ISE Authorization Policy regular expression support?

Arne Bier
VIP

Hello

 

This may have been asked before but I cannot find the discussion ... :(

 

I have ISE 2.4 patch 1 and I am failing to use the MATCHES operator in an Authorization Rule.  According to the Admin Guide, MATCHES should be used if the condition contains a regular expression.

I want to match a Certificate Issuer Common Name to match something simple like

CORP[1234]ISSUED

to match CORP1ISSUED, CORP2ISSUED, etc.  But no matter what legal regex syntax I put in there, ISE just ignores it. 

 

The MATCHES operator is in the drop down list but it clearly does nothing, because it does not even match a simple string.

 

I tried using CONTAINS to see if I could use wildcards (like ? and *) but that doesn't work either.

 

Anyone know how to perform a regular expression in a RADIUS Authorization rule?

BTW, this works just fine in TACACS Policy sets.

Accepted Solution

+ 1 to Craig's comments. Below are excerpted responses from our engineering:

“MATCHES” in rule evaluation is implemented to comply with java regular expressions. ...

Please refer the following to understand better on the regular expressions:

https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html

...

  • The pattern “EXT” is not working to match “EXTISS1CA” but the pattern “EXT.*” working. Why is “EXT” not working?

[DE] – regex “EXT” will match only with “EXT” string and nothing else.

  • The “?” (question mark) is not able to match a numeric digit, such as 1. Are we not permitting “?” in a RegEx pattern?

[DE] – “?” has a different meaning when used in regex.  “\d” is the regex to match a numeric digit.

8 Replies

hslai
Cisco Employee

Please verify whether the field "Certificate Issuer Common Name" extracts properly if the conditions are something like StartsWith CORP and EndsWith ISSUED.

I did a simple test with a custom attribute of Internal Users and was able to MATCHES on your pattern.

Screen Shot 2018-07-31 at 9.18.25 PM.png

 

Hi Hsing

 

In my test case the Issuer Common Name is exactly "EXTISS1CA"

 

Here is what I just tested and the rule works - I can see it in the Steps log output

Rule1.PNG

 

But this much simpler MATCHES condition on its own below doesn't match at all - it fails, causing the next Rule to be computed

Rule2.PNG

 

How can this be?  MATCHES EXT should be a valid regular expression that matches EXTISS1CA ?

 

 

 

 

I would need to consult with our engineering team on why matching on "EXT" alone is not working.

However, it is working for me with "EXT.*"

The pattern matching is not exactly regex.  For matching EXT, I would use CONTAINS.  Or as Hsing noted, you can match the complete pattern by padding with leading and trailing variables.

The strange thing is that my TACACS Policy sets use proper legal regex syntax.  I thought I could do the same with Radius Policy sets.

What is meant by "not exactly regex" - what is it then?  Is it documented?  

How do I achieve something like this in ISE's quasi regex?

(INT|EXT)ISS[1234]CA    

 

Not all regex expressions and parameters are supported.  The specific set is not documented anywhere I have seen.  It may exist, but I have not seen it.  From ISE 2.4 docs...

 

The “Matches” operator supports and uses regular expressions (REGEX) not wildcards.

Note 

You must use the “equals” operator for straight forward comparison. “Contains” operator can be used for multi-value attributes. “Matches” operator should be used for regular expression comparison. When “Matches” operator is used, regular expression will be interpreted for both static and dynamic values.

 

The TACACS+ section on Command Sets does include more detail than what is shown for Policy Sets here.

 

Whenever I use MATCH operator, I expect it to match the entire expression.  Since your example contained only a subset of the string, it did not work as it did not account for trailing characters.
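The following is an added example, not code from Cisco ISE or from any poster in this thread. It assumes what the accepted solution states (MATCHES is evaluated with Java regular expressions) and what Craig notes above (the pattern must account for the entire attribute value), and reproduces both with java.util.regex: whole-value evaluation is Matcher.matches(), while the partial-match behaviour most people expect from regex101 is Matcher.find(). The sample issuer names are constructed from the values quoted in the thread.

```java
import java.util.regex.Pattern;

// Added example for this thread; it is not code from Cisco ISE or from any poster.
// Assumption: ISE's MATCHES operator behaves like Pattern.matcher(value).matches(),
// i.e. the regex must cover the whole attribute value, not just a substring of it.
public class IseMatchesDemo {

    // Whole-value match: the semantics the thread observed for the MATCHES operator.
    static boolean iseMatches(String pattern, String value) {
        return Pattern.compile(pattern).matcher(value).matches();
    }

    // Substring search, shown only for contrast; ISE MATCHES does not behave like this.
    static boolean findsAnywhere(String pattern, String value) {
        return Pattern.compile(pattern).matcher(value).find();
    }

    private static void show(String pattern, String value) {
        System.out.printf("%-22s vs %-16s matches()=%-5b find()=%b%n",
                pattern, value, iseMatches(pattern, value), findsAnywhere(pattern, value));
    }

    public static void main(String[] args) {
        // Constructed sample value, taken from the issuer name quoted in the thread.
        String issuer = "EXTISS1CA";

        // 1. "EXT" alone: find() is true but matches() is false, so the ISE rule is skipped.
        show("EXT", issuer);

        // 2. Appending ".*" lets the pattern consume the trailing characters.
        show("EXT.*", issuer);

        // 3. "?" is a quantifier (zero or one of the preceding token), not a one-character
        //    wildcard: "EXTISS?CA" matches "EXTISSCA" or "EXTISCA", never "EXTISS1CA".
        show("EXTISS?CA", issuer);
        show("EXTISS?CA", "EXTISSCA");

        // 4. "\d" matches a single digit; a character class or alternation pins the rest
        //    of the value so the rule cannot match more issuers than intended.
        show("EXTISS\\dCA", issuer);
        show("(INT|EXT)ISS[1234]CA", issuer);
        show("(INT|EXT)ISS[1234]CA", "INTISS4CA");
        show("(INT|EXT)ISS[1234]CA", "EXTISS5CA"); // 5 is outside [1234]

        // 5. The original poster's CORP[1234]ISSUED pattern needs no padding because it
        //    already spans the whole value; any trailing text breaks matches().
        show("CORP[1234]ISSUED", "CORP2ISSUED");
        show("CORP[1234]ISSUED", "CORP2ISSUED-OLD");
    }
}
```

Compile and run with `javac IseMatchesDemo.java && java IseMatchesDemo`. Because matches() must consume the whole value, a pattern that only names a prefix silently fails the rule, while a pattern padded with a bare `.*` on both ends can match far more issuers than intended; writing the full expected value (with a character class or alternation for the variable part) gives the narrowest rule. This demo uses the standard JDK Pattern class; since Craig points out that ISE's supported regex subset is not documented, confirm any production pattern in the ISE Steps log rather than relying on the JDK alone.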

 

Thanks for the tip.  I think my regex is a bit rusty after all :-(

I should have gone to regex101.com and tested my expression before posting.  Sorry about that.

My initial expression was this one below and I thought it should have worked in ISE.  I will try again

regex.PNG

 

But I miscalculated on this one ... this is not going to work at all - 

regex2.PNG

 

As Hsing stated correctly, I'd have to use something like

regex3.PNG
