[c-nsp] CISCO ACS 4.2 command pattern matching

Peter Rathlev peter at rathlev.dk
Sun Apr 5 15:40:09 EDT 2009


On Sun, 2009-04-05 at 22:59 +0500, M Usman Ashraf wrote:
> So from this I take that if I want to deny configuration of certain
> interfaces say Loopback0, while allowing configuration of Loopback99,
> I will permit "interface", with the sub-command arguments:
> permit*^Loopback99$*,  unmatched commands are "deny" and "Permit
> Unmatched Args" is unchecked.
> 
> Thinking that would allow the command interface Loopback99 but
> actually the "interface Loopback99" commands, fails authorization. On
> the other side, if I permit *^Loopback* only, all loopbacks get
> permitted. It seems like the "^" pattern matching works but the "$"
> doesn't. Anyone have any experience with pattern matching that can
> help me out?

Your TACACS+ log should tell you the reason, even the ACS must have
one. ;-)

The reason could be that many end points add an explicit "<cr>" string
to the request. If that is the case you would have to allow this
instead:

permit "^Loopback99 <cr>$"

Regards,
Peter
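An added illustration of the behaviour discussed in this thread (it is not code from either poster or from ACS): a small emulation of how command authorization evaluates the argument patterns when the device includes a trailing "<cr>" argument. It assumes, as Peter describes, that the device sends each argument as its own cmd-arg pair plus a final "<cr>", and that the server joins those arguments with spaces before applying the permit regexes; both the request contents and that joining rule are constructed here for demonstration.

```python
import re
from typing import Dict, List

# Constructed TACACS+ command-authorization requests, modelled on what an
# IOS device sends: "cmd=" holds the command, each argument is a separate
# "cmd-arg=" pair, and the device appends a final "cmd-arg=<cr>".
REQUESTS: Dict[str, List[str]] = {
    "interface Loopback99": ["cmd=interface", "cmd-arg=Loopback99", "cmd-arg=<cr>"],
    "interface Loopback0":  ["cmd=interface", "cmd-arg=Loopback0", "cmd-arg=<cr>"],
}


def authorize(avpairs: List[str], command: str, arg_patterns: List[str],
              permit_unmatched_args: bool = False) -> bool:
    """Return True if the request is permitted under the given rule.

    Assumed (not stated on the page): the server joins all cmd-arg values
    with single spaces and runs each permit regex against that one string,
    so the trailing "<cr>" is part of the text being matched. Arguments that
    match no pattern fall through to the "Permit Unmatched Args" setting.
    """
    pairs = [p.split("=", 1) for p in avpairs]
    cmd = next(v for k, v in pairs if k == "cmd")
    if cmd != command:
        return False  # the command itself is not the one this rule covers
    args = " ".join(v for k, v in pairs if k == "cmd-arg")
    if any(re.search(pat, args) for pat in arg_patterns):
        return True
    return permit_unmatched_args


def evaluate(arg_patterns: List[str],
             permit_unmatched_args: bool = False) -> Dict[str, bool]:
    """Run every constructed request through one permit-pattern list."""
    return {name: authorize(avp, "interface", arg_patterns, permit_unmatched_args)
            for name, avp in REQUESTS.items()}


if __name__ == "__main__":
    for patterns in (["^Loopback99$"], ["^Loopback99 <cr>$"], ["^Loopback"]):
        print(patterns, evaluate(patterns))
```

The first pattern denies both interfaces because "$" sits before the "<cr>" that the device appended; the second permits only Loopback99, which is the intended policy.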
