Configuring custom messages for failed logins
This feature allows administrators to configure custom messages that are displayed when authentication with the RADIUS server fails. The messages are appended to existing internal web pages that display during the authentication process. Messages can be configured using the CLI, or centrally using the RADIUS server, and can provide a description of the reason for a failure as well as possible steps to take to resolve the authentication issue. There is no change to the current web-based authentication functionality.
Syntax:
[no] aaa port-access web-based access-denied-message <<access-denied-str>|radius-response>
Specifies the text message (ASCII string) shown on the web page after an unsuccessful login attempt. The message must be enclosed in quotes.
The [no] form of the command means that no message is displayed upon failure to authenticate.
Default: The internal web page is used. No message will be displayed upon authentication failure.
access-denied-str: The text message that is appended to the end of the web page when there is an unsuccessful authentication request. The string can be up to 250 ASCII characters.
radius-response: Use the text message provided in the RADIUS server response to the authentication request.
Configuring an access denied message on the switch
Switch(config)#aaa port-access web-based access-denied-message "Please contact your system administrator to obtain authentication privileges."
Output showing the custom access denied message
Switch(config)#show port-access web-based config

 Port Access Web-based Configuration

  DHCP Base Address : 192.168.0.0
  DHCP Subnet Mask  : 255.255.248.0
  DHCP Lease Length : 10 seconds
  Allow RADIUS-assigned dynamic (GVRP) VLANs[No]: Yes
  Access Denied Message : Custom: Please contact your system administrator to obtain authentication privileges.

       | Client  Client  Logoff   Re-auth    Unauth     Auth     Ctrl
  Port | Enabled Limit   Moves    Period     Period     VLAN ID  VLAN ID  Dir
  ---- + ------- ------- ------- ---------- ---------- -------- -------- -----
  1    | Yes     1       No       300        60         1        2        both
  2    | Yes     18      No       999999999  999999999  0        0        both
  3    | Yes     22      No       999999999  999999999  4096     4096     both
Access denied message when radius-response is configured
Switch(config)#show port-access web-based config

 Port Access Web-based Configuration

  DHCP Base Address : 192.168.0.0
  DHCP Subnet Mask  : 255.255.248.0
  DHCP Lease Length : 10 seconds
  Allow RADIUS-assigned dynamic (GVRP) VLANs[No]: Yes
  Access Denied Message : Retrieved from Radius

       | Client  Client  Logoff   Re-auth    Unauth     Auth     Ctrl
  Port | Enabled Limit   Moves    Period     Period     VLAN ID  VLAN ID  Dir
  ---- + ------- ------- ------- ---------- ---------- -------- -------- -----
  1    | Yes     1       No       300        60         1        2        both
  2    | Yes     18      No       300        999999999  0        0        both
  3    | Yes     22      No       300        999999999  4096     4096     both
Unauthenticated clients can be assigned to a specific static, untagged VLAN (unauth-vid) to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients, the port is blocked and no network access is available.
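As an added example (not part of the switch documentation or HP's own tooling), the following Python parses the "show port-access web-based config" output shown above, reports which access-denied-message mode is in effect, and lists ports where unauthenticated clients are blocked. The sample input is a trimmed copy of the output on this page; the column names and the assumption that an Unauth VLAN ID of 0 means no unauth-vid is configured are mine.

```python
import re

# Trimmed copy of the "show port-access web-based config" output shown on this page (sample input).
SAMPLE = """\
  Access Denied Message : Custom: Please contact your system administrator to obtain authentication privileges.

       | Client  Client  Logoff   Re-auth    Unauth     Auth     Ctrl
  Port | Enabled Limit   Moves    Period     Period     VLAN ID  VLAN ID  Dir
  ---- + ------- ------- ------- ---------- ---------- -------- -------- -----
  1    | Yes     1       No       300        60         1        2        both
  2    | Yes     18      No       999999999  999999999  0        0        both
  3    | Yes     22      No       999999999  999999999  4096     4096     both
"""

# Column order of the per-port table, left to right after the "|" separator (names chosen here).
COLS = ("enabled", "limit", "moves", "reauth_period", "unauth_period",
        "unauth_vid", "auth_vid", "ctrl_dir")
INT_COLS = ("limit", "reauth_period", "unauth_period", "unauth_vid", "auth_vid")

def parse_web_based_config(text):
    """Return (access_denied_setting, {port: {column: value}}) parsed from the show output."""
    message, ports = None, {}
    for line in text.splitlines():
        m = re.match(r"\s*Access Denied Message\s*:\s*(.*)$", line)
        if m:
            message = m.group(1).strip()
            continue
        m = re.match(r"\s*(\d+)\s*\|\s*(.*)$", line)   # data rows start with a port number
        if m and len(fields := m.group(2).split()) == len(COLS):
            row = dict(zip(COLS, fields))
            for k in INT_COLS:
                row[k] = int(row[k])
            ports[int(m.group(1))] = row
    return message, ports

def denied_message_mode(setting):
    """Classify the setting: 'custom' (CLI string), 'radius' (radius-response), else 'internal'."""
    if setting and setting.startswith("Custom:"):
        return "custom"
    if setting and setting.lower().startswith("retrieved from radius"):
        return "radius"
    return "internal"

def blocked_unauth_ports(ports):
    """Ports whose Unauth VLAN ID is 0 (assumed: no unauth-vid), so unauthenticated clients are blocked."""
    return sorted(p for p, row in ports.items() if row["unauth_vid"] == 0)
```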