Skipping Web Passthrough for a single client

Unanswered Question
Apr 13th, 2012

Is it possible to set one client up so that it can go online and does not have to open up a web page and click on the "Accept" button?

Trying to get this working for Apple TV, which does not have a browser.  Since no traffic is passed until a client clicks on the "Accept" button, clients can't see the Apple TV and connect to it.  However, I don't want to disable the web passthrough option for everyone.

Overall Rating: 5 (1 ratings)
Scott Fella Fri, 04/13/2012 - 13:39

Why not create a new SSID for the Apple TV and use AP Groups to specify what APs will broadcast that SSID. Well you will not broadcast it to the clients but the AP will have it:). Then map that SSID for Apple TV to the same subnet as the iPad users, etc. You can't exclude devices from webauth.


Scott Fella

Sent from my iPhone

Mohammad Ali Fri, 04/13/2012 - 15:29

Unfortunately that is not possible due to our setup.  I do have a different SSID for the Apple TV and both SSIDs are mapped to the same network.  However, the issue is that the first SSID has "p2p blocking enabled" and the second one doesn't.  So all the clients are connecting to that too.

What I tried was the following:

Set up MAC Filtering, then set "MAC Failure Action" to go to the web passthrough redirect page, and added the Apple TV's MAC to the allowed MAC list.  That sort of works, but after the clients hit accept it just keeps bringing that page up and does not finish the authentication.

Scott Fella Fri, 04/13/2012 - 15:50

I don't know why SSID is doing what. What I'm saying is that you create a new SSID just for the Apple TV (I think it supports WPA2-AES psk) and then that would map to the same vlan as the iPad users. So the Apple TV and iPads would be on a separate WLAN SSID.


Scott Fella

Sent from my iPhone

Mohammad Ali Fri, 04/13/2012 - 16:03

Already done that, but then the iPad users, if they do not connect to the same SSID, won't be able to see the Apple TV because that particular SSID has "P2P Block Action" set to "Drop".

Scott Fella Fri, 04/13/2012 - 16:08

Do you require that... If P2P is enabled and even if the Apple TV and iPads are on the same subnet, you are preventing the devices from communicating.


Scott Fella

Sent from my iPhone

Mohammad Ali Fri, 04/13/2012 - 16:11

It is not enabled on the second SSID where Apple TV and the iPad users are connected

SSID1 -------------> --------------> Regular guest users (p2p actions drop)


SSID2 -------------> --------------> Apple TV and users who are connecting to Apple TV only (p2p blocking disabled)

Scott Fella Fri, 04/13/2012 - 16:19

This is what I'm trying to describe:

SSID1 -------------> --------------> Regular guest users (p2p actions drop)


SSID2 -------------> --------------> Apple TV users who are connecting to Apple TV only (p2p blocking disabled)  WebAuth


SSID3 -------------> --------------> Apple TV only (p2p blocking disabled) WPA2-AES psk

Mohammad Ali Fri, 04/13/2012 - 16:25

Just tried that scenario too but iPad won't see the Apple TV still.

I'm just surprised that there is no option to exclude a client if we want, and if there isn't, how come that other scenario with the MAC filtering isn't working?  Maybe I should create a case with Cisco.

Scott Fella Fri, 04/13/2012 - 16:30

Okay... do you have the following configured:

Multicast mode set to multicast

Global multicast enabled

IGMP Snooping enabled

Broadcast forwarding enabled

Mohammad Ali Fri, 04/13/2012 - 16:36

No, I'm going to configure that and test it next week and post back the results. Thank you for your help. If that does not work, I'll try wiring it too and see if that helps.

Scott Fella Fri, 04/13/2012 - 16:38

No problem... I assumed that you had the multicast stuff already enabled.  Give it a try... there are other posts regarding the Apple TV that you might want to look at, but it works with some configuration changes.

Mohammad Ali Mon, 04/16/2012 - 06:21

Good morning Scott, just a quick question.  I have enabled all those.  But I do get a message that the multicast IP is reserved by IANA it might not work properly.  I have the IP set as  Should I just ignore that message?

Stephen Rodriguez Mon, 04/16/2012 - 07:31

That address shouldn't be configured anywhere.  It is the address that a device will send packets to.  When you configure multicast in your network, you should use a 239.x.x.x address, as this is reserved for locally scoped multicast groups.  Think of it like an RFC 1918 address for the clients.
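
Added example, not part of the original thread: a Python check of a candidate controller multicast group address against the advice in the reply above (use 239.x.x.x rather than an IANA-assigned group). It goes slightly beyond the reply by also flagging 239.0.0.x and 239.128.0.x, which map to the same Ethernet MAC as link-local 224.0.0.x groups; that caveat, the function names and the sample addresses in the test are assumptions of this example, not values from the posters.

```python
import ipaddress

ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")   # locally scoped groups (RFC 2365)
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")    # IANA link-local control block


def multicast_mac(addr: str) -> str:
    """Map an IPv4 group to its Ethernet MAC: 01:00:5e + low 23 bits (RFC 1112)."""
    low23 = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)


def check_group(addr: str) -> list[str]:
    """Return the problems with using addr as the multicast group; empty means OK."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        return ["not a multicast address (outside 224.0.0.0/4)"]
    problems = []
    if ip not in ADMIN_SCOPED:
        problems.append("outside 239.0.0.0/8; IANA-assigned or reserved range")
    # 32 IP groups share each MAC. A group whose MAC is 01:00:5e:00:00:xx collides
    # with link-local groups, which switches flood even with IGMP snooping enabled.
    if ip not in LINK_LOCAL and (int(ip) & 0x7FFFFF) >> 8 == 0:
        problems.append(f"MAC {multicast_mac(addr)} collides with link-local 224.0.0.x")
    return problems
```

An empty list from `check_group` means the address is both locally scoped and free of the layer-2 overlap.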


Mohammad Ali Tue, 04/17/2012 - 16:49

Update, tried this with all the multicast settings configured on the WLC but still doesn't work if clients are on a different SSID.     

Scott Fella Tue, 04/17/2012 - 21:09

Okay... So if they are on the same SSID it works?

Sent from Cisco Technical Support iPhone App

Scott Fella Wed, 04/18/2012 - 04:44

Well I just tested my Apple TV and I put my iPhone and iPad on a different SSID but on the same subnet as the Apple TV and it worked for me.

Mohammad Ali Wed, 04/18/2012 - 05:36

Yes, but one of the SSIDs where clients are has p2p blocking enabled, so when I try to connect to the Apple TV from the clients that are on the SSID where the p2p blocking is enabled they can't see the ATV.

Scott Fella Wed, 04/18/2012 - 05:40

Well that feature "P2P Blocking" is doing what it does. Not allowing communication with other wireless devices. You will need to remove that if you want the devices to communicate with the other devices... Apple TV.


Scott Fella

Sent from my iPhone

