Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Is it possible to customize the error message after failed authentication

  • 1.  Is it possible to customize the error message after failed authentication

    Posted Jul 02, 2015 03:28 PM

    I am trying to pass a custom Post Authentication error message to my guest captive portal after the user fails to authenticate due to a session time restriction. Right now, if a user logs in with a valid/active guest account during a restricted time period (i.e. no access), he gets the normal error message "Invalid user name or password". This is not really an accurate error message since the user name and password are valid.

     

    What I would like to be able to do here is give an error message that reads "Your account is restricted at this time". I found a RADIUS attribute which can be used for this purpose, and while it works for the Access Tracker logs, it is not reflected in the captive portal login error message.

    Radius:IETF:Reply-Message'Account testuser@testco.com is restricted'

    I am guessing the right way to do this is by customizing the error messages shown in the CPGuest Weblogins > my page > header HTML.   

     

    This is from the HTML header in CPGuest... The options are there... But I am not sure how I am supposed to trigger the right "$StatusCode" value (??) Has anyone figured out how to do this from an enforcement profile on CPPM?

     

    {nwa_cookiecheck}
    {if $statusCode == 1}
    {nwa_icontext type=info}
    You are already logged in.
    No further action is required on your part.
    {/nwa_icontext}
    {elseif $statusCode == 2}
    {nwa_icontext type=warn}
    You are not configured to authenticate against web portal.
    No further action is required on your part.
    {/nwa_icontext}
    {elseif $statusCode == 3}
    {nwa_icontext type=error}
    The username specified cannot be used at this time.
    Perhaps you are already logged into the system?
    {/nwa_icontext}
    {elseif $statusCode == 4}
    {nwa_icontext type=error}
    You cannot log in at this time.
    {/nwa_icontext}
    {elseif $statusCode == 5}
    {nwa_icontext type=error}
    Invalid username or password. Please try again.
    {/nwa_icontext}
    {/if}



  • 2.  RE: Is it possible to customize the error message after failed authentication
    Best Answer

    EMPLOYEE
    Posted Jul 05, 2015 10:48 AM

    It is not possible today to customize the message, no.  Please submit your idea to the ideas portal.



  • 3.  RE: Is it possible to customize the error message after failed authentication

    Posted Jul 06, 2015 10:41 AM

    Thanks for that confirmation CJoseph.  I will submit this to the ideas portal. 



  • 4.  RE: Is it possible to customize the error message after failed authentication

    Posted Jul 19, 2017 09:00 AM

    Hello guys,

    Sorry that I pick up this thread.

     

    Is a custom error message over Radius now possible?

    Sarah



  • 5.  RE: Is it possible to customize the error message after failed authentication

    EMPLOYEE
    Posted Jul 19, 2017 10:24 AM

    As of ArubaOS 6.5, you can send a radius reply message attribute that will be displayed both on internal and external captive portals.  You would just have to send a reject as usual from the radius server, but populate the reply-message attribute.

    http://www.arubanetworks.com/techdocs/ArubaOS/6.5.x.x/Default.htm#ReleaseNotes/FeaturesIn6.5.xReleases/Features6.5.x.htm%3FTocPath%3D_____2

    Screenshot 2017-07-19 at 09.14.58.png

    Here is how a rejection message looks on internal cp:

    Screenshot 2017-07-19 at 09.16.00.png

    Here's how a rejection message looks on an external captive portal, like clearpass:

    Screenshot 2017-07-19 at 09.16.24.png

    You would just have to return the radius reply-message attribute with either a positive or negative auth.

     

    When it is added to a positive authentication, the message is displayed on the "welcome" screen of captive portal:

    Screenshot 2017-07-19 at 09.19.18.png

    To enable logging to look at what reply message has been received, you can type:

    config t
    logging level debugging system process httpd subcat webserver

    You would then type "show log system 50", and the message might look like this:

    Failure:

    Jul 19 02:49:16 :32674: <399828> <DBUG> |httpd| |webserver| aruba-login.c:612) User:2001:470:ed6c:0:a9ac:30c0:359e:903c - Auth result 1 reason Authentication failed, as password is wrong on server1

    Success:

    Jul 19 02:53:09 :922: <399828> <DBUG> |httpd| |webserver| aruba-login.c:740) User:2001:470:ed6c:0:a9ac:30c0:359e:903c - Internal welcome success message User has authenticated successfully from first server1

     

    I hope that helps.



  • 6.  RE: Is it possible to customize the error message after failed authentication

    Posted Oct 29, 2017 07:57 AM

    Is there any sample of the internal captive portal's HTML code???



  • 7.  RE: Is it possible to customize the error message after failed authentication

    EMPLOYEE
    Posted Oct 29, 2017 08:49 AM

    If you are using the internal captive portal, no HTML is required:  "You would just have to send a reject as usual from the radius server, but populate the reply-message attribute."



  • 8.  RE: Is it possible to customize the error message after failed authentication

    Posted Oct 30, 2017 02:30 AM

    Is it possible to have error messages from the RADIUS server, like password expired, account locked, wrong password, etc., displayed on the internal captive portal?

     



  • 9.  RE: Is it possible to customize the error message after failed authentication

    EMPLOYEE
    Posted Oct 30, 2017 07:58 AM

    Yes.  You can put anything in the Radius Reply Message Attribute, but you still would have to somehow know with the same radius server what the reason is for the rejection.  How you would do that depends on your radius server.
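
What posts 5 and 9 describe at the protocol level, as an added example (not code from the thread, ArubaOS or ClearPass): an RFC 2865 Access-Reject carrying a Reply-Message chosen from the rejection reason, plus the check a NAS performs before displaying it. The reason codes, shared secret and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3    # RADIUS packet code (RFC 2865)
REPLY_MESSAGE = 18   # Reply-Message attribute type (RFC 2865)

# Hypothetical reason codes mapped to portal text. Unknown user and wrong
# password share one message so the portal does not reveal which accounts exist.
MESSAGES = {
    "time_restricted": "Your account is restricted at this time",
    "password_expired": "Your password has expired",
    "bad_credentials": "Invalid username or password",
    "unknown_user": "Invalid username or password",
}

def build_access_reject(identifier, request_auth, secret, reason):
    """Return an Access-Reject packet with a Reply-Message for `reason`."""
    text = MESSAGES.get(reason, MESSAGES["bad_credentials"]).encode("utf-8")
    if not 1 <= len(text) <= 253:          # attribute value limit
        raise ValueError("Reply-Message must be 1..253 bytes")
    attrs = struct.pack("!BB", REPLY_MESSAGE, len(text) + 2) + text
    header = struct.pack("!BBH", ACCESS_REJECT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_reply_message(packet, request_auth, secret):
    """NAS side: verify the authenticator, then return (code, message)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    pos, parts = 0, []
    while pos + 2 <= len(attrs):           # walk type/length/value triples
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == REPLY_MESSAGE:
            parts.append(attrs[pos + 2:pos + alen].decode("utf-8"))
        pos += alen
    return code, "".join(parts)
```
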



  • 10.  RE: Is it possible to customize the error message after failed authentication

    Posted Nov 11, 2020 08:51 AM
    Can you use Radius Reply Message Attribute with .1x to open pop out window without captive portal?





  • 11.  RE: Is it possible to customize the error message after failed authentication

    MVP EXPERT
    Posted Nov 11, 2020 11:18 AM
    No, this is not possible.

    ------------------------------
    Tim C
    ------------------------------