Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass


While implementing ClearPass guest with a Cisco WLC on 7.6 we encountered a problem. Basically it didn't work :)


The solution worked fine without MAC-caching, but for guests having to re-login all the time it's not ideal so thats why we wanted MAC-caching. So we implemented the more or less your MAC-filtering with captive portal fallback.


When connecting any unknown client we just got "Could not connect to the network", and saw this in Access Tracker:



2 seconds between re-tries, and for some reason the WLC ignores the captive portal fallback and just drops the client instead of redirecting. 


I doubt that it's expected behaviour from the WLC, but still had to try to find a way around it.


Alot of googling and testing later gave cause to adjust the Radius Reject delay

==> Administration » Server Manager » Server Configuration || Radius Server || Reject Packet Delay = 1


Changed this value to 0 and it started working instantly. We changed it back and forth between 0 and 1 while changing some timing values on the WLC etc, but ended up just leaving it at 0.


If setting this to 0 has any other nasty consequences is yet to be seen, but if any of you guys have any experience with this and have a better solution then please let me know.



John Solberg

-ACMX #316 :: ACCP :: ACSA
Aruba Partner Ambassador
Intelecom Group - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Aruba Employee

Re: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

A quick google search will show that others have had this same problem with Cisco in the past.  Even in an all-Cisco environment (including ISE) there were problems with MAC On-Failure processing.  I don't know if they came to the conclusion about the Reject Delay setting, but it works with Aruba ClearPass.


Thanks John for the post.



Re: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

Further to this and for my own benefit when I revisit much later, I had to do the following.


MAC Filtering --> Radius Compatibility = Cisco ACS



Radius Authentication Servers --> Call Station ID Type = System MAC Address


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Search Airheads
Showing results for 
Search instead for 
Did you mean: