Enthusiast

ISE profiling - match on endpoint FQDN

I'm trying to come up with a profiling condition to match on FQDN. In this particular example, all corporate workstations have the following common FQDN:

abcd-machinename.xyz.com

I would like to match on everything except the machinename, which can be a wildcard. The profiling condition I've attempted to configure is

IP:FQDN CONTAINS ^(abcd)*(\.xyz\.com)$

I never get any matches on this or any variation that I've tried. When I look at the Endpoint in Identity, I do see the full FQDN as an attribute.

Can anyone help me with the correct syntax to match a FQDN in this manner?

Thanks,

Brian

Accepted Solution
Beginner

ISE profiling - match on endpoint FQDN

Hello Brian,

Upcoming ISE 1.2, which is to be released soon, has the additional "Starts With" & "Ends With" operators, which will be useful:

For the DHCP host-name you can use Starts With,

and

for the domain name, Ends With.


7 Replies
Beginner

ISE profiling - match on endpoint FQDN

I think you should use the "Ends with" operator against the domain name "xyz.com" instead of using the "contains" operator against the entire FQDN.

For more detail, the following link may be helpful:

Creating a New Authorization Policy

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html#wp1082656

In the above link, review the Note: The "Matches" operator supports and uses regular expressions (REGEX), not wildcards.

From my understanding, regular expressions can't be used with all operators.

Enthusiast

ISE profiling - match on endpoint FQDN

"Ends with" does not appear to be an operator. My choices are EQUALS, NOTEQUALS, GREATERTHAN, LESSTHAN or CONTAINS. I will most likely need to use the EQUALS operator to match on my regular expression, but can't figure out what the proper syntax is to match on the first few characters and the domain.

Beginner

ISE profiling - match on endpoint FQDN

Regardless of the Ends With operator, your filter may focus on the domain name xyz.com instead of the entire FQDN.

Regular expression patterns vary among different platforms. Writing a perfect and precise regex is a tricky method that can't be discussed on a forum.

But the best way out is to try these online editors:

http://gskinner.com/RegExr/

http://myregexp.com/

http://www.regexplanet.com/

You may also search for "Regular Expressions Editor / Tester".

Enthusiast

ISE profiling - match on endpoint FQDN

Thanks Ashok. Until 1.2 gets released, we will use the CONTAINS operator as we discussed over the phone earlier this week. Thanks for your assistance.

Cisco Employee

ISE profiling - match on endpoint FQDN

Hi Brian,

Just wanted to add to what you all discussed so far:

A new defect has been filed on the same topic:

CSCug82199 - Profiler Conditions Using REGEX as Attribute Value Don't Work Correctly

Symptom: Profiling condition does not match a REGEX configured in the Attribute Value text box when set to EQUAL the contents.

Conditions: REGEX configured with a wildcard portion in the middle fails to be profiled.

Workaround: Use a simple text value in the Attribute Value box matched with the CONTAINS operator.

Jatin Katyal
- Do rate helpful posts -
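The thread's condition operators, exercised against the FQDN pattern from the original question (abcd-machinename.xyz.com), as an added example that is not part of any post here and not ISE's own code. It emulates the operators as the replies describe them, uses Python's re dialect (ISE's engine may differ, as one reply notes), and the corrected pattern and sample FQDNs are constructed for illustration.

```python
import re

# Constructed sample FQDNs following the thread's abcd-<machinename>.xyz.com
# convention; none of these are real hosts.
SAMPLE_FQDNS = [
    "abcd-machinename.xyz.com",   # corporate workstation: should match
    "abcd-lab042.xyz.com",        # another workstation: should match
    "printer01.xyz.com",          # same domain, wrong prefix: should not match
    "abcd-host.xyz.com.example",  # contains "xyz.com" but is a different domain
]

# The original poster's attempt, copied from the thread. The "*" quantifier
# binds to the group "(abcd)", so the pattern only allows repeats of "abcd"
# immediately followed by ".xyz.com"; there is no room for "-machinename".
ORIGINAL_REGEX = r"^(abcd)*(\.xyz\.com)$"

# Hypothetical corrected pattern (an assumption, not from the thread): fixed
# prefix, any dot-free machine name, fixed domain, anchored at both ends.
ANCHORED_REGEX = r"^abcd-[^.]+\.xyz\.com$"


def evaluate(operator, value, fqdn):
    """Emulate one profiling-condition operator as the thread describes them.

    Hypothetical emulation for illustration only; EQUALS compares the value as
    literal text, which is consistent with the reported defect symptom.
    """
    if operator == "EQUALS":
        return fqdn == value
    if operator == "CONTAINS":
        return value in fqdn
    if operator == "STARTS WITH":
        return fqdn.startswith(value)
    if operator == "ENDS WITH":
        return fqdn.endswith(value)
    if operator == "MATCHES":
        return re.fullmatch(value, fqdn) is not None
    raise ValueError(f"unknown operator: {operator}")


def matching_fqdns(operator, value, fqdns=SAMPLE_FQDNS):
    """Return the sample FQDNs that satisfy the condition, in input order."""
    return [f for f in fqdns if evaluate(operator, value, f)]


if __name__ == "__main__":
    for op, val in [("MATCHES", ORIGINAL_REGEX), ("MATCHES", ANCHORED_REGEX),
                    ("CONTAINS", "xyz.com"), ("ENDS WITH", ".xyz.com")]:
        print(f"{op:10} {val!r:32} -> {matching_fqdns(op, val)}")
```

Note that the CONTAINS workaround also matches the look-alike domain in the sample set, so endpoints profiled by a plain substring condition deserve a review before the resulting profile drives authorization policy.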
Beginner

Re: ISE profiling - match on endpoint FQDN

Hello Jatin,

At the time of writing this message, the bug detail page is not accessible. Please confirm the URL.

And I wanted to share my views on the operators' use:

Although ISE does not seem to be functioning in this way, logically the EQUALS, GREATER THAN and LESS THAN operators (should) call for mathematical evaluation of the expression, whereas textual operations, comparison, analysis etc. would require the following operators:

MATCHES

STARTS WITH

ENDS WITH

CONTAINS

DOESNT CONTAIN

etc.

I have also noticed that in earlier ISE versions, the FQDN was displayed in hex form with 4 hex digits (3 leading zeros) followed by the FQDN name. I shall try to check the raw FQDN value returned in the AV pairs. This may be the reason for the failure of the EQUALS operator.