Wireless Access

I would check the default role under 

"show aaa authentication captive-portal <profile-name>" 

Are the users authenticated using the internal database on the controller?  If so, they will have "guest" as the role by default and a server provided role takes precendence over the default role.

If you want to use a role other than "guest", you will have to edit the internal account roles OR use an external authentication server (AFAIK).

Run the command 'show aaa server-group <server group name>' Do you see: 'set role condition role value-of'? The default server groups applies this Server Rule. Either remove this rule, or if this Sever Group is being referenced by other profiles create a new Server Group, and leave out that Server Rule

I've run into the same issue recently.  What code are you running?

I would probably debug that user and check in the user-debug logs, where these roles are getting derived from.

Sorry for the late reply.  After doing some reading on your code release version, we found the issue.  We are on code 3.3.3.2.  Apparently on this code the default role assigned for guest users via Captive Portal is "guest".  There is nowheere in the CLI or GUI where this shows, we just found it by reading.

you can also check the role by 

show user ip <ip address of client>    or by show user mac <mac of client >

there it will have all the info about the client and look for role and vlan derivation.

also try checking the user table and look for authentication as web that means it went through captive portal , once verified look for the role client is getting , if its not the role u mentioned then , check the default-role you specified in aaa authentication captive <name >.