How to display custom error messages on a weblogin page

By esupport posted Jul 19, 2016 06:53 AM

  
Mark as Inappropriate
Requirement:

We might have a situation where we want to customize the error message displayed on the ClearPass weblogin page so that the users are informed about why they are denied access rather than the generic Invalid Username/Password error. This article covers that configuration. This is supported starting from ClearPass version 6.6



Solution:

We need to enable pre-auth check on the web login page which is a pre-requisite for this to work. 



Configuration:
  • Enable pre-authentication on the weblogin page as shown in the screenshot below and set it to App Authentication 

 

  • Configure a service of type Application Authentication and the Application Name for pre-auth check should be WebLogin. The service can also be specific to a page and we can use the "Application:ClearPass:Page-Name" attribute to tie it to a specific page.

 

  •  Configure an enforcement profile of type Application authentication, and Action Reject. Choose the attribute as ClearPass:Error-Message and put in the attribute value as the desired error message as shown in the screenshot below

 

  • Create an enforcement policy that has the rule that applies to users who are supposed to see that error message 

 



Verification

Once the above configuration is done we can verify this by trying to login with a user account that should receive the corresponding error message on the weblogin page as shown in the screenshot below

10 comments
0 views

Comments

arunnair@arubanetworks.com
Dec 08, 2016 08:44 AM

We cannot modify the mac which is fetched. The mac-address is fetched is from the redirect URL of the client, if we are able to redirect the client to the captive portal page without the delimiters in the Web-URL, it would help.

I would also recommend you to create a support ticket with TAC and they will help you to customize and achieve the requirement.

 

Jordan
Dec 08, 2016 03:20 AM

One last question please.

 

Please do you have any idea how we can exclude the delimiters from the "Application:WebLoginURL:mac" in the query, where the MAC address format in the endpoint is without delimiters, that's why we need to have it from the application request without delim to be properly comapred with the one existing in the endpoint?

Jordan
Dec 08, 2016 02:37 AM

Thank you very much :) that makes sense :)

arunnair@arubanetworks.com
Dec 07, 2016 10:52 AM

Hi,

 

You can use "Application:WebLoginURL:mac" attribute which shows up in Computed attribute instead of "Connection:Client-Mac-Address-NoDelim" in the query.

Jordan
Dec 07, 2016 10:06 AM

Then why its mentioned in this original post that i can include the unique device count to be checked in the application request.

 

 

I just need to have the same scenarin of this post, but in this case the MAC adress is not included in the application request.

 

If we did it in the Radius request will the custom message application enfocemnt profile work and just display the message ?

 

Please Advise.

 

arunnair@arubanetworks.com
Dec 06, 2016 08:32 AM

Hi Zahran,

 

I dont think you will be able to do that in an Appilcation request as you figured out it lacks endpoint mac information, you can implement the same on Radius request generated for the subsequent captive portal and that should work. 

 

Regards,

Arun

Jordan
Dec 06, 2016 04:32 AM

What i am trying to do is to display a message when the unique device count is more than 1. the filter query i am using is the one that is originally existing to fetch the unique device count in the Endpoint attributes.

I am just using the condition : Auth:Endpoint Unique device count greater than one.

i think there is no MAC Address in the application request, that's why this filter query cant be fetched.

 

Please advise if there is any other filter to check the unique device count?? to check it in the application request then display a message.

 

The below is the Filter query that's originally in Clearpass Endpoint.

 

SELECT COUNT(instance_id) + 1 AS num_endpoints FROM tips_endpoint_tag_mappings JOIN tips_endpoints ON tips_endpoint_tag_mappings.instance_id = tips_endpoints.id WHERE tag_value_id IN (SELECT id FROM tips_tag_values WHERE tag_id = 26 AND LOWER(tag_value) = LOWER('%{Authentication:Username}')) AND tips_endpoints.mac_address != '%{Connection:Client-Mac-Address-NoDelim}'

 

 

Thanks,

Zahran

arunnair@arubanetworks.com
Nov 30, 2016 12:37 PM

 Hi,

 

We would like to understand the unique device filter query which you have provided in Endpoint Repository so that we can understand the scenario better. As mentioned by you if the filter query is looking for MAC-Address and in the authentication request we dont have endpoint mac, probably that would be the cause of failure.

Are you using the custom filter query to fetch devices using same username?

If you could let us know what you are trying to achieve using the filter query we could figure out an efficient way to achieve the same.

 

Regards,
Arun

Jordan
Nov 30, 2016 05:51 AM

Thanks a lot for this post its really helpful. I face one issue where the policy server failed to construct the unique device filter from the endpoint. Note that i already used the endpoint repository as an authorization source. I've noticed that there is no MAC address in the application request, and maybe that's why the filter of the unique device cant be constructed. Please Advise

Jordan
Nov 26, 2016 06:11 AM

Thanks a lot for this post its really helpful. I face one issue where the policy server failed to construct the unique device filter from the endpoint. Note that i already used the endpoint repository as an authorization source. I've noticed that there is no MAC address in the application request, and maybe that's why the filter of the unique device cant be constructed. Please Advise.