Ok, this is what I have done.
1. I have set up the Pre-Authentication rule with an 'any-source', 'any-destination', 'any-service' deny rule.
2. I got it to work by adding other IPv4 rules that were in the policies below (within the same pre-auth role) that were automatically created and named:
a. logon-control
b. Captive portal
Then it worked! And it works quite well. The problem is with the Post-authentication Role.
I was told by Aruba Support, and it is true, that for post-authentication policies one will need a permit any, any, any rule at the bottom of the policy (in the post auth role). That permit rule is required because if I remove it then no internet or anything (ssh, apps on the phone) will work at all.
I even added a few any-source, any-destination, service-http (& https) permit rules in place of the any permit rule and that did not help. The captive portal needed the any, any, any, permit rule. Is there anything else I can try?
What I did before was add a couple of 'network deny' rules above the any, any, any permit rule. But that was before I found out that we have hundreds of different network subnets. Is there a better way to protect our network in the post authenticated role?
There are no other policies below the policy that I created for Post authentication in the captive portal Post Auth Role. Any suggestions?