ISE 2.1.0 TACACS command sets issue

Hello,

I have created the below tacacs command set in ISE.

When testing I am able to issue the commands conf t and exit, but I cannot run any show commands. I was intending to deny "show version" and then permit any other show commands, but for some reason all "show" commands are being denied.

I moved the permit s*w .* above the deny show v* and all worked fine. I was under the impression that, with the setup shown in the screenshot, after issuing "show run" it would skip past the deny show v* and be permitted by the permit s*w .*

Can anyone see if I am making an obvious error?

Thanks

Nick

Cisco Employee

Re: ISE 2.1.0 TACACS command sets issue

Hi Nick,

The problem could be in the wildcards that you use.

Firstly, try denying "show version" before allowing commands and see if it works. * usually means zero or more occurrences of the previous character. For more information:

http://www.rexegg.com/regex-quickstart.html

Thanks

Krishnan

VIP Engager

Re: ISE 2.1.0 TACACS command sets issue

I think I have figured this out. The "*" doesn't behave like a wildcard in the Arguments, but rather, it takes on the behaviour of a regular expression. However, "*" does behave like a wildcard in "Command". Subtle difference. Confusing.

This means that if you use v* in your arguments, you have basically said "match 0 or more occurrences of v" - and not "match any string containing v".

The trick is to use a regex syntax. v.* - this means "match string containing a v, followed by zero or more characters of any kind".

If you try using regex syntax in Command rules, it won't work. e.g. the "." is interpreted literally and does not mean the same as when used in Arguments. So Command definitely uses wildcards! Beware!

Below works for me in ISE 2.2 and ISE 2.3 - no matter what ordering I put the sh* rules (i.e. DENY first, or last).

VIP Engager

Re: ISE 2.1.0 TACACS command sets issue

I don't blame anyone for not always reading and understanding all 1238 pages of the Admin guide.

But the ISE 2.2 Admin Guide PDF on page 194 confirms the behaviour:

 

Wildcards and Regex in Command Sets

A command line comprises the command and zero or more arguments. When Cisco ISE receives a command line (request), it handles the command and its arguments in different ways:

 

It matches the command in the request with the commands specified in the command set list using the wildcard matching paradigm.

Example: Sh?? or S*

 

It matches the arguments in the request with the arguments specified in the command set list using regular expressions (regex) matching paradigm.
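The two matching paradigms above (wildcards for Command, regex for Arguments) and the accepted answer's diagnosis can be reproduced with a small simulator. This is an added example, not Cisco code and not part of the thread; it assumes first-match-wins evaluation, a default of DENY when nothing matches, case-insensitive comparison, and that the argument regex is searched within the argument string rather than anchored (the unanchored search is what makes "v*" match every argument, including an empty one, which is the behaviour Nick observed). Real ISE command sets also have DENY_ALWAYS and a "permit unmatched" option, which this model leaves out.

```python
import re

# Constructed rule lists as (grant, command, arguments).
# BROKEN_RULES mirrors the original post: "v*" is a regex meaning
# "zero or more v", so it matches every argument string.
BROKEN_RULES = [
    ("DENY", "show", "v*"),
    ("PERMIT", "s*w", ".*"),
]
# FIXED_RULES applies the accepted answer: "v.*" only matches arguments
# that actually contain a "v".
FIXED_RULES = [
    ("DENY", "show", "v.*"),
    ("PERMIT", "s*w", ".*"),
]


def wildcard_to_regex(pattern: str) -> str:
    """Command field: '*' is any run of characters, '?' is exactly one,
    everything else (including '.') is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def command_matches(pattern: str, command: str) -> bool:
    # Whole-command wildcard match (assumed case-insensitive).
    return re.fullmatch(wildcard_to_regex(pattern), command, re.IGNORECASE) is not None


def arguments_match(pattern: str, arguments: str) -> bool:
    # Arguments field is a regex; assumption: searched, not anchored.
    return re.search(pattern, arguments, re.IGNORECASE) is not None


def evaluate(rules, command_line: str, default: str = "DENY") -> str:
    """Return the grant of the first rule matching command and arguments."""
    command, _, arguments = command_line.strip().partition(" ")
    for grant, cmd_pat, arg_pat in rules:
        if command_matches(cmd_pat, command) and arguments_match(arg_pat, arguments):
            return grant
    return default
```

Running `evaluate(BROKEN_RULES, "show run")` returns DENY while `evaluate(FIXED_RULES, "show run")` returns PERMIT, and `command_matches("sh.w", "show")` is False because "." is literal in the Command field.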

 

Re: ISE 2.1.0 TACACS command sets issue

Hey Arne,

Many thanks for this. I will test this out this evening when I have some time.

Thanks

Nick

Re: ISE 2.1.0 TACACS command sets issue

Tested this out in my lab and you are spot on....

Thank you so much for the help.

I now understand how these command sets work and the difference between wildcards and regexes.

Thanks Arne