cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
519
Views
0
Helpful
4
Replies
Beginner

create acs 5.8 regular expression for command sets

Hello, I'm struggling with some regex issues on my ACS command sets.

I can of course block access to various commands and had blocked access to various interfaces; however, I'm unable to block access to our trunk interfaces while allowing access to our edge interfaces.

Using:

deny int* g1/1/1

deny int* g1/1/2

worked to keep low level admins out of those interfaces while allowing them access to:

g1/0/1, g1/0/2 etc...

I handled interface commands normally:

deny switchport 

Now I need to deny access to those very same interfaces, g1/1/1, g1/1/2 etc..

while allowing access go g1/0/1 - 24, g1/0/1 - 48 and also for stacks.

I worked up a regex that I created from findings Googling around.

permit int* g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$

should this be

permit int* g*([1-4/])0\/1[0-8]|2[0-8]|3[0-8]|4[0-8])$

Our switches are 24 and 48 porters.

So the stacks would range 1/0/1 - 24 or 48 and 2/0/1 - 24 or 48 etc.. up to 4 stacks.

The second value should always be a zero.

 

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: create acs 5.8 regular expression for command sets

Do not use * operator for everything. It is 0 or more occurance.

There are a few pointers in the community on regular expresssions. Please look at those

https://community.cisco.com/t5/security-documents/acs-command-sets-arguments-regexp-interface-range/ta-p/3126213

 

https://community.cisco.com/t5/policy-and-access/need-help-in-creating-a-regex-in-acs-5-8/td-p/3221315

I have some examples of regular expression in the ISE device admin prescriptive guide. You can look at that as well.

 

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

 

-Krishnan

 

 

View solution in original post

4 REPLIES 4
VIP Advisor

Re: create acs 5.8 regular expression for command sets

if you looking to deny regex you can do same way as permit this time we change 0 to 1

 

Deny interf.*\sgig.*[1]\/2\/[1-2]

 

good regex tool

 

https://regex101.com/

BB
*** Rate All Helpful Responses ***
Beginner

Re: create acs 5.8 regular expression for command sets

Hi, I created this command set, permit int* g*^([1-4][\/][0][\/][1-4])$, and ran it through regex 101.

It gave me a Full match in the Match Information section on 1/0/1 and other interfaces using 1/0/? format.

It fails on g1/1/? format which is what I want.

However, I'm still not able to access the interface.

I modified the one you sent, .*\sgig.*[1-4]\/[1-4]\/[1-2], and no joy.

They pass regex 101, thanks for that link btw.

 

ej

 

Highlighted
Cisco Employee

Re: create acs 5.8 regular expression for command sets

Do not use * operator for everything. It is 0 or more occurance.

There are a few pointers in the community on regular expresssions. Please look at those

https://community.cisco.com/t5/security-documents/acs-command-sets-arguments-regexp-interface-range/ta-p/3126213

 

https://community.cisco.com/t5/policy-and-access/need-help-in-creating-a-regex-in-acs-5-8/td-p/3221315

I have some examples of regular expression in the ISE device admin prescriptive guide. You can look at that as well.

 

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

 

-Krishnan

 

 

View solution in original post

Beginner

Re: create acs 5.8 regular expression for command sets

I tested this one in  the regex 101 tester ^([1-4]\/[1-4]\/[1-4])$.

It worked and the group that reappeared shows all 3 sections.

Hopefully this will work following the g* to signify gigabitethernet.

So in my mind the rule should read.

Grant                command                            attribute

deny                 int*                                      g^([1-4]\/[1-4]\/[1-4])$

So when the user enters:

config t

int g1/1/1 

They should see a reply that this command is not authorized.

 

ej