Hey @hermanrobers - Great video - very helpful. Does this work in the same way on Aruba access points, or is there a different way? I have a MAC based list that certain (very restricted devices) are only allowed to certain destinations - is this possible via wireless too? Thanks in advance for pointing me in the right direction.
@hermanrobers 6 months ago
On Aruba WLAN this works differently; if you search for DUR (Downloadable User Role), you will probably find what you need. Here's a video on DUR for Aruba Instant: kzbin.info/www/bejne/fqi2eYOur5x1a9E. For controllers it's slightly different.
@NetmanDarrell 6 months ago
@hermanrobers Brilliant - Thank you. I actually just worked on a Role-Based Access, and assigned the role using ClearPass, using the 'If Aruba-User-Role equals then assign role ' then the role has access rules defined on the AP. I have yet to test it. I'll review your way too. At least your way I don't have to set up 'x' roles on all the APs, just do it through ClearPass. THANK YOU!
@Atomizer83 6 years ago
Hi, this needs updating as it does not seem to work on newer ClearPass versions. I'm on 6.7.9 and specifically the notation "permit in ip from any to 10.1.254.0/24" makes the switch mad. It tells me "idm: ACL error - invalid destination IP address." I've tried all other combinations that I can think of, without any luck (10.1.254.0 255.255.255.0 and 10.1.254.0 0.0.0.255). If you have insight, I would appreciate it.
@andrewmac8109 7 years ago
Hi Herman, what would a DACL look like for a port that had an IP-PHONE and a PC connected to that phone? Restrict the phone but allow authenticated user to corp net?
@hermanrobers 7 years ago
Andrew, good question. The thing is that authentication, whether 802.1X or MAC, is done on a per-MAC-address basis. So you can put a very limited ACL on the phone, but still allow full access for the laptop connected through that phone. On the Aruba switches, this is the default behavior and if you want you can put the port in 'port mode' where the first device on the switch will determine the authentication. Other types of switches might have different names and support for it, but with many enterprise switches you can configure it like this. Bottom line is that in most cases you don't have to bother as the switch will handle the two devices on one port as if they were single devices on multiple ports.
@andrewmac8109 7 years ago
Thanks Herman - Just tried it out. Works as advertised.