Not to correct you, but you would configure that in an Enforcement Profile in Clearpass.
In the "Output" and "Alerts" tab in the Access Tracker, does it show that ClearPass is returning that attribute to the controller? If it is, you need to type "show user ip <ip address of user> | include Role" on the controller to see how the role was set on the user:
(Babarella) #show user ip 192.168.1.114 | include Role
This operation can take a while depending on number of users. Please be patient ....
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 96/0
Lastly, you need to do a "aaa user delete <ip address of user>", and disconnect the user's WLAN card after you make changes on ClearPass, so that you will not be using cached information.
The flow:
ClearPass returns an "Accept" and the Aruba-User-Role attribute. That will be reflected in the access tracker in the "output" and maybe the "alerts" tab in ClearPass. That Attribute automatically sets the role on the controller and you don't need to do anything on the controller side.
"show user ip" should show you how the user obtained the role.
use "aaa user delete" between changes to disconnect the user so that you are not using cached info"