Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

  • 1.  Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

    Posted Mar 27, 2014 07:52 PM

     

    While implementing ClearPass guest with a Cisco WLC on 7.6 we encountered a problem. Basically it didn't work :)

     

    The solution worked fine without MAC-caching, but for guests having to re-login all the time it's not ideal, so that's why we wanted MAC-caching. So we implemented the more or less your MAC-filtering with captive portal fallback.

     

    When connecting any unknown client we just got "Could not connect to the network", and saw this in Access Tracker:

    28.03.png

     

    2 seconds between re-tries, and for some reason the WLC ignores the captive portal fallback and just drops the client instead of redirecting. 

     

    I doubt that it's expected behaviour from the WLC, but still had to try to find a way around it.

     

    A lot of googling and testing later gave cause to adjust the RADIUS Reject delay:

    ==> Administration » Server Manager » Server Configuration || Radius Server || Reject Packet Delay = 1

     

    Changed this value to 0 and it started working instantly. We changed it back and forth between 0 and 1 while changing some timing values on the WLC etc, but ended up just leaving it at 0.

     

    Whether setting this to 0 has any other nasty consequences is yet to be seen, but if any of you guys have any experience with this and have a better solution then please let me know.

     

     



  • 2.  RE: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

    EMPLOYEE
    Posted Jul 13, 2014 05:42 PM

    A quick google search will show that others have had this same problem with Cisco in the past.  Even in an all-Cisco environment (including ISE) there were problems with MAC On-Failure processing.  I don't know if they came to the conclusion about the Reject Delay setting, but it works with Aruba ClearPass.

     

    Thanks John for the post.

     

    Richard.



  • 3.  RE: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

    EMPLOYEE
    Posted Jan 25, 2017 04:07 AM

    Further to this and for my own benefit when I revisit much later, I had to do the following.

     

    MAC Filtering --> Radius Compatibility = Cisco ACS

    Snip20170124_6.png

     

    Radius Authentication Servers --> Call Station ID Type = System MAC Address

    Snip20170125_9.png



  • 4.  RE: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

    Posted Apr 09, 2018 11:55 AM

    Can you explain why you would choose colon over hyphen for delimiter?

     

    Thanks,

    Chris



  • 5.  RE: Trick to get MAC Caching working on Cisco WLC 7.6 with ClearPass

    Posted Apr 09, 2018 12:13 PM

    Hi!

    ClearPass doesn't care if it's hyphen or colon (unless you specify this in your policy), but just use the same on both settings.