Thanks Jibran Bhai,
Jibran bhai, I am doing authentication from AD. Yesterday I searched for the solution and I found the below stuff.
------------------------------------------------------------------------------------
I am assuming you are doing PEAP on your SSID, right? If so, have your RADIUS server pass back an attribute that includes "Engineering", "Sales" or "IT" (based on group membership). Then, set up your Server Derivation Rule (SDR) like this:
Attribute: Class (or whatever other RADIUS attribute you are passing back, but Class is a good one)
Operation: value-of
Type: string
Action: set role
What that means is that upon successful authentication, the controller will take whatever the RADIUS server sends back in the Class attribute (or whichever attribute you selected) and use it as the role for that user.
If you have the Aruba dictionary loaded on your RADIUS server, you can pass back Aruba-User-Role and the controller will automatically use that value as the user role without having to create an SDR.
--------------------------------------------------------------------------------------
Jibran bhai, this is what I understood from this post: when my user authenticates against AD, the AD will return some attributes, and one of them is the group information. Let's say I received the group "Finance"; beyond that, I don't understand what I will do. How will I associate a firewall policy with the new role (finance)?