topic Re: ISE regex in Network Access Control

ISE regex

wess — Fri, 21 Feb 2020 18:46:25 GMT

do you know a documentation for regex syntax in policy sets on ISE 2.3?

is it like the syntax on cisco routers?

Br Matthias

Re: ISE regex

Ben Walters — Thu, 22 Feb 2018 21:23:32 GMT

I found this in a guide related to ISE policies and WLC hopefully it gives you an idea on the format for regex.

REGEX Examples

'Starts with'—for example, use the REGEX value of ^(Acme).*—this condition is configured as CERTIFICATE:Organization MATCHES 'Acme' (any match with a condition that starts with "Acme").

'Ends with'—for example, use the REGEX value of .*(mktg)$—this condition is configured as CERTIFICATE:Organization MATCHES 'mktg' (any match with a condition that ends with "mktg").

'Contains'—for example, use the REGEX value of .*(1234).*—this condition is configured as CERTIFICATE:Organization MATCHES '1234' (any match with a condition that contains "1234", such as Eng1234, 1234Dev, and Corp1234Mktg).

'Does not start with'—for example, use the REGEX value of ^(?!LDAP).*—this condition is configured as CERTIFICATE:Organization MATCHES 'LDAP' (any match with a condition that does not start with "LDAP", such as usLDAP or CorpLDAPmktg).

Original document here

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115734-ise-policies-ssid-00.html

Re: ISE regex

Arne Bier — Thu, 22 Feb 2018 22:50:57 GMT

Further to the previous reply, I am not sure what part of ISE you are using regex, but if it's in the Policy Sets, then I have found that using the MATCHES operator allows me to use standard regex syntax. There were some bugs in ISE 2.2 - but so far in ISE 2.3 the regex is reliable. In my case I use it a lot in my TACACS authentication policies, e.g.

I can add one small caveat when using ISE for TACACS+ command sets. Have a look at this posting over at the ISE Community page - it explains that TACACS+ commands use wildcards, and their arguments use regex

https://communities.cisco.com/thread/86989

Wildcards and Regex in Command Sets

A command line comprises the command and zero or more arguments. When Cisco ISE receives a command line (request), it handles the command and its arguments in different ways:

• It matches the command in the request with the commands specified in the command set list using the wildcard matching paradigm.

Example: Sh?? or S*

• It matches the arguments in the request with the arguments specified in the command set list using regular expressions (regex) matching paradigm.

Re: ISE regex

wess — Fri, 23 Feb 2018 07:03:37 GMT

Thanks Ben and Arne!

I also found the following in the ISE admin guide

The “Matches” operator supports and uses regular expressions (REGEX) not wildcards.

You must use the “equals” operator for straight forward comparison. “Contains” operator can be used for multi-value attributes.
“Matches” operator should be used for regular expression comparison.
When “Matches” operator is used, regular expression will be interpreted for both static and dynamic values.

I looks like the normal regex syntak (https://en.wikipedia.org/wiki/Regular_expression) is supported