someone may be willing to share their goods, but the question is quite wide in scope, what kind of opmode is it, what kind of forwarding mode, how are you deriving vlan (if any).
Consider the following flowchart of role derivation
https://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/63564/1/Role-Derivation.pdf
chapter 7 of this document may also give you some insight
http://community.arubanetworks.com/aruba/attachments/aruba/Aruba-VRDs/15/1/Aruba%20802.11n%20Networks.pdf
You can use "show auth-tracebuf" on the controller to get more info into the EAP <> radius exchange (if you're using dot1x), generally it's glossed over in most diagrams just as <--- eap exchange --->
The user and security logs may also help, you can try enabling some more verbose logs and/or setting up a per-user debug log (conf t logging level debugging user-debug <mac>) -- but beware it also filters the output of 'show auth-tracebuf'
finally, you can check into "show ap remote debug mgmt-frames" as a way to see the lower level things taking place down at the AP (probe, auth, association).