Security

Reply
MVP
Posts: 517
Registered: ‎05-11-2011

Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

 

While implementing ClearPass guest with a Cisco WLC on 7.6 we encountered a problem. Basically it didn't work :)

 

The solution worked fine without MAC-caching, but for guests having to re-login all the time it's not ideal so thats why we wanted MAC-caching. So we implemented the more or less your MAC-filtering with captive portal fallback.

 

When connecting any unknown client we just got "Could not connect to the network", and saw this in Access Tracker:

28.03.png

 

2 seconds between re-tries, and for some reason the WLC ignores the captive portal fallback and just drops the client instead of redirecting. 

 

I doubt that it's expected behaviour from the WLC, but still had to try to find a way around it.

 

Alot of googling and testing later gave cause to adjust the Radius Reject delay

==> Administration » Server Manager » Server Configuration || Radius Server || Reject Packet Delay = 1

 

Changed this value to 0 and it started working instantly. We changed it back and forth between 0 and 1 while changing some timing values on the WLC etc, but ended up just leaving it at 0.

 

If setting this to 0 has any other nasty consequences is yet to be seen, but if any of you guys have any experience with this and have a better solution then please let me know.

 

 


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Aruba Employee
Posts: 1
Registered: ‎11-28-2012

Re: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

A quick google search will show that others have had this same problem with Cisco in the past.  Even in an all-Cisco environment (including ISE) there were problems with MAC On-Failure processing.  I don't know if they came to the conclusion about the Reject Delay setting, but it works with Aruba ClearPass.

 

Thanks John for the post.

 

Richard.

Highlighted
Aruba
Posts: 1,287
Registered: ‎08-29-2007

Re: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

Further to this and for my own benefit when I revisit much later, I had to do the following.

 

MAC Filtering --> Radius Compatibility = Cisco ACS

Snip20170124_6.png

 

Radius Authentication Servers --> Call Station ID Type = System MAC Address

Snip20170125_9.png


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Search Airheads
Showing results for 
Search instead for 
Did you mean: