CPPM DUR role failed to apply

    Posted Oct 02, 2019 04:01 AM

    After searching the forum, I did not find the exact same issue.
    For some reason 1 of many Aruba 2930M stacks is failing to apply the downloaded roles for every known device type.

    We are running WC.16.05.0011.
    ClearPass 6.7.9.109195
    Output of security debug:
    0084:03:50:16.81 RAD mRadiusCtrl:Received RADIUS MSG: DATA, session: 1838640.
    0084:03:50:16.81 RAD mRadiusCtrl:Framed IP Address attribute for the client 000000-000000 on port 1/1 is not available
    0084:03:50:16.81 RAD mRadiusCtrl:ACCESS REQUEST id: 32 to CLEARPASSVIP session: 1838640, access method: MAC-AUTH, User-Name: 000da00b2a0f, Calling-Station-Id: 000da0-0b2a0f, NAS-Port-Id: 1/1, NAS-IP-Address: STACK-IP.
    0084:03:50:16.83 RAD tRadiusR:ACCESS ACCEPT id: 32 from CLEARPASSVIP received.
    0084:03:50:16.83 UMIB tRadiusR:Received cppm downloadable user role vsa for client with request-id 1838640 and assigned user role is : ROLENAME_AOS_S_DUR-3148-5
    0084:03:50:16.83 MAC mWebAuth:Failed to apply user role ROLENAME_AOS_S_DUR-3148-5_7Z4q to macAuth client 000DA00B2A0F on port 1/1: user role is invalid.
    0084:03:50:16.83 MAC mWebAuth:Port: 1/1 MAC: 000da0-0b2a0f [1838640] assigned role 'ROLENAME_AOS_S_DUR-3148-5_7Z4q' failed, attempting to apply initial role.

    We have this role working on 100+ other stacks.
    Yes, the role is effectively being downloaded as you can see above, so the certificate and NTP time are correctly set.
    Our supplier already checked the same steps with me.

    After this he created exact duplicates of the ClearPass service/enforcement profile/enforcement policy and applied this for only the stack-ip. These roles worked! Completely baffled...
    He is contacting Aruba support, but I'm interested if anyone else has encountered this. Known bug?
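
Added example, not part of the original post: a Python script that extracts failed downloadable-user-role applications from `security` debug output like the above, pairing the role name received in the VSA with the name the switch tried to apply, keyed by request-id. The regexes are written against the three debug lines quoted in the post; that other firmware versions word these messages the same way is an assumption.

```python
import re

# Debug lines copied from the post above (only the three relevant ones).
SAMPLE = """\
0084:03:50:16.83 UMIB tRadiusR:Received cppm downloadable user role vsa for client with request-id 1838640 and assigned user role is : ROLENAME_AOS_S_DUR-3148-5
0084:03:50:16.83 MAC mWebAuth:Failed to apply user role ROLENAME_AOS_S_DUR-3148-5_7Z4q to macAuth client 000DA00B2A0F on port 1/1: user role is invalid.
0084:03:50:16.83 MAC mWebAuth:Port: 1/1 MAC: 000da0-0b2a0f [1838640] assigned role 'ROLENAME_AOS_S_DUR-3148-5_7Z4q' failed, attempting to apply initial role.
"""

# Patterns derived from the message wording in the post (assumption: stable wording).
VSA = re.compile(r"Received cppm downloadable user role vsa for client with "
                 r"request-id (\d+) and assigned user role is : (\S+)")
FAIL = re.compile(r"Failed to apply user role (\S+) to \w+ client "
                  r"([0-9A-Fa-f]{12}) on port (\S+): (.+?)\.?$")
FALLBACK = re.compile(r"Port: (\S+) MAC: ([0-9A-Fa-f-]+) \[(\d+)\] assigned role "
                      r"'([^']+)' failed, attempting to apply initial role")


def norm_mac(mac):
    """Reduce 000da0-0b2a0f / 000DA00B2A0F to one comparable form."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def find_dur_failures(text):
    """Return one record per client that fell back to the initial role."""
    offered = {}   # request-id -> role name carried in the RADIUS VSA
    reasons = {}   # (mac, port, role) -> reason given by the switch
    failures = []
    for line in text.splitlines():
        if m := VSA.search(line):
            offered[m.group(1)] = m.group(2)
        elif m := FAIL.search(line):
            role, mac, port, reason = m.groups()
            reasons[(norm_mac(mac), port, role)] = reason
        elif m := FALLBACK.search(line):
            port, mac, req, role = m.groups()
            mac = norm_mac(mac)
            failures.append({
                "request_id": req, "port": port, "mac": mac,
                "vsa_role": offered.get(req),   # None if the VSA line is missing
                "applied_role": role,
                "reason": reasons.get((mac, port, role), "unknown"),
            })
    return failures


if __name__ == "__main__":
    for f in find_dur_failures(SAMPLE):
        print(f)
```

Running it over debug captures from a working stack and the failing one gives a per-port list that can be compared directly or attached to the support case.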