Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1151
Views
15
Helpful
9
Replies

Authorization policy: Using the contains operator

dgaikwad
Level 5
Level 5

‎09-28-2018 01:42 AM

Hi Experts,

I would like to get some information regarding the behavior of the contains operator.

So, here I have two authentication policy, with called-station-ID contains Cisco and another one with called-station-ID contains Cisco1

When a user connects to SSID Cisco, the policy with SSID Cisco1 will not be evaluated and the policy containing Cisco will be evaluated?

My question is here is that since I am using contains operator here, does it match the entire string or it looks for the Cisco in Cisco1 and select that policy?

So, when a user connects to SSID Cisco, which policy will be evaluated? the one with Cisco1 or Cisco?

0 Helpful
9 Replies 9

rcullum
Level 1
Level 1

‎09-28-2018 03:47 AM

Are you talking about authentication policies or authorization rules? If the latter, then the first match rule will win.
0 Helpful

paul
Level 10
Level 10

‎09-28-2018 04:14 AM

You would need to put the more specific match first.  In your case Cisco1.

0 Helpful

Aravind Ravichandran
Level 3
Level 3

‎09-28-2018 02:25 PM

Hi,

Contains will match whole string and authorization policy works in order,if called station Id contains Cisco1 is first rule & cisco is second rule.user connects to Cisco ssid will be evaluated with Cisco policy.

 

Thanks,

Aravind

-Aravind
0 Helpful

dgaikwad
Level 5
Level 5
In response to Aravind Ravichandran

‎10-04-2018 02:28 AM

So, if I configure the policy as follows:called station ID.JPG

 If a user connects to SSID "Cisco", then also he will be evaluated based on the policy containing "Cisco1"? Right? :/

 

 

0 Helpful

Aravind Ravichandran
Level 3
Level 3
In response to dgaikwad

‎10-04-2018 02:40 AM

No,if user connects to Cisco ssid he will be evaluated based on second policy sets as the first policy sets doesn't match the ssid name.

Also in policy sets you are using equals not contains.

-Aravind
0 Helpful

dgaikwad
Level 5
Level 5
In response to Aravind Ravichandran

‎10-04-2018 03:16 AM

The previous ones were created in a hurry just to visualize what I was trying to explain, here is the correct ones;called station ID.JPG

Now this proves, when the user selects Cisco SSID, he will be evaluated based on policy for Cisco and not from Cisco1, right?

This also shows that, the entire string is matched. 

 

 

0 Helpful

Aravind Ravichandran
Level 3
Level 3
In response to dgaikwad

‎10-04-2018 04:00 AM

Yes right, if it matches Cisco SSID & 802.1x

 

Thanks 

Aravind

-Aravind

Nidhi
Cisco Employee
Cisco Employee
In response to dgaikwad

‎10-04-2018 04:32 AM

Hi Dinesh, 

you can use the "Matches" operand to match the exact ssid. 

paul
Level 10
Level 10
In response to Nidhi

‎10-04-2018 04:39 AM

The matches would allow you to specify Regex to do an exact match, but you can also just use the ends with.  

 

Ends with Cisco and Ends  with Cisco1 do not overlap.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents