Not sure if I am missing the obvious here, but we are looking to do the following: customizing the authentication Reply-Message to Captive Portal users.
We are running an Aruba Controller and ClearPass, and we authenticate our internal users via Web Login against Active Directory. We have no issues limiting them to the number of devices, but all they get when they exceed that is Authentication Failed, thus they keep trying to authenticate - we would like to return something along the lines of 'Maximum Devices Exceeded'. I came across this older reference that it can be done; Airheads Community
Along with the following details in another article;
In AOS-W 6.5, ClearPass can now include the reason why it is rejecting in the Reply-Message. So, ClearPass processes the Reply-Message on the web login form and informs the user that The max. number of sessions has been reached is the reason for authentication failure. So, another RADIUS attribute is added in the reply message to the Captive Portal module from Authentication module ...
But I cannot seem to locate where to make changes to return a Reply-Message to the end user.
Any assistance would be appreciated on pointing us in the right direction/location.
Thanks very much,
Curious why captive portal is being used here at all for internal users? Why not use 802.1X? Are these not managed devices? Is this a guest flow?
Thanks for the reply - we are utilizing it for staff bringing personal devices that we allow to authenticate to our Guest network.
The first time a device is connected, you have a default role assigning a captive portal page. As long as the user hasn't reached the max allowed number of devices, you return a role assigning correct permissions, or maybe just accept and let the controller assign the role.
But to achieve what you would like to do, you have to return another captive portal enabled role when the user tries to exceed the number of devices.
So the things you need to do are:
Thanks very much for the information and details on this - much appreciated. I have adjusted based on the above, but keep failing as it gets to the final step - if I remove the 'Deny Access' and leave the Enforcement Policy the user still shows as a successful logon - what have I missed on this step?
Thanks very much again,
Edit: I think I got it - had to ensure the role was good and then tweaked a little on ClearPass and we are cooking here!!!
Thanks so much again for these details - much appreciated
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Sep 27, 2023 03:29 PM
From: Shadow101
Subject: Reply-Message - Device User Limit