New Contributor
Posts: 2
Registered: ‎10-01-2014

ClearPass - return error code in radius response

Hi All,

Does anybody know if there is a variable you can call up in a RADIUS reject response that represents the TIPS Error Code?

E.g. I want to return Error Code 216 to my downstream device so it knows that password failure was the cause.

I can't seem to find anything in the standard variables.

Scott


Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass - return error code in radius response

There’s no official way, but you can send anything in a filter-ID as long as the downstream device can receive/parse it.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II
Posts: 358
Registered: ‎02-22-2011

Re: ClearPass - return error code in radius response

My problem is in getting the error code.

When I create an enforcement profile I can specify the Filter-Id to return; however, I can't find a variable that selects the error code.

I guess I could do it with role derivation so that any TIPS error code 216 = role "password failed" and then return the role name, but this seems overly complex.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass - return error code in radius response

On second thought, it may not be possible to send attributes back with a RADIUS reject for a 1X request.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II
Posts: 358
Registered: ‎02-22-2011

Re: ClearPass - return error code in radius response

These are just standard RADIUS proxy requests.

Super Contributor II
Posts: 358
Registered: ‎02-22-2011

Re: ClearPass - return error code in radius response

OK, so it doesn't look like there is any clean way to do this, so I came up with a workaround which involved the use of role mapping and specific enforcement profiles. Essentially you need to assign a role to devices that fail with a certain code and then map that to an enforcement profile / policy that sends the required information back to the NAD.

See below:

[Attached screenshots: snip1.JPG, snip2.JPG, snip3.JPG]

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass - return error code in radius response

And you see that message in the NAD device?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II
Posts: 358
Registered: ‎02-22-2011

Re: ClearPass - return error code in radius response

Yes, it gets returned with the reject.

Super Contributor II
Posts: 358
Registered: ‎02-22-2011

Re: ClearPass - return error code in radius response

[Attached screenshot: snip4.JPG]

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass - return error code in radius response

If you know what the error codes mean and don't care about the text, you can create an enforcement profile that returns %{Authentication:ErrorCode}. This way you'll get all errors, not just incorrect password.

Enforcement rule would read:

Authentication Status EQUALS Failed

<ErrorCode-enforcement-profile>

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480