I have a simple configuration consisting of an Aruba controller and ClearPass.
What I want to achieve is that, if ClearPass accepts the request, the client gets the same VLAN ID and subnet as the access point.
My problem, which I can't find the reason for, is that clients get the guest role instead of the Employee role sent from ClearPass.
The client receives ACCEPT in Access Tracker and it hits the enforcement profile "Accept Employee".
RADIUS response from Access Tracker:
Radius:Aruba:Aruba-User-Role Employee
The WLAN is configured with forwarding mode Bridge and VLAN ID 1.
I have tried forwarding mode Tunnel and another VLAN ID; still the guest role.
Debug log including the client MAC address:
authmgr[3576]: <522049> <3576> <INFO> |authmgr| MAC=<client-mac-adress>,IP=N/A User role updated, existing Role=logon/none, new Role=guest/none, reason=Set bridge-role
authmgr[3576]: <522049> <4698> <INFO> |authmgr| MAC=00:00:00:00:00:00,IP=N/A User role updated, existing Role=none/none, new Role=logon/none, reason=mac user created
authmgr[3576]: <522066> <3576> <DBUG> |authmgr| AP-Bridge-Wired User: Updating current role from logon/n/a to guest/NULL for user <client-mac-adress>
authmgr[3576]: <522083> <4698> <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:logon,pDefRole:0x0x27d62e4
authmgr[3576]: <522127> <3576> <DBUG> |authmgr| {L2} Update role from logon to guest for IP=N/A, MAC=<client-mac-adress>.
authmgr[3576]: <522127> <4698> <DBUG> |authmgr| {L2} Update role from NULL to logon for IP=N/A, MAC=00:00:00:00:00:00.
authmgr[3576]: <522142> <4698> <DBUG> |authmgr| Setting default role to logon for user 00:00:00:00:00:00".
authmgr[3576]: <522158> <3576> <DBUG> |authmgr| Role Derivation for user N/A-<client-mac-adress>- guest Set bridge-role.
authmgr[3576]: <522254> <4698> <DBUG> |authmgr| VDR - mac <client-mac-adress> rolename logon fwdmode 1 derivation_type Initial Role Contained vp not present.
authmgr[3576]: <522301> <3576> <DBUG> |authmgr| Auth GSM : USER publish for uuid <uuid> mac <client-mac-adress> name role guest devtype wired 0 authtype 0 subtype 0 encrypt-type 10 conn-port 0 fwd-mode 1 roam 0 repkey 7
authmgr[3576]: <522301> <4698> <DBUG> |authmgr| Auth GSM : USER publish for uuid <uuid> mac <client-mac-adress> name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 10 conn-port 8448 fwd-mode 1 roam 0 repkey 7
authmgr[3576]: <522016> <3576> <INFO> |authmgr| MAC=<client-mac-adress> IP=?? Derived role 'Employee' from Aruba VSA
authmgr[3576]: <522029> <3576> <INFO> |authmgr| MAC=<client-mac-adress> Station authenticate: method=8021x-Machine, role=guest///logon, VLAN=1/1, Derivation=8/1, Value Pair=1
authmgr[3576]: <522044> <3576> <INFO> |authmgr| MAC=<client-mac-adress> Station authenticate(start): method=8021x-Machine, role=guest///logon, VLAN=1/1, Derivation=1/0, Value Pair=1, flags=0x1
authmgr[3576]: <522049> <3576> <INFO> |authmgr| MAC=<client-mac-adress>,IP=N/A User role updated, existing Role=guest/none, new Role=guest/none, reason=station Authenticated with auth type: 802.1x Machine Authentication
authmgr[3576]: <522053> <3576> <DBUG> |authmgr| PMK Cache getting updated for <client-mac-adress>, (def, cur, vhow) = (1, 1, 1) with vlan=0 vlanhow=0 essid=DoggyWifiAruba role=guest rhow=8
authmgr[3576]: <522127> <3576> <DBUG> |authmgr| {L2} Update role from guest to guest for IP=N/A, MAC=<client-mac-adress>.
authmgr[3576]: <522142> <3576> <DBUG> |authmgr| Setting cached role to NULL for user <client-mac-adress>".
authmgr[3576]: <522142> <3576> <DBUG> |authmgr| Setting cached role to guest for user <client-mac-adress>".
authmgr[3576]: <522158> <3576> <DBUG> |authmgr| Role Derivation for user N/A-<client-mac-adress>-host/<client-hostname>.local guest Set bridge-role.
authmgr[3576]: <522266> <3576> <DBUG> |authmgr| Calling derive_role2 for user <client-mac-adress>
I hope someone can point me in the right direction.
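
An added example, not part of the original post: a short Python check over authmgr lines like the ones above that reports any client whose role derived from the Aruba VSA never appears as the new role in a "User role updated" line, along with the reasons the controller logged for the roles it did apply. The MAC aa:bb:cc:dd:ee:ff and the function name are assumptions; the sample lines are the post's own with that constructed MAC substituted for the redacted placeholder. The check does not rely on line order.

```python
import re

# Constructed sample: authmgr lines from the post, with a made-up MAC standing in
# for the redacted <client-mac-adress> placeholder.
SAMPLE_LOG = """\
authmgr[3576]: <522049> <3576> <INFO> |authmgr| MAC=aa:bb:cc:dd:ee:ff,IP=N/A User role updated, existing Role=logon/none, new Role=guest/none, reason=Set bridge-role
authmgr[3576]: <522049> <4698> <INFO> |authmgr| MAC=00:00:00:00:00:00,IP=N/A User role updated, existing Role=none/none, new Role=logon/none, reason=mac user created
authmgr[3576]: <522016> <3576> <INFO> |authmgr| MAC=aa:bb:cc:dd:ee:ff IP=?? Derived role 'Employee' from Aruba VSA
authmgr[3576]: <522049> <3576> <INFO> |authmgr| MAC=aa:bb:cc:dd:ee:ff,IP=N/A User role updated, existing Role=guest/none, new Role=guest/none, reason=station Authenticated with auth type: 802.1x Machine Authentication
"""

MAC = r"MAC=([0-9A-Fa-f:]{17})"
# Role returned by RADIUS (Aruba-User-Role VSA), as logged in message 522016.
DERIVED = re.compile(MAC + r".*Derived role '([^']+)' from Aruba VSA")
# Role actually applied, as logged in message 522049; captures role name and reason.
UPDATED = re.compile(
    MAC + r".*User role updated, existing Role=[^,]*, new Role=([^/,]+)[^,]*, reason=(.*)"
)


def unapplied_vsa_roles(log_text):
    """Return (mac, vsa_role, [(applied_role, reason), ...]) for every MAC whose
    RADIUS-derived role never shows up as the new role in a role update."""
    vsa, updates = {}, {}
    for line in log_text.splitlines():
        if m := DERIVED.search(line):
            vsa[m.group(1).lower()] = m.group(2)
        elif m := UPDATED.search(line):
            updates.setdefault(m.group(1).lower(), []).append(
                (m.group(2), m.group(3).strip())
            )
    findings = []
    for mac, role in vsa.items():
        applied = updates.get(mac, [])
        if role.lower() not in {r.lower() for r, _ in applied}:
            findings.append((mac, role, applied))
    return findings


if __name__ == "__main__":
    for mac, role, applied in unapplied_vsa_roles(SAMPLE_LOG):
        print(f"{mac}: RADIUS returned {role!r} but it was never applied")
        for new_role, reason in applied:
            print(f"  applied {new_role!r} (reason: {reason})")
```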