no the controller is not local to the branch. its at central location. the VAP is in tunneled mode. the client is in "portal-logon" mode. here's the output:
#show rights portal-logon
Derived Role = 'portal-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 49/0
Max Sessions = 65535
Captive Portal profile = captive-guest
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 captive-guest_list_operations session
2 logon-control session
3 captiveportal session
captive-guest_list_operations
-----------------------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user ocsp.usertrust.com svc-http permit Low 4
2 user ocsp.usertrust.com svc-https permit Low 4
logon-control
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
captiveportal
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4
Expired Policies (due to time constraints) = 0
the nslookup to www.arubanetworks.com does give 2 ip addresses but https://1.1.1.1 doesnot work.