While Passthrough WebAuth upon MAC authentication failure is not supported on Cisco WLCs, it is easy to work around this by doing the following.
The first step is to create a user to serve as a dummy account that the web form will silently submit when the user agrees. Create this user wherever your authentication happens (RADIUS or local).
The second step is to modify the passthrough HTML file (login.html, for example) to include a hidden <div> that contains the dummy user’s login details:
<div id="hiddenForm" style="display: none;">
<h4 align=center><font color="#000000">Username<input type="TEXT" name="username" SIZE="25" MAXLENGTH="63" VALUE="webauthdummy"></font></h4>
<h4 align=center><font color="#000000">Password<input type="Password" name="password" SIZE="25" MAXLENGTH="63" VALUE="webauthdummy"></font></h4>
</div>
Just make sure the above is within the <form> block. The above can be simplified; I got lazy and just modified Cisco’s webauth examples.
<h4 align=center><font size="5" color="#000000"><input type="button" name="Submit" value="ACCEPT" class="button" onclick="submitAction();"></font></h4><p></p>
As shown above, I also modified the submit button slightly to say “ACCEPT”, as the passthrough form does.
And that’s it. You can now set the “On MAC Filter failure” option when using the Web Policy Layer 3 Security feature.
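A pre-upload check for the edited page, as an added example that is not part of the original post or of Cisco's webauth bundle: it confirms that the username and password inputs sit inside the <form> and inside a display:none container, carry a pre-filled value, and that some control calls submitAction(). The names check_login_page, GOOD and BAD and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

VOID = {"input", "br", "img", "hr", "meta", "link"}  # never closed, so never pushed
CHECKS = (("in_form", "outside <form>, will not be submitted"),
          ("hidden", "not inside a display:none container"),
          ("value", "no pre-filled value"))

class LoginPageCheck(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []            # open elements as (tag, hides_children)
        self.fields = {}           # "username"/"password" -> findings
        self.calls_submit = False  # some control invokes submitAction()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "").lower()
        if tag == "input" and name in ("username", "password"):
            self.fields[name] = {
                "in_form": any(t == "form" for t, _ in self.stack),
                "hidden": any(h for _, h in self.stack),
                "value": a.get("value", "")}
        self.calls_submit |= "submitAction" in a.get("onclick", "")
        if tag not in VOID:
            style = a.get("style", "").replace(" ", "").lower()
            self.stack.append((tag, "display:none" in style))

    def handle_endtag(self, tag):  # drop nearest matching open tag; tolerates misnesting
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i]
                break

def check_login_page(html):  # returns a list of problems, empty if the page passes
    p = LoginPageCheck()
    p.feed(html)
    problems = [] if p.calls_submit else ["no control calls submitAction()"]
    for name in ("username", "password"):
        f = p.fields.get(name)
        problems += ([f"{name}: input missing"] if f is None else
                     [f"{name}: {msg}" for key, msg in CHECKS if not f[key]])
    return problems

# Constructed sample pages (not Cisco's bundle): fields inside vs. outside <form>.
FIELDS = ('<div id="hiddenForm" style="display: none;"><input name="username" VALUE="webauthdummy">'
          '<input type="Password" name="password" VALUE="webauthdummy"></div>')
BUTTON = '<input type="button" name="Submit" value="ACCEPT" onclick="submitAction();">'
GOOD = "<form>" + FIELDS + BUTTON + "</form>"
BAD = "<form>" + BUTTON + "</form>" + FIELDS
```

Run check_login_page() on the contents of the edited login.html before uploading it to the controller; an empty list means the hidden fields will be submitted with the form.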