -----BEGIN ACCESSUPGRADE LICENSE KEY-----
XXXXH4sIAAAAAAACAwAAAv/9cZ6NB2Mk1kIonwbXukdAcC/khM3mKovp2lgjOYyLdq/M4I5VGtvp9tRj
8QoEI6/6PODrSElBwvAAAAD//w==
-----END ACCESSUPGRADE LICENSE KEY-----
License key type : Permanent
License added on : 2021-04-26 13:37:25
Validity : <not applicable>
Issued for : 25 users
Customer id : D7GLYVBD
Licensed features : <not applicable>
-------------------------------------------------------
Application : Access
License key : -----BEGIN ACCESS LICENSE KEY-----
XXXXH4sIAAAAAAACAwAAAv/9GqXsQreo8/O4+Iex+Vb+xRBXqnhD0LxeMH2JfGJ7/2BDREvw6G0du//d
-----END ACCESS LICENSE KEY-----
License key type : Permanent
License added on : 2021-04-06 10:45:11
Validity : <not applicable>
Issued for : 25 users
Customer id : 6FTK5UTJ
Licensed features : <not applicable>
-------------------------------------------------------
Application : ClearPassPlatform
License key : -----BEGIN CLEARPASS PLATFORM LICENSE KEY-----
XXXXH4sIAAAAAAACAwAAAv/9JFRruUEgSUeqO8GWmFwIvxNMYSLo0oSdfnkNKVQpvAg93QJCxBV64GR6
rtbIACCaLpSb+T6X+hwAAAD//w==
-----END CLEARPASS PLATFORM LICENSE KEY-----
License key type : Permanent
License added on : 2021-04-06 10:45:02
Validity : <not applicable>
Customer id : 6FTK5UTJ
Licensed features : <not applicable>
=======================================================

Command History

Version Modification

Policy Manager 6.10 Command Introduced

show ntp
show ntp

Description
View the IP addresses of the primary and secondary Network Time Protocol (NTP) servers configured for the
current Policy Manager server. The show ntp command also displays information such as the NTP

ClearPass Policy Manager 6.10.x | CLI Reference Guide show ntp | 57

 authentication key details corresponding to the NTP server configured (for example, Key ID and hash
algorithm).

Example
The following displays an example of the show ntp command output:

[appadmin]# show ntp

===========================================
NTP Server Information
-------------------------------------------
Primary NTP : 192.0.2.1
Key ID: 24
Algorithm: SHA1

Secondary NTP : 192.0.2.2

Key ID: 48
Algorithm: SHA1
===========================================

Command History

Version Modification

Policy Manager 6.10 Command Introduced

show sysinfo
show sysinfo

Description
View the node uptime, disk utilization, and memory utilization information.

Example
The following displays an example of the show sysinfo command output.

[appadmin]# show sysinfo

System Uptime : 1 day, 23:29:15.510000
===========================================
Disk Utilization
-------------------------------------------
Total : 115.48 GB
Free : 5.42 GB (6%)
===========================================
Memory Utilization
-------------------------------------------
Total : 4.00 GB
Free : 1.36 GB (36%)
===========================================

58 | show sysinfo ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Command History

Version Modification

Policy Manager 6.10 Command Introduced

show ssh
show ssh

Description
View SSH timed lockout settings.

Example
The following displays an example of the show ssh command output for non-default SSH lockout settings.

[appadmin]# show show ssh

=======================================================
SSH lockout details
-------------------------------------------------------
SSH lockout count : 6 attempts
SSH lockout duration : 900 secs
SSH lockout mode : basic
-------------------------------------------------------
SSH sessions
-------------------------------------------------------
Client IP Address = 192.0.2.15 : Session Count = 1
=======================================================

If the SSH lockout feature is not configured and is currently using all default values, the ssh lockout details
section of the output will show only <not-configured>.

[appadmin]# show show ssh

=======================================================
SSH lockout details
-------------------------------------------------------
SSH lockout options : <not-configured>
-------------------------------------------------------
SSH sessions
-------------------------------------------------------
Client IP Address = 192.0.2.15 : Session Count = 1
=======================================================

ClearPass Policy Manager 6.10.x | CLI Reference Guide show ssh | 59

 Related Commands

Command Description

ssh lockout Configure the number of successive unsuccessful

authentication attempts for administrators attempting to
authenticate remotely

Command History

Version Modification

Policy Manager 6.10 Command Introduced

show timezone
show timezone

Description
Use the show timezone command to view the current system time zone.

