Not sure where you got this Role Mapping from.
The problem here is that the Guest User Repository is based on username, whereas the MAC Authentication service is based on MAC address. The attributes AccountEnabled and AccountExpired are on the username.
You only map those in the captive portal service, which is on username, and have a separate mapping on the MAC Authentication service for MAC Caching.
What may help is to have a look at this workshop video series, where in the Guest part a service, including MAC Caching, is created.
For the MAC Caching, only the endpoint repository is queried in the role-mapping:
Conditions: (Authorization:[Endpoints Repository]:Unique-Device-Count EXISTS ) AND (Authorization:[Time Source]:Now DT LESS_THAN %{Endpoint:MAC-Auth Expiry}) AND (Authorization:[Guest User Repository]:AccountExpired EQUALS false) AND (Authorization:[Guest User Repository]:AccountEnabled EQUALS true)
Role: [MAC Caching]
That field MAC-Auth Expiry is set in the captive portal authentication:
Endpoint | MAC-Auth Expiry | = | %{Authorization:[Guest User Repository]:ExpireTime}
So please check your policies, and where you got them from. To me, it looks like you can just remove the two lines that check the Guest User Database. However, that check needs to be done in the Captive Portal service, so make sure you have those rules in place (with separate role-mapping).
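The split described in the reply above, as an added example that is not part of the original post and is not ClearPass code: a simplified Python model in which the guest repository is keyed by username and the endpoint repository by MAC address. The function names, the sample account and the MAC address are constructed for illustration, and the lookup behaviour is an assumption taken from the reply's explanation.

```python
from datetime import datetime

# Constructed sample data: guest accounts keyed by username,
# endpoints keyed by MAC address (assumption taken from the reply).
GUESTS = {"alice@example.com": {"AccountEnabled": True,
                                "AccountExpired": False,
                                "ExpireTime": datetime(2030, 1, 1)}}
ENDPOINTS = {"aabbccddeeff": {"Unique-Device-Count": 1}}


def captive_portal_login(username, mac, now):
    """Username-based service: the guest account checks belong here."""
    guest = GUESTS.get(username)
    if guest is None or not guest["AccountEnabled"] or guest["AccountExpired"]:
        return False
    if now >= guest["ExpireTime"]:
        return False
    # Models: Endpoint | MAC-Auth Expiry | = | guest ExpireTime
    ENDPOINTS.setdefault(mac, {})["MAC-Auth Expiry"] = guest["ExpireTime"]
    return True


def mac_auth_roles(mac, now, check_guest_repo):
    """MAC-based service: the authenticating identity is the MAC address."""
    ep = ENDPOINTS.get(mac, {})
    ok = ("Unique-Device-Count" in ep
          and "MAC-Auth Expiry" in ep
          and now < ep["MAC-Auth Expiry"])
    if check_guest_repo:
        # The lookup key is the MAC, not the guest username, so in this
        # model no account is found and the AND-ed rule cannot match.
        guest = GUESTS.get(mac)
        ok = (ok and guest is not None
              and guest["AccountEnabled"]
              and not guest["AccountExpired"])
    return ["[MAC Caching]"] if ok else []


if __name__ == "__main__":
    now = datetime(2029, 1, 1)
    captive_portal_login("alice@example.com", "aabbccddeeff", now)
    print("rule with guest checks:", mac_auth_roles("aabbccddeeff", now, True))
    print("endpoint-only rule:    ", mac_auth_roles("aabbccddeeff", now, False))
```

In this model the cached MAC gets the [MAC Caching] role only when the rule is limited to endpoint attributes, and it stops matching once MAC-Auth Expiry has passed.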