MAC Exception for Web Authentication

Unanswered Question
Mar 5th, 2010
User Badges:

Hello folks.  I currently have a guest network setup using guest tunneling and an anchor controller.  I have it configured for web authentication.   So basically, a client associates to the SSID, obtains an DHCP IP from the guest anchor controller, and then when the browser is launched the client is redirected to and receives the splash page where they are required to click "OK" to proceed and begin surfing the internet.

I am being told from a vendor that it's possible to use a mac-address exception method so specific clients (based on mac address) will not have to web authenticate.  So basically they bypass the splash screen and can immediately begin surfing the internet. 

From what I can tell it's all or nothing per SSID.

Has anyone ever heard of this and if so do you know how it is accomplished.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Scott Fella Fri, 03/05/2010 - 07:38
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

I don't think they gave you the right info.  You can use MAC filters to allow devices access, but this is guest, so why even bother.  If you want certain people to bypass the pass-through splash page, then create another ssid that is just open.... not a good idea though.  The reason for a splash page is that you can provide a term of use to protect yourself legally.  Just my opinion.

weterry Tue, 03/09/2010 - 22:16
User Badges:
  • Silver, 250 points or more

I've seen people ask for something like this for like an XBOX in a dorm (appearently XBOX doesn't have a browser?).....

Bottom line though is that on the WLC, all wireless clients on a WebAuth/WebPassthrough SSID must pass layer3 authentication. There is no way around this on this SSID.  You'd have to create a different SSID as Scott suggested, which I'd probably suggest doing some kind of PSK on it, so only a few priveledged devices can associate.... you could even through in mac-filtering if you really wanted to complicate it....

Now, I understand that switches may have such a feature called mac-bypass, but it isn't on the WLC.

c.fuller Wed, 03/10/2010 - 09:01
User Badges:

Thanks for the input guys.  This is my take on it as well.   I have not been able to find a feature on the guest anchor WLC to allow certain client mac addresses to bypass the splash page.  I have no intention of standing up a separate SSID and leaving it wide open.  I also have no intention of using PSK for a separate SSID.  I try to avoid creating a new SSID for every application each department wants to trial.  The system could get unmanageable very quickly by doing that.   I'll see what the vendor comes back with.

I have a customer that does this with Bluesocket.  We are in the process of installing WLC's to replace their Bluesocket and I've come to the realization that I'll have to standup one SSID that group A uses with webauth and group B will use with MAC filtering/authentication.  The idea is that group B needs the same "guest" type access but they don't want to log into the spash page when they use the WLAN.


This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode