Returning multiple tagged VLANs and an untagged VLAN from ClearPass on HPE switches

By esupport posted Apr 10, 2018 09:03 AM


If you have an Aruba IAP (Instant Access Point), or any other device that sends traffic on several tagged VLANs, and you want to authenticate that device on the switch port using either MAC-Auth or 802.1X, ClearPass can return all of the tagged VLANs as well as the untagged VLAN in the same RADIUS Access-Accept.


We use a combination of two RADIUS attributes for this: the HPE-Egress-VLAN-ID VSA (attribute 64), one instance per tagged VLAN, and the standard IETF Tunnel-Private-Group-Id attribute, which is normally used to return a single VLAN from a RADIUS server, for the untagged VLAN.

We tested this with ClearPass version 6.6.9 and an Aruba 2930F running WC.16.04.0011, but it should also work with other firmware versions on the switch and other CPPM versions, as long as the attributes are returned in the right format.


The RADIUS attributes we need to return for VLAN assignment are below.

For tagged VLANs:

RADIUS Attribute   Times Used   Description                               Value   String Value
Egress-VLANID      1-*          Allow egress traffic for specified VID    -       <0x31 tagged | 0x32 untagged><000><VLAN_ID as three hex digits>

For the untagged VLAN:

RADIUS Attribute          Times Used   Description                                      Value      String Value
Tunnel-Type               1            Type of tunnel                                   VLAN       13
Tunnel-Medium-Type        1            Tunnel transport medium                          IEEE-802   6
Tunnel-Private-Group-Id   1            Numeric ingress/egress VLAN ID to be assigned    -          <VLAN_ID>


Here is how we arrive at the hex value for a tagged VLAN 30 that we want to return to the switch.

The layout is 0x31<000><VLAN-ID in hex>: one byte for the tagged/untagged indicator (0x31 = tagged), three hex zeros of padding, and the VLAN ID as three hex digits. 30 in hex is 1E, so we pad it with a leading zero to make it 01E.

The hex value for tagged VLAN 30 is therefore 0x3100001E.

ClearPass takes the HPE-Egress-VLAN-ID attribute as a decimal integer, so the hex value has to be converted to decimal before it is entered in the enforcement profile.

You can use any online tool to convert from Hex to Decimal like

0x3100001E converts to 822083614 in decimal, which is the value we configure in ClearPass.

The same attribute is returned once per tagged VLAN, each instance carrying the value computed for that VLAN.

In our testing we also returned a second tagged VLAN, 150, using the same layout:

0x31<000><VLAN-ID in Hex>

VLAN 150 in hex is 96; padded with a leading zero it becomes 096, which gives 0x31000096.

Converting that value to decimal gives 822083734.

In ClearPass the attribute to configure is HPE-Egress-VLAN-ID (ID 64) from the Hewlett-Packard-Enterprise RADIUS dictionary (Vendor ID 11).

Along with the tagged VLANs we also return the untagged VLAN, 20, using the Radius:IETF Tunnel-Private-Group-Id attribute. The switch only honours it when the two companion attributes are present as well, so all three are returned together:

Radius:IETF    Tunnel-Type                =    VLAN (13)
Radius:IETF    Tunnel-Medium-Type         =    IEEE-802 (6)
Radius:IETF    Tunnel-Private-Group-Id    =    <VLAN-ID>

Please find the configuration snapshot of the ClearPass enforcement profile below.

Once this enforcement profile is applied, it returns 30 and 150 as tagged VLANs and 20 as the untagged VLAN, as explained above.

You can use this enforcement profile with any port-access authentication method, 802.1X or MAC-Auth. Note that when the port runs in user-based (client-based) mode the switch will also attempt to authenticate every client MAC address it sees behind the AP; the replies at the end of this article discuss switching the port to port-based mode for that case.

The same configuration can be replicated on other RADIUS servers to return tagged and untagged VLANs to an HPE switch, as long as the right attributes and values are returned.







We can verify in the CPPM Access Tracker that the attributes are indeed being returned by looking at the Output tab of the request, as shown below.

Once the switch receives the attributes, you can confirm that it accepted them and assigned the appropriate VLANs with the command shown below:


Aruba-2930F-24G-PoEP-4SFP# show port-access clients detailed

 Port Access Client Status Detail

  Client Base Details :
   Port            : 21                    Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 523 seconds
   Client Name     : f05c19ca3cf6          Session Timeout     : 0 seconds
   MAC Address     : f05c19-ca3cf6
   IP              :

  Access Policy Details :
   COS Map         : Not Defined           In Limit Kbps       : Not Set
   Untagged VLAN   : 20                    Out Limit Kbps      : Not Set
   Tagged VLANs    : 30, 150
   Port Mode       : 1000FDx
   RADIUS ACL List : No Radius ACL List

  Captive Portal Details :
   URL             :
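As an added worked example (not part of the original article, and not ClearPass or HPE code), the script below performs the hand calculation from the article for any VLAN: it encodes HPE-Egress-VLAN-ID values, decodes them back as a sanity check, assembles the attribute list for the enforcement profile, and parses the "show port-access clients detailed" output reproduced above to confirm the switch applied exactly the VLANs that were returned. The dictionary and attribute names are the ones used in this article; the optional HP-Port-Auth-Mode-Dot1x VSA (value 1 = port-based) is the one quoted in the replies, and its exact spelling in your CPPM dictionary is an assumption to verify.

```python
"""Encode, decode and verify the RADIUS VLAN attributes returned to an HPE/Aruba switch.

Added example for this article (not ClearPass or HPE code).
"""
import re

# RFC 4675 Egress-VLANID tag indicator octet (ASCII "1" and "2").
TAGGED = 0x31    # VLAN is a tagged member on the port
UNTAGGED = 0x32  # VLAN is the untagged member on the port


def egress_vlanid(vlan: int, tagged: bool = True) -> int:
    """Return the 32-bit Egress-VLANID value as the decimal integer ClearPass expects.

    Layout: 8-bit indicator | 12 bits of zero padding | 12-bit VLAN ID.
    VLAN 30 tagged -> 0x31 000 01E -> 0x3100001E -> 822083614.
    """
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is outside the valid range 1-4094")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan


def decode_egress_vlanid(value: int) -> tuple:
    """Inverse of egress_vlanid(): return (vlan, is_tagged); reject malformed values."""
    indicator = value >> 24
    padding = (value >> 12) & 0xFFF
    vlan = value & 0xFFF
    if indicator not in (TAGGED, UNTAGGED) or padding != 0:
        raise ValueError(f"not a valid Egress-VLANID: {value:#x}")
    return vlan, indicator == TAGGED


def enforcement_attributes(untagged: int, tagged, port_based: bool = False) -> list:
    """Attribute list for the enforcement profile as (dictionary, attribute, value) tuples.

    The untagged VLAN uses the IETF Tunnel-* triplet; each tagged VLAN is one
    HPE-Egress-VLAN-ID (vendor 11, attribute 64) carried as a decimal integer.
    port_based appends the HP-Port-Auth-Mode-Dot1x VSA quoted in the replies
    (assumption: confirm the attribute name in your CPPM dictionary).
    """
    tagged = sorted(set(tagged))
    if not 1 <= untagged <= 4094:
        raise ValueError(f"VLAN {untagged} is outside the valid range 1-4094")
    if untagged in tagged:
        raise ValueError(f"VLAN {untagged} cannot be both tagged and untagged")
    attrs = [
        ("Radius:IETF", "Tunnel-Type", 13),                 # VLAN
        ("Radius:IETF", "Tunnel-Medium-Type", 6),           # IEEE-802
        ("Radius:IETF", "Tunnel-Private-Group-Id", str(untagged)),
    ]
    attrs += [("Radius:Hewlett-Packard-Enterprise", "HPE-Egress-VLAN-ID", egress_vlanid(v))
              for v in tagged]
    if port_based:
        attrs.append(("Radius:Hewlett-Packard-Enterprise", "HP-Port-Auth-Mode-Dot1x", 1))
    return attrs


# 'show port-access clients detailed' output as reproduced in the article above.
SWITCH_OUTPUT = """\
 Port Access Client Status Detail

  Client Base Details :
   Port            : 21                    Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 523 seconds
   Client Name     : f05c19ca3cf6          Session Timeout     : 0 seconds
   MAC Address     : f05c19-ca3cf6
   IP              :

  Access Policy Details :
   COS Map         : Not Defined           In Limit Kbps       : Not Set
   Untagged VLAN   : 20                    Out Limit Kbps      : Not Set
   Tagged VLANs    : 30, 150
   Port Mode       : 1000FDx
   RADIUS ACL List : No Radius ACL List
"""


def parse_port_access(output: str) -> tuple:
    """Return (untagged_vlan, sorted tagged vlans) from the switch's client detail output."""
    m_un = re.search(r"^\s*Untagged VLAN\s*:\s*(\d+)", output, re.M)
    m_tg = re.search(r"^\s*Tagged VLANs\s*:\s*([\d, ]*)", output, re.M)
    untagged = int(m_un.group(1)) if m_un else None
    tagged = sorted(int(x) for x in m_tg.group(1).split(",") if x.strip()) if m_tg else []
    return untagged, tagged


def switch_matches(output: str, untagged: int, tagged) -> bool:
    """True if the switch applied exactly the VLANs the enforcement profile returned."""
    return parse_port_access(output) == (untagged, sorted(set(tagged)))


if __name__ == "__main__":
    for vlan in (30, 150):
        v = egress_vlanid(vlan)
        print(f"tagged VLAN {vlan:>4}: {v:#010x} = {v} -> decodes to {decode_egress_vlanid(v)}")
    for dictionary, name, value in enforcement_attributes(20, [30, 150]):
        print(f"{dictionary:<36} {name:<26} = {value}")
    print("switch output matches profile:", switch_matches(SWITCH_OUTPUT, 20, [30, 150]))
```

Run it with no arguments to print the two decimal values from the article (822083614 and 822083734), the full attribute list, and the result of checking the captured switch output. The decoder is worth keeping at hand: a value whose padding bits are non-zero (for example a VLAN ID typed with four hex digits) is rejected rather than silently mapped to the wrong VLAN.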



May 09, 2019 04:14 PM

@hp1, @dirkve

You would change the port auth mode from user-based/session-based to port-based and push all the needed VLANs with the AP authentication.


  • HP-Port-Auth-Mode-Dot1x: This VSA temporarily alters the 802.1X authentication mode to be either port-based or user-based depending on the value in the VSA. A port-based VSA is set with a value of 1; a user-based VSA is set with a value of 2. This is an HP proprietary VSA with a value of 13.

    If an 802.1X port is operating in port-based mode, it is invalid to set the 802.1X client limit using the HP-Port-Client-Limit VSA.


Nov 08, 2018 02:25 PM



I have the same issue as hp1 describes in his comment. How can you authenticate the IAP on a switch port by MAC-auth, but not the wireless clients, since they are already authenticated by the IAP and ClearPass, for example? A switch port that is doing MAC authentication will also do it for the wireless client traffic.

Does arubanetworks have a guideline for such a setup?

Nov 05, 2018 04:33 AM

I have the same issue: an Instant cluster on Aruba switches, using ClearPass with AD.


I am looking for the same solution, authenticating the AP and not the clients attached to the AP. ClearPass has already authenticated them and assigned a VLAN for the clients.


I tried the solution provided and I see a problem: the clients are already authenticated by ClearPass, using Instant SSID authentication, but the switch tries to authenticate them again and fails.


How can I fix this?

Is it possible to authenticate only VLAN 1, and not the client VLANs?

I tried this solution using MAC-based authentication on the switch; the AP is authenticated, but then the clients do not get connected.