04-15-2013 11:31 AM - edited 03-10-2019 08:18 PM
I'm trying to add a condition rule into an authorization policy by using the 'NAS IP Address' with an IP address that has a wildcard in it, i.e., 192.168.0.*, but it doesn't seem to like that. Does anyone know how I can use a wildcard in this field? I only have the options 'Equals' and 'Not Equals', so there is no 'Starts with'.
Thanks
04-15-2013 02:43 PM
What version of code are you on? You should be able to use regex in combination with the "Matches" argument. Here is a sample of the regex commands you can use with ISE.
Example 3: Matches—You select the CERTIFICATE dictionary, and you select the Organization value, which displays CERTIFICATE:Organization in the Expression field. You select the Matches operator in the second field (pull-down list). In the third field (text box), you enter a REGEX value to match the Organization value. The following are some common options for "Matches":
– 'Starts with'—for example, using the REGEX value of ^(Acme).*—this condition is configured as CERTIFICATE:Organization MATCHES 'Acme' (any match with a condition that starts with "Acme").
– 'Ends with'—for example, using the REGEX value of .*(mktg)$—this condition is configured as CERTIFICATE:Organization MATCHES 'mktg' (any match with a condition that ends with "mktg").
– 'Contains'—for example, using the REGEX value of .*(1234).*—this condition is configured as CERTIFICATE:Organization MATCHES '1234' (any match with a condition that contains "1234", such as Eng1234, 1234Dev, and Corp1234Mktg).
– 'Does not start with'—for example, using the REGEX value of ^(?!LDAP).*—this condition is configured as CERTIFICATE:Organization MATCHES 'LDAP' (any match with a condition that does not start with "LDAP", such as usLDAP or CorpLDAPmktg).
Thanks,
Tarik Admani
*Please rate helpful posts*
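A quick way to sanity-check these regex values before they go into an ISE condition, as an added example that is not from this post or from Cisco. It assumes Python's re.fullmatch approximates how the ISE "Matches" operator evaluates an attribute value, and the two NAS-IP patterns are hypothetical translations of the 192.168.0.* wildcard from the question; the point they make is that a bare wildcard read as a regex is much looser than it looks, so an anchored, escaped pattern is the safer thing to put in an authorization rule.

```python
import re

# Patterns quoted in the answer above (the ISE "Matches" operator takes a REGEX value).
# Assumption: re.fullmatch approximates how ISE evaluates the attribute value, which is
# why the documented patterns carry .* on both sides.
DOC_PATTERNS = {
    "starts_with_acme": r"^(Acme).*",
    "ends_with_mktg": r".*(mktg)$",
    "contains_1234": r".*(1234).*",
    "not_starting_with_ldap": r"^(?!LDAP).*",
}

# Hypothetical patterns for the NAS-IP-Address question (192.168.0.*).
# The literal wildcard read as a regex is loose: '.' matches any character and the
# trailing '.*' accepts anything, so it also matches 192x168y0z99 or 192.168.0.1.1.
# The anchored, escaped form only accepts a dotted quad inside 192.168.0.0/24.
NAIVE_NAS_IP = r"192.168.0.*"
STRICT_NAS_IP = r"^192\.168\.0\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$"


def matches(pattern: str, value: str) -> bool:
    """True if the whole attribute value satisfies the regex (ISE-style Matches)."""
    return re.fullmatch(pattern, value) is not None


def evaluate_doc_examples() -> dict:
    """Constructed Organization values run through the patterns quoted in the post."""
    samples = ["AcmeCorp", "Eng1234", "CorpLDAPmktg", "LDAP-Users", "Corp-mktg"]
    return {name: [v for v in samples if matches(p, v)] for name, p in DOC_PATTERNS.items()}


def compare_nas_ip_patterns() -> dict:
    """Which constructed NAS-IP values each candidate pattern accepts."""
    samples = ["192.168.0.7", "192.168.0.254", "192.168.10.7", "192x168y0z99", "192.168.0.1.1"]
    return {
        "naive": [v for v in samples if matches(NAIVE_NAS_IP, v)],
        "strict": [v for v in samples if matches(STRICT_NAS_IP, v)],
    }


if __name__ == "__main__":
    for name, hits in evaluate_doc_examples().items():
        print(f"{name}: {hits}")
    for name, hits in compare_nas_ip_patterns().items():
        print(f"{name}: {hits}")
```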
04-16-2013 08:59 AM
Tarik, I tried to put this condition in with regex and it failed, my condition:
And I get this:
So it doesn't look like it likes it... I'm running:
ise-01/admin# sh application version ise
Cisco Identity Services Engine
---------------------------------------------
Version : 1.1.3.124
Build Date : Thu Feb 7 06:55:38 2013
Install Date : Fri Apr 12 14:17:44 2013
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Install Date : Fri Apr 12 14:23:17 2013
04-16-2013 09:07 AM
Hi,
Can you try to use the argument "Matches" and if it is not present you can add this into an authorization condition (Policy Elements > Conditions > Authorization). Create the condition there and then call the condition in the authorization policy.
Thanks,
Tarik Admani
*Please rate helpful posts*
04-16-2013 09:10 AM
For NAS-IP I only get EQUALS, NOT EQUALS, no matches
04-16-2013 09:11 AM
That is fine, you should be able to add this in the authorization condition.
Thanks,
Tarik Admani
*Please rate helpful posts*
04-16-2013 09:14 AM
Same thing
04-16-2013 09:29 AM
Hi,
Since you are trying to use the nas-ip-address with a wildcard you may want to consider mapping these network devices to a group and setting the group condition. However, I am curious to see if this is a bug, because I am able to run the matches condition against the Called-Station-ID.
Can you please run this by TAC and see if a bug needs to be opened or have a feature enhancement filed for this? I would assume all attributes should be able to use regex statements with the Matches argument.
Thanks
Tarik Admani
*Please rate helpful posts*