You can achieve this by using the Aruba VSAs above. For example, on NPS create a network policy for the "IT" group and assign VLAN XYZ.
Policy Name - Wireless-IT-VLAN-Assignment
Type of Network Access Server - Unspecified
Conditions - add whatever you typically add; but make sure you have Windows Group matches IT
Access Granted
EAP Type - add whatever authentication types you use
Constraints - NONE
RADIUS Attributes
- Click Vendor Specific; click Add
- Choose Vendor Specific from the Vendor choice; click Add
- Click to add attribute information
- Select Vendor Code = 14823 and Yes it conforms, click Configure Attributes
- Choose 2 as your assigned attribute number (for Aruba-User-VLAN in the above table)
- Attribute format = integer (decimal for IAS/NPS)
- Attribute value = XYZ (VLAN number)
- Click OK to close out
On your Server Group that has the NPS servers defined, add a server derived rule that will look for this attribute from NPS and then apply the VLAN. This will set the VLAN to whatever value is sent by NPS for Aruba-User-VLAN (or to NPS, Vendor 14823, attribute 2).
set vlan condition "Aruba-User-Vlan" value-of position 1
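
To check what NPS actually puts on the wire for this policy, the following added example (not part of the original post) encodes and parses the Vendor-Specific attribute described above: vendor code 14823, attribute number 2, integer value. The VLAN number 120 and the Class attribute in the sample are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type (RFC 2865)
ARUBA_VENDOR_ID = 14823   # vendor code from the post
ARUBA_USER_VLAN = 2       # vendor attribute number from the post


def build_aruba_vlan_vsa(vlan):
    """Encode Aruba-User-VLAN as the attribute NPS adds to the Access-Accept."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    sub = struct.pack("!BBI", ARUBA_USER_VLAN, 6, vlan)  # type, length, integer
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ARUBA_VENDOR_ID) + sub


def extract_aruba_vlan(attrs):
    """Walk the attribute bytes of a RADIUS reply; return the VLAN or None."""
    i = 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        value = attrs[i + 2:i + a_len]
        if a_type == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            # Only descend into sub-attributes that belong to the Aruba vendor ID.
            while vendor == ARUBA_VENDOR_ID and j + 2 <= len(value):
                v_type, v_len = value[j], value[j + 1]
                if v_len < 2 or j + v_len > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                if v_type == ARUBA_USER_VLAN and v_len == 6:
                    return struct.unpack("!I", value[j + 2:j + 6])[0]
                j += v_len
        i += a_len
    return None


# Constructed sample: a Class attribute followed by the Aruba VSA for VLAN 120.
SAMPLE_ATTRS = bytes([25, 6]) + b"demo" + build_aruba_vlan_vsa(120)

if __name__ == "__main__":
    print(build_aruba_vlan_vsa(120).hex())
    print(extract_aruba_vlan(SAMPLE_ATTRS))
```

If the parser returns None for the attribute bytes taken from a captured Access-Accept, the NPS policy did not match or the attribute was entered with a different vendor code, number or format.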