Ricardo,
Here are a couple of tips from the soon to be released updated VBN VRD document that might help.
"Regardless of the forwarding mode, all the settings that are related to captive portal reside at the controller and are not pushed to the RAPs. So to present the guest users with the captive portal page, they have to connect to the controller. Hence in remote deployments, the guest network at branch offices cannot be deployed in bridge forwarding mode if captive portal authentication is required.
The guest network at branch offices is usually deployed in split-tunnel forwarding mode for captive portal authentication. In this case, user roles are used to achieve the same behavior as bridge forwarding mode while providing captive portal authentication. The initial role assigned to the guests allow them to reach the captive portal page through the controller. After the guests pass the captive portal authentication, the authenticated role that is assigned to them can be designed to behave like a bridge forwarding mode.
Caution! When captive portal authentication is provided via split-tunnel forwarding mode, the controller must be the default gateway for the VLAN (subnet) used for guest users. Aruba recommends using the controller as the DHCP server for the guest VLAN. This guest VLAN, which is local to the controller, should be source-NATed by the controller."
Sample initial role that allows access to the Amigopod and default captiveportal policy.
user-role guest-branch-logon
captive-portal "default"
access-list session amigopod
access-list session captiveportal
access-list session guest-logon-access
!
Hope this helps
Cam.