Yes, the CAP and RAP are in different AP groups.
The users that connect either to RAP or CAP are getting the same server derived role because they are authenticated
by the same network policy on the radius server. So by specifying different AAA profie with different default role does not help
because the default role will not be assigned if the server derived role is present.
If i move the RAP to a different controller then based on the NAS ID i can specify different value to the radius attribute on the
network policy and then the server derived role will be different. I tested this by moving the CAP to another controller and it works.
Is it possible to move the RAP from the master to a local controller?
Thanks.