We might have a situation where we want to customize the error message displayed on the ClearPass web login page so that users are told why they were denied access, rather than seeing the generic Invalid Username/Password error. This article covers that configuration. It is supported starting from ClearPass version 6.6.
Enabling the pre-auth check on the web login page is a prerequisite for this to work.
Once the above configuration is done, we can verify it by trying to log in with a user account that should receive the corresponding error message on the web login page, as shown in the screenshot below.
We cannot modify the MAC which is fetched. The MAC address is fetched from the redirect URL of the client; if we are able to redirect the client to the captive portal page without the delimiters in the Web-URL, it would help.
I would also recommend you to create a support ticket with TAC and they will help you to customize and achieve the requirement.
One last question please.
Please, do you have any idea how we can exclude the delimiters from the "Application:WebLoginURL:mac" in the query? The MAC address format in the endpoint is without delimiters, which is why we need to have it from the application request without delimiters, to be properly compared with the one existing in the endpoint.
Hi,
You can use "Application:WebLoginURL:mac" attribute which shows up in Computed attribute instead of "Connection:Client-Mac-Address-NoDelim" in the query.
Then why is it mentioned in this original post that I can include the unique device count to be checked in the application request?
I just need to have the same scenario as this post, but in this case the MAC address is not included in the application request.
If we did it in the RADIUS request, will the custom message application enforcement profile work and just display the message?
Please advise.
Hi Zahran,
I don't think you will be able to do that in an Application request; as you figured out, it lacks endpoint MAC information. You can implement the same on the RADIUS request generated for the subsequent captive portal, and that should work.
Regards,
Arun
What I am trying to do is to display a message when the unique device count is more than 1. The filter query I am using is the one that originally exists to fetch the unique device count in the Endpoint attributes.
I am just using the condition: Auth:Endpoint Unique device count greater than one.
I think there is no MAC address in the application request; that's why this filter query can't be fetched.
Please advise if there is any other filter to check the unique device count, to check it in the application request and then display a message.
Below is the filter query that's originally in the ClearPass Endpoint.
SELECT COUNT(instance_id) + 1 AS num_endpoints FROM tips_endpoint_tag_mappings JOIN tips_endpoints ON tips_endpoint_tag_mappings.instance_id = tips_endpoints.id WHERE tag_value_id IN (SELECT id FROM tips_tag_values WHERE tag_id = 26 AND LOWER(tag_value) = LOWER('%{Authentication:Username}')) AND tips_endpoints.mac_address != '%{Connection:Client-Mac-Address-NoDelim}'
Thanks,
Zahran
We would like to understand the unique device filter query which you have provided in Endpoint Repository so that we can understand the scenario better. As mentioned by you, if the filter query is looking for the MAC address and in the authentication request we don't have the endpoint MAC, probably that would be the cause of failure.
Are you using the custom filter query to fetch devices using the same username?
If you could let us know what you are trying to achieve using the filter query, we could figure out an efficient way to achieve the same.
Regards,
Arun