I'm working on the advanced toubleshooting lab and have run into an issue with the role derivation. Support isn't helping much. I think it may be over their head.
My client is not receiving a DHCP address and the packet is getting dropped. Looking a little further up, you can see the controller running through the vendor options, but even though option 60 is matched, the controller will not put it in the new role. The UDR hit counter is increasing but the role is not being applied. I've also tried changing the case of the vendor option but it did not help.
Here is the debug log for my client:
Feb 1 04:01:40 :124004: <4504> <DBUG> |authmgr| match_rule Value Pair to match essid : P4-wificams14
Feb 1 04:01:40 :124004: <4504> <DBUG> |authmgr| match_rule Value Pair to match encryption-type : static-wpa2-aes
Feb 1 04:01:40 :124004: <4504> <DBUG> |authmgr| match_rule Value Pair to match macaddr : 70:4d:7b:10:9e:c6
Feb 1 04:01:40 :124004: <4504> <DBUG> |authmgr| match_rule Value Pair to match fw_mode : 0
Feb 1 04:01:40 :124004: <4504> <DBUG> |authmgr| Matching `user' rules to derive vlan ...
Feb 1 04:01:40 :124004: <4504> <DBUG> |authmgr| dhcp-option 'equals' 3c4d53465420352e30
Feb 1 04:01:40 :124046: <4504> <DBUG> |authmgr| VLAN derivation. New rule position=0, Old rule position=0.
Feb 1 04:01:40 :124004: <4504> <DBUG> |authmgr| User (70:4d:7b:10:9e:c6): Do dot1x supplicant up
Feb 1 04:01:40 :124004: <4504> <DBUG> |authmgr| user_download: User N/A Router Acl(0)
Feb 1 04:01:40 :124234: <4504> <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 352 1 user messages bundled, actions
= 17
Feb 1 04:01:40 :124105: <4504> <DBUG> |authmgr| MM: mac=70:4d:7b:10:9e:c6, state=4, name=, role=deny-all, dev_type=, ip=0.0.0.0, new_rec=1.
Feb 1 04:01:40 :124004: <4504> <DBUG> |authmgr| User (70:4d:7b:10:9e:c6): User auth done
Feb 1 04:01:40 :124105: <4504> <DBUG> |authmgr| MM: mac=70:4d:7b:10:9e:c6, state=6, name=, role=deny-all, dev_type=, ip=0.0.0.0, new_rec=0.
Feb 1 04:01:41 :124524: <3602> <DBUG> |authmgr| DHCP pkt received of len=378
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| Matching `user' rules to derive role ...
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| dhcp-option 'equals' 3c4d53465420352e30
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| rule: set role condition dhcp-option equals "3c4d53465420352e30" set-value wificams description "wi
ficams-option60"
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| match_rule Value Pair to match dhcp-option : 3D01704D7B109EC6
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| Matching `user' rules to derive vlan ...
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| dhcp-option 'equals' 3c4d53465420352e30
Feb 1 04:01:41 :124046: <3602> <DBUG> |authmgr| VLAN derivation. New rule position=0, Old rule position=0.
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| Matching `user' rules to derive role ...
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| dhcp-option 'equals' 3c4d53465420352e30
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| rule: set role condition dhcp-option equals "3c4d53465420352e30" set-value wificams description "wi
ficams-option60"
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| match_rule Value Pair to match dhcp-option : 0C776972656C6573733134
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| Matching `user' rules to derive vlan ...
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| dhcp-option 'equals' 3c4d53465420352e30
Feb 1 04:01:41 :124046: <3602> <DBUG> |authmgr| VLAN derivation. New rule position=0, Old rule position=0.
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| Matching `user' rules to derive role ...
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| dhcp-option 'equals' 3c4d53465420352e30
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| rule: set role condition dhcp-option equals "3c4d53465420352e30" set-value wificams description "wi
ficams-option60"
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| match_rule Value Pair to match dhcp-option : 3C4D53465420352E30
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| logging role event for 0x25c3654: 0x10f68e4,0xc000d, index 2
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| Matching `user' rules to derive vlan ...
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| dhcp-option 'equals' 3c4d53465420352e30
Feb 1 04:01:41 :124046: <3602> <DBUG> |authmgr| VLAN derivation. New rule position=0, Old rule position=0.
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| Matching `user' rules to derive role ...
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| dhcp-option 'equals' 3c4d53465420352e30
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| rule: set role condition dhcp-option equals "3c4d53465420352e30" set-value wificams description "wificams-option60"
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| match_rule Value Pair to match dhcp-option : 370103060F1F212B2C2E2F79F9FC
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| Matching `user' rules to derive vlan ...
Feb 1 04:01:41 :124004: <3602> <DBUG> |authmgr| dhcp-option 'equals' 3c4d53465420352e30
Feb 1 04:01:41 :124046: <3602> <DBUG> |authmgr| VLAN derivation. New rule position=0, Old rule position=0.
Feb 1 04:01:41 :124080: <3602> <DBUG> |authmgr| Dropping dhcp packet for 70:4d:7b:10:9e:c6 vlan derivation.