Requirement: In some situations we want to customize the error message displayed on the ClearPass weblogin page so that users are told why they were denied access, rather than seeing the generic Invalid Username/Password error. This article covers that configuration. This is supported starting from ClearPass version 6.6.
Solution: Enable the pre-auth check on the web login page; this is a prerequisite for the custom error message to work.
Configuration:
- Enable pre-authentication on the weblogin page as shown in the screenshot below and set it to App Authentication.

- Configure a service of type Application Authentication; the Application Name for the pre-auth check should be WebLogin. The service can also be specific to a page: use the "Application:ClearPass:Page-Name" attribute to tie it to a specific page.

- Configure an enforcement profile of type Application authentication with Action Reject. Choose ClearPass:Error-Message as the attribute and enter the desired error message as the attribute value, as shown in the screenshot below.

- Create an enforcement policy with a rule that applies to the users who are supposed to see that error message.

Verification: Once the above configuration is done, verify it by trying to log in with a user account that should receive the corresponding error message on the weblogin page, as shown in the screenshot below.
