So after looking at the user-debug, it looks like initially everything goes fine, the user gets back the VSA from the ClearPass and the user role and vlan are switched accordingly, but still no IP.
Then after a short period of time the device takes a default IP of 192.168.254.254. The messages that then show up in the user-debug would seem to indicate that the device falls back into the default VLAN for the controller itself (the VLAN we use to manage the controller and AP). Not sure why this is happening.
Here is the user-debug log:
Apr 3 15:03:59 :501093: <NOTI> |AP 18:64:xx:xx:xx:xx@192.168.xx.xx stm| Auth success: ac:3f:xx:xx:xx:xx: AP 192.168.xx.xx-18:64:xx:xx:xx:xx-18:64:xx:xx:xx:xx
Apr 3 15:03:59 :501095: <NOTI> |AP 18:64:xx:xx:xx:xx@192.168.xx.xx stm| Assoc request @ 15:03:59.346482: ac:3f:xx:xx:xx:xx (SN 43): AP 192.168.xx.xx-18:64:xx:xx:xx:xx-18:64:xx:xx:xx:xx
Apr 3 15:03:59 :501100: <NOTI> |AP 18:64:xx:xx:xx:xx@192.168.xx.xx stm| Assoc success @ 15:03:59.347243: ac:3f:xx:xx:xx:xx: AP 192.168.xx.xx-18:64:xx:xx:xx:xx-18:64:xx:xx:xx:xx
Apr 3 15:03:59 :501100: <NOTI> |stm| Assoc success @ 15:03:59.358091: ac:3f:xx:xx:xx:xx: AP 192.168.xx.xx-18:64:xx:xx:xx:xx-18:64:xx:xx:xx:xx
Apr 3 15:03:59 :522295: <DBUG> |authmgr| Auth GSM : USER_STA event 0 for user ac:3f:xx:xx:xx:xx
Apr 3 15:03:59 :522035: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx Station UP: BSSID=18:64:xx:xx:xx:xx ESSID=COMPANY-SSID VLAN=46 AP-name=18:64:xx:xx:xx:xx
Apr 3 15:03:59 :522077: <DBUG> |authmgr| MAC=ac:3f:xx:xx:xx:xx ingress 0x0x100b8 (tunnel 184), u_encr 64, m_encr 64, slotport 0x0x2100 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
Apr 3 15:03:59 :522264: <DBUG> |authmgr| "MAC:ac:3f:xx:xx:xx:xx: Allocating UUID: 0xb102176dc7acbef3
Apr 3 15:03:59 :522258: <DBUG> |authmgr| "VDR - Add to history of user user ac:3f:xx:xx:xx:xx vlan 0 derivation_type Reset VLANs for Station up index 0.
Apr 3 15:03:59 :522255: <DBUG> |authmgr| "VDR - set vlan in user for ac:3f:xx:xx:xx:xx vlan 46 fwdmode 0 derivation_type Default VLAN.
Apr 3 15:03:59 :522258: <DBUG> |authmgr| "VDR - Add to history of user user ac:3f:xx:xx:xx:xx vlan 46 derivation_type Default VLAN index 1.
Apr 3 15:03:59 :522255: <DBUG> |authmgr| "VDR - set vlan in user for ac:3f:xx:xx:xx:xx vlan 46 fwdmode 0 derivation_type Current VLAN updated.
Apr 3 15:03:59 :522258: <DBUG> |authmgr| "VDR - Add to history of user user ac:3f:xx:xx:xx:xx vlan 46 derivation_type Current VLAN updated index 2.
Apr 3 15:03:59 :522158: <DBUG> |authmgr| Role Derivation for user N/A-ac:3f:xx:xx:xx:xx- N/A Set AAA profile defaults.
Apr 3 15:03:59 :522142: <DBUG> |authmgr| Setting default role to denyall for user ac:3f:xx:xx:xx:xx".
Apr 3 15:03:59 :522127: <DBUG> |authmgr| {L2} Update role from logon to denyall for IP=N/A, MAC=ac:3f:xx:xx:xx:xx.
Apr 3 15:03:59 :522049: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx,IP=N/A User role updated, existing Role=logon/none, new Role=denyall/none, reason=Set AAA profile defaults
Apr 3 15:03:59 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC ac:3f:xx:xx:xx:xx.
Apr 3 15:03:59 :524141: <DBUG> |authmgr| clr_pmkcache_ft():987: MAC:ac:3f:xx:xx:xx:xx BSS:18:64:xx:xx:xx:xx
Apr 3 15:03:59 :522287: <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac ac:3f:xx:xx:xx:xx bssid 18:64:xx:xx:xx:xx vlan 46 type 1 data-ready 0
Apr 3 15:03:59 :522254: <DBUG> |authmgr| VDR - mac ac:3f:xx:xx:xx:xx rolename denyall fwdmode 0 derivation_type Initial Role Contained vp not present.
Apr 3 15:03:59 :522258: <DBUG> |authmgr| "VDR - Add to history of user user ac:3f:xx:xx:xx:xx vlan 0 derivation_type Reset Role Based VLANs index 3.
Apr 3 15:03:59 :522083: <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:denyall,pDefRole:0x0x10a360a4
Apr 3 15:03:59 :524124: <DBUG> |authmgr| dot1x_supplicant_up(): MAC:ac:3f:xx:xx:xx:xx, pmkid_present:False, pmkid:N/A
Apr 3 15:03:59 :522128: <DBUG> |authmgr| download-L2: acl=117/0 role=denyall, tunl=0x0x100b8, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
Apr 3 15:03:59 :522050: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx,IP=N/A User data downloaded to datapath, new Role=denyall/117, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
Apr 3 15:03:59 :522242: <DBUG> |authmgr| MAC=ac:3f:xx:xx:xx:xx Station Created Update MMS: BSSID=18:64:xx:xx:xx:xx ESSID=COMPANY-SSID VLAN=46 AP-name=18:64:xx:xx:xx:xx
Apr 3 15:03:59 :522301: <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xb102176dc7acbef3 mac ac:3f:xx:xx:xx:xx name role denyall devtype wired 0 authtype 0 subtype 0 encrypt-type 10 conn-port 8448 fwd-mode 0
Apr 3 15:03:59 :522038: <INFO> |authmgr| username=qln420 MAC=ac:3f:xx:xx:xx:xx IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=CPPM-C
Apr 3 15:03:59 :522044: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx Station authenticate(start): method=802.1x, role=denyall///denyall, VLAN=46/46, Derivation=1/0, Value Pair=1, flags=0x8
Apr 3 15:03:59 :522158: <DBUG> |authmgr| Role Derivation for user N/A-ac:3f:xx:xx:xx:xx-qln420 N/A station Authenticated with auth type: Unknown auth type.
Apr 3 15:03:59 :522142: <DBUG> |authmgr| Setting cached role to NULL for user ac:3f:xx:xx:xx:xx".
Apr 3 15:03:59 :522266: <DBUG> |authmgr| Calling derive_role2 for user ac:3f:xx:xx:xx:xx
Apr 3 15:03:59 :522016: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx IP=?? Derived role 'PRINTER' from Aruba VSA
Apr 3 15:03:59 :522127: <DBUG> |authmgr| {L2} Update role from denyall to PRINTER for IP=N/A, MAC=ac:3f:xx:xx:xx:xx.
Apr 3 15:03:59 :522049: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx,IP=N/A User role updated, existing Role=denyall/none, new Role=PRINTER/none, reason=station Authenticated with auth type: 802.1x
Apr 3 15:03:59 :522128: <DBUG> |authmgr| download-L2: acl=184/0 role=PRINTER, tunl=0x0x100b8, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
Apr 3 15:03:59 :522050: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx,IP=N/A User data downloaded to datapath, new Role=PRINTER/184, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=300
Apr 3 15:03:59 :522301: <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xb102176dc7acbef3 mac ac:3f:xx:xx:xx:xx name qln420 role PRINTER devtype wired 0 authtype 4 subtype 0 encrypt-type 10 conn-port 8448 fwd-mode 0
Apr 3 15:03:59 :522258: <DBUG> |authmgr| "VDR - Add to history of user user ac:3f:xx:xx:xx:xx vlan 0 derivation_type Reset Dot1x VLANs index 4.
Apr 3 15:03:59 :522254: <DBUG> |authmgr| VDR - mac ac:3f:xx:xx:xx:xx rolename NULL fwdmode 0 derivation_type Dot1x Aruba VSA vp present.
Apr 3 15:03:59 :522021: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx Derived VLAN '47' from Aruba VSA
Apr 3 15:03:59 :522255: <DBUG> |authmgr| "VDR - set vlan in user for ac:3f:xx:xx:xx:xx vlan 47 fwdmode 0 derivation_type Dot1x Aruba VSA.
Apr 3 15:03:59 :522258: <DBUG> |authmgr| "VDR - Add to history of user user ac:3f:xx:xx:xx:xx vlan 47 derivation_type Dot1x Aruba VSA index 5.
Apr 3 15:03:59 :522253: <DBUG> |authmgr| VDR - mac ac:3f:xx:xx:xx:xx derivation_type Dot1x Aruba VSA derived vlan 47.
Apr 3 15:03:59 :522254: <DBUG> |authmgr| VDR - mac ac:3f:xx:xx:xx:xx rolename NULL fwdmode 0 derivation_type Dot1x MSFT Attributes vp present.
Apr 3 15:03:59 :522254: <DBUG> |authmgr| VDR - mac ac:3f:xx:xx:xx:xx rolename NULL fwdmode 0 derivation_type Dot1x Server Rule vp present.
Apr 3 15:03:59 :522259: <DBUG> |authmgr| "VDR - Do Role Based VLAN Derivation user ac:3f:xx:xx:xx:xx role PRINTER rolehow ROLE_DERIVATION_DOT1X_VSA.
Apr 3 15:03:59 :522254: <DBUG> |authmgr| VDR - mac ac:3f:xx:xx:xx:xx rolename PRINTER fwdmode 0 derivation_type Dot1x Aruba VSA Role Contained vp not present.
Apr 3 15:03:59 :522258: <DBUG> |authmgr| "VDR - Add to history of user user ac:3f:xx:xx:xx:xx vlan 0 derivation_type Reset Role Based VLANs index 6.
Apr 3 15:03:59 :522161: <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:46, default:46, current:46,termstate:0, wired:0, dot1x enabled:1, psk:0 static:0 bssid=18:64:xx:xx:xx:xx.
Apr 3 15:03:59 :522255: <DBUG> |authmgr| "VDR - set vlan in user for ac:3f:xx:xx:xx:xx vlan 47 fwdmode 0 derivation_type Current VLAN updated.
Apr 3 15:03:59 :522258: <DBUG> |authmgr| "VDR - Add to history of user user ac:3f:xx:xx:xx:xx vlan 47 derivation_type Current VLAN updated index 7.
Apr 3 15:03:59 :522260: <DBUG> |authmgr| "VDR - Cur VLAN updated ac:3f:xx:xx:xx:xx mob 0 inform 1 remote 0 wired 0 defvlan 46 exportedvlan 0 curvlan 47.
Apr 3 15:03:59 :522257: <DBUG> |authmgr| "VDR - send current vlan for user ac:3f:xx:xx:xx:xx vlan 47 derivation_type Dot1x Aruba VSA trace new vlan: dot1x.
Apr 3 15:03:59 :522287: <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac ac:3f:xx:xx:xx:xx bssid 18:64:xx:xx:xx:xx vlan 47 type 1 data-ready 0
Apr 3 15:03:59 :522095: <DBUG> |authmgr| ac:3f:xx:xx:xx:xx: Sending STM new vlan info: vlan 47, AP 18:64:xx:xx:xx:xx caller user_send_current_vlan_update
Apr 3 15:03:59 :522255: <DBUG> |authmgr| "VDR - set vlan in user for ac:3f:xx:xx:xx:xx vlan 47 fwdmode 0 derivation_type VLAN exported.
Apr 3 15:03:59 :522258: <DBUG> |authmgr| "VDR - Add to history of user user ac:3f:xx:xx:xx:xx vlan 47 derivation_type VLAN exported index 8.
Apr 3 15:03:59 :522029: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx Station authenticate: method=802.1x, role=PRINTER///denyall, VLAN=46/47, Derivation=9/17, Value Pair=1
Apr 3 15:03:59 :522301: <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xb102176dc7acbef3 mac ac:3f:xx:xx:xx:xx name qln420 role PRINTER devtype wired 0 authtype 4 subtype 9 encrypt-type 10 conn-port 8448 fwd-mode 0
Apr 3 15:03:59 :522142: <DBUG> |authmgr| Setting cached role to PRINTER for user ac:3f:xx:xx:xx:xx".
Apr 3 15:03:59 :522053: <DBUG> |authmgr| PMK Cache getting updated for ac:3f:xx:xx:xx:xx, (def, cur, vhow) = (46, 47, 17) with vlan=47 vlanhow=17 essid=COMPANY-SSID role=PRINTER rhow=9
Apr 3 15:03:59 :524129: <DBUG> |authmgr| dot1x_gsm_set_keycache(): MAC:ac:3f:xx:xx:xx:xx GSM: Successfully published Key-cache object.
Apr 3 15:03:59 :524134: <DBUG> |authmgr| dot1x_gsm_set_pmkcache(): MAC:ac:3f:xx:xx:xx:xx BSS:18:64:xx:xx:xx:xx GSM: Successfully published PMK-cache object.
Apr 3 15:03:59 :524139: <DBUG> |authmgr| add_pmkcache():862: MAC:ac:3f:xx:xx:xx:xx BSS:18:64:xx:xx:xx:xx Update:
Apr 3 15:03:59 :522297: <DBUG> |authmgr| Auth GSM : MAC_USER response event for user ac:3f:xx:xx:xx:xx
Apr 3 15:08:05 :522026: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx IP=192.168.254.254 User miss: ingress=0x100b8, VLAN=47 flags=0x40
Apr 3 15:08:05 :522122: <DBUG> |authmgr| Reset BWM contract: IP=0.0.0.0 role=PRINTER, contract= (0/0), type=Per role.
Apr 3 15:08:05 :522125: <DBUG> |authmgr| Could not create/find bandwidth-contract for user, return code (-11).
Apr 3 15:08:05 :522122: <DBUG> |authmgr| Reset BWM contract: IP=0.0.0.0 role=PRINTER, contract= (0/0), type=Per role.
Apr 3 15:08:05 :522125: <DBUG> |authmgr| Could not create/find bandwidth-contract for user, return code (-11).
Apr 3 15:08:05 :522006: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx IP=192.168.254.254 User entry added: reason=Sibtye
Apr 3 15:08:05 :522270: <DBUG> |authmgr| During User miss marking the user ac:3f:xx:xx:xx:xx with ingress 0x100b8, connection-type 2 as wireless, muxtunnel = no
Apr 3 15:08:05 :522318: <DBUG> |authmgr| Client ac:3f:xx:xx:xx:xx idle timeout 300 profile global
Apr 3 15:08:05 :527004: <INFO> |mdns| mdns_parse_auth_useradd_message 226 Auth User ADD: MAC:ac:3f:xx:xx:xx:xx, IP:192.168.254.254, VLAN:46, Role:PRINTER Name:qln420 APName:18:64:72:c6:f8:10 Type:1. Groups:
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_client_create 226 MDNS Client created - ip:192.168.254.254 mac:ac:3f:xx:xx:xx:xx. AP-name: 18:64:72:c6:f8:10
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_auth_userinfo_req_message 345 mac(ac:3f:xx:xx:xx:xx), ip(192.168.254.254)
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_discover_service_client 5102 Discover client ac:3f:xx:xx:xx:xx for a particular service
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_send_generic_refresh_query_packet 6760 record expiry: send generic refresh query for server mac: ac:3f:xx:xx:xx:xx. Num packets: 1
Apr 3 15:08:05 :527000: <DBUG> |mdns| ag_send_packet_unicast 747 Pkt to SOS: pkt_len=387, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:05 :527000: <DBUG> |mdns| ag_send_packet_unicast 785 MDNS Pkt len=387; src_mac=ac:3f:xx:xx:xx:xx, src_vlan=46, source_ip=192.168.xx.xxx
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_send_generic_refresh_query_packet 6777 Sending refresh request: mac ac:3f:xx:xx:xx:xx
Apr 3 15:08:05 :527000: <DBUG> |mdns| ssdp_discover_service_client 666 SSDP:Discover client ac:3f:xx:xx:xx:xx for a particular service
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_send_packet_pseudo_mcast 511 MDNS Pkt to SOS: pkt_len=121, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_send_packet_pseudo_mcast 511 MDNS Pkt to SOS: pkt_len=120, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:05 :522128: <DBUG> |authmgr| download-L2: acl=184/0 role=PRINTER, tunl=0x0x100b8, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
Apr 3 15:08:05 :522050: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx,IP=192.168.254.254 User data downloaded to datapath, new Role=PRINTER/184, bw Contract=0/0, reason=New user IP processing, idle-timeout=300
Apr 3 15:08:05 :522301: <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xb102176dc7acbef3 mac ac:3f:xx:xx:xx:xx name qln420 role PRINTER devtype wired 0 authtype 4 subtype 9 encrypt-type 10 conn-port 8448 fwd-mode 0
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_parse_userinfo 376 UserInfo resp=1 ip=192.168.254.254, mac=ac:3f:xx:xx:xx:xx, apname=18:64:72:c6:f8:10, role=PRINTER, username=qln420, vlan=46
Apr 3 15:08:05 :527000: <DBUG> |mdns| ag_mdns_get_token_list_for_mac 654 AirGroup user exists but token_list does not: mac=ac:3f:xx:xx:xx:xx
Apr 3 15:08:05 :527000: <DBUG> |mdns| ag_ssdp_get_token_list_for_mac 360 AirGroup user exists but ssdp_token_list does not: mac=ac:3f:xx:xx:xx:xx
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_client_update 394 MDNS Client exists - flag wifi ap_name 18:64:72:c6:f8:10 client role - PRINTER
Apr 3 15:08:05 :527000: <DBUG> |mdns| mdns_parse_auth_userinfo_resp_message 401 UserInfo response completed for ip=192.168.254.254 mac=ac:3f:xx:xx:xx:xx
Apr 3 15:08:05 :522038: <INFO> |authmgr| username=qln420 MAC=ac:3f:xx:xx:xx:xx IP=192.168.254.254 Authentication result=Authentication Successful method=radius-accounting server=CPPM-C
Apr 3 15:08:10 :527000: <DBUG> |mdns| ssdp_discover_service_client 666 SSDP:Discover client ac:3f:xx:xx:xx:xx for a particular service
Apr 3 15:08:10 :527000: <DBUG> |mdns| mdns_send_packet_pseudo_mcast 511 MDNS Pkt to SOS: pkt_len=121, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:10 :527000: <DBUG> |mdns| mdns_send_packet_pseudo_mcast 511 MDNS Pkt to SOS: pkt_len=120, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:15 :527000: <DBUG> |mdns| ssdp_discover_service_client 666 SSDP:Discover client ac:3f:xx:xx:xx:xx for a particular service
Apr 3 15:08:15 :527000: <DBUG> |mdns| mdns_send_packet_pseudo_mcast 511 MDNS Pkt to SOS: pkt_len=121, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:15 :527000: <DBUG> |mdns| mdns_send_packet_pseudo_mcast 511 MDNS Pkt to SOS: pkt_len=120, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:20 :527000: <DBUG> |mdns| ssdp_discover_service_client 666 SSDP:Discover client ac:3f:xx:xx:xx:xx for a particular service
Apr 3 15:08:20 :527000: <DBUG> |mdns| mdns_send_packet_pseudo_mcast 511 MDNS Pkt to SOS: pkt_len=121, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:20 :527000: <DBUG> |mdns| mdns_send_packet_pseudo_mcast 511 MDNS Pkt to SOS: pkt_len=120, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:42 :527000: <DBUG> |mdns| mdns_discover_service_client 5102 Discover client ac:3f:xx:xx:xx:xx for a particular service
Apr 3 15:08:42 :527000: <DBUG> |mdns| mdns_send_generic_refresh_query_packet 6760 record expiry: send generic refresh query for server mac: ac:3f:xx:xx:xx:xx. Num packets: 1
Apr 3 15:08:42 :527000: <DBUG> |mdns| ag_send_packet_unicast 747 Pkt to SOS: pkt_len=387, buf_len=14336. To=ac:3f:xx:xx:xx:xx, vlan=46
Apr 3 15:08:42 :527000: <DBUG> |mdns| ag_send_packet_unicast 785 MDNS Pkt len=387; src_mac=ac:3f:xx:xx:xx:xx, src_vlan=46, source_ip=192.168.xx.xxx
Apr 3 15:08:42 :527000: <DBUG> |mdns| mdns_send_generic_refresh_query_packet 6777 Sending refresh request: mac ac:3f:xx:xx:xx:xx
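
Added example, not part of the original post: a Python triage script that reads user-debug lines in the format shown above, records the VLAN derived from the VSA for each client MAC, and lists later lines that report a different single-valued VLAN for that client. The function name and regexes are assumptions built only from the message formats visible in this log; the sample lines are excerpted from it.

```python
import re

# Four lines excerpted from the user-debug log above (masked MACs kept as posted).
SAMPLE = """\
Apr 3 15:03:59 :522035: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx Station UP: BSSID=18:64:xx:xx:xx:xx ESSID=COMPANY-SSID VLAN=46 AP-name=18:64:xx:xx:xx:xx
Apr 3 15:03:59 :522021: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx Derived VLAN '47' from Aruba VSA
Apr 3 15:08:05 :522026: <INFO> |authmgr| MAC=ac:3f:xx:xx:xx:xx IP=192.168.254.254 User miss: ingress=0x100b8, VLAN=47 flags=0x40
Apr 3 15:08:05 :527004: <INFO> |mdns| mdns_parse_auth_useradd_message 226 Auth User ADD: MAC:ac:3f:xx:xx:xx:xx, IP:192.168.254.254, VLAN:46, Role:PRINTER Name:qln420 APName:18:64:72:c6:f8:10 Type:1. Groups:
"""

# timestamp, message id, level, component, message text
LINE = re.compile(r"^(\w+ +\d+ [\d:]+) :(\d+): <(\w+)> \|([^|]+)\| (.*)$")
# 'x' is accepted so masked addresses parse; the lookbehind stops "MAC:ac:.." matching at "AC:"
MAC = re.compile(r"(?<![0-9A-Za-z])(?:[0-9a-fx]{2}:){5}[0-9a-fx]{2}", re.I)
DERIVED = re.compile(r"Derived VLAN '(\d+)' from")
# VLAN=46 or VLAN:46; pairs such as VLAN=46/47 are skipped because their meaning is not stated
VLAN = re.compile(r"\bVLAN[=:](\d+)(?![\d/])", re.I)

def vlan_mismatches(log_text):
    """Return (time, component, msg_id, mac, seen_vlan, derived_vlan) per disagreeing line."""
    derived, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg_id, _level, component, msg = m.groups()
        mac_match = MAC.search(msg)
        if not mac_match:
            continue
        mac = mac_match.group(0).lower()  # first MAC in the message is the client
        d = DERIVED.search(msg)
        if d:
            derived[mac] = int(d.group(1))
            continue
        v = VLAN.search(msg)
        if v and mac in derived and int(v.group(1)) != derived[mac]:
            findings.append((ts, component, msg_id, mac, int(v.group(1)), derived[mac]))
    return findings

if __name__ == "__main__":
    for f in vlan_mismatches(SAMPLE):
        print("%s %s msg %s: %s reported in VLAN %d, derived VLAN was %d" % f)
```

On the excerpt it reports the 15:08:05 mdns Auth User ADD line, which shows VLAN 46 while the authmgr User miss line at the same second still shows VLAN 47.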