Recommend:
a) look at Radius logs (if you are using ClearPass, look at Access Tracker) to determine whats coming up and going back to the Controller
b) turn on radius/aaa debug on the controller and watch the transaction. Role derivation will be visible there.(or lack thereof)
JF