Clearpass Version 6.1 and higher
Cisco WLC 7.0 and higher
Client connects to guest SSID. Cisco WLC sends a MAC authentication request to clearpass. Clearpass sends a Access-Reject since the MAC address is unknown. The captive portal redirection does not happen on the client device. The captive portal page is accessible if we manually type the login page URL.
The fact that the page loads fine when we manually type the URL informs us that the ACLs and the http/ https connection to Clearpass server is fine.
Reject delay is usually used to slow down any DOS / password guessing attacks and Clearpass uses a default value of 1 second. Cisco WLC does not seem to keep track of the RADIUS session for more than a second. Hence when Clearpass sends the MAC auth Reject after a delay of 1 second, the redirection upon MAC Filter failure does not work.
We have to reduce the RADIUS REJECT delay from the default value of 1 second to 0 for each server in the cluster. This can be configured from Administration > Server Configuration > Select the server to make the change > Select Service parameters tab > Select RADIUS server from the drop down > Change REJECT Packet Delay value to 0