create acs 5.8 regular expression for command sets

Eric R. Jones
Level 4

Hello, I'm struggling with some regex issues on my ACS command sets.

I can of course block access to various commands and had blocked access to various interfaces; however, I'm unable to block access to our trunk interfaces while allowing access to our edge interfaces.

Using:

deny int* g1/1/1

deny int* g1/1/2

worked to keep low level admins out of those interfaces while allowing them access to:

g1/0/1, g1/0/2 etc...

I handled interface commands normally:

deny switchport 

Now I need to deny access to those very same interfaces, g1/1/1, g1/1/2 etc.,

while allowing access to g1/0/1 - 24, g1/0/1 - 48 and also for stacks.

I worked up a regex that I created from findings Googling around.

permit int* g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$

should this be

permit int* g*([1-4/])0\/1[0-8]|2[0-8]|3[0-8]|4[0-8])$

Our switches are 24 and 48 porters.

So the stacks would range 1/0/1 - 24 or 48 and 2/0/1 - 24 or 48 etc., up to 4 stacks.

The second value should always be a zero.

1 Accepted Solution

kthiruve
Cisco Employee

Do not use the * operator for everything. It is 0 or more occurrences.

There are a few pointers in the community on regular expressions. Please look at those:

https://community.cisco.com/t5/security-documents/acs-command-sets-arguments-regexp-interface-range/ta-p/3126213

 

https://community.cisco.com/t5/policy-and-access/need-help-in-creating-a-regex-in-acs-5-8/td-p/3221315

I have some examples of regular expression in the ISE device admin prescriptive guide. You can look at that as well.

 

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

 

-Krishnan

4 Replies

balaji.bandi
Hall of Fame

If you are looking to deny with a regex, you can do it the same way as the permit; this time we change 0 to 1:

 

Deny interf.*\sgig.*[1]\/2\/[1-2]

 

good regex tool

 

https://regex101.com/

BB


Hi, I created this command set, permit int* g*^([1-4][\/][0][\/][1-4])$, and ran it through regex 101.

It gave me a Full match in the Match Information section on 1/0/1 and other interfaces using 1/0/? format.

It fails on g1/1/? format which is what I want.

However, I'm still not able to access the interface.

I modified the one you sent, .*\sgig.*[1-4]\/[1-4]\/[1-2], and no joy.

They pass regex 101, thanks for that link btw.

 

ej


I tested this one in the regex 101 tester: ^([1-4]\/[1-4]\/[1-4])$.

It worked and the group that reappeared shows all 3 sections.

Hopefully this will work following the g* to signify gigabitethernet.

So in my mind the rule should read:

Grant    command    attribute
deny     int*       g^([1-4]\/[1-4]\/[1-4])$

So when the user enters:

config t

int g1/1/1 

They should see a reply that this command is not authorized.

 

ej 
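As an added check that is not part of the thread, the script below runs two of the patterns posted above (the permit attempt and the final deny attribute) plus two hypothetical anchored patterns against constructed interface arguments using Python's re module. It assumes the ACS argument matcher treats `*` and `^` like a standard regex engine; confirm the outcome on the appliance before relying on it.

```python
import re

# Constructed sample arguments as typed after "interface" (not from the thread).
EDGE_PORTS = ["g1/0/1", "g1/0/24", "g2/0/48", "g4/0/13", "gigabitethernet1/0/1"]
TRUNK_PORTS = ["g1/1/1", "g1/1/2", "g2/1/1", "g4/1/4"]
OTHER_PORTS = ["g5/0/1", "te1/0/1"]  # outside the 1-4 stack range, or not gig

PATTERNS = {
    # Permit attempt from the thread: every '*' means "zero or more", so 'g*'
    # and '([1-4/])*' may match nothing and the front of the argument is open.
    "thread_permit": r"g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$",
    # Final deny attribute from the thread: '^' placed after a literal 'g'
    # asserts start-of-string once a character is already consumed, so in a
    # standard engine it never matches and the deny rule would never fire.
    "thread_deny": r"g^([1-4]\/[1-4]\/[1-4])$",
    # Hypothetical anchored forms (assumed, not from the thread): stack 1-4,
    # module 0 = edge ports 1-48, module 1 = uplink ports 1-4.
    "edge_permit": r"^(?:g|gigabitethernet)[1-4]/0/([1-9]|[1-3][0-9]|4[0-8])$",
    "trunk_deny": r"^(?:g|gigabitethernet)[1-4]/1/[1-4]$",
}


def matched(pattern, args):
    """Return the arguments the pattern matches using unanchored search
    semantics; anchors written into the pattern still apply."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [a for a in args if rx.search(a)]


def evaluate(name):
    """Return (edge, trunk, other) counts of matched arguments for a pattern."""
    p = PATTERNS[name]
    return (len(matched(p, EDGE_PORTS)),
            len(matched(p, TRUNK_PORTS)),
            len(matched(p, OTHER_PORTS)))


if __name__ == "__main__":
    for name in PATTERNS:
        edge, trunk, other = evaluate(name)
        print(f"{name:14s} edge={edge}/{len(EDGE_PORTS)} "
              f"trunk={trunk}/{len(TRUNK_PORTS)} other={other}/{len(OTHER_PORTS)}")
```

A permit pattern that also matches "g5/0/1" and "te1/0/1" is looser than intended, and a deny pattern that matches nothing gives no protection at all, so count the misses as well as the hits.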
