Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 6.1 response to bad password, user not found

  • 1.  Clearpass 6.1 response to bad password, user not found

    Posted Feb 07, 2014 07:28 PM

    If a user tries to authenticate to ClearPass -> Active Directory and is using the wrong username or a bad password, is the user automatically rejected because they failed auth, or are they given the default user role for the profile? I see the default Radius:Aruba:Aruba-User-Role in the Output > Radius Response in the logs, and was a bit confused. I would think it would not receive any user-role, or a Reject one by default.

     



  • 2.  RE: Clearpass 6.1 response to bad password, user not found

    Posted Feb 07, 2014 07:46 PM

     

    It depends on what you have defined as your default Enforcement Profile (Action) under the Enforcement Policy (Decision).

     

    2014-02-07 19_43_29-ClearPass Policy Manager - Aruba Networks.png



  • 3.  RE: Clearpass 6.1 response to bad password, user not found
    Best Answer

    Posted Feb 08, 2014 10:51 AM

    The enforcement policy is for authorization ONLY. Authentication has to succeed first before the enforcement policy is evaluated.

     

    Bottom line: if you enter an incorrect username and/or password you will always be rejected.



  • 4.  RE: Clearpass 6.1 response to bad password, user not found

    Posted Feb 18, 2014 05:11 PM

    Thanks for the clarification. The problem I was having was that users with clearly bad usernames were showing up on my network. The issue turned out to be not about authentication vs. authorization but instead about inner and outer identities: Androids have built-in settings to auth with one set of credentials but make a different set visible in the logs. Here is a post with the same issue:

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Inner-and-outer-identity-802-1x/m-p/139107#M9775
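
Added example, not part of the thread: with tunneled EAP methods such as PEAP, the outer identity is sent outside the TLS tunnel and is not what gets checked against the directory, so a log that displays it can show names that never authenticated. The sketch below reconciles outer and inner identities for each accepted session; the record layout, field names and sample values are constructed for illustration and are not ClearPass's own log format.

```python
import re

# Constructed sample records; the key=value layout and field names are
# hypothetical, not ClearPass's own export format.
SAMPLE_LOG = r'''
mac=aa:bb:cc:00:00:01 outer="jsmith" inner="jsmith" result=ACCEPT
mac=aa:bb:cc:00:00:02 outer="notarealuser" inner="mjones" result=ACCEPT
mac=aa:bb:cc:00:00:03 outer="anonymous" inner="akhan" result=ACCEPT
mac=aa:bb:cc:00:00:04 outer="badname" inner="badname" result=REJECT
mac=aa:bb:cc:00:00:05 outer="CORP\lchen" inner="lchen@corp.example" result=ACCEPT
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ANONYMOUS = {"", "anonymous"}

def parse(line):
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def normalize(identity):
    """Reduce DOMAIN\\user and user@realm forms to a bare lowercase name."""
    user = identity.strip().lower().rsplit("\\", 1)[-1]
    return user.split("@", 1)[0]

def audit(log_text):
    """Classify accepted sessions by how the outer name relates to the inner one."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse(line)
        if rec.get("result") != "ACCEPT":
            continue  # failed authentication: rejected before any role is assigned
        outer, inner = normalize(rec["outer"]), normalize(rec["inner"])
        if outer == inner:
            verdict = "match"
        elif outer in ANONYMOUS:
            verdict = "anonymous-outer"  # privacy placeholder, expected
        else:
            verdict = "mismatch"  # unverified label; attribute the session to inner
        findings.append((rec["mac"], rec["outer"], rec["inner"], verdict))
    return findings

if __name__ == "__main__":
    for mac, outer, inner, verdict in audit(SAMPLE_LOG):
        print(f"{mac}  outer={outer!r}  authenticated-as={inner!r}  {verdict}")
```

A "mismatch" row is the situation described in post 4: the session was accepted on the inner credentials, and the odd-looking name is only the unverified outer label.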