Solved: ISE profiling - match on endpoint FQDN

Brian Schultz · ‎05-03-2013

I'm trying to come up with a profiling condition to match on FQDN. In this particular example, all corporate workstations have the following common FQDN:

abcd-machinename.xyz.com

I would like to match on everything except the machinename which can be a wildcard. The profiling condition I've attempted to configure is

IP:FQDN CONTAINS ^(abcd)*(\.xyz\.com)$

I never get any matches on this or any variation that I've tried. When I look at the Endpoint in Identity, I do see the full FQDN as an attribute.

Can anyone help me with the correct syntax to match a FQDN in this manner?

Thanks,

Brian

askhuran · ‎05-17-2013

Hello Brian,

Upcoming ISE 1.2 which is to be released soon, has the additional operators "Starts With" & "Ends With" operators that will be useful,

For DHCP host-name you can use Starts With

and

For domain name Ends With

View solution in original post

askhuran · ‎05-03-2013

I think you should use "Ends with" operator against the domain name "xyz.com" instead of using "contains" operator against entire FQDN

For more detail, the following link may be helpful:

Creating a New Authorization Policy

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html#wp1082656

In the above link, review the Note:The "Matches" operator supports and uses regular expressions (REGEX) not wildcards.

From my understanding, regular expressions can't be used against all operators

Brian Schultz · ‎05-03-2013

"Ends with" does not appear to be an operator. My choices are EQUALS, NOTEQUALS, GREATERTHAN, LESSTHAN or CONTAINS. I will most likely need to use the EQUALS operator to match on my regular expression, but can't figure out what the proper syntax is to match on first few characters and domain.

askhuran · ‎05-03-2013

Regardless of Ends With operator, your filter may focus on the domain name xyz.com instead of entire FQDN.

Regular expressions pattern varies among different platforms. Writing perfect and precise regex is a tricky method that can't be discussed at forum.

But the best way out is you try these online editors:

http://gskinner.com/RegExr/

http://myregexp.com/

http://www.regexplanet.com/

You may also search for Regular Expressions Editor / Tester

askhuran · ‎05-17-2013

Hello Brian,

Upcoming ISE 1.2 which is to be released soon, has the additional operators "Starts With" & "Ends With" operators that will be useful,

For DHCP host-name you can use Starts With

and

For domain name Ends With

Brian Schultz · ‎05-17-2013

Thanks Ashok. Until 1.2 gets released, we will use the CONTAINS operator as we discussed over the phone earlier this week. Thanks for your assistance.

Jatin Katyal · ‎05-17-2013

Hi Brian,

Just wanted to add what all you discussed so far;

A new defect has bee filed on the same topic

CSCug82199 Profiler Conditions Using REGEX as Attribute Value Don't Work Correctly

Symptom: Profiling condition does not match a REGEX configured in the Attribute Value text box when set to EQUAL the contents

Conditions: REGEX configured with a wildcard portion in the middle fail the be profiled.

Workaround: Use a simple text value in the Attribute Value Box matched with the CONTAINS operator.

Jatin Katyal
- Do rate helpful posts -

~Jatin

askhuran · ‎05-17-2013

Hello Jatin,

At the time of writing this message, the bug detail page is not accessible. Please confirm the URL

And I wanted to share my views on the operators' use:

Although, ISE does not seem to be functioning in this way but logically EQUALS, GREATER THAN, LESS THAN operators (should) call for mathematical evaluation of the expression, whereas the textual operation, comparison, analysis etc. would require the following operators:

MATCHES

STARTS WITH

ENDS WITH

CONTAINS

DOESNT CONTAIN

etc.

I have also noticed that in earlier ISE versions, FQDN was displayed in hex form with 4 hex digits (3 leading zeros) followed by FQDN name. I shall try to check the raw FQDN value returned in AV pairs. This may be the reason of failure of EQUALS operator