topic Re: ISE Authorization Policy regular expression support? in Network Access Control

ISE Authorization Policy regular expression support?

Arne Bier — Wed, 01 Aug 2018 01:55:35 GMT

Hello

This may have been asked before but I cannot find the discussion ... 😞

I have ISE 2.4 patch 1 and I am failing to use the MATCHES operator in an Authorization Rule. According to the Admin Guide, MATCHES should be used if the condition contains a regular expression.

I want to match a Certificate Issuer Common Name to match something simple like

CORP[1234]ISSUED

to match CORP1ISSUED, CORP2ISSUED, etc. But no matter what legal regex syntax I put in there, ISE just ignores it.

The MATCHES operator is in the drop down list but it clearly does nothing, because it does not even match a simple string.

I tried using CONTAINS to see if I could use wildcards (like ? and *) but that doesn't work either.

Anyone know how to perform a regular expression in a RADIUS Authorization rule?

BTW, this works just fine in TACACS Policy sets.

Re: ISE Authorization Policy regular expression support?

hslai — Wed, 01 Aug 2018 04:19:24 GMT

Please verify whether the field "Certificate Issuer Common Name" extract properly if the conditions are something like StartsWith CORP and EndsWith ISSUED.

I did a simple test with a custom attribute of Internal Users and was able to MATCHES on your pattern.

Re: ISE Authorization Policy regular expression support?

Arne Bier — Wed, 01 Aug 2018 04:52:51 GMT

Hi Hsing

In my test case the Issuer Common Name is exactly "EXTISS1CA"

Here is what I just tested and the rule works - I can see it in the Steps log output

But this much simpler MATCHES condition on its own below doesn't match at all - it fails, causing the next Rule to be computed

How can this be? MATCHES EXT should be a valid regular expression that matches EXTISS1CA ?

Re: ISE Authorization Policy regular expression support?

hslai — Wed, 01 Aug 2018 06:02:55 GMT

I would need to consult with our engineering team on why matching on "EXT" alone not working.

However, it working for me with "EXT.*"

Re: ISE Authorization Policy regular expression support?

Craig Hyps — Wed, 01 Aug 2018 10:05:08 GMT

The pattern matching is not exactly regex. For matching EXT, I would use CONTAINS. Or as Hsing noted, you can match complete pattern by padding with lead and trailing variables.

Re: ISE Authorization Policy regular expression support?

Arne Bier — Wed, 01 Aug 2018 13:07:16 GMT

The strange things is, that my TACACS Policy sets use proper legal regex syntax. I thought I could do the same with Radius Policy sets.

What is meant by "not exactly regex" - what is it then? Is it documented?

How do I achieve something like this in ISE's quasi regex?

(INT|EXT)ISS[1234]CA

Re: ISE Authorization Policy regular expression support?

Craig Hyps — Wed, 01 Aug 2018 13:18:22 GMT

Not all regex expressions and parameters are supported. The specific set is not documented anywhere I have seen. It may exist, but I have not seen it. From ISE 2.4 docs...

The “Matches” operator supports and uses regular expressions (REGEX) not wildcards.

Note

You must use the “equals” operator for straight forward comparison. “Contains” operator can be used for multi-value attributes. “Matches” operator should be used for regular expression comparison. When “Matches” operator is used, regular expression will be interpreted for both static and dynamic values.

The TACACS+ section on Command Sets does include more detail than what is shown for Policy Sets here.

Whenever I use MATCH operator, I expect it to match the entire expression. Since your example contained only a subset of the string, it did not work as it did not account for trailing characters.

Re: ISE Authorization Policy regular expression support?

Arne Bier — Wed, 01 Aug 2018 13:35:01 GMT

Thanks for the tip. I think my regex is a bit rusty after all 😞

I should have gone to regex101.com and tested my expression before posting. Sorry about that.

My initial expression was this one below and I thought it should have worked in ISE. I will try again

But I miscalculated on this one ... this is not going to work at all -

As Hsing stated correctly, I'd have to use something like

Re: ISE Authorization Policy regular expression support?

hslai — Wed, 01 Aug 2018 20:24:27 GMT

+ 1 to Craig's comments. Below are excerpted responses from our engineering:

“MATCHES” in rule evaluation is implemented to comply with java regular expressions. ...

Please refer the following to understand better on the regular expressions:

https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html

...

The pattern “EXT” is not working to match “EXTISS1CA” but the pattern “EXT.*” working. Why is “EXT” not working?

[DE] – regex “EXT” will match only with “EXT” string and nothing else.

The “?” (question mark) is not able to match a numeric digit, such as 1. Are we not permitting “?” in a RegEx pattern?

[DE] – “?” has a different meaning when used in regex. “\d” is the regex to match a numeric digit.