Example
The following displays an example of the show timezone command output:

[appadmin]# show timezone

Timezone is set to 'Asia/Kolkata'

Related Commands

Command Description

configure timezone Interactively configure the time zone.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

show version
show version

60 | show timezone ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Description
Use the show version command to view the Policy Manager software version and the hardware model.

Example
The following displays an example of the show version command output:

[appadmin]# show version

=======================================
Policy Manager software version : 6.10.0.180009
Policy Manager model number : C1000V
=======================================

Command History

Version Modification

Policy Manager 6.10 Command Introduced

System Commands
Select any command from the left navigation menu.

system admin-password-reset
system admin-password-reset

Description
Resets the admin password for the Policy Manager WebUI back to the default setting of eTIPS123.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system apps-access-reset
system apps-access-reset

ClearPass Policy Manager 6.10.x | CLI Reference Guide system admin-password-reset | 61

 Description
Reset the access control restrictions for Policy Manager.

Example
The following example resets the access control restrictions for Policy Manager:

[appadmin]# system apps-access-reset

Policy Manager application access is restored

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system boot-image
system boot-image {-l}|{-a <version>}

Description
Use the system boot-image command to set system boot image control options.

Parameter Description

-l List the boot images installed on the system.

-a <version> Set the active boot image version.

Example
The following example lists the system boot images. The index number for each entry is displayed in front of
the image version.

[appadmin]# system boot-image -l

0) Aruba ClearPass Platform 6.10.0.181036
1) Aruba ClearPass Platform 6.10.1.181039 [Active]

The following example sets the active boot image to the image in index 0

[appadmin]# system boot-image -a 0

Boot-image with index 0 is set to active
Restart the system to boot from the updated image

62 | system boot-image ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Command History

Version Modification

Policy Manager 6.10 Command Introduced

system cleanup
system cleanup <num_days>

Description
Use the system cleanup command to perform a system cleanup operation that purges the following records:
n System and application log files
n Past authentication records
n Audit records
n Expired guest accounts
n Past auto and manual backups
n Stored reports

Parameter Description

<num_days> This is the cleanup interval that specifies the number of days to
retain the data. This field is mandatory.

Example
The following example performs a system cleanup operation that retains records for four days:

[appadmin]# system cleanup 4

********************************************************
* *
* WARNING: This command will perform system cleanup *
* operation that will result in purging of: *
* [*] system and application log files *
* [*] past authentication records *
* [*] audit records *
* [*] expired guest accounts *
* [*] past auto and manual backups *
* [*] endpoints *
* [*] stored reports etc... *
* *
********************************************************
Are you sure you want to continue? [y|n]: y
INFO - Starting system cleanup
INFO - Purging diagnostic dumps
INFO - Detected empty core directory
INFO - Performing system cleanup tasks
INFO - Purging platform logs
INFO - Purging application logs

ClearPass Policy Manager 6.10.x | CLI Reference Guide system cleanup | 63

 INFO - Performing database cleanup tasks
INFO - Completed system cleanup

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system create-api-client
system create-api-client <Client_ID> <Client_Secret>

Description
Create a new API client.

Parameter Description

<Client_ID> A unique string used to identify the client.

<Client_Secret> A string used as the client password.

Example
The following example creates an API client by specifying the client ID and client secret.

[appadmin]#system create-api-client Win.139 college52

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system export-endpoints-csv
system export-endpoints-csv

Description
use this command to export endpoints and endpoint profile details to a zip file that can be downloaded from
Admin UI - Backup files under Administration > Server Manager > Local Shared Folders. When using
an XML file to export or import a very large number of endpoints, performance is sometimes degraded.
When using an XML file to export a very large number of endpoints (> 250 K), performance is sometimes
degraded or the user interface hangs and out-of-memory error messages are logged. Although exporting CSV

64 | system create-api-client ClearPass Policy Manager 6.10.x | CLI Reference Guide

 files through the CLI is still supported, users should be aware that importing ZIP files that contain CSV files of
endpoints and endpoint profiles is not currently allowed through either the CLI or the user interface (UI).

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system factory-reset
system factory-reset

Description
The system factory-reset command restores a Policy Manager hardware appliance to factory defaults. This
command is available only to the appadmin user on a physical appliance. It is not available on a virtual
machine.

