
create acs 5.8 regular expression for command sets

Eric R. Jones
Level 4

Hello, I'm struggling with some regex issues on my ACS command sets.

I can of course block access to various commands and had blocked access to various interfaces; however, I'm unable to block access to our trunk interfaces while allowing access to our edge interfaces.

Using:

deny int* g1/1/1

deny int* g1/1/2

worked to keep low level admins out of those interfaces while allowing them access to:

g1/0/1, g1/0/2 etc...

I handled interface commands normally:

deny switchport 

Now I need to deny access to those very same interfaces, g1/1/1, g1/1/2 etc.

while allowing access to g1/0/1 - 24, g1/0/1 - 48 and also for stacks.

I worked up a regex that I created from findings while Googling around.

permit int* g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$

should this be

permit int* g*([1-4/])0\/1[0-8]|2[0-8]|3[0-8]|4[0-8])$

Our switches are 24 and 48 porters.

So the stacks would range 1/0/1 - 24 or 48 and 2/0/1 - 24 or 48 etc., up to 4 stacks.

The second value should always be a zero.

 


4 Replies

balaji.bandi
Hall of Fame

If you are looking to deny with a regex, you can do it the same way as the permit; this time we change the 0 to 1.

 

Deny interf.*\sgig.*[1]\/2\/[1-2]

 

good regex tool

 

https://regex101.com/

BB


Hi, I created this command set, permit int* g*^([1-4][\/][0][\/][1-4])$, and ran it through regex 101.

It gave me a Full match in the Match Information section on 1/0/1 and other interfaces using 1/0/? format.

It fails on g1/1/? format which is what I want.

However, I'm still not able to access the interface.

I modified the one you sent, .*\sgig.*[1-4]\/[1-4]\/[1-2], and no joy.

They pass regex 101, thanks for that link btw.

 

ej

 

kthiruve
Cisco Employee
Accepted Solution

Do not use the * operator for everything. It is 0 or more occurrences.

There are a few pointers in the community on regular expressions. Please look at those:

https://community.cisco.com/t5/security-documents/acs-command-sets-arguments-regexp-interface-range/ta-p/3126213

 

https://community.cisco.com/t5/policy-and-access/need-help-in-creating-a-regex-in-acs-5-8/td-p/3221315

I have some examples of regular expressions in the ISE device admin prescriptive guide. You can look at that as well.

 

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

 

-Krishnan

 

 

I tested this one in the regex101 tester: ^([1-4]\/[1-4]\/[1-4])$.

It worked and the group that reappeared shows all 3 sections.

Hopefully this will work following the g* to signify gigabitethernet.

So in my mind the rule should read:

Grant    Command    Attribute
deny     int*       g^([1-4]\/[1-4]\/[1-4])$

So when the user enters:

config t

int g1/1/1 

They should see a reply that this command is not authorized.

 

ej
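The patterns traded back and forth in this thread (the original permit regex in the first post, the accepted answer's warning about `*`, and the final deny rule in the post just above) can be checked offline before they are loaded into a command set. The script below is an added example and is not code from the thread, from ACS or from Cisco. It assumes that the server applies an argument regex as an unanchored, case-insensitive search (so explicit `^` and `$` anchors matter), that the interface argument may arrive either abbreviated as typed (`g1/0/1`) or expanded (`GigabitEthernet1/0/1`), and that rules are evaluated top-down with first match winning; the interface names are constructed test data, and the `ACCESS_RE`/`TRUNK_RE` patterns are suggestions, not the thread's own.

```python
import re

# Constructed sample arguments (not from the thread), in both forms IOS
# might present them to the TACACS+ server; accepting both is an assumption.
ACCESS_PORTS = ["g1/0/1", "g1/0/5", "g1/0/24", "g2/0/48", "g4/0/13",
                "GigabitEthernet3/0/7"]
TRUNK_PORTS = ["g1/1/1", "g1/1/2", "g2/1/4", "GigabitEthernet4/1/1"]
OUT_OF_RANGE = ["g1/0/0", "g1/0/49", "g5/0/1", "g10/0/1", "g1/0/1.100"]

# Argument patterns exactly as they appear in the thread.
THREAD_PERMIT = r"g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$"
THREAD_DENY = r"g^([1-4]\/[1-4]\/[1-4])$"

# Suggested replacements (this example's own, not from the thread): anchored
# at both ends, no '*' on literals, stack member 1-4, slot fixed to 0 for
# access ports or 1 for trunks, port 1-48.
IFNAME = r"(?:g|gi|gigabitethernet)"
ACCESS_RE = rf"^{IFNAME}[1-4]/0/(?:[1-9]|[1-3][0-9]|4[0-8])$"
TRUNK_RE = rf"^{IFNAME}[1-4]/1/[1-9][0-9]*$"

# Ordered command-set rules: deny trunks first, then permit access ports.
# First match wins is an assumption about how the server evaluates them.
RULES = [("deny", TRUNK_RE), ("permit", ACCESS_RE)]


def matches(pattern, argument):
    """Unanchored, case-insensitive search (assumed server behaviour)."""
    return re.search(pattern, argument, re.IGNORECASE) is not None


def evaluate(pattern, arguments):
    """Return the subset of arguments that the pattern would match."""
    return [a for a in arguments if matches(pattern, a)]


def authorize(argument):
    """Apply RULES top-down; return the action of the first rule that matches."""
    for action, pattern in RULES:
        if matches(pattern, argument):
            return action
    return "no match"


if __name__ == "__main__":
    # The thread's permit regex: [1-4] as the first port alternative means
    # ports 5-9 are never matched, and without a leading anchor the search
    # can start at the '/' of any stack number.
    print("thread permit, access ports:", evaluate(THREAD_PERMIT, ACCESS_PORTS))
    print("thread permit, out of range:", evaluate(THREAD_PERMIT, OUT_OF_RANGE))
    # The final deny rule puts '^' after the literal 'g', so it can never match.
    print("thread deny, trunk ports:", evaluate(THREAD_DENY, TRUNK_PORTS))
    # The anchored replacements.
    print("access regex:", evaluate(ACCESS_RE, ACCESS_PORTS + TRUNK_PORTS + OUT_OF_RANGE))
    print("trunk regex:", evaluate(TRUNK_RE, ACCESS_PORTS + TRUNK_PORTS))
    for arg in ("g1/1/1", "g1/0/5", "g1/0/49"):
        print(arg, "->", authorize(arg))
```

Two things the output makes visible that regex101 alone did not: the first post's permit pattern silently excludes ports 5 through 9 because its first alternative is `[1-4]`, and the final deny rule `g^(...)` matches nothing at all, since `^` after a literal `g` can never be satisfied. Whether ACS searches or fully matches the argument is not stated on this page, so keep the explicit `^` and `$` in every production pattern and test the rule on a lab switch before rolling it out.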