Hi everyone,
I'm having a problem with a Guest SSID on Mobility Controllers, with a captive portal with sponsor and MAC caching on ClearPass.
The SSID is in bridge mode, and as the official documentation says, I have enabled the ageout-bridge-user parameter in the aaa profile.

The controllers are at a different site than the APs, and the controllers don't have an IP on the guest VLAN network, so I have enabled the Allow tri-session with DNAT parameter in the controllers' Firewall settings.

I also changed the controllers' default captive portal certificate to a wildcard certificate for my domain (*.mydomain.es).
On ClearPass Policy Manager, I have two services created by default from the wizard, one of them for MAC authentication and the other one for MAC caching.
On ClearPass Guest, I set up Self-Registration. First, I used the Controller-Initiated login method, but the redirection to captiveportal-login.mydomain.es wasn't working, so now I have the Server-Initiated login method. Furthermore, according to the official documentation, the CoA sent to the controller is necessary, and Server-Initiated is the method which supports this.

I created a WebAuth service on ClearPass that is working, but with this service I can't assign the guest Aruba-User-Role to the controller, so when a user logs in correctly, the captive portal redirects to the Self-Registration page again (I think because the guest role is not being sent to the controller).
So, I don't know if this is a problem with ClearPass, controllers, certificates, networking, or something else...
Thank you so much,