The system factory-reset command is inherently a destructive one as it wipes out data, including any licenses on
the current partition and any backups currently stored on the server. Hence, the user should create data backups
outside of the target Policy Manager server before running this command. This command is not available on Policy
Manager installations hosted on a cloud services platform such as Amazon Web Services (AWS) or Azure.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system gen-recovery-key
system gen-recovery-key

Description
Support engineers use this password to generate the recovery key for the Policy Manager server.

Example
The following example generates the recovery key for the system:

[appadmin]# system gen-recovery-key

*********************************************************
This command is intended for support engineers only *
*********************************************************
Username: support@hpe.com
Token is c2ab-97a8-bf3f-49f6
Use the above token and Generate password from support server

ClearPass Policy Manager 6.10.x | CLI Reference Guide system factory-reset | 65

 Password: ***********
Password is valid.
Use the Password to login as user 'arubasupport'

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system gen-support-key
system gen-support-key

Description
The system gen-support-key command uses the Support Engineer's email ID to generate a token that the
Support Engineer can use to generate a password that allows privileged access to the Policy Manager server.

Example
The following example generates the support key for the system:

[appadmin]# system gen-support-key

*********************************************************
This command is intended for support engineers only *
*********************************************************
Username: support@hpe.com
Token is c2ab-97a8-bf3f-49f6
Use the above token and Generate password from support server
Password: ***********
Password is valid.
Use the Password to login as user 'arubasupport'

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system install-image
system install-image
{http|https}://<hostname>/<filename>
<user@hostname>:/<filename>
<filename>

66 | system gen-support-key ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Description
The system install-image command installs a fresh image of the major product version specified in the
second partition of a Policy Manager hardware appliance.
This command is available only for the appadmin user on a physical appliance. It is not available on a virtual
appliance.

This command is not available on Policy Manager installations hosted on a cloud services platform such as Amazon
Web Services (AWS) or Azure.

After successful execution of the system install-image command, the system will reboot and you will return
to the installed image. After successful configuration and reboot, you will be presented with the bootstrap
configuration screen, where you will have to reset all the ClearPass parameters.

Any data present in the second partition prior to the execution of the system install-image command will be wiped
out. Also, no licensing information from where the command is executed is carried forward.

You can apply the system install-image command in the following ways:

Parameter Description

{http|https}://<hostname>/<filename> Install the specified Policy Manager image through HTTP or HTTPS.

< user@hostname>:/<filename> Specify the username and hostname to install the selected file
through SCP (Secure Copy Protocol).

<filename> Install the specified image imported to the Policy Manager server
and available locally (offline install-image).

Example
[appadmin]# system install-image http://cppm.example.com/downloads/6.8.0/CPPM-x86_64-
6.8.0.109568-upgrade.signed.tar

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system morph-vm
system morph-vm C1000V|C2000V|C3000V

ClearPass Policy Manager 6.10.x | CLI Reference Guide system morph-vm | 67

 Description
Use the system morph-vm command to convert an evaluation virtual appliance (also called a virtual machine,
or VM) to a production virtual appliance. With this command, licenses are still required to be installed after the
morph operation is completed.

When you use the system morph-vm CLI command in Policy Manager 6.7 or later to morph a virtual
appliance (VA) to a larger size, all the licenses are deleted. This issue does not affect configuration data.
After the upgrade, contact Aruba's Technical Assistance Center (TAC) to have the licenses activated
again.

Parameter Description

<vm-version> Select a virtual appliances type. The following options are available:
n C1000V
n C2000V
n C3000V

To convert an evaluation virtual appliance to a production virtual appliance:

1. Determine the type of the appliance to which you want to morph your evaluation virtual appliance .
2. Procure the license for the target virtual appliance.
3. Shut down the virtual appliance.
4. Determine the required capacity of an additional hard disk and attach it to the target virtual appliance.
5. Adjust the CPU and Memory settings for the evaluation virtual appliance to match the target virtual
appliance.
6. Boot the virtual appliance.
7. Execute the system morph-vm command. The configuration data from the evaluation virtual appliance
will migrate to the newly-attached disk. The node will reboot as a virtual appliance of the selected appliance
model.
8. Log in to the user interface and enter the permanent license. The evaluation virtual appliance is now a
production virtual appliance.

