05-03-2013 08:04 AM - edited 03-10-2019 08:23 PM
I'm trying to come up with a profiling condition to match on FQDN. In this particular example, all corporate workstations have the following common FQDN:
abcd-machinename.xyz.com
I would like to match on everything except the machinename which can be a wildcard. The profiling condition I've attempted to configure is
IP:FQDN CONTAINS ^(abcd)*(\.xyz\.com)$
I never get any matches on this or any variation that I've tried. When I look at the Endpoint in Identity, I do see the full FQDN as an attribute.
Can anyone help me with the correct syntax to match a FQDN in this manner?
Thanks,
Brian
05-03-2013 02:22 PM
I think you should use "Ends with" operator against the domain name "xyz.com" instead of using "contains" operator against entire FQDN
For more detail, the following link may be helpful:
Creating a New Authorization Policy
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html#wp1082656
In the above link, review the Note: The "Matches" operator supports and uses regular expressions (REGEX) not wildcards.
From my understanding, regular expressions can't be used against all operators.
05-03-2013 02:32 PM
"Ends with" does not appear to be an operator. My choices are EQUALS, NOTEQUALS, GREATERTHAN, LESSTHAN or CONTAINS. I will most likely need to use the EQUALS operator to match on my regular expression, but can't figure out what the proper syntax is to match on first few characters and domain.
05-03-2013 04:43 PM
Regardless of the Ends With operator, your filter may focus on the domain name xyz.com instead of the entire FQDN.
Regular expression patterns vary among different platforms. Writing a perfect and precise regex is a tricky method that can't be discussed at a forum.
But the best way out is you try these online editors:
You may also search for Regular Expressions Editor / Tester
05-17-2013 08:59 AM
Hello Brian,
The upcoming ISE 1.2, which is to be released soon, has the additional operators "Starts With" and "Ends With" that will be useful.
For DHCP host-name you can use Starts With
and
For domain name Ends With
05-17-2013 09:20 AM
Thanks Ashok. Until 1.2 gets released, we will use the CONTAINS operator as we discussed over the phone earlier this week. Thanks for your assistance.
05-17-2013 12:58 PM
Hi Brian,
Just wanted to add what all you discussed so far;
A new defect has been filed on the same topic
CSCug82199 Profiler Conditions Using REGEX as Attribute Value Don't Work Correctly
Symptom: Profiling condition does not match a REGEX configured in the Attribute Value text box when set to EQUAL the contents
Conditions: REGEX configured with a wildcard portion in the middle fail to be profiled.
Workaround: Use a simple text value in the Attribute Value Box matched with the CONTAINS operator.
Jatin Katyal
- Do rate helpful posts -
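The posted pattern, an anchored alternative, and the plain-text operators from this thread can be compared offline. This is an added example, not code from any poster or from Cisco; it uses Python's `re` rather than the ISE profiler, and the corrected pattern, helper names and sample hostnames are constructed assumptions.

```python
import re

# Pattern as posted in the thread. "(abcd)*" means "zero or more repeats of
# the literal abcd"; nothing in it consumes the "-machinename" part.
POSTED = r"^(abcd)*(\.xyz\.com)$"
# Assumed correction: literal prefix, one DNS label for the machine name,
# literal domain, anchored at both ends.
ANCHORED = r"^abcd-[a-z0-9-]+\.xyz\.com$"

def regex_match(pattern, fqdn):
    """True if the pattern matches the lower-cased FQDN."""
    return re.search(pattern, fqdn.lower()) is not None

def contains_both(fqdn, prefix="abcd-", domain=".xyz.com"):
    """Two unanchored plain-text CONTAINS tests, ANDed (assumed workaround shape)."""
    f = fqdn.lower()
    return prefix in f and domain in f

def starts_ends(fqdn, prefix="abcd-", domain=".xyz.com"):
    """Model of Starts With / Ends With, applied here to the whole FQDN."""
    f = fqdn.lower()
    return f.startswith(prefix) and f.endswith(domain)

# Constructed sample FQDNs, not taken from any real environment.
SAMPLES = [
    "abcd-ws0142.xyz.com",              # intended match
    "ABCD-LT7.xyz.com",                 # intended match, upper case
    "printer-3.xyz.com",                # wrong prefix
    "abcd-ws0142.xyz.com.lab.example",  # domain is not the suffix
    "kiosk-abcd-1.xyz.com",             # prefix is not at the start
]

def evaluate(samples=SAMPLES):
    """Return, per FQDN, which of the four conditions would match."""
    return {
        s: {
            "posted": regex_match(POSTED, s),
            "anchored": regex_match(ANCHORED, s),
            "contains": contains_both(s),
            "starts_ends": starts_ends(s),
        }
        for s in samples
    }

if __name__ == "__main__":
    for fqdn, result in evaluate().items():
        print(f"{fqdn:34} {result}")
```

The unanchored CONTAINS conditions accept the last two sample names, which the anchored pattern and the Starts With / Ends With pair reject, so a profile built on CONTAINS is broader than the naming convention it is meant to identify.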
05-17-2013 11:20 PM
Hello Jatin,
At the time of writing this message, the bug detail page is not accessible. Please confirm the URL.
And I wanted to share my views on the operators' use:
Although ISE does not seem to be functioning in this way, logically the EQUALS, GREATER THAN, LESS THAN operators (should) call for mathematical evaluation of the expression, whereas textual operations, comparison, analysis etc. would require the following operators:
MATCHES
STARTS WITH
ENDS WITH
CONTAINS
DOESNT CONTAIN
etc.
I have also noticed that in earlier ISE versions, FQDN was displayed in hex form with 4 hex digits (3 leading zeros) followed by the FQDN name. I shall try to check the raw FQDN value returned in AV pairs. This may be the reason for the failure of the EQUALS operator.