Hi,
If i understand it correctly you have a SSID with 802.1x and you want to be able to assign a role based on mac-address? But why use 802.1x? With 802.1x you also need to pass the 802.1x part succesfully. If you use ClearPass you can mix 802.1x with mac-address as ClearPass gets the mac-address in the radius request.
As i found people online answering differently, SDR take precedence over UDR or UDR always takes over SDR. I want back to the course guides to make sure.
This is what the courseware states :
The methods of assigning user roles are, from lowest to highest precedence:
1. The initial user role or VLAN for unauthenticated clients is configured in the AAA profile for a virtual AP
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a user-derived role).User-derivation rules are executed before client authentication.
3. The user role can be the default user role configured for an authentication method.
4. The user role can be derived from attributes returned by the authentication server and certain
client attributes (this is known as a server-derived role).
5. The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server
authentication. A role derived from an Aruba VSA takes precedence over any other user roles.
So as it now works for you it is matching the courseware.
I would look at a setup with ClearPass or another Radius server which can also use the mac adress in the 802.1x, and that way only use server devired rules.
Good luck.