Contributor I

Is it possible to customize the error message after failed authentication

I am trying to pass a custom Post Authentication error message to my guest captive portal after the user fails to authenticate due to a session time restriction. Right now, if a user logs in with a valid/active guest account during a restricted time period (i.e. no access), he gets the normal error message "Invalid user name or password". This is not really an accurate error message since the user name and password are valid.

What I would like to be able to do here is give an error message that reads "Your account is restricted at this time". I found a radius attribute which can be used for this purpose, and while it works for the access tracker logs, it is not reflected in the captive portal login error message.

Radius:IETF:Reply-Message'Account testuser@testco.com is restricted'

I am guessing the right way to do this is by customizing the error messages shown in the CPGuest Weblogins > my page > header HTML.

This is from the HTML header in CPGuest... The options are there... But I am not sure how I am supposed to trigger the right "$StatusCode" value (??) Has anyone figured out how to do this from an enforcement profile on CPPM?

{nwa_cookiecheck}
{if $statusCode == 1}
{nwa_icontext type=info}
You are already logged in.
No further action is required on your part.
{/nwa_icontext}
{elseif $statusCode == 2}
{nwa_icontext type=warn}
You are not configured to authenticate against web portal.
No further action is required on your part.
{/nwa_icontext}
{elseif $statusCode == 3}
{nwa_icontext type=error}
The username specified cannot be used at this time.
Perhaps you are already logged into the system?
{/nwa_icontext}
{elseif $statusCode == 4}
{nwa_icontext type=error}
You cannot log in at this time.
{/nwa_icontext}
{elseif $statusCode == 5}
{nwa_icontext type=error}
Invalid username or password. Please try again.
{/nwa_icontext}
{/if}

Guru Elite

Re: Is it possible to customize the error message after failed authentication

It is not possible today to customize the message, no.  Please submit your idea to the ideas portal.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I

Re: Is it possible to customize the error message after failed authentication

Thanks for that confirmation CJoseph.  I will submit this to the ideas portal. 

New Contributor

Re: Is it possible to customize the error message after failed authentication

Hello guys,

sorry that I pick up this thread.

Is a custom error message over Radius now possible?

Sarah

Guru Elite

Re: Is it possible to customize the error message after failed authentication

As of ArubaOS 6.5, you can send a radius reply message attribute that will be displayed both on internal and external captive portals.  You would just have to send a reject as usual from the radius server, but populate the reply-message attribute.

http://www.arubanetworks.com/techdocs/ArubaOS/6.5.x.x/Default.htm#ReleaseNotes/FeaturesIn6.5.xReleases/Features6.5.x.htm%3FTocPath%3D_____2

Screenshot 2017-07-19 at 09.14.58.png

Here is how a rejection message looks on internal cp:

Screenshot 2017-07-19 at 09.16.00.png

Here's how a rejection message looks on an external captive portal, like ClearPass:

Screenshot 2017-07-19 at 09.16.24.png

You would just have to return the radius reply-message attribute with either a positive or negative auth.

 

When it is added to a positive authentication, the message is displayed on the "welcome" screen of captive portal:

Screenshot 2017-07-19 at 09.19.18.png

To enable logging to look at what reply message has been received, you can type:

config t
logging level debugging system process httpd subcat webserver

You would then type "show log system 50", and the message might look like this:

Failure:

Jul 19 02:49:16 :32674: <399828> <DBUG> |httpd| |webserver| aruba-login.c:612) User:2001:470:ed6c:0:a9ac:30c0:359e:903c - Auth result 1 reason Authentication failed, as password is wrong on server1

Success:

Jul 19 02:53:09 :922: <399828> <DBUG> |httpd| |webserver| aruba-login.c:740) User:2001:470:ed6c:0:a9ac:30c0:359e:903c - Internal welcome success message User has authenticated successfully from first server1

 

I hope that helps.



Colin Joseph
Aruba Customer Engineering
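
Added example (not part of the original post, and not Aruba code): a small parser for the two `show log system` lines quoted above, so rejections and the reason text the portal received can be pulled out and counted per client. The regular expressions are derived only from those two sample lines; other line variants are an assumption and are skipped.

```python
import re
from collections import Counter

# The two sample lines quoted in the post above.
SAMPLE_LOG = """\
Jul 19 02:49:16 :32674: <399828> <DBUG> |httpd| |webserver| aruba-login.c:612) User:2001:470:ed6c:0:a9ac:30c0:359e:903c - Auth result 1 reason Authentication failed, as password is wrong on server1
Jul 19 02:53:09 :922: <399828> <DBUG> |httpd| |webserver| aruba-login.c:740) User:2001:470:ed6c:0:a9ac:30c0:359e:903c - Internal welcome success message User has authenticated successfully from first server1
"""

# Timestamp, then anything up to the httpd/webserver tags, then the User: field.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s.*?"
    r"\|httpd\|\s+\|webserver\|\s+aruba-login\.c:\d+\)\s+"
    r"User:(?P<user>\S+)\s+-\s+(?P<body>.+)$"
)
FAIL_RE = re.compile(r"^Auth result (?P<code>\d+) reason (?P<msg>.*)$")
OK_RE = re.compile(r"^Internal welcome success message (?P<msg>.*)$")


def parse_portal_log(text):
    """Return one dict per captive-portal login line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        fail, ok = FAIL_RE.match(body), OK_RE.match(body)
        if fail:
            outcome, code, msg = "failure", int(fail.group("code")), fail.group("msg")
        elif ok:
            outcome, code, msg = "success", None, ok.group("msg")
        else:
            continue
        # "user" is whatever follows User: (an IPv6 client address in the sample).
        events.append({"time": m.group("ts"), "user": m.group("user"),
                       "outcome": outcome, "code": code, "message": msg})
    return events


def failures_by_user(events):
    """Count failed logins per User: value, e.g. to spot repeated rejections."""
    return Counter(e["user"] for e in events if e["outcome"] == "failure")
```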


New Contributor

Re: Is it possible to customize the error message after failed authentication

Is there any sample of the internal captive portal's HTML code???

Guru Elite

Re: Is it possible to customize the error message after failed authentication

If you are using the internal captive portal, no HTML is required:  "You would just have to send a reject as usual from the radius server, but populate the reply-message attribute."



Colin Joseph
Aruba Customer Engineering


New Contributor

Re: Is it possible to customize the error message after failed authentication

Is it possible to have the error message replied from the RADIUS server, like password expired, account locked, wrong password, etc., displayed on the internal captive portal?

Guru Elite

Re: Is it possible to customize the error message after failed authentication

Yes.  You can put anything in the Radius Reply Message Attribute, but you still would have to somehow know with the same radius server what the reason is for the rejection.  How you would do that depends on your radius server.



Colin Joseph
Aruba Customer Engineering
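
Added example (not part of the thread, and not ClearPass or ArubaOS code): one way a RADIUS-side policy could choose the Reply-Message text and encode it as an attribute. The reason codes and the `credentials_valid` flag are hypothetical; the attribute type (18) and the 253-octet value limit come from RFC 2865. The specific reason is only returned once the password has been verified, so the portal does not reveal to an unauthenticated visitor which accounts exist.

```python
import unicodedata

REPLY_MESSAGE = 18   # RADIUS attribute type for Reply-Message (RFC 2865)
MAX_VALUE = 253      # 255-octet attribute minus the type and length octets

# Hypothetical reason codes; the wording of the first entry and of GENERIC
# is taken from the thread, the rest is illustrative.
GENERIC = "Invalid username or password. Please try again."
MESSAGES = {
    "time_restricted": "Your account is restricted at this time",
    "password_expired": "Your password has expired",
    "account_locked": "Your account is locked",
}


def reply_text(reason, credentials_valid):
    """Pick the message to return with an Access-Reject."""
    # Explain the rejection only after the password checked out; otherwise
    # anyone typing a username could learn whether the account exists.
    if credentials_valid and reason in MESSAGES:
        return MESSAGES[reason]
    return GENERIC


def encode_reply_message(text):
    """Encode text as a Reply-Message attribute: type, length, value."""
    # Drop control/format characters so the text stays one printable line
    # in the portal page and in logs.
    clean = "".join(c for c in text if unicodedata.category(c)[0] != "C")
    value = clean.encode("utf-8")[:MAX_VALUE]
    # Back off if the cut landed inside a multi-byte UTF-8 sequence.
    value = value.decode("utf-8", errors="ignore").encode("utf-8")
    return bytes([REPLY_MESSAGE, len(value) + 2]) + value
```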
