ISE 3.1 TACACS Command set RegEx problem (Solved)

iskandar
Level 1

I am posting this so that those who just installed ISE 3.1 without patching don't waste their time.

I was trying to perform a simple regex match in a command set.

Sample "configure service vprn 2000 shutdown"

Exact deny command works.

Deny Always: configure service vprn 2000 shutdown

In the GUI I configured the wildcard below, but the match kept failing and I kept thinking there was a problem with my regex syntax.

Deny Always: configure service vprn .* shutdown

Gave up and finally decided to Google for known issues with ISE 3.1 command sets and regular expressions.

Came across

CSCwa41166

RegEx expressions in TACACS Command Sets malformed

And yes, that was it. There was no issue with my syntax and the match was failing due to a bug in the unpatched version of ISE 3.1.

The workaround described in the bug details works. If you export the command set to CSV, you can see that the command portion for ".*" is corrupted. Manually editing the CSV and re-importing the CSV template does work.

The fixed release is in ISE 3.1 patch 3.

4 Replies

Arne Bier
VIP

I'd hope that by now, nobody is trying to operate an ISE 3.1 deployment in an unpatched state. When an early ISE release comes out (when no patches are yet available), then you could be forgiven (and pitied) for doing so.

iskandar
Level 1

In my case I was running ISE 3.1 for a POC and I guess it was too much to expect for basic features to work correctly out of the box. Also, coming from network engineering, I had the misconception that the latest recommended version would have been one of the latest versions. My bad.

I think your expectation is not wrong. ISE 3.1 out of the box should have passed quality assurance testing for the most basic features. It astounds me every time that, when a new ISE version is released or a new patch comes out, there are defects in things that used to always work. That worries me. It shows a lack of basic QA testing. I would expect to read the ISE release notes to find bugs in bleeding edge features. That's normal. I don't even care about release notes anymore because they read like a never-ending horror story and one that would prevent me from even going near the product. And remember, this is an ongoing issue for stuff that always used to work.

Best thing is to keep testing and then to hope that Cisco has a rigorous process for code version management - and that they also perform real-world testing (and not just basic automated tests)

I'm waiting for the day when the basic RADIUS decoding engine develops a bug ... touch wood that never happens.

minas.balaskas
Level 1

Hello Iskandar,

Thanks for that!!

BTW, I have 3.1.0 Patch 6 and the problem still seems to be there.

Regards,