Example
The following example converts an evaluation virtual appliance to a production C3000V virtual appliance:

[appadmin]# system morph-vm C3000V

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system patch-rollback
system patch-rollback

68 | system patch-rollback ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Description
The system patch-rollback command allows a user with appadmin credentials to revert to the most recent
installed version of Policy Manager. For example, if a Policy Manager system is at 6.9.6 and cumulative update
6.9.x is applied, Policy Manager can be reverted to 6.9.6 through the system patch-rollback command.
This command can also be used if there is a problem that occurs after the patch update process—for example,
if an issue is identified in production that was not identified during testing, resulting in a degradation of
capabilities.

Before using this command to revert command to revert from 6.10.x to 6.10.0, you must first download the 6.10.0_
source-rollback-package from the Software Updates page and install it .

When issuing the system patch-rollback command, keep in mind the following points:
n Patch-rollback is supported only for Policy Manager versions 6.7 and above.
n The system patch-rollback command reverts only the most recently installed cumulative patch update
within the major version. After the cumulative patch is reverted, the user will be in the patch version that
was installed prior to the patch update.

The system patch-rollback command cannot be used after an upgrade to revert to an earlier major version.

n Although you can only roll back to the last version that was installed, if multiple hotfix patches are included
within the cumulative patch version you are rolling back from, then you can roll back multiple hotfix
patches, one at a time, to a specific hotfix within the current version. To roll back to the previously installed
version, you must first roll back each intervening hotfix patch.
n As best practice, users should always back up all data before proceeding with an update.
n This command can also be used at the cluster level. In this case, system patch-rollback must be run
individually on each appliance in the cluster within 24 hours after the rollback in order to maintain the
cluster status. For patch rollback across a cluster, the appadmin user must go to each Policy Manager server
in the cluster to rollback the last applied patch.
n Any custom skins that are installed in the current version are retained after the rollback to the earlier
version.
n System rollback events are logged in the Event Viewer.

Example
[appadmin]# system patch-rollback
****************************************************************************************

* WARNING: This command is recommended to be executed from local console unless otherwise
instructed by TAC * Execution through SSH console may result in system instability.*
* WARNING: This command will undo software changes done by the currently installed patch.
Configuration
*changes should not be affected by this action.
* As a best practice, please be sure to back-up this system before starting the operation.
*
* Are you sure you want to continue? y
******************************************************************************************
INFO: Preparing for rollback
INFO: 2018022-clearpass-6.8-updates-2 will be rolled back
INFO: This will take a few minutes to complete. Please wait.

ClearPass Policy Manager 6.10.x | CLI Reference Guide system patch-rollback | 69

 INFO: Running pre-rollback scripts
INFO: Executing rollback
INFO: Running post-rollback scripts
INFO: Please reboot now for the changes to take effect.
******************************************************************************************

For example, if Policy Manager has been installed in the order 6.x.0 > 6.x.1 > 6.x.2, when the appadmin user
executes the system patch-rollback command, the system would revert to a time just before Policy Manager
6.x.2 was installed.
If, in this example, the installed 6.x.2 patch added an rpm-X, system patch-rollback deletes rpm-Y, and
updates rpm-Z to rpm-Z+1 version. Then system patch-rollback deletes rpm-X, adds rpm-Y, and restores
rpm-Z.
Also note that if, for example, a system was at 6.x.0 and cumulative update 6.x.3 is applied, the system can
only be reverted to 6.x.0 because that was the last installed version. It cannot be reverted to 6.x.2.

For more information, refer to the "After You Update: Performing a Patch Rollback" section in the most recent
version of the ClearPass Release Notes.

The system patch-rollback command also removes any configuration and database changes that were done as
part of post-installation during the patch update.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system refresh-license
system refresh-license

Description
Refresh the license count information.

Example
The following example refreshes the license count information.

[appadmin]# system refresh-license

INFO: Refreshing license count information
INFO: Successfully refreshed license count information

70 | system refresh-license ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Command History

Version Modification

Policy Manager 6.10 Command Introduced

system refresh-network
system refresh-network

Description
Refresh the newly added or removed network adapters in Policy Manager so that they are reflected in the
system. This command also enforces network adapter ordering and associates the lower-order MAC address to
eth0 and the next higher-order MAC address to eth1, and so on. Ensure that you have the console session
available.
The system refresh-network command is useful when you bring up a virtual appliance without one or more
of the network interface cards (NICs) and you then add them at a later stage. This command is required when
you delete NICs and add them back into the system (VMware ESXi may generate new MAC addresses as a
result).
For the network refresh to take effect, you must reboot the Policy Manager server.

