03-27-2014 04:52 PM
While implementing ClearPass guest with a Cisco WLC on 7.6 we encountered a problem. Basically it didn't work :)
The solution worked fine without MAC-caching, but for guests having to re-login all the time it's not ideal so thats why we wanted MAC-caching. So we implemented the more or less your MAC-filtering with captive portal fallback.
When connecting any unknown client we just got "Could not connect to the network", and saw this in Access Tracker:
2 seconds between re-tries, and for some reason the WLC ignores the captive portal fallback and just drops the client instead of redirecting.
I doubt that it's expected behaviour from the WLC, but still had to try to find a way around it.
Alot of googling and testing later gave cause to adjust the Radius Reject delay
==> Administration » Server Manager » Server Configuration || Radius Server || Reject Packet Delay = 1
Changed this value to 0 and it started working instantly. We changed it back and forth between 0 and 1 while changing some timing values on the WLC etc, but ended up just leaving it at 0.
If setting this to 0 has any other nasty consequences is yet to be seen, but if any of you guys have any experience with this and have a better solution then please let me know.
-ACMX #316 :: ACCP-
Intelecom - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
07-13-2014 02:42 PM
A quick google search will show that others have had this same problem with Cisco in the past. Even in an all-Cisco environment (including ISE) there were problems with MAC On-Failure processing. I don't know if they came to the conclusion about the Reject Delay setting, but it works with Aruba ClearPass.
Thanks John for the post.