View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Reply-Message - Device User Limit

This thread has been viewed 26 times
  • 1.  Reply-Message - Device User Limit

    Posted Sep 27, 2023 03:30 PM

    Not sure if I am missing the obvious here, but we are looking to do the following; Customizing Authentication Reply-Message to Captive Portal Users.

    We are running an Aruba Controller and ClearPass, and we authenticate our internal users via Web Login against Active Directory. We have no issues limiting them to the number of devices, but all they get when they exceed that is Authentication Failed, thus they keep trying to authenticate - we would like to return something along the lines of 'Maximum Devices Exceeded'. I came across this older reference that it can be done; Airheads Community

    Airheads Community remove preview
    Airheads Community
    I am trying to pass a custom Post Authentication error message to my guest captive portal after the user fails to authenticate due to a session time restriction
    View this on Airheads Community >

    Along with the following details in another article;

    In AOS-W 6.5, ClearPass can now include the reason why it is rejecting in the Reply-Message. So, ClearPass processes the Reply-Message on the web login form and informs the user that The max. number of sessions has been reached is the reason for authentication failure. So, another RADIUS attribute is added in the reply message to the Captive Portal module from Authentication module ...

    ,but I cannot seem to locate where to make changes to return a Reply-Message to the end user.

    Any assistance would be appreciated on pointing us in the right direction/location.

    Thanks very much,

  • 2.  RE: Reply-Message - Device User Limit

    Posted Sep 27, 2023 04:05 PM

    Curious why captive portal is being used here at all for internal users?  Why not use 802.1X?  Are these not managed devices?  Is this a guest flow?

  • 3.  RE: Reply-Message - Device User Limit

    Posted Sep 27, 2023 04:09 PM

    Thanks for the reply - we are utilizing it for staff bringing personal devices that we allow to authenticate to our Guest network. 

    Thanks very much,

  • 4.  RE: Reply-Message - Device User Limit
    Best Answer

    Posted Sep 27, 2023 04:36 PM


    First time a device is connected you have a default role assigning a captive portal page. As long as the user doesn't have reached the max allowed number of devices you return a role assigning correct permissions, or maybe just accept and let the controller assign the role.

    But to achive what you would like to do you have to return another captive portal enabled role when the user tries to exced the number of devices.

    So the things you need to do is:

    • Create the new captive portal information page, with information that the user is only allowed to have a specific number of devices, and maybe instructions how to contact IT support to remove older devices
    • Create a role with captive portal redirect, similar to the pre logon role, but redirect to the information page instead
    • A Enforcement Profile returning the captive portal role
    • In the Enforcement Policy rule for when max devices has been reach, instead of deny access, return the enforcement profile that assigns the information captive portal role to the user

    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution

  • 5.  RE: Reply-Message - Device User Limit

    Posted Sep 27, 2023 06:09 PM

    Thanks very much for the information and details on this - much appreciated. I have adjusted based on the above, but keep failing as it gets to the final step - if I remove the 'Deny Access'  and leave the Enforcement Policy the user still shows as a successful logon - what have I missed on this step?

    Thanks very much again,

    Edit: I think I got it - had to ensure the role was good and then tweaked a little on ClearPass and we are cooking here!!!

    Thanks so much again for these details - much appreciated