Beginner

create acs 5.8 regular expression for command sets

Hello, I'm struggling with some regex issues on my ACS command sets.

I can of course block access to various commands and had blocked access to various interfaces; however, I'm unable to block access to our trunk interfaces while allowing access to our edge interfaces.

Using:

deny int* g1/1/1

deny int* g1/1/2

worked to keep low level admins out of those interfaces while allowing them access to:

g1/0/1, g1/0/2 etc...

I handled interface commands normally:

deny switchport 

Now I need to deny access to those very same interfaces, g1/1/1, g1/1/2 etc.

while allowing access to g1/0/1 - 24, g1/0/1 - 48 and also for stacks.

I worked up a regex that I created from findings while Googling around.

permit int* g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$

should this be

permit int* g*([1-4/])0\/1[0-8]|2[0-8]|3[0-8]|4[0-8])$

Our switches are 24 and 48 porters.

So the stacks would range 1/0/1 - 24 or 48 and 2/0/1 - 24 or 48 etc. up to 4 stacks.

The second value should always be a zero.

 

Accepted Solutions
Cisco Employee

Re: create acs 5.8 regular expression for command sets

Do not use the * operator for everything. It means 0 or more occurrences.

There are a few pointers in the community on regular expressions. Please look at those.

https://community.cisco.com/t5/security-documents/acs-command-sets-arguments-regexp-interface-range/ta-p/3126213

 

https://community.cisco.com/t5/policy-and-access/need-help-in-creating-a-regex-in-acs-5-8/td-p/3221315

I have some examples of regular expressions in the ISE device admin prescriptive guide. You can look at that as well.

 

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

 

-Krishnan

 

 

VIP Advisor

Re: create acs 5.8 regular expression for command sets

If you're looking to deny via regex, you can do it the same way as permit; this time we change 0 to 1.

 

Deny interf.*\sgig.*[1]\/2\/[1-2]

 

A good regex tool:

 

https://regex101.com/

BB
*** Rate All Helpful Responses ***
Beginner

Re: create acs 5.8 regular expression for command sets

Hi, I created this command set, permit int* g*^([1-4][\/][0][\/][1-4])$, and ran it through regex 101.

It gave me a Full match in the Match Information section on 1/0/1 and other interfaces using 1/0/? format.

It fails on g1/1/? format which is what I want.

However, I'm still not able to access the interface.

I modified the one you sent, .*\sgig.*[1-4]\/[1-4]\/[1-2], and no joy.

They pass regex 101, thanks for that link btw.

 

ej

 

Beginner

Re: create acs 5.8 regular expression for command sets

I tested this one in the regex 101 tester ^([1-4]\/[1-4]\/[1-4])$.

It worked and the group that reappeared shows all 3 sections.

Hopefully this will work following the g* to signify gigabitethernet.

So in my mind the rule should read:

Grant    Command    Attribute

deny     int*       g^([1-4]\/[1-4]\/[1-4])$

So when the user enters:

config t

int g1/1/1 

They should see a reply that this command is not authorized.

 

ej
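As an added example (not code from this thread, from Cisco, or from ACS itself), the Python script below runs the patterns quoted in the question and in the last reply against a constructed list of interface arguments, using Python's re module as a stand-in for whatever engine ACS applies to command-set arguments. It checks three things a practitioner would want to verify before trusting a command set: that the pattern compiles at all (the question's second pattern has a stray closing parenthesis), that a leading g* does not actually require the g, and which edge ports the first pattern leaves unmatched because its port alternation skips single digits 5 to 9. It also shows that a ^ placed after the g, as in the last reply's rule, can never match. The corrected patterns, the interface-name abbreviations, and the deny-before-permit rule order are assumptions for the example, not ACS behaviour stated in the thread.

```python
import re

# Constructed interface arguments, as an admin might type them after "interface".
# Not taken from the thread.
SAMPLE_INTERFACES = [
    "g1/0/1", "g1/0/5", "g1/0/24", "g2/0/48", "g3/0/7", "Gi4/0/48",  # edge ports
    "g1/1/1", "g1/1/2", "g2/1/4",                                    # uplink (trunk) ports
    "g1/0/0", "g1/0/49", "g5/0/1", "1/0/1",                          # out of range / malformed
]

# Patterns copied from the thread, evaluated with Python's re module (a stand-in
# for the ACS matcher; how ACS anchors argument regexes is not stated in the thread).
OP_FIRST = r"g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$"
OP_SECOND = r"g*([1-4/])0\/1[0-8]|2[0-8]|3[0-8]|4[0-8])$"   # stray ')' as in the original
LAST_REPLY = r"g^([1-4]\/[1-4]\/[1-4])$"                      # '^' placed after the 'g'

# Assumed corrected patterns: every token required, anchored at both ends, and a
# port alternation that covers 1-48 with no gaps. The abbreviation list is assumed.
IFNAME = r"(?:g|gi|gig|gigabitethernet)"
PORT_1_TO_48 = r"(?:[1-9]|[1-3][0-9]|4[0-8])"
PERMIT_EDGE = re.compile(rf"^{IFNAME}[1-4]/0/{PORT_1_TO_48}$", re.IGNORECASE)
DENY_UPLINK = re.compile(rf"^{IFNAME}[1-4]/1/[1-4]$", re.IGNORECASE)


def compiles(pattern: str) -> bool:
    """True if the pattern is syntactically valid for the re engine."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def matches(pattern: str, text: str) -> bool:
    """Unanchored search, so only the pattern's own ^ and $ decide anchoring."""
    return re.search(pattern, text) is not None


def unpermitted_edge_ports(interfaces=SAMPLE_INTERFACES):
    """Edge ports the question's first pattern leaves unmatched (ports 5-9)."""
    return [i for i in interfaces
            if PERMIT_EDGE.search(i) and not matches(OP_FIRST, i)]


def never_matching(pattern: str, interfaces=SAMPLE_INTERFACES) -> bool:
    """True if the pattern matches none of the sample arguments."""
    return not any(matches(pattern, i) for i in interfaces)


def decide(interface: str) -> str:
    """Assumed first-match rule order: deny uplinks first, then permit edge ports."""
    if DENY_UPLINK.search(interface):
        return "deny"
    if PERMIT_EDGE.search(interface):
        return "permit"
    return "unmatched"


if __name__ == "__main__":
    print("second pattern compiles:", compiles(OP_SECOND))                 # False
    print("first pattern accepts '1/0/1' with no 'g':", matches(OP_FIRST, "1/0/1"))  # True
    print("edge ports the first pattern misses:", unpermitted_edge_ports())  # ['g1/0/5', 'g3/0/7']
    print("last reply's pattern matches anything:", not never_matching(LAST_REPLY))  # False
    for name in SAMPLE_INTERFACES:
        print(f"{name:<12} {decide(name)}")
```

Run it with a list of the interface names your admins actually type; the point is to catch silent gaps such as g1/0/5 being neither permitted nor denied, and to keep the ^ anchor at the very start of the argument pattern rather than after the interface prefix.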