Im not sure what the commands I need are offhand as I dont really use the command line a lot either. I do most stuff from the GUI but I can read the config and easily see if it is correct or not.
Log into the command line of your controller (use putty). Before logging in, change the logging option of putty to "All session output" (it is on the left hand side of the putty configuration). This will save your output to a text log.
Once you have a text copy of your config, do a find and look for "rap-operation backup". This will give us the virtual-ap profile that you are using. We need to find the aaa-profile for that virtual-ap profile and seach for that in the config.
Do a search again and look for the aaa-profile that you found in the step beforehand. You should find an "aaa profile "XXXXXXXX"" with roles tied to it. Look for the "initial-role" in the aaa profile and copy that.
Do a search again and look for the initial-role that you found beforehand. This will give you a list of ACLs tied to that role. Search your config for each one of the ACLs to find what the rules are.
Here is my config for our backup RAP config:
vlan 188
ap system-profile "default"
rap-dhcp-server-vlan 188
rap-dhcp-server-id 192.168.188.1
rap-dhcp-default-router 192.168.188.1
rap-dhcp-dns-server 8.8.8.8
rap-dhcp-dns-server 4.2.2.2
rap-dhcp-pool-start 192.168.188.25
rap-dhcp-pool-end 192.168.188.254
rap-local-network-access
ap-console-password
(REMOVED)
bkup-passwords
(REMOVED)
wlan virtual-ap "XXXXX_Backup_Profile"
aaa-profile "XXXXX_External_Access"
ssid-profile "XXXXX_Backup_SSID_Profile"
vlan 188
forward-mode bridge
rap-operation backup
aaa profile "XXXXX_External_Access"
initial-role "XXXXX_External_Users"
authentication-dot1x "XXXXX_External_Auth_Profile"
user-role XXXXX_External_Users
access-list session global-sacl
access-list session apprf-XXXXX_External_Users-sacl
access-list session XXXXX_External_User_Policy
ip access-list session XXXXX_External_User_Policy
alias XXXXX_Backup_Network alias XXXXX_Backup_Network any permit
user any any route src-nat
That last part "user any any route src-nat" might be what you are missing but that is just a guess on my part. If you can send me your config in the same way that I sent mine, then I can easily look at it and tell you want is wrong/missing. Just start with searching for "rap-operation backup" from your config and copy the virtual-ap profile and search for every profile attached to it in the config and copy that info here.