03-24-2023 09:57 AM
I'm trying to set up an authorization policy that matches on the PC name for certain devices and I can't seem to figure out the syntax properly. The computer names I'm trying to match on would be PC01Client .. PC999Client
So the regex I have tried is:
Any ideas? This is driving me a little crazy.
03-24-2023 12:04 PM
Hi,
Wouldn't it be easier to group those PCs in an AD group and map that group in an authorization policy instead?
Just my 2 cents.
BR,
Octavian
03-24-2023 12:36 PM
The AD group could be an option; I've tried that initially and it was trying to match the user instead of the computer to the group. Secondly, we would have to make sure that group stays updated when new computers are deployed, so the regex would leave less administrative overhead in the long term.
On the group, when doing the rewrite I couldn't get it to match only on computer names, so it was adding host/ to usernames for TACACS/Wireless RADIUS and breaking the rest of the authorization policies.
03-25-2023 05:31 AM
Hi,
It cannot match the user for an AD machine group. Still, it's normal to try to match a request to a condition, that is, to check if X identity (user or machine) belongs to groups Y Z.
Regarding the username, it's absolutely normal for a machine identity to have host/ prepended. After all, this is how you know it is a machine identity and not a user identity.
You know the details, but this is the easiest option. Each time a new machine is deployed, its group membership is only one click away.
BR,
Octavian
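The host/ prefix described in the reply above, combined with the PC01Client .. PC999Client naming from the question, as an added Python sketch that is not from any participant in the thread and is not ISE condition syntax. It assumes numbers are zero-padded to two digits, an optional DNS suffix, and case-insensitive names; the function names and sample identities are constructed for illustration.

```python
import re

# Assumptions (not stated in the thread): valid numbers are 01-999, zero-padded
# to two digits; machine identities arrive as "host/<name>" with an optional
# DNS suffix; hostnames compare case-insensitively.
STRICT_RE = re.compile(
    r"host/PC(?:0[1-9]|[1-9]\d{1,2})Client(?:\.[A-Za-z0-9-]+)*",
    re.IGNORECASE,
)

# A loose, unanchored pattern of the kind that is easy to write by accident.
LOOSE_RE = re.compile(r"PC\d+Client", re.IGNORECASE)


def classify(identity: str) -> str:
    """Return 'client-pc', 'other-machine' or 'user' for a RADIUS identity."""
    if not identity.lower().startswith("host/"):
        return "user"  # no host/ prefix: treat as a user identity
    # fullmatch anchors both ends, so extra leading or trailing text fails.
    return "client-pc" if STRICT_RE.fullmatch(identity) else "other-machine"


def loose_matches(identity: str) -> bool:
    """Show what an unanchored substring match would accept."""
    return LOOSE_RE.search(identity) is not None


if __name__ == "__main__":
    # Constructed sample identities, not taken from the thread.
    samples = [
        "host/PC01Client",
        "host/pc999client.corp.example",
        "host/PC1000Client",
        "host/XPC01Client-lab",
        "jsmith-PC01Client",
    ]
    for s in samples:
        print(f"{s:32} strict={classify(s):14} loose={loose_matches(s)}")
```

The last three samples are accepted by the loose pattern but rejected by the anchored one, which is the difference that matters when the match result drives an authorization rule.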