Problem:
In the IAP, we have the following Dynamic VLAN assignment configured on the SSID, as shown below.
When ClearPass is configured as the RADIUS server and Tunnel-Private-Group-Id is returned as 120, clients do not get an IP address from VLAN 120.
Diagnostics:
ClearPass sends the Tunnel-Private-Group-Id with a tag value of 0x01, which doesn't work with the IAP.
AVP: l=7 t=Tunnel-Private-Group-Id(81) Tag=0x01: v200
Tag: 0x01
Tunnel-Private-Group-Id: v200
To fix this issue, the Tag value needs to be sent as 0 from CPPM.
Solution:
In the Enforcement Profile, along with the VLAN Enforcement, we need to send the Tag-id attribute as shown below.
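
The tag handling behind the diagnostic above, as an added example that is not part of the original article: a Python decoder for attribute 81 that follows RFC 2868, where a first value octet of 0x01 to 0x1F is a tag and anything above 0x1F is already part of the string. The function names and sample bytes are constructed for illustration, and treating 0x00 as an unused tag octet is an assumption.

```python
TUNNEL_PRIVATE_GROUP_ID = 81  # RADIUS attribute type (RFC 2868)

def decode_tpgid(avp: bytes):
    """Split one Tunnel-Private-Group-Id AVP into (tag, group_id).

    RFC 2868: a first value octet of 0x01..0x1F is a Tag; an octet above
    0x1F is already the first character of the string (tag is None).
    Assumption: 0x00 is treated as an unused tag octet, i.e. tag 0.
    """
    if len(avp) < 3 or avp[0] != TUNNEL_PRIVATE_GROUP_ID:
        raise ValueError("not a Tunnel-Private-Group-Id AVP")
    length = avp[1]
    if length < 3 or length > len(avp):
        raise ValueError("bad AVP length")
    value = avp[2:length]
    if value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return None, value.decode("ascii", "replace")

def find_group_ids(attributes: bytes):
    """Walk a RADIUS attribute list and decode every attribute 81."""
    found, offset = [], 0
    while offset + 2 <= len(attributes):
        length = attributes[offset + 1]
        if length < 2 or offset + length > len(attributes):
            raise ValueError(f"malformed attribute at offset {offset}")
        if attributes[offset] == TUNNEL_PRIVATE_GROUP_ID:
            found.append(decode_tpgid(attributes[offset:offset + length]))
        offset += length
    return found

def has_nonzero_tag(tag):
    """True for the condition in the capture above (Tag=0x01)."""
    return tag not in (None, 0)

# Constructed attribute lists (not taken from a real capture file).
AS_CAPTURED = (bytes([64, 6, 0x01, 0, 0, 13])      # Tunnel-Type = VLAN
               + bytes([65, 6, 0x01, 0, 0, 6])     # Tunnel-Medium-Type = IEEE-802
               + bytes([81, 7, 0x01]) + b"v200")   # Tag=0x01, as in the capture
WITH_TAG_ZERO = bytes([81, 7, 0x00]) + b"v200"     # tag octet sent as 0
UNTAGGED = bytes([81, 6]) + b"v200"                # no tag octet at all

if __name__ == "__main__":
    for name, attrs in [("as captured", AS_CAPTURED),
                        ("tag zero", WITH_TAG_ZERO), ("untagged", UNTAGGED)]:
        for tag, group in find_group_ids(attrs):
            print(f"{name}: tag={tag} group={group!r} "
                  f"nonzero_tag={has_nonzero_tag(tag)}")
```

Feeding it the attribute bytes of an Access-Accept from a capture shows whether the tag octet in attribute 81 is non-zero before and after the enforcement profile change.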