The relevant ports are all allowed on the firewall. Its only after moving the AAA profiles initial role to authenticated, the users on that specific SSID are able to have management access to the controller.
Was wondering if there's an alternate way to gain the management/web access of controller without changing the AAA profile's default parameters.