https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488569#M517893 <HTML><HEAD></HEAD><BODY><P>Hi George</P><P></P><P>I did find a way, I think. I'm going to test this next Wednesday. One can define an alias on the CPE and exclude items.</P><P></P><P>for instance: alias Test show run | exclude password|user|etc</P><P>Then you put config in ISE allowing a user to call only that alias.</P><P></P><P>I hope this will work out but I'll know soon enough.</P></BODY></HTML> Fri, 23 Feb 2018 10:31:53 GMT Jeroen1001 2018-02-23T10:31:53Z https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488565#M517889 <HTML><HEAD></HEAD><BODY><P>Dear community,</P><P></P><P>I'm looking for ISE to remove sensitive information from the output of certain commands. For example, when issuing a <EM>show run</EM> command, I want to remove (or replace with *) all lines containing the word username and all lines containing a certain IP like 192.168*</P><P>So to put it more concisely, I want to apply a regex. </P><P></P><P>Is this possible with ISE? I'm assuming no because it is probably not intended for this use but you never know, right?</P><P></P><P>Many thanks,</P><P>Jeroen</P></BODY></HTML> Mon, 12 Feb 2018 14:57:48 GMT https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488565#M517889 Jeroen1001 2018-02-12T14:57:48Z https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488566#M517890 <HTML><HEAD></HEAD><BODY><P>Hi Jeroen,</P><P></P><P>Here are the options ISE supports command line.</P><P>ise/admin# sh run | ?<BR />Output modifier commands:<BR />&nbsp; begin&nbsp;&nbsp;&nbsp; Begin with line that matches<BR />&nbsp; count&nbsp;&nbsp;&nbsp; Count the number of lines in the output<BR />&nbsp; end&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; End with line that matches<BR />&nbsp; exclude&nbsp; Exclude lines that match<BR />&nbsp; include&nbsp; Include lines that match<BR />&nbsp; last&nbsp;&nbsp;&nbsp;&nbsp; Display last few lines of the output</P><P>ise/admin# sh run ?<BR />&nbsp; &gt;&nbsp;&nbsp;&nbsp;&nbsp; Output Redirection.<BR />&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp; Output modifiers.<BR />&nbsp; &lt;cr&gt;&nbsp; Carriage return.</P><P>ise/admin# sh run &gt; ?<BR />&nbsp; &lt;File&gt;&nbsp; Name of file to redirect stdout</P><P></P><P>You can save it to a file and then parse it the way you want.</P><P>It does not support wildcards in command line.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Tue, 13 Feb 2018 06:55:30 GMT https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488566#M517890 kthiruve 2018-02-13T06:55:30Z https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488567#M517891 <HTML><HEAD></HEAD><BODY><P>Dear Krishnan,</P><P></P><P>Many thanks for your reply but I meant in it another context. Say I give access to a CPE to a third party. I want this 3rd party to be able to do a <EM>show run</EM>, but without seeing any sensitive information. </P><P>Basically, I want to ISE to transform <EM>show running-config</EM> into <EM>show running-config | exclude user*|password</EM></P><P>I could exclude more information by adding more pipes making this quite flexible.</P><P></P><P>So to summarize, can ISE replace <EM>show running-config </EM>with<EM> <EM>show running-config | exclude user*|password&nbsp;&nbsp; </EM></EM></P></BODY></HTML> Tue, 13 Feb 2018 11:49:46 GMT https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488567#M517891 Jeroen1001 2018-02-13T11:49:46Z https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488568#M517892 <HTML><HEAD></HEAD><BODY><P>The short answer is no. However, you can leverage the privilege level command and hide certain configuration items from the user which should then also hide it from the running configuration for them.</P></BODY></HTML> Thu, 15 Feb 2018 22:00:47 GMT https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488568#M517892 gbekmezi-DD 2018-02-15T22:00:47Z https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488569#M517893 <HTML><HEAD></HEAD><BODY><P>Hi George</P><P></P><P>I did find a way, I think. I'm going to test this next Wednesday. One can define an alias on the CPE and exclude items.</P><P></P><P>for instance: alias Test show run | exclude password|user|etc</P><P>Then you put config in ISE allowing a user to call only that alias.</P><P></P><P>I hope this will work out but I'll know soon enough.</P></BODY></HTML> Fri, 23 Feb 2018 10:31:53 GMT https://community.cisco.com/t5/network-access-control/can-ise-parse-the-result-of-an-authorized-command/m-p/3488569#M517893 Jeroen1001 2018-02-23T10:31:53Z