cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5954
Views
9
Helpful
5
Replies

ISE 2.1.0 TACACS command sets issue

Hello,

I have created the below tacacs command set in ISE.

When testing I am able to issue the commands conf t and exit but I can not run any show commands. I was intending to deny "show version" and then permit any other show commands but for some reason all "show" commands are being denied.

I moved the permit s*w .* above the deny show v* and all worked fine. I was under the impression that the way I have set this up in the screenshot then after issuing a "show run" it would skip past the deny show v* and be permitted by the permit s*w .*

Can anyone see if I am making an obvious error?

Thanks

Nick

1 Accepted Solution

Accepted Solutions

I think I have figured this out.  The "*" doesn't behave like a wildcard in the Arguments, but rather, it takes on the behaviour of a regular expression.  However "*" does behave like a wildcard in "Command".  Subtle difference.  Confusing.

This means that if you use v*  in your arguments, you have basically said "match 0 or more occurrences of v" - and not "match any string containing v"

The trick is to use a regex syntax.  v.*    - this means "match string containing a v, followed by zero or more characters of any kind"

If you try using regex syntax in Command rules, it won't work.  e.g. the "." is interpreted literally and does not mean the same as when used in Arguments.  So Command definitely used wildcards!   Beware!

Below works for me in ISE 2.2 and ISE 2.3 - no matter what ordering I put the sh* rules (i.e. DENY first, or last)

View solution in original post

5 Replies 5

kthiruve
Cisco Employee
Cisco Employee

HI Nick,

The problem could be in the wildcards that you use.

Firstly, try denying “show version” before allowing commands and see if it works. * usually means zero or more occurances of previous character. For more information

http://www.rexegg.com/regex-quickstart.html

Thanks

Krishnan

I think I have figured this out.  The "*" doesn't behave like a wildcard in the Arguments, but rather, it takes on the behaviour of a regular expression.  However "*" does behave like a wildcard in "Command".  Subtle difference.  Confusing.

This means that if you use v*  in your arguments, you have basically said "match 0 or more occurrences of v" - and not "match any string containing v"

The trick is to use a regex syntax.  v.*    - this means "match string containing a v, followed by zero or more characters of any kind"

If you try using regex syntax in Command rules, it won't work.  e.g. the "." is interpreted literally and does not mean the same as when used in Arguments.  So Command definitely used wildcards!   Beware!

Below works for me in ISE 2.2 and ISE 2.3 - no matter what ordering I put the sh* rules (i.e. DENY first, or last)

I don't blame anyone for not always reading and understanding all 1238 pages of the Admin guide

But the ISE 2.2 Admin Guide PDF on page 194 confirms the behaviour:

 

Wildcards and Regex in Command Sets

A command line comprises the command and zero or more arguments. When Cisco ISE receives a command line (request), it handles the command and its arguments in different ways:

 

It matches the command in the request with the commands specified in the command set list using the wildcard matching paradigm.

Example: Sh?? or S*

 

It matches the arguments in the request with the arguments specified in the command set list using regular expressions (regex) matching paradigm.

 

Hey Arne,

Many thanks for this. I will test this out this evening when I have some time.

Thanks

Nick

Tested this out in my lab and you are spot on....

Thank you so much for the help.

I now understand how these command sets work and the difference between wildcards and regex's

Thanks Arne

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: