Thanks clembo. We want this to occur before authentication because many of these devices can't join an 802.1x network and don't have browsers for use with a captive portal.
This is working, but I'm concerned about page 391 in the 6.4.x manual. It says that the order of rules is important and the first match condition is applied. In my example, the same MAC address is in two rules. The first rule sets the VLAN, the second sets the user role. So it's being matched twice.
"Working with User-Derived VLANs
Attributes derived from the client’s association with an AP can be used to assign the client to a specific role or VLAN, as user-derivation rules are executed before the client is authenticated.
You configure the user role or VLAN to be assigned to the client by specifying condition rules; when a condition is met, the specified user role or VLAN is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first matching condition is applied. You can optionally add a description of the user rule."
Again, this is working well and I just want to make sure that the behavior I'm seeing is legit.