VIP Engager

ISE Authorization Policy regular expression support?

Hello


This may have been asked before but I cannot find the discussion ... :(


I have ISE 2.4 patch 1 and I am failing to use the MATCHES operator in an Authorization Rule. According to the Admin Guide, MATCHES should be used if the condition contains a regular expression.

I want to match a Certificate Issuer Common Name to match something simple like

CORP[1234]ISSUED

to match CORP1ISSUED, CORP2ISSUED, etc. But no matter what legal regex syntax I put in there, ISE just ignores it.


The MATCHES operator is in the drop down list but it clearly does nothing, because it does not even match a simple string.


I tried using CONTAINS to see if I could use wildcards (like ? and *) but that doesn't work either.


Anyone know how to perform a regular expression in a RADIUS Authorization rule?

BTW, this works just fine in TACACS Policy sets.


Accepted Solutions
Cisco Employee

Re: ISE Authorization Policy regular expression support?

+ 1 to Craig's comments. Below are excerpted responses from our engineering:

“MATCHES” in rule evaluation is implemented to comply with Java regular expressions. ...

Please refer to the following to better understand the regular expressions:

https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html

...

  • The pattern “EXT” is not working to match “EXTISS1CA” but the pattern “EXT.*” is working. Why is “EXT” not working?

[DE] – regex “EXT” will match only with “EXT” string and nothing else.

  • The “?” (question mark) is not able to match a numeric digit, such as 1. Are we not permitting “?” in a RegEx pattern?

[DE] – “?” has a different meaning when used in regex.  “\d” is the regex to match a numeric digit.
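The full-match behaviour engineering describes above, modelled as an added example (not code from the thread or from Cisco): Java's `Pattern.matcher(value).matches()` has to consume the whole attribute value, which Python's `re.fullmatch` reproduces, so the patterns discussed in this thread can be checked offline before they go into a rule. The issuer Common Name values are constructed samples, not from anyone's deployment.

```python
import re

# Constructed sample Certificate Issuer Common Names for the checks below.
ISSUER_CNS = ["EXTISS1CA", "CORP2ISSUED", "EXTERNAL-LAB-CA", "INTISS4CA"]


def ise_matches(pattern: str, value: str) -> bool:
    """Model of the MATCHES operator.

    Java's Pattern.matcher(value).matches() succeeds only when the regex
    consumes the entire value, so a bare "EXT" never matches "EXTISS1CA";
    re.fullmatch has the same whole-string semantics.
    """
    return re.fullmatch(pattern, value) is not None


def ise_contains(substring: str, value: str) -> bool:
    """Model of the CONTAINS operator: a plain substring test.

    Neither "?" nor "*" is a wildcard here, so "CORP?ISSUED" is looked
    up literally and will not match "CORP2ISSUED".
    """
    return substring in value


def accepted_by(pattern: str, values=ISSUER_CNS):
    """Return the issuer CNs a MATCHES rule with this pattern would accept.

    Useful as a review step: a trailing ".*" is far wider than a character
    class such as [1234], and this shows exactly which CNs slip through.
    """
    return [v for v in values if ise_matches(pattern, v)]


if __name__ == "__main__":
    for pat in ["EXT", "EXT.*", "CORP[1234]ISSUED", "(INT|EXT)ISS[1234]CA",
                "EXTISS?CA", r"EXTISS\dCA"]:
        print(f"{pat:24} -> {accepted_by(pat)}")
```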

8 REPLIES
Cisco Employee

Re: ISE Authorization Policy regular expression support?

Please verify whether the field "Certificate Issuer Common Name" extracts properly if the conditions are something like StartsWith CORP and EndsWith ISSUED.

I did a simple test with a custom attribute of Internal Users and was able to use MATCHES on your pattern.

[screenshot: Screen Shot 2018-07-31 at 9.18.25 PM.png]


VIP Engager

Re: ISE Authorization Policy regular expression support?

Hi Hsing


In my test case the Issuer Common Name is exactly "EXTISS1CA"


Here is what I just tested and the rule works - I can see it in the Steps log output.

[screenshot: Rule1.PNG]


But this much simpler MATCHES condition on its own below doesn't match at all - it fails, causing the next Rule to be computed.

[screenshot: Rule2.PNG]


How can this be? MATCHES EXT should be a valid regular expression that matches EXTISS1CA?

Cisco Employee

Re: ISE Authorization Policy regular expression support?

I would need to consult with our engineering team on why matching on "EXT" alone is not working.

However, it is working for me with "EXT.*".

Advocate

Re: ISE Authorization Policy regular expression support?

The pattern matching is not exactly regex. For matching EXT, I would use CONTAINS. Or as Hsing noted, you can match the complete pattern by padding with leading and trailing variables.

VIP Engager

Re: ISE Authorization Policy regular expression support?

The strange thing is that my TACACS Policy sets use proper legal regex syntax. I thought I could do the same with RADIUS Policy sets.

What is meant by "not exactly regex" - what is it then? Is it documented?

How do I achieve something like this in ISE's quasi regex?

(INT|EXT)ISS[1234]CA


Advocate

Re: ISE Authorization Policy regular expression support?

Not all regex expressions and parameters are supported. The specific set is not documented anywhere I have seen. It may exist, but I have not seen it. From the ISE 2.4 docs...


The “Matches” operator supports and uses regular expressions (REGEX) not wildcards.

Note

You must use the “equals” operator for straight forward comparison. “Contains” operator can be used for multi-value attributes. “Matches” operator should be used for regular expression comparison. When “Matches” operator is used, regular expression will be interpreted for both static and dynamic values.


The TACACS+ section on Command Sets does include more detail than what is shown for Policy Sets here.


Whenever I use the MATCH operator, I expect it to match the entire expression. Since your example contained only a subset of the string, it did not work, as it did not account for trailing characters.

VIP Engager

Re: ISE Authorization Policy regular expression support?


Thanks for the tip. I think my regex is a bit rusty after all :-(

I should have gone to regex101.com and tested my expression before posting. Sorry about that.

My initial expression was this one below and I thought it should have worked in ISE. I will try again.

[screenshot: regex.PNG]


But I miscalculated on this one ... this is not going to work at all -

[screenshot: regex2.PNG]


As Hsing stated correctly, I'd have to use something like

[screenshot: regex3.PNG]
