[c-nsp] CISCO ACS 4.2 command pattern matching

M Usman Ashraf musmanashraf at gmail.com
Sun Apr 5 13:59:02 EDT 2009


Hi List,

I have been testing pattern matching with ACS shell command auth sets and it
doesn't seem to work like the ACS documentation says.

Quote from the Cisco ACS user guide:

For permit or deny command arguments, ACS applies pattern matching. That
is, the argument permit wid matches any argument that contains the string
wid. Thus, for example, permit wid would allow not only the argument wid but
also the arguments anywid and widget.

To limit the extent of pattern matching you can add the following
expressions:

• Dollarsign ($)

—Expresses that the argument must end with what has gone before. Thus
permit wid$ would match wid or anywid, but not widget.

• Caret (^)

—Expresses that the argument must begin with what follows. Thus permit ^wid
would match wid or widget, but not anywid. You can combine these expressions
to specify absolute matching. In the example given, you would use permit
^wid$ to ensure that only wid was permitted, and not anywid or widget.

To permit or deny commands that carry no arguments, you can use absolute
matching to specify the null argument condition. For example, you use permit
^$ to permit a command with no arguments. Alternatively, entering permit
<cr> has the same effect. You can use either method, with the Permit
Unmatched Args option unchecked, to match and, therefore, permit or deny
commands that have no argument.

----------------------------------------------------------------------------------------
So from this I take it that if I want to deny configuration of certain
interfaces, say Loopback0, while allowing configuration of Loopback99, I
would permit "interface" with the sub-command argument permit ^Loopback99$,
with unmatched commands set to "deny" and "Permit Unmatched Args" unchecked.

I thought that would allow the command "interface Loopback99", but actually
the "interface Loopback99" command fails authorization. On the other hand, if
I permit ^Loopback only, all loopbacks get permitted. It seems like the
"^" pattern matching works but the "$" doesn't. Does anyone have any
experience with pattern matching who can help me out?

--

Regards,

M Usman Ashraf
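Added example, not part of the original post and not ACS code: a Python model of the argument-matching rules the quoted ACS 4.2 user guide text describes (substring match by default, ^ and $ as start/end anchors, <cr> as the null-argument form, first matching rule wins, then the "Permit Unmatched Args" and unmatched-commands settings). The command set mirrors the post's setup (deny Loopback0, permit Loopback99, unmatched arguments and commands denied) and is constructed for illustration, as are the sample command lines. It gives the decision the documented semantics should produce for each line, which is what you need for the expected-result column when testing a command authorization set against a live server; per the post, the live ACS did not behave this way for the $ anchor, so the model describes the documentation, not the observed product. All function and variable names are my own.

```python
import re
from typing import Dict, List, Tuple

# Added example (not ACS code): a model of the argument-matching rules the
# ACS 4.2 user guide text quoted in the post describes. The rule set, the
# command lines and the outcomes below are constructed for illustration.

ArgRule = Tuple[str, str]  # (action, pattern), e.g. ("permit", "^Loopback99$")


def acs_arg_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one documented ACS argument pattern into a compiled regex.

    Documented rules: a bare string matches any argument that contains it;
    a leading '^' anchors the match to the start of the argument; a trailing
    '$' anchors it to the end; '<cr>' is equivalent to '^$' (no argument).
    Everything else is treated as literal text, not as regex syntax.
    """
    if pattern == "<cr>":
        pattern = "^$"
    anchored_start = pattern.startswith("^")
    anchored_end = pattern.endswith("$")
    core = pattern[1:] if anchored_start else pattern
    core = core[:-1] if anchored_end else core
    regex = re.escape(core)
    if anchored_start:
        regex = "^" + regex
    if anchored_end:
        regex = regex + "$"
    return re.compile(regex)


def matches(pattern: str, argument: str) -> bool:
    """True if the ACS-style pattern matches the argument string."""
    return acs_arg_pattern_to_regex(pattern).search(argument) is not None


def argument_decision(argument: str, arg_rules: List[ArgRule],
                      permit_unmatched_args: bool) -> str:
    """First matching permit/deny rule wins; otherwise 'Permit Unmatched Args' decides."""
    for action, pattern in arg_rules:
        if matches(pattern, argument):
            return action
    return "permit" if permit_unmatched_args else "deny"


def authorize(command_line: str, command_set: Dict[str, dict],
              unmatched_commands: str = "deny") -> str:
    """Decide 'permit' or 'deny' for a full command line against a command set.

    The command set maps the first word of the command to its argument rules
    and its 'Permit Unmatched Args' setting; commands absent from the set get
    the unmatched-commands default (the post uses "deny").
    """
    parts = command_line.strip().split(maxsplit=1)
    if not parts:
        return unmatched_commands
    command = parts[0]
    argument = parts[1] if len(parts) > 1 else ""
    entry = command_set.get(command)
    if entry is None:
        return unmatched_commands
    return argument_decision(argument, entry["args"], entry["permit_unmatched_args"])


# Constructed command set mirroring the post: deny Loopback0, permit Loopback99,
# unmatched arguments denied, unmatched commands denied (authorize() default).
LOOPBACK_COMMAND_SET: Dict[str, dict] = {
    "interface": {
        "args": [("deny", "^Loopback0$"), ("permit", "^Loopback99$")],
        "permit_unmatched_args": False,
    },
    "show": {
        # Bare "show" only, via the documented null-argument form.
        "args": [("permit", "<cr>")],
        "permit_unmatched_args": False,
    },
}

if __name__ == "__main__":
    for line in ("interface Loopback99", "interface Loopback0",
                 "interface Loopback990", "show", "show running-config"):
        print(f"{line!r}: {authorize(line, LOOPBACK_COMMAND_SET)}")
```

Under the documented rules, "interface Loopback99" is permitted, "interface Loopback0" and "interface Loopback990" are denied, and the bare "show" is permitted while "show running-config" is not. Comparing this expected column against what the server actually returns is the quickest way to isolate which anchor the product is ignoring.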

