Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Wireless users can not communicate with each other

  • 1.  Wireless users can not communicate with each other

    Posted Nov 03, 2017 04:31 AM

    Clients connecting to different SSIDs can communicate with each other.

    The configuration is as follows:

     

    aaa profile "Aruba-A"
       initial-role "Aruba-A"
    !
    aaa profile "Aruba-B"
       initial-role "Aruba-B"
    !
    wlan virtual-ap "Aruba-A"
       aaa-profile "Aruba-A"
       ssid-profile "Aruba-A"
       vlan 4
    !
    wlan virtual-ap "Aruba-B"
       aaa-profile "Aruba-B"
       ssid-profile "Aruba-B"
       vlan 3

     

    Under normal circumstances, clients can communicate with each other.

    I want clients belonging to VLAN 3 to communicate only with the server (10.10.4.19); they should not be able to communicate with other IPs inside VLAN 4.

    I configured one policy as follows:

     

    netdestination server
      host 10.10.4.19
    !
    netdestination subnet_Local
      network 10.10.3.0 255.255.255.0
    !
    ip access-list session Wifi_user
      alias subnet_Local alias server any permit
      alias subnet_Local user any deny
    !
    user-role Aruba-A
     access-list session global-sacl
     access-list session apprf-cisco-sacl
     access-list session Wifi_user
     access-list session allowall

     

    After the configuration is complete, VLAN 3 IPs can communicate with the server.

    I have a question:

    User-role Aruba-B

    Why not access-list session Wifi_user under user-role aruba-B?

     

     



  • 2.  RE: Wireless users can not communicate with each other

    EMPLOYEE
    Posted Nov 04, 2017 09:11 AM

    How are your wifi users authenticating?  The initial-role parameter in the AAA profile is only for Open, WEP, or WPA2-PSK users.  If you are using 802.1x you would need to assign the default 802.1x role in the AAA profile to whatever role you want your clients to have.
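
    The distinction drawn in the reply above, as an added configuration sketch that is not part of either post: a PSK or open SSID takes its role from initial-role, while an 802.1X SSID takes it from dot1x-default-role. The 802.1X authentication profile name "Aruba-B-dot1x" is a hypothetical placeholder; the other names are the ones used in the thread.

```text
! Open, WEP or WPA2-PSK SSID: the client is placed in initial-role
aaa profile "Aruba-A"
   initial-role "Aruba-A"
!
! 802.1X SSID: after successful authentication the client is placed in
! dot1x-default-role, so the session ACLs attached to that role are the
! ones enforced. "Aruba-B-dot1x" is an assumed profile name.
aaa profile "Aruba-B"
   initial-role "Aruba-B"
   authentication-dot1x "Aruba-B-dot1x"
   dot1x-default-role "Aruba-B"
!
```

    On a controller, `show user-table` lists the role each connected client actually received, which confirms whether the role carrying the intended session ACL is the one in effect.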