MVP

Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

 

While implementing ClearPass guest with a Cisco WLC on 7.6 we encountered a problem. Basically it didn't work :)

 

The solution worked fine without MAC-caching, but for guests having to re-login all the time it's not ideal so that's why we wanted MAC-caching. So we implemented the more or less your MAC-filtering with captive portal fallback.

 

When connecting any unknown client we just got "Could not connect to the network", and saw this in Access Tracker:

[Screenshot: 28.03.png]

 

2 seconds between re-tries, and for some reason the WLC ignores the captive portal fallback and just drops the client instead of redirecting. 

 

I doubt that it's expected behaviour from the WLC, but still had to try to find a way around it.

 

A lot of googling and testing later gave cause to adjust the Radius Reject delay

==> Administration » Server Manager » Server Configuration || Radius Server || Reject Packet Delay = 1

 

Changed this value to 0 and it started working instantly. We changed it back and forth between 0 and 1 while changing some timing values on the WLC etc, but ended up just leaving it at 0.

 

Whether setting this to 0 has any other nasty consequences is yet to be seen, but if any of you guys have any experience with this and have a better solution then please let me know.

 

 


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Aruba Employee

Re: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

A quick google search will show that others have had this same problem with Cisco in the past.  Even in an all-Cisco environment (including ISE) there were problems with MAC On-Failure processing.  I don't know if they came to the conclusion about the Reject Delay setting, but it works with Aruba ClearPass.

 

Thanks John for the post.

 

Richard.

Re: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

Further to this and for my own benefit when I revisit much later, I had to do the following.

 

MAC Filtering --> Radius Compatibility = Cisco ACS

[Screenshot: Snip20170124_6.png]

 

Radius Authentication Servers --> Call Station ID Type = System MAC Address

[Screenshot: Snip20170125_9.png]


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Contributor I

Re: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

Can you explain why you would choose colon over hyphen for delimiter?

 

Thanks,

Chris

MVP

Re: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

Hi!

ClearPass doesn't care if it's hyphen or colon (unless you specify this in your policy), but just use the same on both settings.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
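
The advice in the last reply (use the same delimiter on both WLC settings) can be checked against the attributes of a MAC-auth request. This is an added example, not code from the thread or from ClearPass; the attribute values are constructed, and it assumes the client MAC arrives in both User-Name and Calling-Station-Id.

```python
import re

# Delimiter styles a controller may use when writing a MAC into RADIUS attributes.
STYLES = {
    "colon": re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"),
    "hyphen": re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"),
    "dotted": re.compile(r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"),
    "none": re.compile(r"[0-9A-Fa-f]{12}"),
}


def mac_style(value):
    """Return the delimiter style of a MAC string, or None if it is not a MAC."""
    for name, pattern in STYLES.items():
        if pattern.fullmatch(value):
            return name
    return None


def canonical(value):
    """Strip delimiters and lowercase so MACs compare equal across styles."""
    if mac_style(value) is None:
        raise ValueError(f"not a MAC address: {value!r}")
    return re.sub(r"[^0-9A-Fa-f]", "", value).lower()


def check_request(attrs):
    """Compare the MAC in User-Name with the one in Calling-Station-Id."""
    user, csid = attrs["User-Name"], attrs["Calling-Station-Id"]
    return {
        "styles": (mac_style(user), mac_style(csid)),
        # True when both attributes use the same delimiter, as the reply advises.
        "same_style": mac_style(user) == mac_style(csid),
        # True when both attributes name the same client, whatever the delimiter.
        "same_client": canonical(user) == canonical(csid),
        # What a policy comparing the raw strings would conclude.
        "raw_match": user == csid,
    }


# Constructed sample requests (assumed attribute values, not from the thread).
CONSISTENT = {"User-Name": "00-11-22-aa-bb-cc", "Calling-Station-Id": "00-11-22-aa-bb-cc"}
MIXED = {"User-Name": "001122aabbcc", "Calling-Station-Id": "00:11:22:AA:BB:CC"}

if __name__ == "__main__":
    for name, req in (("consistent", CONSISTENT), ("mixed", MIXED)):
        print(name, check_request(req))
```

The mixed request names the same client in both attributes but fails a raw string comparison, which is the case where a policy that specifies the delimiter would stop matching.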