ACS 5.2 compound condition wildcard support

andrewswanson
Level 7

hello

is it possible to use wildcards in Compound Conditions in ACS 5.2? i've been using the following to try and match a username that contains @*.*:

cisco question.jpg

This would hopefully match a username like j.blogs@somewhere.com but doesn't work as expected - am i doing something wrong or are wildcards not supported in compound conditions?

cheers

andy

2 Replies

andrewswanson
Level 7

hello - i've done some more testing on this and can't get the wildcards (* and ?) to work in a compound condition like the one above so i reckon they aren't supported. additionally, i've found that the compound condition is case-sensitive:

if i have a condition where System:UserName contains @something.com - this will match jblogss@something.com but not jblogss@Something.com. Can i turn case sensitivity off for this?

thanks

andy

I'm having the same issue.

I'm finding it very difficult to make authorization policies on a per-user basis because the username is inconsistent. For example, depending on how the user authenticates (ASA Remote VPN, 802.1x port, etc), sometimes the Active Directory domain prefix is present and sometimes it isn't. Sometimes the user capitalizes the username and sometimes they don't. Authentication passes no matter what against AD, but I can't get a handle on it in my policy.

As a workaround I look up their active directory account and grab their exact (Case Sensitive) mail attribute, and it hits every time. This works, but it's annoying because I think I should be able to use their logon name (can't ACS strip & normalize it?), and also it should be case insensitive as an option.
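
The matching problem described in this thread, as an added Python example that is not from any poster and is not ACS configuration or ACS behaviour: it contrasts a case-sensitive "contains" test with matching on a canonicalized identity, the kind of normalization a policy layer would need before comparing usernames. `REALM_ALIASES`, `DEFAULT_REALM`, the `CORP` domain name and all function names are assumptions made for the illustration.

```python
import fnmatch

# Constructed sample data (assumptions, not taken from the thread):
# NetBIOS domain name -> DNS realm, and the realm assumed when none is sent.
REALM_ALIASES = {"corp": "something.com"}
DEFAULT_REALM = "something.com"


def contains_case_sensitive(raw: str, needle: str) -> bool:
    """The behaviour reported above: a plain, case-sensitive 'contains'."""
    return needle in raw


def canonicalize(raw: str, aliases=REALM_ALIASES, default_realm=DEFAULT_REALM):
    """Return (user, realm), both case-folded.

    Accepts the three shapes mentioned in the thread: DOMAIN\\user,
    user@realm, and a bare logon name with no domain part.
    """
    name, realm = raw.strip(), None
    if "\\" in name:                       # down-level form: DOMAIN\user
        realm, name = name.split("\\", 1)
    elif "@" in name:                      # UPN / e-mail form: user@realm
        name, realm = name.rsplit("@", 1)
    if not name:
        raise ValueError(f"no user part in {raw!r}")
    realm = (realm or default_realm).casefold()
    # Map a NetBIOS name to its DNS realm so both forms compare equal.
    return name.casefold(), aliases.get(realm, realm)


def realm_matches(raw: str, pattern: str) -> bool:
    """Case-insensitive wildcard (* and ?) match against the realm only."""
    _, realm = canonicalize(raw)
    return fnmatch.fnmatchcase(realm, pattern.casefold())


if __name__ == "__main__":
    for name in ("jblogss@something.com", "jblogss@Something.com",
                 "CORP\\JBlogss", "jblogss"):
        print(f"{name!r:28} contains={contains_case_sensitive(name, '@something.com')!s:5} "
              f"canonical={canonicalize(name)}")
```

Keeping the realm in the canonical form, rather than comparing the bare logon name alone, avoids treating same-named accounts in different domains as one user; assuming a default realm for bare names is only safe where a single domain is in use.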