Hey, I'm following the "Wired Policy Enforcement" guide and have everything working, but it works too well :P (ClearPass 6.6 and Aruba/ProCurve 2930Fs)

When I plug in an AP, MAC-Auth gives it an AP profile (untagged and tagged VLANs), but the issue is that the port is in user mode, so all wireless clients are getting MAC-Authed. There is no way in a user profile to modify the port-access configuration, e.g. turn off MAC-Auth or set it to port mode (all other traffic is then permitted).

As we don't know where APs will be plugged in and don't want port-specific configuration, we need to either:

A. Use another method, like LLDP detection, to then override the port-access config.

B. Via RADIUS, change the port back to port mode or disable MAC-Auth. There is mention of this in the configuration guide, "Dynamic port access auth via Radius" from "ArubaOS-Switch Access Security Guide for WC.16.04", but it doesn't work; I'm guessing that since User-Role mode is globally enabled, it seems to reject these VSAs.

No matter what I do, I can't get it to override the port-access and disable it, even though it looks like it works in the config guide.

What does everyone else do for APs that don't tunnel, so the end users will get wired authenticated after being wireless authenticated?

I've tried getting the AP to do 802.1X and send the same VSAs to set 802.1X to port-based and MAC-Auth to 0 to disable it, but the debug log shows it erroring: can't "apply role".

I really loathe having to create specific ports for APs and manually configure them :(

Pretty much everything else is working (captive portal, downloaded user roles, etc.); I just need to sort out the IAPs plugged into the switch and the switch reauthenticating the wireless MACs.