Thanks very much for the information and details on this - much appreciated. I have adjusted based on the above, but keep failing as it gets to the final step - if I remove the 'Deny Access' and leave the Enforcement Policy the user still shows as a successful logon - what have I missed on this step?
Edit: I think I got it - had to ensure the role was good and then tweaked a little on ClearPass and we are cooking here!!!
Original Message:
Sent: Sep 27, 2023 04:35 PM
From: jonas.hammarback
Subject: Reply-Message - Device User Limit
Hi
First time a device is connected you have a default role assigning a captive portal page. As long as the user doesn't have reached the max allowed number of devices you return a role assigning correct permissions, or maybe just accept and let the controller assign the role.
But to achive what you would like to do you have to return another captive portal enabled role when the user tries to exced the number of devices.
So the things you need to do is:
- Create the new captive portal information page, with information that the user is only allowed to have a specific number of devices, and maybe instructions how to contact IT support to remove older devices
- Create a role with captive portal redirect, similar to the pre logon role, but redirect to the information page instead
- A Enforcement Profile returning the captive portal role
- In the Enforcement Policy rule for when max devices has been reach, instead of deny access, return the enforcement profile that assigns the information captive portal role to the user
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Sep 27, 2023 03:29 PM
From: Shadow101
Subject: Reply-Message - Device User Limit
Not sure if I am missing the obvious here, but we are looking to do the following; Customizing Authentication Reply-Message to Captive Portal Users.
We are running an Aruba Controller and ClearPass, and we authenticate our internal users via Web Login against Active Directory. We have no issues limiting them to the number of devices, but all they get when they exceed that is Authentication Failed, thus they keep trying to authenticate - we would like to return something along the lines of 'Maximum Devices Exceeded'. I came across this older reference that it can be done; Airheads Community
| Airheads Community |
remove preview |
 |
| Airheads Community |
| I am trying to pass a custom Post Authentication error message to my guest captive portal after the user fails to authenticate due to a session time restriction |
| View this on Airheads Community > |
|
|
Along with the following details in another article;
In AOS-W 6.5, ClearPass can now include the reason why it is rejecting in the Reply-Message. So, ClearPass processes the Reply-Message on the web login form and informs the user that The max. number of sessions has been reached is the reason for authentication failure. So, another RADIUS attribute is added in the reply message to the Captive Portal module from Authentication module ...
,but I cannot seem to locate where to make changes to return a Reply-Message to the end user.
Any assistance would be appreciated on pointing us in the right direction/location.
Thanks very much,