So I'm configuring an eduroam network here.
Proxying off the unknown domains into the eduroam cloud. This works just fine. My test user gets authenticated, receives an accept and gets network access in the default vlan.
Now I need to push these other institutions users into different vlans depending on what AP-groups their request originated from.
Seemed simple enough.. so I created a rolemapping and then used a simply "tips role equals" in my enforcement profole hoping that would get enforced but no such luck.
Access tracker has all the correct roles, but gives me an error "No radius enforcement profiles applicable for this device. Allowing Access".
Even after enabling "Use cached Roles and Posture attributes from previous sessions" I still cannot get anything enforced.
So what am I missing here? How can I get those eduroam clients forced into the correct vlans?