Yes, that is correct. The role the user gets is "authenticated", which has all the default permissions. The only modification is a redirect to a tunnel-group for allowall.
Just to clarify, the same controller terminates CAPs with a VAP that uses the same auth profile that is attached as wired to the incoming VLAN. And this setup works flawlessly.
Also to note: once the client receives an ARP reply, either because it saw a reply to someone else's ARP request or a gratuitous ARP, everything starts working wonders. Thus, I doubt it's relevant to the user role. It seems that the controller is trying to be too smart about broadcast propagation from the tunnel node, but excludes the conversion logic that it applies to the VAP.
Thanks.