How are you trying to replace the role? Is that with Change of Authorization? Does the initial authentication apply a role correctly?
What does the switch say about the authentication (show port-access clients # detail; with # the port number)?
Anything in the switch logs (show log -r)?