
ClearPass - return error code in radius response

Hi All,

Does anybody know if there is a variable you can call up in a RADIUS reject response that represents the TIPS Error Code?

E.g. I want to return Error Code 216 to my downstream device so it knows that password failure was the cause.

I can't seem to find anything in the standard variables.

Scott

Guru Elite

Re: ClearPass - return error code in radius response

There’s no official way, but you can send anything in a filter-ID as long as the downstream device can receive/parse it.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Super Contributor II

Re: ClearPass - return error code in radius response

My problem is in getting the error code.

When I create an enforcement profile I can specify the Filter-Id to return; however, I can't find a variable that selects the error code.

I guess I could do it with role derivation so that any TIPS error code 216 = role "password failed" and then return the role name, but this seems overly complex.

Guru Elite

Re: ClearPass - return error code in radius response

On second thought, it may not be possible to send attributes back with a RADIUS reject for a 1X request.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Super Contributor II

Re: ClearPass - return error code in radius response

These are just standard RADIUS proxy requests.

Super Contributor II

Re: ClearPass - return error code in radius response

OK, so it doesn't look like there is any clean way to do this, so I came up with a workaround which involved the use of role mapping and specific enforcement profiles. Essentially you need to assign a role to devices that fail with a certain code and then map that to an enforcement profile / policy that sends the required information back to the NAD.

See below:

[Screenshots: snip1.JPG, snip2.JPG, snip3.JPG]

Guru Elite

Re: ClearPass - return error code in radius response

And you see that message in NAD device?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Super Contributor II

Re: ClearPass - return error code in radius response

Yes, it gets returned with the reject.

Super Contributor II

Re: ClearPass - return error code in radius response

[Screenshot: snip4.JPG]

Guru Elite

Re: ClearPass - return error code in radius response

If you know what the error codes mean and don't care about the text, you can create an enforcement profile that returns %{Authentication:ErrorCode}. This way you'll get all errors, not just incorrect password.

Enforcement rule would read:

Authentication Status EQUALS Failed

<ErrorCode-enforcement-profile>


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
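
For the downstream side of the approach in this thread, a sketch of reading the error code out of the Filter-Id of an Access-Reject, checking the Response Authenticator before trusting the attribute. This is an added example, not code from the thread or from Aruba; it assumes the enforcement profile puts only the decimal code (e.g. 216) in Filter-Id, and the shared secret, request authenticator and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3  # RADIUS packet code, RFC 2865
FILTER_ID = 11     # Filter-Id attribute type, RFC 2865

def _authenticator(header, request_auth, attrs, secret):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reject(ident, request_auth, secret, filter_id):
    """Build a constructed Access-Reject carrying Filter-Id (sample data)."""
    value = filter_id.encode("ascii")
    attrs = bytes([FILTER_ID, len(value) + 2]) + value
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs))
    return header + _authenticator(header, request_auth, attrs, secret) + attrs

def error_code_from_reject(packet, request_auth, secret):
    """Return the numeric code in Filter-Id, or None if absent/non-numeric.

    Raises ValueError for a malformed or unauthenticated packet.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REJECT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Reject")
    header, auth, attrs = packet[:4], packet[4:20], packet[20:length]
    # Verify before trusting any attribute: a forged reject must not be parsed.
    if not hmac.compare_digest(auth, _authenticator(header, request_auth, attrs, secret)):
        raise ValueError("bad Response Authenticator")
    pos = 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 2 <= len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[pos] == FILTER_ID:
            text = attrs[pos + 2:pos + alen].decode("ascii", "replace").strip()
            return int(text) if text.isdigit() else None
        pos += alen
    return None

# Constructed sample values, not taken from the thread.
REQ_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
SAMPLE = build_reject(7, REQ_AUTH, SECRET, "216")

if __name__ == "__main__":
    print(error_code_from_reject(SAMPLE, REQ_AUTH, SECRET))
```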
