That's the problem, there never is another mac auth request after the device was registered, it just sits in the initial-role stupid but content. The WEBAUTH source is setup to do the Aruba Terminate Session, but nothing ever happens.
"You need to use Allow All MAC Auth and add a fail through rule that returns your captive portal role."
The macauth wizard didn't make anything resembling a captive portal role, so I'm flying blind trying to understand your references here and other posts on the subject. I was able to modify the standard enforcement policy from the default days-of-the-week to something that properly sets the authenticated devices into the correct role, but the fail
through rule to a captive portal role doesn't seem to happen.