topic Re: ISE 2.1.0 TACACS command sets issue in Network Access Control

ISE 2.1.0 TACACS command sets issue

n-russell-biggie — Tue, 07 Nov 2017 14:58:50 GMT

Hello,

I have created the below tacacs command set in ISE.

When testing I am able to issue the commands conf t and exit but I can not run any show commands. I was intending to deny "show version" and then permit any other show commands but for some reason all "show" commands are being denied.

I moved the permit s*w .* above the deny show v* and all worked fine. I was under the impression that the way I have set this up in the screenshot then after issuing a "show run" it would skip past the deny show v* and be permitted by the permit s*w .*

Can anyone see if I am making an obvious error?

Thanks

Nick

Re: ISE 2.1.0 TACACS command sets issue

kthiruve — Tue, 07 Nov 2017 20:30:36 GMT

HI Nick,

The problem could be in the wildcards that you use.

Firstly, try denying “show version” before allowing commands and see if it works. * usually means zero or more occurances of previous character. For more information

http://www.rexegg.com/regex-quickstart.html

Thanks

Krishnan

Re: ISE 2.1.0 TACACS command sets issue

Arne Bier — Wed, 08 Nov 2017 00:21:32 GMT

I think I have figured this out. The "*" doesn't behave like a wildcard in the Arguments, but rather, it takes on the behaviour of a regular expression. However "*" does behave like a wildcard in "Command". Subtle difference. Confusing.

This means that if you use v* in your arguments, you have basically said "match 0 or more occurrences of v" - and not "match any string containing v"

The trick is to use a regex syntax. v.* - this means "match string containing a v, followed by zero or more characters of any kind"

If you try using regex syntax in Command rules, it won't work. e.g. the "." is interpreted literally and does not mean the same as when used in Arguments. So Command definitely used wildcards! Beware!

Below works for me in ISE 2.2 and ISE 2.3 - no matter what ordering I put the sh* rules (i.e. DENY first, or last)

Re: ISE 2.1.0 TACACS command sets issue

Arne Bier — Wed, 08 Nov 2017 03:44:22 GMT

I don't blame anyone for not always reading and understanding all 1238 pages of the Admin guide

But the ISE 2.2 Admin Guide PDF on page 194 confirms the behaviour:

Wildcards and Regex in Command Sets

A command line comprises the command and zero or more arguments. When Cisco ISE receives a command line (request), it handles the command and its arguments in different ways:

• It matches the command in the request with the commands specified in the command set list using the wildcard matching paradigm.

Example: Sh?? or S*

• It matches the arguments in the request with the arguments specified in the command set list using regular expressions (regex) matching paradigm.

Re: ISE 2.1.0 TACACS command sets issue

n-russell-biggie — Wed, 08 Nov 2017 08:05:36 GMT

Hey Arne,

Many thanks for this. I will test this out this evening when I have some time.

Thanks

Nick

Re: ISE 2.1.0 TACACS command sets issue

n-russell-biggie — Wed, 08 Nov 2017 20:19:18 GMT

Tested this out in my lab and you are spot on....

Thank you so much for the help.

I now understand how these command sets work and the difference between wildcards and regex's

Thanks Arne