Can I derive VLAN based on roles in 6.3?
The answer is yes: role-based VLAN derivation is still possible in 6.3. However, if you have 802.1X authentication enabled, it does not work in the intermediate roles in 6.3.
(Aruba) (config) #user-role guest
(Aruba) (config-role) #vlan ?
STRING VLAN ID or Named VLAN
Role Based VLANs from the intermediate Machine Roles “Machine Authentication: Default Machine Role” and “Machine Authentication: Default User Role” will not be supported.
If both Machine Authentication and User Authentication succeed, all VLAN derivations supported today will continue to be supported.
If Machine Authentication is configured, then during Machine Authentication, or during User Authentication without Machine Authentication having passed, none of the server attributes are honored. Once Machine Authentication passes, a User gets the “Machine Authentication: Default Machine Role”, and if User Authentication passes without Machine Authentication passing, a User gets the “Machine Authentication: Default User Role”. As far as VLAN derivation is concerned for these two cases, the only derivations possible are the Role Based VLANs from these two roles. If both Machine Authentication and User Authentication pass, the server attributes returned during User Authentication are honored.
In 6.3 the design has been changed:
With machine authentication enabled, the VLAN to which a client is assigned (and from which the client obtains its IP address) depends upon the success or failure of the machine and user authentications. The VLAN that is ultimately assigned to a client can also depend upon attributes returned by the authentication server or server derivation rules configured on the controller. If machine authentication is successful, the client is assigned the VLAN configured in the virtual AP profile. However, the client can be assigned a derived VLAN upon successful user authentication.
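To locate configurations that rely on a VLAN set in one of the intermediate roles, the following added example (not Aruba's code) scans running-config-style text for 802.1X profiles with machine authentication enabled whose machine-default-role or user-default-role names a role that carries a vlan statement. The sample config and every role and profile name in it are constructed, and the layout of indented sub-commands closed by "!" is an assumption about the exported config.

```python
import re

# Constructed running-config excerpt; role and profile names are made up.
SAMPLE_CONFIG = """\
user-role mach-only
 vlan 30
!
user-role user-only
 vlan "quarantine"
!
aaa authentication dot1x "corp-dot1x"
 machine-authentication enable
 machine-authentication machine-default-role "mach-only"
 machine-authentication user-default-role "user-only"
!
aaa authentication dot1x "lab-dot1x"
 machine-authentication machine-default-role "mach-only"
!
"""
NAME = r'\s+"?([^"]+)"?'  # a bare or double-quoted name argument

def parse_blocks(config):
    """Map each unindented header line to its indented sub-commands (assumed layout)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            current = None                      # '!' or a blank line closes the block
        elif not line[0].isspace():
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def find_intermediate_role_vlans(config):
    """Return (profile, setting, role, vlan) for intermediate roles that set a VLAN."""
    blocks, role_vlan, findings = parse_blocks(config), {}, []
    for header, body in blocks.items():
        role = re.fullmatch("user-role" + NAME, header)
        for cmd in body if role else []:
            if (vlan := re.fullmatch("vlan" + NAME, cmd)):
                role_vlan[role.group(1)] = vlan.group(1)
    for header, body in blocks.items():
        prof = re.fullmatch("aaa authentication dot1x" + NAME, header)
        if not prof or "machine-authentication enable" not in body:
            continue                            # only profiles with machine auth enabled
        for cmd in body:
            m = re.fullmatch(r"machine-authentication ((?:machine|user)-default-role)" + NAME, cmd)
            if m and m.group(2) in role_vlan:
                findings.append((prof.group(1), m.group(1), m.group(2), role_vlan[m.group(2)]))
    return findings
```

Each tuple returned names a profile whose intermediate role expects a role-based VLAN that, per the behavior described above, is not supported in 6.3.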
Refer for derivation process: