Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass API E-mail notifications for byod users

  • 1.  ClearPass API E-mail notifications for byod users

    Posted 18 days ago

    Hello,

    We would like to send a notification email to BYOD users who have entered an incorrect password. With the following configuration we can send a notification to a single email.

    So we want to send an email to all users who enter an incorrect password and not to a specific email address.
     
    When we look at the attributes in the access tracker it seems that we can only retrieve variables that fall under radius. The email addresses fall under "Authorization Attributes" which we cannot use as variables. Does anyone have an idea how we can solve this?



  • 2.  RE: ClearPass API E-mail notifications for byod users

    Posted 18 days ago

    Just curious on the use-case here?  How would the BYOD user receive an email if they enter an incorrect password on the BYOD itself that they may or may not be using to check email?  What does sending an email accomplish?




  • 3.  RE: ClearPass API E-mail notifications for byod users

    Posted 18 days ago

    When users change their password they often forget to change their password in their BYOD devices. This means that accounts are blocked and cannot log in to the "normal" network. We therefore want to send an email address to users where the password is incorrectly sent in their byod devices.

     

    Does this make sense?






  • 4.  RE: ClearPass API E-mail notifications for byod users

    Posted 18 days ago

    I see.  Let me ask a different question.  What is the use-case for allowing personal, unmanaged, unknown devices onto the protected internal network?  What is the reason for users entering their AD credentials into these same assets?   Why not use a guest flow for these assets?  Or have them enroll in an MDM solution and push certificates instead?

    I guess OnGuard is not being used here then?




  • 5.  RE: ClearPass API E-mail notifications for byod users

    Posted 18 days ago

    We do not use onguard. Our question is actually how can we send emails to specific users.

     






  • 6.  RE: ClearPass API E-mail notifications for byod users

    Posted 18 days ago

    I understand, just trying to offer a different perspective on the value/use-case of this solution.  These also aren't BYOD users if OnGuard is not being used.  They are untrusted unmanaged devices using protected Active Directory credentials to join the network.




  • 7.  RE: ClearPass API E-mail notifications for byod users

    EMPLOYEE
    Posted 18 days ago

    If you've upgraded to a recent version of ClearPass then the user should already be prompted to check the credentials on the device.

    What you're trying to do is known as a "bad idea", susceptible to bad actors or just an inordinate amount of email being generated as the trigger will not occur a single time, but will be called for each and every failed attempt.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: ClearPass API E-mail notifications for byod users

    EMPLOYEE
    Posted 18 days ago

    In addition to that, using PEAP-MSCHAPv2 with domain username/password is a very bad idea in general, unless you have full control over the end-user devices. It's extremely hard for end users to configure the correct certificate settings, and it's likely that some/most of your clients will happily connect to a rogue network and expose the user's AD password, which after being cracked can be used to log in to not only the network but also webmail, computers, VPN, etc.

    You only have full control over your clients when they are managed by an MDM/EMM solution, in which case it's a small additional step to enroll client certificates, so using PEAP/TTLS is not needed.

    For sending mail, you may have a look at this solution, which uses a local API call to trigger an outgoing mail message. You may be able to modify that and use the e-mail attribute pulled from AD, however I don't think there is enforcement when authentications don't succeed. Also, I vaguely remember that that API call has been closed in recent ClearPass versions... I may be wrong on this one.

    You may also send the failed authentication (syslog/Insight) to your SIEM solution and trigger an e-mail action from there. As said, and others have said, you should probably not be doing this for several reasons.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
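The SIEM-side approach suggested in the last reply (forward failed authentications via syslog and trigger the e-mail from there) also gives you a place to address the objection raised earlier in the thread, that a naive trigger fires once per failed attempt and can be driven by anyone who spams a username. The script below is an added example, not code from any of the posters or from ClearPass: it parses constructed syslog-style lines (the field layout is an assumption, not the real ClearPass export format), keeps only rejects for the BYOD service, and only plans a notification once a user has crossed a failure threshold and is outside a per-user cooldown window. The actual mail send is left to whatever action the SIEM provides; the function returns the list of notifications it would raise so the throttling logic can be checked on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines. The field layout (user=, service=, result=,
# reason=, mac=) is an assumption made for this example; it is not the real
# ClearPass syslog/Insight export format.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z clearpass auth: user=alice@example.com service=BYOD-802.1X result=REJECT reason=MSCHAPv2-failure mac=aa:bb:cc:dd:ee:01
2024-05-01T08:00:05Z clearpass auth: user=alice@example.com service=BYOD-802.1X result=REJECT reason=MSCHAPv2-failure mac=aa:bb:cc:dd:ee:01
2024-05-01T08:00:09Z clearpass auth: user=alice@example.com service=BYOD-802.1X result=REJECT reason=MSCHAPv2-failure mac=aa:bb:cc:dd:ee:01
2024-05-01T08:01:00Z clearpass auth: user=bob@example.com service=BYOD-802.1X result=ACCEPT mac=aa:bb:cc:dd:ee:02
2024-05-01T08:02:00Z clearpass auth: user=carol@example.com service=Corporate-EAP-TLS result=REJECT reason=cert-expired mac=aa:bb:cc:dd:ee:03
this line is not an auth event and must be skipped by the parser
2024-05-01T09:30:00Z clearpass auth: user=alice@example.com service=BYOD-802.1X result=REJECT reason=MSCHAPv2-failure mac=aa:bb:cc:dd:ee:01
2024-05-01T09:30:03Z clearpass auth: user=alice@example.com service=BYOD-802.1X result=REJECT reason=MSCHAPv2-failure mac=aa:bb:cc:dd:ee:01
2024-05-01T09:30:06Z clearpass auth: user=alice@example.com service=BYOD-802.1X result=REJECT reason=MSCHAPv2-failure mac=aa:bb:cc:dd:ee:01
2024-05-01T10:00:00Z clearpass auth: user=dave@example.com service=BYOD-802.1X result=REJECT reason=MSCHAPv2-failure mac=aa:bb:cc:dd:ee:04
2024-05-02T08:30:00Z clearpass auth: user=alice@example.com service=BYOD-802.1X result=REJECT reason=MSCHAPv2-failure mac=aa:bb:cc:dd:ee:01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) clearpass auth: user=(?P<user>\S+) service=(?P<service>\S+) "
    r"result=(?P<result>\S+)(?: reason=(?P<reason>\S+))? mac=(?P<mac>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed auth event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def plan_notifications(log_text, service, min_failures=3, cooldown=timedelta(hours=24)):
    """Decide which users would get a 'check your stored password' mail.

    A user is notified only when their reject count on `service` reaches
    `min_failures`, and then at most once per `cooldown` window. Rejects that
    arrive inside the window keep counting but do not raise another mail, so
    a device retrying every few seconds (or someone hammering a username)
    cannot turn the trigger into a mail flood.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # syslog delivery order is not guaranteed

    failures = defaultdict(int)   # rejects since the user's last notification
    last_notified = {}            # user -> timestamp of the last mail planned
    notifications = []

    for ev in events:
        if ev["service"] != service or ev["result"] != "REJECT":
            continue
        user = ev["user"]
        failures[user] += 1
        if failures[user] < min_failures:
            continue
        last = last_notified.get(user)
        if last is not None and ev["ts"] - last < cooldown:
            continue  # threshold crossed again, but still inside the cooldown
        notifications.append({"user": user, "at": ev["ts"], "failures": failures[user]})
        last_notified[user] = ev["ts"]
        failures[user] = 0
    return notifications


if __name__ == "__main__":
    for n in plan_notifications(SAMPLE_LOG, "BYOD-802.1X"):
        print(f"{n['at'].isoformat()}  notify {n['user']} after {n['failures']} rejects")
```

With the defaults (three rejects, 24-hour cooldown) the sample produces exactly two planned mails for alice, both of her 09:30 retries and dave's single failure are absorbed, and carol is ignored because her reject is on a different service. Running the same log with `min_failures=1` and a zero cooldown shows what the thread warned about: every reject becomes a mail.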