Hi Hsing

In my test case the Issuer Common Name is exactly "EXTISS1CA"

Here is what I just tested and the rule works - I can see it in the Steps log output

But this much simpler MATCHES condition on its own below doesn't match at all - it fails, causing the next Rule to be computed

How can this be?  MATCHES EXT should be a valid regular expression that matches EXTISS1CA ?

I would need to consult with our engineering team on why matching on "EXT" alone not working.

However, it working for me with "EXT.*"

The pattern matching is not exactly regex.  For matching EXT, I would use CONTAINS.  Or as Hsing noted, you can match complete pattern by padding with lead and trailing variables.

The strange things is, that my TACACS Policy sets use proper legal regex syntax.  I thought I could do the same with Radius Policy sets.

What is meant by "not exactly regex" - what is it then?  Is it documented?  

How do I achieve something like this in ISE's quasi regex?

(INT|EXT)ISS[1234]CA    

Not all regex expressions and parameters are supported.  The specific set is not documented anywhere I have seen.  It may exist, but I have not seen it.  From ISE 2.4 docs...

The “Matches” operator supports and uses regular expressions (REGEX) not wildcards.

The TACACS+ section on Command Sets does include more detail than what is shown for Policy Sets here.

Whenever I use MATCH operator, I expect it to match the entire expression.  Since your example contained only a subset of the string, it did not work as it did not account for trailing characters.

Thanks for the tip.  I think my regex is a bit rusty after all :-(

I should have gone to regex101.com and tested my expression before posting.  Sorry about that.

My initial expression was this one below and I thought it should have worked in ISE.  I will try again

But I miscalculated on this one ... this is not going to work at all - 

As Hsing stated correctly, I'd have to use something like