Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Can we send any attributes with Access-Reject

This thread has been viewed 0 times

  • 1.  Can we send any attributes with Access-Reject

    Posted Aug 16, 2019 04:30 AM

    Hello,

     

    Suppose I have a client connected to a switch port and tries MAC authentication and gets an access-reject, can i send some radius attribute with that access-reject message using CPPM and if yes can you point me to how I can configure that.

     

    Thanks



  • 2.  RE: Can we send any attributes with Access-Reject

    EMPLOYEE
    Posted Aug 16, 2019 07:56 AM

    could you elaborate more on your requirment, do you want to integrate switch with CPPM server to do wired mac authentication?

     



  • 3.  RE: Can we send any attributes with Access-Reject

    Posted Aug 18, 2019 11:40 PM

    Yes, we're doing wired mac authentication, the idea is that if an unknown endpoint tries mac authentication, the CPPM can send an access-reject with a redirect url for web authentication. I know we can configure CPPM to send a redirect url attribute with an access-accept message even for uknown clients but there is a slight limitation on the switch side which currently requires the attribute to come with a reject message. I also checked the RFC which allows sending any number of attributes with a reject message. 

    Thanks