Pattern matching syntax
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Pattern matching syntax
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition support regular expressions for pattern matching, which is widely used in UNIX environments. You can use this syntax to specify the conditions of remote access policy attributes and RADIUS realms, as specified in the following table.
| Character | Description | Example |
|---|---|---|
\ |
Marks the next character as a character to match. |
/n/ matches the character "n". The sequence /\n/ matches a line feed or newline character. |
^ |
Matches the beginning of the input or line. |
|
$ |
Matches the end of the input or line. |
|
* |
Matches the preceding character zero or more times. |
/zo*/ matches either "z" or "zoo." |
+ |
Matches the preceding character one or more times. |
/zo+/ matches "zoo" but not "z." |
? |
Matches the preceding character zero or one times. |
/a?ve?/ matches the "ve" in "never." |
. |
Matches any single character except a newline character. |
|
(pattern) |
Matches pattern and remembers the match. To match ( ) (parentheses), use "\(" or "\)". |
|
x|y |
Matches either x or y. |
/z|food?/ matches "zoo" or "food." |
{n} |
Matches exactly n times (n is a nonnegative integer). |
/o{2}/ does not match the "o" in "Bob," but matches the first two instances of the letter o in "foooood." |
{n,} |
Matches at least n times (n is a nonnegative integer). |
/o{2,}/ does not match the "o" in "Bob" but matches all of the instances of the letter o in "foooood." /o{1,}/ is equivalent to /o+/. |
{n,m} |
Matches at least n and at most m times (m and n are nonnegative integers). |
/o{1,3}/ matches the first three instances of the letter o in "fooooood." |
[xyz] |
Matches any one of the enclosed characters (a character set). |
/[abc]/ matches the "a" in "plain." |
[^xyz] |
Matches any characters that are not enclosed (a negative character set). |
/[^abc]/ matches the "p" in "plain." |
\b |
Matches a word boundary (for example, a space). |
/ea*r\b/ matches the "er" in "never early." |
\B |
Matches a nonword boundary. |
/ea*r\B/ matches the "ear" in "never early." |
\d |
Matches a digit character (equivalent to [0-9]). |
|
\D |
Matches a nondigit character (equivalent to [^0-9]). |
|
\f |
Matches a form feed character. |
|
\n |
Matches a line feed character. |
|
\r |
Matches a carriage return character. |
|
\s |
Matches any white space character including space, tab, and form feed (equivalent to [ \f\n\r\t\v]). |
|
\S |
Matches any non-white space character (equivalent to [^ \f\n\r\t\v]). |
|
\t |
Matches a tab character. |
|
\v |
Matches a vertical tab character. |
|
\w |
Matches any word character, including underscore (equivalent to [A-Za-z0-9_]). |
|
\W |
Matches any nonword character, excluding underscore (equivalent to [^A-Za-z0-9_]). |
|
\num |
Refers to remembered matches (?num, where num is a positive integer). For example, \1 replaces what is stored in the first remembered match. This option can be used only in the Replace text box when configuring attribute manipulation. |
|
/n/ |
Allows the insertion of ASCII codes into regular expressions (?n, where n is an octal, hexadecimal, or decimal escape value). |
|
Examples for remote access policy attributes
The following examples describe the use of the pattern matching syntax to specify remote access policy attributes:
To specify all phone numbers within the 899 area code, the syntax is:
899.*
To specify a range of all IP addresses that begin with 192.168.1, the syntax is:
192\.168\.1\..+
Examples for manipulation of the realm name in the User-Name attribute
The following examples describe the use of the pattern matching syntax to manipulate realm names for the User-Name attribute, which is located on the Attribute tab in the properties of a connection request policy. For more information, see Configure attribute manipulation.
To remove the realm portion of the User-Name attribute
In the outsourced dial scenario, the Internet service provider (ISP) might require a realm name to route the authentication request. However, the IAS server might not recognize the realm name portion of the user name. Therefore, the realm name must be removed before it is forwarded to the IAS server.
Find: @microsoft\\.com
Replace:
To replace user@example.microsoft.com with example.microsoft.com\user
Find: (.*)@(.*)
Replace: $2\$1
To replace domain\user with specific_domain\user
Find: (.*)\\(.*)
Replace: specific_domain\$2
To replace user with user@specific_domain
Find: $
Replace: @specific_domain
Example for RADIUS message forwarding by a proxy server
You can create routing rules that forward RADIUS messages with a specific realm name to a specific set of RADIUS servers when IAS is used as a RADIUS proxy. Following is a recommended syntax for routing requests based on realm name.
| NetBIOS name | Pattern |
|---|---|
WCOAST |
^wcoast\\ |
In the following example, wcoast.microsoft.com is a unique user principal name (UPN) suffix for the DNS or Active Directory domain wcoast.microsoft.com. Using the supplied pattern, the IAS proxy can route messages based on domain NetBIOS name or UPN suffix.
| NetBIOS name | UPN suffix | Pattern |
|---|---|---|
WCOAST |
wcoast.microsoft.com |
^wcoast\\|@wcoast\.microsoft\.com$ |
Ping user-name
Some RADIUS proxy servers and network access servers periodically send authentication and accounting requests (known as ping requests) to verify that the IAS server is present on the network. These ping requests include fictional user names. When IAS processes these requests, the event and accounting logs become filled with access reject records, making it more difficult to keep track of valid records.
When you configure a registry entry for ping user-name, IAS matches the registry entry value against the user name value in ping requests by other servers. A ping user-name registry entry specifies the fictional user name (or a user name pattern, with variables, that matches the fictional user name) sent by RADIUS proxy servers and network access servers. When IAS receives ping requests that match the ping user-name registry entry value, IAS rejects the authentication requests without processing the request. IAS does not record transactions involving the fictional user name in any log files, which makes the event log easier to interpret.
Note
- Ping user-name is not installed by default. You must add ping user-name to the registry. You can add an entry to the registry using Registry Editor. For more information, see Registry Editor.
Caution
- Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Adding ping user-name to the registry
Ping user-name can be added to the following registry key as a string value by a member of the local Administrators group:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IAS\Parameters
| Name | Type | Data |
|---|---|---|
ping user-name |
REG_SZ |
User name |
Note
- To indicate more than one user name for a ping user-name value, enter a name pattern, such as a Domain Name System (DNS) name including wildcard characters, in Data.