Hello!
We got this working eventually, so I thought I'd just close the thread with some final input.
At least in 6.2.x, using login-method "Controller initiated" doesn't work towards IOS XE (5760, 3850).
Need to use login-method "Server initiated" which means CoA. This method is used for wired switches and referenced as MAB or MAC-filtering.
There is no guide available anywhere that has this described in detail for IOS XE. On the ClearPass side the best guide I've come across is actually created by Alcatel-Lucent:
http://www.youtube.com/watch?v=gVUUE59ptPI
Cisco has created its share of guides with 5760 and ISE, but they won't work directly off the bat for ClearPass:
https://supportforums.cisco.com/document/147096/converged-access-%E2%80%93-configure-ssid-central-web-authentication-cwa-using-ise-catalyst
That said - I still don't know what setting on Cisco got things working since I wasn't the one troubleshooting that end. We had an Aruba engineer remote control the Cisco WLC and try things back and forth until it worked. It was just too messy to get a final idea of what solved it ;(
Important notes on the Cisco config
* If you're not getting past the initial mac-auth to trigger the redirect, try this line highlighted in bold:
    aaa group server radius clearpass_guest
     server name clearpass.domain.com
     subscriber mac-filtering security-mode mac
    !
* Redirect is triggered, but client is unable to open the CP page.
Go through the redirect ACL in detail. This is what worked for us and is a variation of what you find on the Cisco forums:
    ip access-list extended allowclearpass
     deny ip any host <clearpass-ip>
     permit tcp any any
     deny udp any any eq domain
     permit udp any any eq bootpc
     permit udp any eq bootpc any
     permit udp any eq domain any log
     permit udp any any log
    !
Good luck!
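
One way to go through the redirect ACL in detail, as an added example that is not part of the original post: a first-match evaluator for the ACL above, with 192.0.2.10 as a constructed stand-in for `<clearpass-ip>`. It assumes the usual Cisco URL-redirect convention that `permit` marks traffic for redirection and `deny` exempts it, and the parser handles only the keywords this ACL uses.

```python
import ipaddress

PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}  # keywords this ACL uses

# ACL from the post; 192.0.2.10 is a constructed stand-in for <clearpass-ip>.
ACL = """\
deny ip any host 192.0.2.10
permit tcp any any
deny udp any any eq domain
permit udp any any eq bootpc
permit udp any eq bootpc any
permit udp any eq domain any log
permit udp any any log
"""

def _endpoint(tok):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    if tok[0] == "any":
        host, tok = None, tok[1:]
    elif tok[0] == "host":
        host, tok = ipaddress.ip_address(tok[1]), tok[2:]
    else:
        raise ValueError(f"unsupported address spec: {tok[0]}")
    port = None
    if tok[:1] == ["eq"]:
        port = PORTS[tok[1]] if tok[1] in PORTS else int(tok[1])
        tok = tok[2:]
    return (host, port), tok

def parse(text):
    """Turn ACL lines into (action, proto, src, dst, original_line) tuples."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        tok = [t for t in line.split() if t != "log"]
        src, rest = _endpoint(tok[2:])
        dst, _ = _endpoint(rest)
        rules.append((tok[0], tok[1], src, dst, line))
    return rules

def _hit(end, ip, port):
    host, want = end
    return host in (None, ipaddress.ip_address(ip)) and want in (None, port)

def evaluate(rules, proto, src_ip, sport, dst_ip, dport):
    """First match wins. Assumption: permit = redirect, deny = exempt."""
    for action, rproto, src, dst, line in rules:
        if rproto in ("ip", proto) and _hit(src, src_ip, sport) and _hit(dst, dst_ip, dport):
            return action, line
    return "deny", "(implicit deny)"

RULES = parse(ACL)
```

Calling `evaluate(RULES, "tcp", "10.0.0.5", 50000, "192.0.2.10", 443)` returns the first entry, which is why that `deny` has to sit above `permit tcp any any`: with the order reversed, the client's own request to the portal would match the permit first.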