Thanks very much for the information and details on this - much appreciated. I have adjusted based on the above, but keep failing as it gets to the final step - if I remove the 'Deny Access' and leave the Enforcement Policy the user still shows as a successful logon - what have I missed on this step?
Edit: I think I got it - had to ensure the role was good and then tweaked a little on ClearPass and we are cooking here!!!
Original Message:
Sent: Sep 27, 2023 04:35 PM
From: jonas.hammarback
Subject: Reply-Message - Device User Limit
Hi
The first time a device is connected you have a default role assigning a captive portal page. As long as the user hasn't reached the max allowed number of devices you return a role assigning correct permissions, or maybe just accept and let the controller assign the role.
But to achieve what you would like to do you have to return another captive portal enabled role when the user tries to exceed the number of devices.
So the things you need to do is:
- Create the new captive portal information page, with information that the user is only allowed to have a specific number of devices, and maybe instructions on how to contact IT support to remove older devices
- Create a role with captive portal redirect, similar to the pre logon role, but redirect to the information page instead
- An Enforcement Profile returning the captive portal role
- In the Enforcement Policy rule for when max devices has been reached, instead of deny access, return the enforcement profile that assigns the information captive portal role to the user
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Sep 27, 2023 03:29 PM
From: Shadow101
Subject: Reply-Message - Device User Limit
Not sure if I am missing the obvious here, but we are looking to do the following; Customizing Authentication Reply-Message to Captive Portal Users.
We are running an Aruba Controller and ClearPass, and we authenticate our internal users via Web Login against Active Directory. We have no issues limiting them to the number of devices, but all they get when they exceed that is Authentication Failed, thus they keep trying to authenticate - we would like to return something along the lines of 'Maximum Devices Exceeded'. I came across this older reference that it can be done; Airheads Community
"I am trying to pass a custom Post Authentication error message to my guest captive portal after the user fails to authenticate due to a session time restriction"
Along with the following details in another article;
In AOS-W 6.5, ClearPass can now include the reason why it is rejecting in the Reply-Message. So, ClearPass processes the Reply-Message on the web login form and informs the user that The max. number of sessions has been reached is the reason for authentication failure. So, another RADIUS attribute is added in the reply message to the Captive Portal module from Authentication module ...
but I cannot seem to locate where to make changes to return a Reply-Message to the end user.
Any assistance would be appreciated on pointing us in the right direction/location.
Thanks very much,