Hi guys
The customer in question do have machine authentication setup on the SSID were this derivation rule is used.
The AAA profile for the employee does have the "machine authentication" boxed checked.
The rule in use looks like this
aaa derivation-rules user iOS
set role condition dhcp-option equals "370103060F77FC" set-value iOS_dummy
Normally it picks up iOS based devices and places them in a different vlan, in my example it's placed in a role, but at the moment its placed in a vlan.
This works great for keeping iOS devices out of the employee network.
With 6.3.1.6, all devices, not only iOS are placed in the VLAN. Hence nobody could use the employee network as all their MAC's and PC's were moved to the iOS vlan.
This is the explanation i got from Aruba TAC.
The reason why it is not working in 6.3.1.6 is that in order to match the rule the controller should go through the list of attributes received form radius server one by one
In this case due to as software defect in the logic controller is not going through the entire list hence rule is not matched.
In my head it should have been the other way around. It will match anything, not just the iOS fingerprint.
As opposed to normal behavior, on let's say a HP computer, nothing is matched, computer connects normally and are placed in the correct employee VLAN.
Anyway, it's not working correctly in 6.3.1.6 towards iOS DHCP fingerprint. If this is the case for other fingerprint devices, i do not know.
Mosher