Thank you for the reply. We have now resolved this; it was the wired port configuration:
1. If the RAP Eth1 port is configured as trusted, the ping reply will never reach back to the split tunnel device. The packet is bridged and has no chance to be translated back to the wireless client.
2. When putting the RAP Eth1 port as not trusted, the wired user will show in the user table with the logon role.
3. It is necessary to create an AAA profile and a new role for the wired device.
4. The wired role needs to allow incoming traffic.
The new role firewall policy was defined as follows:
Position  Source  Destination                        Service   Action
--------  ------  ---------------------------------  --------  ------
1         any     any                                svc-dhcp  permit
2         user    any                                udp 68    deny
3         any     network 192.168.1.0 255.255.255.0  any       permit
The source in the 3rd rule has to be 'any' and not 'user'.
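The four steps above, collected into one controller configuration fragment as an added example (not from the original post). It assumes ArubaOS 6.x CLI syntax as I recall it, and the profile, role and ACL names are hypothetical placeholders; the ACL rows are the three rules from the table.

```text
! Session ACL for the wired device behind the RAP Eth1 port (assumed ArubaOS 6.x syntax).
! Rule 3 uses source 'any' rather than 'user' so that replies to the split-tunnel
! wireless client are allowed through the wired role.
ip access-list session rap-wired-acl
  any  any                                svc-dhcp  permit
  user any                                udp 68    deny
  any  network 192.168.1.0 255.255.255.0  any       permit
!
! Dedicated role for the wired device; it only carries the ACL above.
user-role rap-wired-role
  access-list session rap-wired-acl
!
! AAA profile that places the wired device into that role instead of 'logon'.
aaa profile rap-wired-aaa
  initial-role rap-wired-role
!
! Eth1 stays untrusted: with 'trusted' set the traffic is bridged and never
! translated back to the wireless client (the original failure mode).
ap wired-ap-profile rap-eth1-wired
  wired-ap-enable
  forward-mode split-tunnel
  no trusted
!
ap wired-port-profile rap-eth1-port
  wired-ap-profile rap-eth1-wired
  aaa-profile rap-wired-aaa
!
! Apply to the RAP's group; 'rap-group' is a placeholder name.
ap-group rap-group
  enet1-port-profile rap-eth1-port
!
```

After applying, 'show user' should list the wired device in rap-wired-role rather than logon; if it still shows logon, the AAA profile is not bound to the port profile in use.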