Please excuse the rant in advance. I'll try to be as constructive as possible.
Once again I'm faced with a customer intending to do multiple manipulations off the guest portal regarding endpoint caching (remember me functionality), as well as endpoint MAC differentiation for employees authenticating off guest portals.
I've seen in the communities really valuable contributions from Jason Kunst and other community members where the generally accepted solution is to use the CoA mechanisms to redirect users after authentication yet again to a hotspot portal just for endpoint registration into a correct group, just because there's no way to tie external DB lookups into guest portals.
This method is, in my view, an ugly workaround. It is not scalable (many guest types/endpoint groups/external DB groups imply a portal per type; any change needs to be reflected in all portals).
Would there be the possibility of adding directly off of the authorization policy a "Post-Authorization Action" result where an Endpoint would simply be updated with the correct static endpoint group based on External User group mapping and then CoA'd? The possibility of manipulation of the internal endpoint DB on the fly would be a really nice addition as it would overcome a major limitation of not being able to distinguish "remember me" configurations.
I understand the proper channel argument. Yet often, when going through the channel, we are faced with a "Please explain your business case and which and how many customers are interested" type of answer.
If enough people in the community were interested in this type of feature, it would make for a good business case on its own.