2147 Views | 0 Helpful | 7 Replies

ISE Condition - NAS IP Address Wildcard?

I'm trying to add a condition rule into an authorization policy by using the 'NAS IP Address' with an IP address that has a wildcard in it, i.e. 192.168.0.*, but it doesn't seem to like that.  Does anyone know how I can use a wildcard in this field?  I only have the option of 'Equals' and 'Not Equals', so there is no 'Starts with'.

Thanks

7 Replies

Tarik Admani
VIP Alumni

What version of code are you on? You should be able to use regex in combination with the "Matches" argument. Here is a sample of the regex commands you can use with ISE.

Example 3: Matches—You select the CERTIFICATE dictionary, and you select the Organization value, which displays CERTIFICATE:Organization in the Expression field. You select the Matches operator in the second field (pull-down list). In the third field (text box), you enter a REGEX value to match the Organization value. The following are some common options for "Matches":

– 'Starts with': for example, using the REGEX value of ^(Acme).*, this condition is configured as CERTIFICATE:Organization MATCHES 'Acme' (any match with a condition that starts with "Acme").

– 'Ends with': for example, using the REGEX value of .*(mktg)$, this condition is configured as CERTIFICATE:Organization MATCHES 'mktg' (any match with a condition that ends with "mktg").

– 'Contains': for example, using the REGEX value of .*(1234).*, this condition is configured as CERTIFICATE:Organization MATCHES '1234' (any match with a condition that contains "1234", such as Eng1234, 1234Dev, and Corp1234Mktg).

– 'Does not start with': for example, using the REGEX value of ^(?!LDAP).*, this condition is configured as CERTIFICATE:Organization MATCHES 'LDAP' (any match with a condition that does not start with "LDAP", such as usLDAP or CorpLDAPmktg).

Thanks,

Tarik Admani
*Please rate helpful posts*
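To make the difference between the wildcard the original poster typed and the regex idioms quoted above concrete, here is an added example (not code from this thread or from Cisco). It assumes, as the documentation's use of ^ ... $ and leading/trailing .* suggests, that Matches tests the regex against the whole attribute value; the attribute values, rule names and the 192.168.0.0/24 range are constructed for illustration. The point it shows is that "192.168.0.*" read as a regex is looser than the glob the poster intended (the unescaped dots match any character), so a subnet condition should escape the dots and anchor the last octet.

```python
import re
from typing import Optional

# Assumption (not stated on the page): ISE's "Matches" operator tests the
# regex against the entire attribute value, which is why the documented
# examples anchor with ^ and $ and pad with .* on both sides.
def matches(pattern: str, value: str) -> bool:
    return re.fullmatch(pattern, value) is not None

def equals(expected: str, value: str) -> bool:
    return expected == value

# The four regex idioms from the Cisco example, keyed by intent.
DOC_EXAMPLES = {
    "starts with Acme": r"^(Acme).*",
    "ends with mktg": r".*(mktg)$",
    "contains 1234": r".*(1234).*",
    "does not start with LDAP": r"^(?!LDAP).*",
}

def evaluate_doc_examples(org: str) -> dict:
    """Apply every documented idiom to one CERTIFICATE:Organization value."""
    return {name: matches(rx, org) for name, rx in DOC_EXAMPLES.items()}

# What the original poster typed is a shell-style glob, not a regex.
# As a regex, '.' matches any character and '0.*' means '0' followed by
# anything, so it accepts values that are not in 192.168.0.0/24 at all.
GLOB_AS_TYPED = "192.168.0.*"
# Constructed replacement: escaped dots, one to three digits for the last octet.
SUBNET_REGEX = r"^192\.168\.0\.\d{1,3}$"

def glob_as_regex_matches(nas_ip: str) -> bool:
    return matches(GLOB_AS_TYPED, nas_ip)

def nas_ip_in_subnet(nas_ip: str) -> bool:
    return matches(SUBNET_REGEX, nas_ip)

# A tiny model of an authorization policy: rules are evaluated top-down
# and the first one whose condition holds wins. Rule names are constructed.
RULES = [
    ("Building-A-switches", "NAS-IP-Address", "MATCHES", SUBNET_REGEX),
    ("Core-switch", "NAS-IP-Address", "EQUALS", "10.0.0.1"),
]

def first_matching_rule(attrs: dict, rules: list = RULES) -> Optional[str]:
    """Return the name of the first rule whose condition matches attrs, else None."""
    for name, attr, op, operand in rules:
        value = attrs.get(attr, "")
        hit = matches(operand, value) if op == "MATCHES" else equals(operand, value)
        if hit:
            return name
    return None

if __name__ == "__main__":
    for org in ("AcmeCorpLDAPmktg", "LDAPserver1234"):
        print(org, evaluate_doc_examples(org))
    for ip in ("192.168.0.25", "192.168.10.5", "192x168y0zzz", "192.168.0"):
        print(ip, "glob-as-regex:", glob_as_regex_matches(ip),
              "subnet regex:", nas_ip_in_subnet(ip))
```

Running it shows that "192x168y0zzz" and the truncated "192.168.0" both satisfy the glob-as-regex pattern while only "192.168.0.25" satisfies the anchored subnet regex, which is the behaviour you actually want before a NAS address is allowed to select an authorization rule.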

Tarik, I tried to put this condition in with regex and it failed, my condition:

And I get this:

So it doesn't look like it likes it...  I'm running:

ise-01/admin# sh application version ise

Cisco Identity Services Engine
---------------------------------------------
Version      : 1.1.3.124
Build Date   : Thu Feb  7 06:55:38 2013
Install Date : Fri Apr 12 14:17:44 2013

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 1
Install Date : Fri Apr 12 14:23:17 2013

Hi,

Can you try to use the "Matches" argument? If it is not present, you can add this as an authorization condition (Policy Elements > Conditions > Authorization). Create the condition there and then call the condition in the authorization policy.

Thanks,

Tarik Admani
*Please rate helpful posts*

For NAS-IP I only get EQUALS and NOT EQUALS, no Matches.

That is fine, you should be able to add this in the authorization condition.

Thanks,

Tarik Admani
*Please rate helpful posts*

Same thing

Hi,

Since you are trying to use the nas-ip-address with a wildcard, you may want to consider mapping these network devices to a group and setting the group condition. However, I am curious to see if this is a bug, because I am able to run the Matches condition against the Called-Station-ID.

Can you please run this by TAC and see if a bug needs to be opened or a feature enhancement filed for this? I would assume all attributes should be able to use regex statements with the Matches argument.

Thanks

Tarik Admani
*Please rate helpful posts*