jokohanho,
You mention in your post that the Android and HP computers are getting assigned the wrong role, correct? Colin's upgrade suggestion is likely to help if you have VLAN assignment problems, but if the role itself is not being applied properly it could be elsewhere. Your goal is the following correct?
- If computer certificate authentication; hit NET-SPC NPS policy which has NET-SPC filter-ID returned and server group rule assigns NET-SPC-X role which has VLAN 400 assigned within the role
- If user authentication; hit NET NPS policy which has no VSAs returned; and the user is assigned the default role and VLAN in the AAA and VAP profiles
If it is only the role misapplying, then run the following to determine the role derivation source of the systems getting the wrong role.
show user ip x.x.x.x
Look for the Role Derivation field. If it says Aruba VSA, then the role was applied by NPS during authentication. If that was the case (should not be for your NET policy based on your initial post) review the NPS logs to ensure the proper policy is being hit for those logins.
Example:
Name: tom, IP: 172.16.13.10, MAC: 40:0e:85:01:b5:69, Role: secure.user.all, ACL: 63/0, Age: 00:10:47
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
Authentication Servers: dot1x authserver: cppm-1.lab.net, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: Dot1x Aruba VSA Role Contained
vs
Name: joe, IP: 192.168.13.143, MAC: 5c:f9:38:1c:f0:c0, Role: authenticated, ACL: 61/0, Age: 01:11:26
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
Authentication Servers: dot1x authserver: cppm-1.lab.net, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: default for authentication type 802.1x
VLAN Derivation: Default VLAN