Using this command may result in loss of network connectivity.

Example
[appadmin]# system refresh-network
********************************************************
*
WARNING: The command will refresh the network *
adapters which may result in loss of network *
connectivity. *
*
********************************************************
Are you sure you want to continue? [y|Y]: y
INFO: Associating "2001:DB8:441:1020::3" with eth0
INFO: Associating "2001:DB8:441:1022::4" with eth1
INFO: Command execution completed successfully.
INFO: Reboot the system to reflect the changes.
WARNING: System may lose network connectivity after the reboot.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

ClearPass Policy Manager 6.10.x | CLI Reference Guide system refresh-network | 71

 system restart
system restart

Description
Restart the Policy Manager system.

Executing this command shuts down all running applications and reboots the system.

Example
The following example restarts the system with a confirmation before proceeding:

[appadmin]# system restart

system restart
*********************************************************

* WARNING: This command will shut down all applications *

* and reboot the system *
********************************************************
Are you sure you want to continue? [y|Y]: y

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system reset-server-certificate
system reset-server-certificate

Description
Reset the HTTPS(RSA), HTTPS(ECC), RADIUS/EAP or Database Server Certificates, or all of them.
After executing the command, the Policy Manager services are restarted to reflect the changes.

Example
The following example resets resets the HTTPS, RADIUS/EAP and Database Server Certificates.:

[appadmin]# system reset-server-certificate

******************************************************************
* *
* WARNING: When the command is completed Policy Manager services *
* are restarted to reflect the changes. *

72 | system restart ClearPass Policy Manager 6.10.x | CLI Reference Guide

 * *
******************************************************************
Continue? [y|n]: y
0: Reset HTTPS, RADIUS and Database Server Certificates
1: Reset RADIUS Server Certificate
2: Reset HTTPS (ECC) Server Certificate
3: Reset Database Server Certificate
4: Reset HTTPS (RSA) Server Certificate
5: Quit
0
Updating server certificate(s)...
Update of server certificate(s) complete
INFO - Stopping Policy Manager services...

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system shutdown
system shutdown

Description
Shut down the current Policy Manager server.

Executing this command shuts down all running applications and powers off the system.

Example
The following example shuts down the system with a confirmation before proceeding:

[appadmin]# system shutdown

********************************************************
* WARNING: This command will shut down all applications *

* and power off the system *

********************************************************
Are you sure you want to continue? [y|N]: y

Command History

Version Modification

Policy Manager 6.10 Command Introduced

ClearPass Policy Manager 6.10.x | CLI Reference Guide system shutdown | 73

 system start-rasession
system start-rasession <duration_hours 0-12> <duration_mins 0-59> <contact_id> <cppm_
server_ip>

Description
Start a Remote Assistance (RA) session.

Parameter Description

<duration_hours 0-12> Specify the session duration in hours.

You can specify values from 0 to 12.

<duration_mins 0-59> Specify the session duration in minutes.

You can specify values from 0 to 59.

<contact_id> Enter the username ID of the Aruba TAC or Engineering contact.

<cppm_server_ip> Specify the Policy Manager server IP address.

Example
The following example starts a 30-minute remote session on a Policy Manager server with the IP address
198.0.2.14.

[appadmin]# system start-rasession 0 30 tacperson 198.0.2.14

Successfully scheduled a RemoteAssist session with id[3001], Please use this id to check
status and terminate the session.

Related Commands

Command Description

system status-rasession Check the status of a Remote Assistance (RA) session.

system terminate-rasession Terminate a a Remote Assistance (RA) session.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system sso-reset
system sso-reset

74 | system start-rasession ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Description
Reset the Policy Manager Single Sign-On (SSO) configuration.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system status-rasession
system status-rasession <session_id>

Description
Check the status of a Remote Assistance (RA) session.

Parameter Description

<session_id> The Remote Session ID. This session ID is generated in the output of
the command system start-rasession.

Example
The following example displays the status of an active remote assistance session with the session ID 3001.

[appadmin]# system status-rasession 3001

Session is running.

Related Commands

Command Description

system start-rasession Start a Remote Assistance (RA) session.

system terminate-rasession Terminate a a Remote Assistance (RA) session.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system terminate-rasession
system terminate-rasession <session_id>

ClearPass Policy Manager 6.10.x | CLI Reference Guide system status-rasession | 75

 Description
Terminate a running Remote Assistance session.

Parameter Description

<session_id> The Remote Session ID. This session ID is generated in the output of
the command system start-rasession.

