For the WC4110, we have them set up in a NAC appliance group:
Switch type: Layer 2 O-O-B
Secondary gateway: none
Auth Access Type: Network Access
Gateway RADIUS Attributes to Send: Extreme IndentiFi Wireless
The rule is set as follows:
Authentication method: 802.1x
User group: LDAP-USERS
End-system group: Any
Device Type Group: Any
Location group: ENTERPRISE (this is the name of the VNS on the controller)
Time group: Any
This works perfectly with our old controller. The users authenticate via 802.1x, LDAP lookup works, they come back and hit the right rule on the NAC and the correct role is returned to the controller.
However, with this same setup in the NAC for the C35, it does not correctly identify the location group and the rule fails, thus returning the default profile rather than ENTERPRISE_BYOD which is what we want.
I believe this is related to how the C35 switch entry is defined on the NAC. I believe the C35 must need a different setup for the Auth Access Type and Gateway RADIUS Attributes to Send fields than how it is defined for the WC4110.
I realize that's somewhat confusing so if you need more info please ask.