This is a followup to my post from a few weeks ago that was titled "Content block when it shouldn't". I believe my issue is more fundamental and want to get some better visibility on it.
That is certainly not the way content blocking is supposed to work on Instant On. This seems like a bug.
Appreciate your patience, please contact support and they will be able to help resolve the issue
Additional background for posterity.
I opened the case with Aruba and recreate the problem on two separate occasions for their engineers (1st level and after I had it escalated). They opened an engineering ticket and asked me to recreate it again.
Unfortunately (or luckily)....I came into some campus APs and a controller and switched to that gear. I still have a pair of the InstantOn APs up, but had disabled the SSIDs. Now Aruba TAC has come to me asking to again duplicate the problem. I've re-enabled some SSIDs but am unable to duplicate the problem yet. I'll keep trying.
I will ask everyone to keep an eye out. The symptoms were very easy to miss. I saw it because a user couldn't access my Sonos system (the problem went away when I disabled wifi and turned it back on). Another case had a user getting only 1mb of upload/download (again...cleared by disabling/re-enabling). I believe these were both cases where an "employee" was placed in a guest role. The last case was as described in my initial post, where an employee was placed in the wrong employee role (again...cleared easily).
I'll add one more point. Aruba engineers were clearly able to see that the wrong role was being assigned to the users. It is NOT a case of misconfiguration or user error.
Per my Aruba engineer...
"Engineering team was able to re-produce the issue, and they found the root cause. It is an issue with ASAP_mod module sending ACL Index.
Engineering working on to fix it. I will keep you posted with update."