Example
The following example terminates a running Remote Assist session with session ID 3001.

[appadmin]# system terminate-rasession 3001

Related Commands

Command Description

system start-rasession Start a Remote Assistance (RA) session.

system status-rasession Check the status of a Remote Assistance (RA) session.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system update
system update

-i [-f] <user@hostname:/<filename> | http://hostname/<filename>>

-f

-l

Description
The system update command provides options to manage system patch updates.

Parameter Description

-i user@hostname:/<filename>| Installs the specified patch on the system.

http://hostname/<filename> n user@hostname:/<filename>: Install the update from a Linux
server

76 | system update ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Parameter Description

n http://hostname/<filename>: Install the update from a Web

server.

-f Reinstalls the patch in the event of a problem with the initial

installation attempt.

-l Lists the patches installed on the system.

This command supports Secure Copy (SCP), HTTPS, HTTP, and local uploads.

Example
The following example of the system update command installs the selected Policy Manager 6.10 patch.

[appadmin# system update -i http://198.0.2.12/downloads/6.10.0/Upgrade/latest/CPPM-x86_64-

6.10.0.180055-upgrade.signed.tar

The following example of the system update command lists the patches currently installed on the Policy
Manager server:

[appadmin]# system update -l

Update : 20201119-clearpass-6.9-updates-5
Installed Date : Thu Feb 11 18:33:28 2021

Description : ClearPass Policy Manager Cumulative Patch 5 for 6.9.0, 6.9.1, 6.9.2,
6.9.3 and 6.9.4
Packages : tips-,avenda-quick1x,aruba-pgtools,clearpass-guest,cppm-
in,platform-,radsecproxy-,mod_php,php-cli,php-common,php-gd,php-ldap,php-mysql,php-
opcache,php-pdo,php-pgsql,php-process,php-soap,php-xml,php-xmlrpc,updateverify_v4,avenda-
tomcat,mod_jk,oracle-instantclient19.6-basic,oracle-instantclient19.6-
odbc,libsmbclient,samba-client-libs,samba-libs,libwbclient,samba-common,samba-
winbind,samba,samba-common-libs,samba-winbind-clients,samba-client,samba-common-
tools,samba-winbind-modules,dnsmasq,PhantomJS,openssl-perl-aruba-w,openssl-aruba-
w,openssl-libs-aruba-w,pycparser,zulu8.48.0.51-ca-jdk8.0.262
Affects : tips-ntp,platform-system-setup,tips-async-netd,tips-system-monitor

Update : 6.9.0_source-rollback-package
Installed Date : Thu Feb 11 21:50:58 2021

Description : Optional ClearPass 6.9.x package required to rollback to 6.9.0 version

Packages : clearpass
Affects :

Update : 20210204-snmp-cdp-fix
Installed Date : Sat Feb 13 08:37:43 2021

Description : This hotfix provides the enhancements to network discovery profiling to

fetch MAC address from CDP.
Packages : tips-network-services
Affects : backend-tomcat

Update : 20210204-clearpass-6.9-updates-6
Installed Date : Sat Feb 13 08:49:33 2021

ClearPass Policy Manager 6.10.x | CLI Reference Guide system update | 77

 Description : ClearPass Policy Manager Cumulative Patch 6 for 6.9.0, 6.9.1, 6.9.2,
6.9.3, 6.9.4 and 6.9.5
Packages : tips-,avenda-quick1x,aruba-pgtools,clearpass-guest,cppm-
in,platform-,radsecproxy-,mod_php,php-cli,php-common,php-gd,php-ldap,php-mysql,php-
opcache,php-pdo,php-pgsql,php-process,php-soap,php-xml,php-xmlrpc,updateverify_v4,avenda-
tomcat,mod_jk,oracle-instantclient19.6-basic,oracle-instantclient19.6-
odbc,libsmbclient,samba-client-libs,samba-libs,libwbclient,samba-common,samba-
winbind,samba,samba-common-libs,samba-winbind-clients,samba-client,samba-common-
tools,samba-winbind-modules,dnsmasq,PhantomJS,openssl-perl-aruba-x,openssl-aruba-
x,openssl-libs-aruba-x,pycparser,redis,zulu8.48.0.51-ca-jdk8.0.262,httpd,httpd-tools,mod_
ssl
Affects : tips-ntp,platform-system-setup,tips-async-netd,tips-system-monitor

