Frequent Contributor I

Assign more than one Tagged VLAN on a Switch Port

Hi all,


I just ran into a problem, but so far I'm not sure if it is a bug in ClearPass, a configuration error or a limitation.


What I am trying to achieve:

I have an HPE AP which is configured for local bridging. So the static port config looks like: VL7 (untagged / management), VL 10-12 (tagged / SSID traffic)


Now I want to assign all VLANs dynamically. So on ClearPass I created one Enforcement Profile per VLAN and bound them to my Enforcement Policy. After successfully authenticating my AP, the switch port only gets two VLAN IDs assigned: VL7 untagged and VL10 tagged. The other two VLANs are missing.

In the AccessTracker output I can see that only the two VLANs are forwarded to the switch.


As I read the RFC on the FreeRADIUS page, the egress-VLANID attribute can be assigned more than one time.

"Times used = 1-*"


Can anyone help me with this behavior?


Thanks in advance, folks!

Network Engineer
ACCX #931 | ACMP
MVP Guru

Re: Assign more than one Tagged VLAN on a Switch Port

Not sure how you configured it, however when I try, I see the native VLAN and the tagged vlans assigned:



hp2530# show port-access clients 3 detailed

 Port Access Client Status Detail
  Client Base Details :
   Port            : 3                     Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 90 seconds
   Client Name     : 94b40fcd0832          Session Timeout     : 10800 seconds
   MAC Address     : 94b40f-cd0832
   IP              : n/a

  Access Policy Details :
   COS Map         : Not Defined           In Limit Kbps       : Not Set
   Untagged VLAN   : 2
   Tagged VLANs    : 32, 34
   Port Mode       : 1000FDx
   RADIUS ACL List : No Radius ACL List

hp2530# show version
Image stamp:    /ws/swbuildm/rel_spokane_qt_qaoff/code/build/lakes(swbuildm_rel_spokane_qt_qaoff_rel_spokane_qt)
                Aug 11 2016 15:32:10

And this is how my response shows in Access Tracker: [screenshot: 2016-11-22 16_40_03-ClearPass Policy Manager - Aruba Networks.png]


What I did do, and what might be a difference, is that I have a single enforcement profile for the tagged ports, HP-Tagged-VLANs, with the two VLANs in my lab inside. So two profiles in total.


If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
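
Added example, not part of the thread and not ClearPass or switch code: the egress-VLANID attribute the question refers to is RFC 4675 Egress-VLANID, whose 32-bit value holds a tag indication octet (0x31 tagged, 0x32 untagged), 12 pad bits and a 12-bit VLAN ID. The Python below encodes the port layout from the question and reports which VLANs a reply failed to carry; the function names and the sample reply are constructed for illustration, and it assumes the attribute values are available as integers.

```python
# Added example, not from the thread: RFC 4675 Egress-VLANID value handling.
TAGGED, UNTAGGED = 0x31, 0x32  # tag-indication octet defined by RFC 4675


def encode_egress_vlanid(vlan_id, tagged):
    """Pack one Egress-VLANID value: tag octet, 12 zero pad bits, 12-bit VLAN."""
    if not 1 <= vlan_id <= 4094:  # 0 and 4095 are reserved in 802.1Q
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value):
    """Return (vlan_id, tagged) or raise if the value is malformed."""
    tag, pad, vlan_id = (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF
    if value >> 32 or tag not in (TAGGED, UNTAGGED) or pad:
        raise ValueError(f"not a valid Egress-VLANID value: {value:#x}")
    return vlan_id, tag == TAGGED


def summarize(values):
    """Split every Egress-VLANID instance in a reply into untagged/tagged sets."""
    untagged, tagged = set(), set()
    for value in values:
        vlan_id, is_tagged = decode_egress_vlanid(value)
        (tagged if is_tagged else untagged).add(vlan_id)
    return untagged, tagged


def missing_vlans(expected_untagged, expected_tagged, values):
    """VLANs the policy intended but the reply did not carry."""
    untagged, tagged = summarize(values)
    return sorted(set(expected_untagged) - untagged), sorted(set(expected_tagged) - tagged)


# Intended port layout from the question: VL7 untagged, VL10-12 tagged.
INTENDED = [encode_egress_vlanid(7, False)] + [encode_egress_vlanid(v, True) for v in (10, 11, 12)]
# Constructed reply mirroring the reported symptom (only VL7 and VL10 sent).
OBSERVED = [0x32000007, 0x3100000A]

if __name__ == "__main__":
    print([f"{v:#010x}" for v in INTENDED])
    print(missing_vlans([7], [10, 11, 12], OBSERVED))
```

Comparing the decoded reply against the intended layout before the port goes live catches a partially applied profile, which would otherwise leave SSID traffic on the bridged AP without its VLAN.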
Frequent Contributor I

Re: Assign more than one Tagged VLAN on a Switch Port

Hi Herman,


Thanks for the hint! I have successfully tested it and it works.

Network Engineer
ACCX #931 | ACMP