Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - return error code in radius response

  • 1.  ClearPass - return error code in radius response

    Posted Jan 13, 2015 09:11 PM

    Hi All,

    Does anybody know if there is a variable you can call up in a RADIUS reject response that represents the TIPS Error Code?

    E.g. I want to return Error Code 216 to my downstream device so it knows that password failure was the cause.

    I can't seem to find anything in the standard variables.

    Scott



  • 2.  RE: ClearPass - return error code in radius response

    EMPLOYEE
    Posted Jan 13, 2015 09:13 PM
    There’s no official way, but you can send anything in a filter-ID as long as the downstream device can receive/parse it.


  • 3.  RE: ClearPass - return error code in radius response

    Posted Jan 13, 2015 09:16 PM

    My problem is in getting the error code.

    When I create an enforcement profile I can specify the Filter-Id to return; however, I can't find a variable that selects the error code.

    I guess I could do it with role derivation so that any TIPS error code 216 = role "password failed" and then return the role name, but this seems overly complex.



  • 4.  RE: ClearPass - return error code in radius response

    EMPLOYEE
    Posted Jan 13, 2015 09:18 PM
    On second thought, it may not be possible to send attributes back with a RADIUS reject for a 1X request.


  • 5.  RE: ClearPass - return error code in radius response

    Posted Jan 13, 2015 09:19 PM

    These are just standard RADIUS proxy requests.



  • 6.  RE: ClearPass - return error code in radius response
    Best Answer

    Posted Jan 13, 2015 09:59 PM

    OK, so it doesn't look like there is any clean way to do this, so I came up with a workaround which involved the use of role mapping and specific enforcement profiles. Essentially you need to assign a role to devices that fail with a certain code and then map that to an enforcement profile / policy that sends the required information back to the NAD.

    See below:

    [attached screenshots: snip1.JPG, snip2.JPG, snip3.JPG]



  • 7.  RE: ClearPass - return error code in radius response

    EMPLOYEE
    Posted Jan 13, 2015 10:02 PM
    And you see that message in NAD device?


  • 8.  RE: ClearPass - return error code in radius response

    Posted Jan 13, 2015 10:04 PM

    Yes, it gets returned with the reject.



  • 9.  RE: ClearPass - return error code in radius response

    Posted Jan 13, 2015 10:05 PM

    [attached screenshot: snip4.JPG]



  • 10.  RE: ClearPass - return error code in radius response

    EMPLOYEE
    Posted Jan 13, 2015 10:08 PM

    If you know what the error codes mean and don't care about the text, you can create an enforcement profile that returns %{Authentication:ErrorCode}. This way you'll get all errors, not just incorrect password.

    Enforcement rule would read:

    Authentication       Status      EQUALS       Failed

    <ErrorCode-enforcement-profile>
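    As an added example (not code from the thread, from ClearPass, or from the NAD vendor), here is what the downstream device in this setup has to do with the reply: check the Access-Reject's Response Authenticator against the shared secret before trusting anything in it, then read the numeric %{Authentication:ErrorCode} value out of the Filter-Id attribute. The only code meaning it assumes is the one the thread gives (216 = password failure); the secret, request authenticator and packet bytes are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3   # RADIUS Code for Access-Reject (RFC 2865)
FILTER_ID = 11      # Filter-Id attribute type (RFC 2865)

# Meaning taken from the thread: ClearPass error code 216 is a password failure.
CLEARPASS_ERROR_CODES = {216: "password failure"}

def build_reply(code, ident, request_auth, secret, attrs):
    """Build a RADIUS reply with a valid Response Authenticator (constructed sample input)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 2865: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def is_authentic(packet, request_auth, secret):
    """True only if the reply was produced by a server holding our shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def filter_ids_from_reject(packet, request_auth, secret):
    """Return the Filter-Id strings carried in an authentic Access-Reject."""
    if not is_authentic(packet, request_auth, secret):
        raise ValueError("bad Response Authenticator; ignore this reply")
    if packet[0] != ACCESS_REJECT:
        return []
    values, body, pos = [], packet[20:], 0
    while pos + 2 <= len(body):          # walk the TLV attribute list
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute")
        if attr_type == FILTER_ID:
            values.append(body[pos + 2:pos + attr_len].decode("ascii", "replace"))
        pos += attr_len
    return values

def reject_reason(packet, request_auth, secret):
    """Map the numeric Filter-Id (%{Authentication:ErrorCode}) to a reason string."""
    for value in filter_ids_from_reject(packet, request_auth, secret):
        if value.isdigit():
            return int(value), CLEARPASS_ERROR_CODES.get(int(value), "other failure")
    return None, "no error code returned"

# Constructed sample: secret, request authenticator and a reject carrying Filter-Id "216".
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_REJECT = build_reply(ACCESS_REJECT, 7, REQUEST_AUTH, SECRET, [(FILTER_ID, b"216")])
```

    A reply that fails the authenticator check is dropped rather than mapped, so a spoofed reject cannot feed a fake reason code into the NAD's logging.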



  • 11.  RE: ClearPass - return error code in radius response
    Best Answer

    Posted Jan 13, 2015 10:17 PM

    That is exactly what I was looking for!

    I checked the user guide but it didn't show that as a defined variable; likewise, when I tried to use the drop-down options in the UI, none of the {Authentication:XXX} options came up.

    Thanks Tim!



  • 12.  RE: ClearPass - return error code in radius response

    EMPLOYEE
    Posted Jan 13, 2015 10:37 PM

    Any attribute in the devices list can be used. Sometimes you need to add the endpoints repository in the authz section to get all the attributes.

    For example, in my lab I am sending back the guest username, device name or the host name so I can see that info in the controller or AirWave.

    Just copy the section you want in the format that Tim showed you. It can be an authz attribute or a computed attribute.

    [attached screenshots: Screen Shot 2015-01-13 at 10.31.32 PM.png, Screen Shot 2015-01-13 at 10.29.16 PM.png, Screen Shot 2015-01-13 at 10.28.53 PM.png, Screen Shot 2015-01-13 at 10.34.53 PM.png, Screen Shot 2015-01-13 at 10.36.19 PM.png]