[c-nsp] CISCO ACS 4.2 command pattern matching

M Usman Ashraf musmanashraf at gmail.com
Mon Apr 6 12:45:24 EDT 2009


Thanks Peter. You were right, explicit "<cr>" was missing. It is ok now.

On Mon, Apr 6, 2009 at 12:40 AM, Peter Rathlev <peter at rathlev.dk> wrote:

> On Sun, 2009-04-05 at 22:59 +0500, M Usman Ashraf wrote:
> > So from this I take that if I want to deny configuration of certain
> > interfaces say Loopback0, while allowing configuration of Loopback99,
> > I will permit "interface", with the sub-command arguments:
> > permit*^Loopback99$*,  unmatched commands are "deny" and "Permit
> > Unmatched Args" is unchecked.
> >
> > Thinking that would allow the command interface Loopback99 but
> > actually the "interface Loopback99" commands, fails authorization. On
> > the other side, if I permit *^Loopback* only, all loopbacks get
> > permitted. It seems like the "^" pattern matching works but the "$"
> > doesn't. Anyone have any experience with pattern matching that can
> > help me out? --
>
> Your TACACS+ log should tell you the reason, even the ACS must have
> one. ;-)
>
> The reason could be that many end points add an explicit "<cr>" string
> to the request. If that is the case you would have to allow this
> instead:
>
> permit "^Loopback99 <cr>$"
>
> Regards,
> Peter
>
>
>


-- 
Regards,

M Usman Ashraf
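The thread turns on one detail of TACACS+ command authorization: the device sends the command arguments with an explicit "<cr>" token appended, so an anchored pattern such as "^Loopback99$" never matches what the server actually sees. The following is an added example, not code from the thread or from Cisco ACS: a small model of an ACS-style per-command argument rule set (a list of permit/deny regex rules plus the "Permit Unmatched Args" checkbox) that can be used to test a policy against the argument strings a router would send before deploying it. The rule semantics, the `as_sent_by_device` helper and the tolerant `( <cr>)?$` pattern are assumptions made for illustration.

```python
import re

# Constructed model of ACS 4.2-style command argument authorization (assumption:
# this mirrors the behaviour described in the thread, it is not ACS code).
# A rule is (action, regex); rules are tried in order against the argument
# string exactly as the device sent it.
Rule = tuple[str, str]


def as_sent_by_device(cli_args: str, appends_cr: bool = True) -> str:
    """Return the argument string a device submits for authorization.

    Many IOS end points add an explicit '<cr>' token, as Peter notes; the
    flag lets the same policy be checked against both device behaviours.
    """
    return f"{cli_args} <cr>" if appends_cr else cli_args


def authorize_args(argument_string: str, rules: list[Rule],
                   permit_unmatched_args: bool = False) -> str:
    """Return 'permit' or 'deny' for one command's argument string."""
    for action, pattern in rules:
        if re.search(pattern, argument_string):
            return action
    # No rule matched: the "Permit Unmatched Args" checkbox decides.
    return "permit" if permit_unmatched_args else "deny"


def evaluate_policy(rules: list[Rule], interfaces: list[str],
                    appends_cr: bool = True) -> dict[str, str]:
    """Map each interface name to the decision the policy would give it."""
    return {
        name: authorize_args(as_sent_by_device(name, appends_cr), rules)
        for name in interfaces
    }


# Policies from the thread, plus one tolerant variant (assumption) that
# accepts the argument with or without the trailing '<cr>' token.
POLICY_AS_POSTED = [("permit", r"^Loopback99$")]        # fails: '<cr>' breaks '$'
POLICY_TOO_BROAD = [("permit", r"^Loopback")]           # permits every loopback
POLICY_FIXED = [("permit", r"^Loopback99 <cr>$")]       # Peter's suggestion
POLICY_TOLERANT = [("permit", r"^Loopback99( <cr>)?$")]  # works for both behaviours

INTERFACES = ["Loopback0", "Loopback99", "Loopback990"]  # constructed test set

if __name__ == "__main__":
    for label, policy in [("as posted", POLICY_AS_POSTED),
                          ("too broad", POLICY_TOO_BROAD),
                          ("fixed", POLICY_FIXED),
                          ("tolerant", POLICY_TOLERANT)]:
        print(label, evaluate_policy(policy, INTERFACES))
```

Running the script shows why the original policy failed closed for every loopback (the "$" anchor never sees the end of the string because "<cr>" follows the name) and why "^Loopback" over-permits, including names like Loopback990 that merely share the prefix; the fixed and tolerant policies permit Loopback99 only. Checking a policy this way against the exact strings in the TACACS+ authorization log, as Peter suggests, is cheaper than discovering the mismatch on the router.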

