Wireless Access

I would check the default role under 

"show aaa authentication captive-portal <profile-name>" 

Are the users authenticated using the internal database on the controller?  If so, they will have "guest" as the role by default and a server provided role takes precendence over the default role.

If you want to use a role other than "guest", you will have to edit the internal account roles OR use an external authentication server (AFAIK).

Run the command 'show aaa server-group <server group name>' Do you see: 'set role condition role value-of'? The default server groups applies this Server Rule. Either remove this rule, or if this Sever Group is being referenced by other profiles create a new Server Group, and leave out that Server Rule

I've run into the same issue recently.  What code are you running?

I would probably debug that user and check in the user-debug logs, where these roles are getting derived from.

Sorry for the late reply.  After doing some reading on your code release version, we found the issue.  We are on code 3.3.3.2.  Apparently on this code the default role assigned for guest users via Captive Portal is "guest".  There is nowheere in the CLI or GUI where this shows, we just found it by reading.