Why is Web Page Auth on MAC Filter Failure not working on Anchor Controller?

cbeswick · ‎11-02-2011

Hi,

I have implemented a Guest WLAN solution as per the recommended design from Cisco. We have two internal WiSM2 controllers providing services for Internal secure SSIDs. Both these controllers are members of a Mobility and RF management group.

Two 5508 controllers have been installed in our DMZ for resilience and have been placed into a separate Mobility group. All controllers (internal and external) have been linked together as mobility neighbours in a full mesh and a new SSID for Web Guest traffic has been anchored to the controllers in the DMZ.

Web page authentication works perfectly fine, but I cannot for the life of me get the MAC filtering override to work, i.e. if a MAC address is present, do not redirect to the splash page for web auth.

I can get MAC auth working by iteself, but not with the Layer 3 option selected for web page auth on mac filter failure.

I know I can get around this by just creating two separate SSIDs. But the business is used to just having the one SSID for all guest traffic.

Is this a known limitation when anchoring SSIDs to controllers in the DMZ ?

Salil Prabhu · ‎11-02-2011

Hi,

Yes..CSCts54424 Web auth on mac filter failure does not work properly with anchor WLAN

Please open a TAC case and we can see if we can give you an image with the FIX.

Thanks..Salil

tbartush · ‎11-23-2011

I'm hitting this bug too, when can we expect a fix.

Thanks

Nicolas Darchis · ‎11-24-2011

The target is the 7.0 release that will come after 7.0.220. It's targeted for February.

You can probably get a workaround/solution by opening a TAC case

Salil Prabhu · ‎11-24-2011

Hi Nicolas,

I guess they changed their mind to add this fix in 7.0MR3. Now the fix will be in 7.2 release planned to be release in FEB.

There is a documentation bug opened to add this to configuration guide :

CSCtw48727 Document CSCts54424. Limitations webauth on mac filter fail for anchor

Regards..Salil

CSCtw48727

Document CSCts54424. Limitations webauth on mac filter fail for anchor

tbartush · ‎11-28-2011

Documentation bug makes me apprehensive about a proper fix. Will Cisco fix the bug so that this feature works across mobility anchors? Or will they s l e a z e it out and simply update the documentation to say it doesn't work?

tbartush · ‎12-08-2011

FYI

7.2 will not run on the 4400 series WLC.

Only the Documentation will be updated for the 7.0.

Be aware that as it stands the "on MAC failure" feature has more limitations. With the current code the selection of the "on MAC failure" is exclusive to the other options within the Web Policy. For example: You cannot have the client "pass-though" on MAC failure. Feature request CSCtw73512 is opened for this - it is not scheduled for any release yet.

Aparently this feature was added for one specific customer to solve one specific need.

IMHO although this feature is potentally extremly useful - in its current form it should not have been made available in the gereral public release.