CLI configuration
A CLI configuration is a set of commands that are normally used through the command line interface. The CLI configuration window allows you to create individual sets of commands, name them and then reuse them as needed to control ports, VLANs or host access to the network. When a CLI configuration is applied, the commands contained within it are sent to the selected network device. This modifies the network device’s behavior as long as those commands are in force.
This software currently supports CLI commands for Cisco, D-Link, HP ProCurve, Nortel, Enterasys, Brocade, and Extreme wired and wireless devices. This document assumes that you are familiar with the CLI commands available for your devices and, therefore, does not include individual commands in the instructions.
It is recommended that you test all CLI commands or sets of commands using the console for the switch, router or other device before implementing CLI commands through FortiNAC. FortiNAC does not detect errors in the structure of the command set being applied on the device. CLI commands are applied to the device exactly as they are created.
You can create a set of CLI commands to perform an operation, and a separate set to undo the operation. Undo is triggered when FortiNAC recognizes that the host or device has disconnected from the port. The do and undo command combination is sometimes referred to as Flex-CLI. Note that by using both Set and Undo, the CLI configurations do not become cumulative on the device.
To access the CLI configuration view, go to Network > CLI Configuration.
Settings
Field | Definition |
---|---|
Name | Name used to identify the CLI configuration. |
Description | User specified description for the CLI configuration. |
Last Modified By | User name of the last user to modify the configuration. |
Last Modified Date | Date and time of the last modification to this configuration. |
Right click options | |
Copy | Creates a copy of the selected CLI configuration. |
Delete | Deletes the selected CLI configuration. |
In Use | Provides a list of other features that reference this CLI configuration, such as a role mapping or a Scheduled Task. See Configuration in use. |
Modify | Opens the Modify CLI Configuration window. See Add or modify a configuration. |
Show Audit Log | Opens the admin auditing log showing all changes made to the selected item. For information about the admin auditing log, see Audit Logs. |
Buttons | |
Show CLI | Opens the CLI window and displays all of the commands in the Set and Undo sections of the configuration. See Show configuration. |
There are several CLI Configuration events that can be enabled and mapped to alarms for notification:
Event | Definition |
---|---|
CLI Configuration Failure / CLI Configuration Success | Generated when a user tries to configure a Scheduled task that involves applying a CLI configuration to a group. Indicates whether or not the configuration of the scheduled task was successful. |
Host CLI Task Failure / Host CLI Task Success | Indicates whether or not the CLI commands associated with host/adapter based ACLs have been successful. |
Port CLI Task Failure / Port CLI Task Success | Indicates whether or not the CLI commands associated with port based ACLs have been successful. |
Port CLI Data Substitution Failure / Port CLI Data Substitution Success | Indicates success or failure to substitute the "Port, VLAN, IP, or MAC" data into the CLI. |
Using CLI configurations you can do the following:
- Apply or remove specific CLI configurations to networking devices based on control states, such as registration, authentication, or quarantine. See Apply a port based configuration via model configuration.
- Apply or remove ACL based CLI configurations to hosts connected to the network on a Layer 2 or Layer 3 device. The ACL modified by the CLI configuration controls host access to the network. These configurations can be applied or removed based on control states, such as registration, authentication, or quarantine. See Apply a host based configuration via the model configuration and Requirements for ACL based configurations.
- Apply specific CLI configurations for roles. Note that roles are associated with device or port groups. Be sure to group devices with common CLI capabilities. See Roles and Apply a CLI configuration using a role.
- Apply specific CLI configurations for network access policies. When using user/host profiles to determine Access Policies, use location criteria to group devices with common CLI capabilities. See Network access and Apply a CLI configuration using a network access policy.
- Create a scheduled task for a CLI configuration to be applied to a device group. See Apply a CLI configuration using a scheduled task.
- Use port logging capabilities to see which port control changes and CLI configurations were applied and when. See Port changes.
Variable options
Substitution Data | Port Based DO | Port Based UNDO | Host Based DO | Host Based UNDO |
---|---|---|---|---|
%port% | Yes | Yes | Yes | No |
%vlan% | Yes (if specified in network access configuration) | Yes (from present "current" vlan of the port) | Yes (from present "current" vlan of the port) | No |
%ip% | No | No | Yes | Yes |
%mac% | No | No | Yes | Yes |
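
Because commands are applied to the device exactly as they are created, it helps to check a Set or Undo command set against the Variable options table before saving it. The following is an added example, not FortiNAC code: the `lint` function, the ACL name `NAC-HOSTS` and the Cisco IOS style sample commands are constructed for illustration.

```python
import re

# Transcribed from the "Variable options" table: which substitution variables
# are filled in for each (scope, section) of a CLI configuration.
ALLOWED = {
    ("port", "do"):   {"%port%", "%vlan%"},
    ("port", "undo"): {"%port%", "%vlan%"},
    ("host", "do"):   {"%port%", "%vlan%", "%ip%", "%mac%"},
    ("host", "undo"): {"%ip%", "%mac%"},
}
# The table marks this entry as conditional rather than a plain "Yes".
CONDITIONAL = {
    ("port", "do", "%vlan%"):
        "only if a VLAN is specified in the network access configuration",
}
KNOWN = set().union(*ALLOWED.values())
TOKEN = re.compile(r"%[A-Za-z_]+%")


def lint(scope, section, commands):
    """Return (line_number, token, reason) for every questionable variable."""
    findings = []
    for number, line in enumerate(commands.splitlines(), start=1):
        for token in TOKEN.findall(line):
            if token not in KNOWN:
                reason = "not a variable listed in the table"
            elif token not in ALLOWED[(scope, section)]:
                reason = f"not substituted in {scope} based {section}"
            else:
                reason = CONDITIONAL.get((scope, section, token))
            if reason:
                findings.append((number, token, reason))
    return findings


# Constructed sample command sets (Cisco IOS style, for illustration only).
HOST_DO = "ip access-list extended NAC-HOSTS\n permit ip host %ip% any\n"
HOST_UNDO = ("ip access-list extended NAC-HOSTS\n"
             " no permit ip host %ip% any\n"
             "interface %port%\n")

if __name__ == "__main__":
    for section, text in (("do", HOST_DO), ("undo", HOST_UNDO)):
        for finding in lint("host", section, text):
            print("host", section, finding)
```

The host based Undo sample is flagged on its third line because `%port%` is not available in that section; the Set sample passes.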