11-07-2017 06:58 AM
Hello,
I have created the below tacacs command set in ISE.
When testing I am able to issue the commands conf t and exit but I can not run any show commands. I was intending to deny "show version" and then permit any other show commands but for some reason all "show" commands are being denied.
I moved the permit s*w .* above the deny show v* and all worked fine. I was under the impression that the way I have set this up in the screenshot then after issuing a "show run" it would skip past the deny show v* and be permitted by the permit s*w .*
Can anyone see if I am making an obvious error?
Thanks
Nick
11-07-2017 04:21 PM
I think I have figured this out. The "*" doesn't behave like a wildcard in the Arguments, but rather, it takes on the behaviour of a regular expression. However "*" does behave like a wildcard in "Command". Subtle difference. Confusing.
This means that if you use v* in your arguments, you have basically said "match 0 or more occurrences of v" - and not "match any string containing v"
The trick is to use a regex syntax. v.* - this means "match string containing a v, followed by zero or more characters of any kind"
If you try using regex syntax in Command rules, it won't work. e.g. the "." is interpreted literally and does not mean the same as when used in Arguments. So Command definitely used wildcards! Beware!
Below works for me in ISE 2.2 and ISE 2.3 - no matter what ordering I put the sh* rules (i.e. DENY first, or last)
11-07-2017 12:30 PM
Hi Nick,
The problem could be in the wildcards that you use.
Firstly, try denying “show version” before allowing commands and see if it works. * usually means zero or more occurrences of the previous character. For more information
http://www.rexegg.com/regex-quickstart.html
Thanks
Krishnan
11-07-2017 07:44 PM
I don't blame anyone for not always reading and understanding all 1238 pages of the Admin guide
But the ISE 2.2 Admin Guide PDF on page 194 confirms the behaviour:
Wildcards and Regex in Command Sets
A command line comprises the command and zero or more arguments. When Cisco ISE receives a command line (request), it handles the command and its arguments in different ways:
• It matches the command in the request with the commands specified in the command set list using the wildcard matching paradigm.
Example: Sh?? or S*
• It matches the arguments in the request with the arguments specified in the command set list using regular expressions (regex) matching paradigm.
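To make the two matching paradigms from the admin guide concrete, here is an added example (not ISE code and not posted by anyone in the thread) that models a command set in Python: the Command field is matched with shell-style wildcards and the Arguments field with a regex. Two things are assumed because the page does not state them: the argument regex is an unanchored search, and a matching deny beats a matching permit regardless of rule order (which is what the "no matter what ordering" observation above suggests).

```python
import fnmatch
import re

# A rule is (grant, command_pattern, arguments_pattern), mirroring an ISE
# command-set row. Only the two "show" rules discussed in the thread are
# modelled; the other rows of the poster's screenshot are not visible here.
Rule = tuple[str, str, str]

def command_matches(pattern: str, command: str) -> bool:
    """Command field: wildcard matching (? and *), per the admin guide."""
    # Assumption: comparison is case-insensitive (guide shows 'Sh??' and 'S*').
    return fnmatch.fnmatchcase(command.lower(), pattern.lower())

def arguments_match(pattern: str, arguments: str) -> bool:
    """Arguments field: regex matching, per the admin guide.
    Assumption: unanchored search, so 'v*' matches the empty string in any
    argument list, which is why every 'show' was denied in the original post."""
    return re.search(pattern, arguments) is not None

def evaluate(rules: list[Rule], command_line: str, permit_unlisted: bool = False) -> str:
    """Return 'permit' or 'deny' for a full command line such as 'show run'."""
    command, _, arguments = command_line.strip().partition(" ")
    grants = {grant for grant, cpat, apat in rules
              if command_matches(cpat, command) and arguments_match(apat, arguments)}
    if "deny" in grants:       # assumption: deny wins over permit, order-independent
        return "deny"
    if "permit" in grants:
        return "permit"
    return "permit" if permit_unlisted else "deny"

# Constructed rule sets: the original (wildcard-style 'v*' in Arguments)
# and the corrected one (regex 'v.*' in Arguments). 's*w' in Command is a
# wildcard and matches 'show'; 's.*' there would be taken literally.
AS_POSTED: list[Rule] = [("deny", "show", "v*"), ("permit", "s*w", ".*")]
CORRECTED: list[Rule] = [("deny", "show", "v.*"), ("permit", "s*w", ".*")]

if __name__ == "__main__":
    for line in ("show run", "show version", "show inventory"):
        print(f"{line:16} posted={evaluate(AS_POSTED, line):6} corrected={evaluate(CORRECTED, line)}")
```

Note the side effect visible in the third line: under an unanchored search, `v.*` also denies `show inventory` or any other show whose arguments contain a `v`, so an argument regex intended for one keyword should be written as tightly as the regex dialect allows.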
11-08-2017 12:05 AM
Hey Arne,
Many thanks for this. I will test this out this evening when I have some time.
Thanks
Nick
11-08-2017 12:19 PM
Tested this out in my lab and you are spot on....
Thank you so much for the help.
I now understand how these command sets work and the difference between wildcards and regex's
Thanks Arne