While implementing ClearPass guest with a Cisco WLC on 7.6 we encountered a problem. Basically it didn't work :)
The solution worked fine without MAC-caching, but for guests having to re-login all the time it's not ideal, so that's why we wanted MAC-caching. So we implemented more or less your MAC-filtering with captive portal fallback.
When connecting any unknown client we just got "Could not connect to the network", and saw this in Access Tracker:
2 seconds between re-tries, and for some reason the WLC ignores the captive portal fallback and just drops the client instead of redirecting.
I doubt that it's expected behaviour from the WLC, but still had to try to find a way around it.
A lot of googling and testing later gave cause to adjust the Radius Reject delay
==> Administration » Server Manager » Server Configuration || Radius Server || Reject Packet Delay = 1
Changed this value to 0 and it started working instantly. We changed it back and forth between 0 and 1 while changing some timing values on the WLC etc, but ended up just leaving it at 0.
Whether setting this to 0 has any other nasty consequences is yet to be seen, but if any of you guys have any experience with this and have a better solution then please let me know.