MAS.
Although most likely it will only be APs accessing Guest, but they don't want Guest to authenticate.
Would the Aruba APs be able to restrict the access?
Reading RN for 7.3 and it talks about
Router ACLs (RACLs)
Router ACLs perform access control on all traffic entering the specified Routed VLAN Interface. Roter ACLs provide
access control based on the Layer 3 addresses or Layer 4 port information and ranges. RACLs can only be applied
to ingress traffic.
Would that not be the same as Cisco VACLs - would have been nice to see example in user guide