Hi Chris
I have never configured this on CX without ClearPass and Downloadable User Roles. But I found this:
https://www.arubanetworks.com/techdocs/AOS-S/16.10/ASG/KB/content/asg%20kb/tag-untag-vla-att.htm
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/527f6edb36e94d37bb885c335192bf91.png)
Maybe it can guide you.
The link below is for AOS switches, if someone needs the informaiton on this switch family:
https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=98535679-1bba-4952-9e00-cffd2638487d&CommunityKey=2fd943a6-8898-4dbe-915f-4f09e4d3c317&tab=librarydocuments
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Jul 05, 2024 06:00 AM
From: chris.nottenkaemper
Subject: Aruba IAP - dot1x tagged / untagged vlan
Hello together,
I need an advice how to approach this the best practice way.
I have the following sceneraio.
We ar currently implementing NAC for our network.
I've configured aaa dot1x on out CX switch and recieve policies for our clients. (which vlan is assigned and so on)
Now I want to do the same with our WiFi.
I want the AccessPoint to authenticate on the switch like the clients and the clients authenticate over the AccessPoint.
I wanted to use auth-mode device-mode for this case. So far so good.
But we use different VLANs for our users and I need to assign tagged vlans to an authenticated AccessPoint.
Currently I can't find the correct RADIUS Attributes or VSAs for this. I'm only able to assign one untagged vlan for the AccessPoint, but the Clients get a different VLAN in the SSID.
Do you know how to solve this. We are currently using Microsoft NPS as RADIUS solution (maybe ClearPass in the future).
If someone has an advice for me, it would be great. :)
Thanks alot in advance.
Best Regards
Chris