4 installed updates.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system update-luks-key
system update-luks-key

Description
This command allows an administrator to specify the passphrase (key) for LUKS encryption. The LUKS
passphrase has a minimum length of eight characters. When this command is used, the new passphrase
replaces the default LUKS key in ClearPass. Each time Policy Manager is rebooted or a new session is initiated,
the administrator will be prompted to enter the specified LUKS passphrase before access is granted. As part of
this feature, users should be aware that:
If the LUKS passphrase is long, and depending on the size of the console window, the administrator might be
prompted to enter the passphrase on the next line. In this case, the administrator only needs to enter the
remainder of the characters in the next line and does not need to enter the entire passphrase again.
If the system update-luks-key command has been used to specify a LUKS key, then when the Cluster Update
page is used to update to a 6.10.x version, the key must be manually entered in the publisher and in each
subscriber after the reboot stage before the cluster update can proceed.

After a LUKS key has been specified, if the administrator forgets the LUKS key and a reboot of ClearPass Policy
Manager is initiated, the system cannot be recovered. System administrators must be extremely careful to not forget
this key after it is created.

Example
the following example updates the existing LUKS passphrase.

[appadmin@test]# system update-luks-key

WARN: VM will be encrypted with new passphrase.
Once initiated you cannot revert.Upon reboot, enter new LUKS passphrase on the prompt.

78 | system update-luks-key ClearPass Policy Manager 6.10.x | CLI Reference Guide

 Press 'y' or 'Y' to proceed: y
Enter LUKS passphrase to be changed (Press Enter if None): *********
Enter new LUKS passphrase: ********
Re-enter new LUKS passphrase: ********
Updating LUKS passphrase...
Upon reboot, enter new LUKS passphrase on the prompt.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

system upgrade
system upgrade
user@hostname:/<filepath>
http://hostname/<filepath>
<filepath>
-W
-l
-L

Description
The system upgrade command upgrades the Policy Manager system. This command provides you with the
following system upgrade options:

Parameter Description

<user@hostname>:/<filepath> Specify a user name, host name and file path to upgrade to the
specified file on a Linux server

http://<hostname>/<filepath> Specify a host name and file path to upgrade to the specified file on
a Web server

<filepath> Specify the path of a local file to perform an offline upgrade.

-w Restores last (one) week of access tracker records after the

upgrade.

-l Restores all access tracker records from this version.

-L Does not backup or restore access tracker records from this

version.

This command supports Secure Copy (SCP), HTTPS, HTTP, and local uploads.

If none of these system upgrade command options are specified, Access Tracker records are backed up, but they
are not restored by default.

ClearPass Policy Manager 6.10.x | CLI Reference Guide system upgrade | 79

 Examples
Upgrading from a Web Server
To upgrade the Policy Manager image from a Web server:
1. Upload the upgrade image to a Web server.
2. Use the following syntax to upload the upgrade image:

system upgrade http://hostname/<filepath> [-w] [-l] [-L]

For example:

[appadmin]# system upgrade http://192.0.2.15/downloads/master/Upgrade/CPPM-x86_64-

6.9.0.170156-upgrade.signed.tar

Performing an Offline Upgrade

To perform an offline upgrade:
1. Log in to the Aruba Support Center and select the Download Software tab.
2. Navigate to the ClearPass > Policy Manager > Current Release folder > Upgrade folder.
The Upgrade page opens.
3. In the Description/Remarks section, click the link for the appropriate upgrade.
The upgrade file is uploaded to your local system.
4. Navigate to the Policy Manager Software Updates page at Administration > Agents and Software
Updates > Software Updates.
5. In the Firmware & Patch Updates section of the Software Updates page, click the Import Updates
button.
The Import from File dialog opens.
6. Browse to the location of the upgrade file on your system, then click Import.
The selected upgrade file is uploaded to the Policy Manager.
7. Log in to the Policy Manager command line interface (CLI) with the following user name: appadmin.
8. Initiate the upgrade process by entering the following command:

system upgrade <filepath> [-w] [-l] [-L]

For example:

[appadmin]# system upgrade CPPM-upgradeimage.bin

9. After the upgrade process is complete, restart the appliance by issuing the system restart command.The
Policy Manager restarts and boots up to the most recent version of Policy Manager.

Command History

Version Modification

Policy Manager 6.10 Command Introduced

80 | system upgrade ClearPass Policy Manager 6.10.x | CLI Reference Guide