- A 802.1x SSID has a default or set vlan that user end up in when they authenticate successfully. That is set in the SSID configuration. The Instant AP needs to be on a trunk that has that VLAN tagged.
- Optionally the radius server that authenticates them can send back an attribute, Aruba-User-Vlan, that will give them an alternate VLAN. When the optional VLAN is sent back the Instant AP needs to have a trunk that corresponds to that VLAN.
- The Aruba-User-Vlan attribute can be sent back using NPS with modification or you can use ClearPass, that has the capability already built in.
- First get 802.1x working with your clients on NPS. Then, make sure you have trunking working between your switch and IAP, by changing the VLAN in the SSID. Lastly, configure NPS to send back a different Aruba-User-Vlan attribute with radius responses to see if that is working.
Please see the post here: http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Setup-Dynamic-Vlans/m-p/91788#M2542 to see how to return a vlan attribute using NPS.