Hi
Thanks for getting back to me. Just had a session going through the setup on ClearPass and there are a couple of things. And - you're correct - some of it originated from Enforcement Profile.
1. The MAC auth enforcement policy was correct, apart from that ROLE MAPPING for guest had an enforcement profile giving the station a non-existing Aruba User Role - so the Aruba role giving Captive Portal access wasn't added and user was placed in a default user role with no CP
2. When that was fixed we noticed that the initial role in Aruba Controller had the wrong CP Profile added - wizard had changed this; so default guest user role was added rather than the customized guest role
With those two tweaks - it worked
lessons learned
thank you