Instant On - Wired

I am attempting to set up a 1960 switch (JL807A) to authenticate and then assign a VLAN to a wired endpoint. The authentication portion works and the RADIUS response from Clearpass is as follows:

The switch never assigns vlan 106 to the endpoint. Looking at the Access Control Client Information portion of the Port Access Control menu shows the VLAN ID as 0. I will paste my config below, but to summarize what I've configured so far:

1. Management VLAN with static IP. Uplink port is configured as untagged on this VLAN.
2. Created 20 more VLANs (including the example VLAN 106 which is being assigned in this case) and tagged them on the uplink port.
3. Enabled 802.1x Authentication and Accounting modes in Security>RADIUS Configuration as well as added the Clearpass server as a RADIUS server.
4. Enabled Admin Mode in Security>Port Access Control. Edited the Port Configuration of the port the endpoint is connected to (1/1) and set the Control Mode to Auto and enabled VLAN Assignment.
5. Tagged all VLANs except management VLAN 100 on port 1/1 and untagged to VLAN 1.

Before setting up RADIUS I made sure that my actual VLANs are working if I just untag them on the ports manually, but the goal is to have all the ports configured for automatic VLAN assignment based upon what Clearpass sends back. What am I missing here?

config-file-headerCN20KY63R9vInstantOn_1960_2.9.0.0 (53) / RHPE2.9_932_296_002SKU Description "Aruba Instant On 1960 24G 20p Class4 4p Class6 PoE 2XGT 2SFP+ 370W Switch JL807A"@!unit-type-control-start unit-type unit 1 network fa uplink te unit-type unit 2 network fa uplink te unit-type unit 3 network fa uplink te unit-type unit 4 network fa uplink te unit-type-control-end !vlan databasevlan 100-120 exitvoice vlan oui-table add 0001e3 Siemens_AG_phonevoice vlan oui-table add 00036b Cisco_phonevoice vlan oui-table add 00096e Avayavoice vlan oui-table add 000fe2 3Comvoice vlan oui-table add 0060b9 H3Cvoice vlan oui-table add 64167f Polycomvoice vlan oui-table add 805e0c Yealinkdot1x system-auth-controlpriority-queue out num-of-queues 1 hostname CN20KY63R9radius-server host 10.0.1.75 key [REDACTED]aaa accounting dot1x start-stop group radiususername admin password encrypted 7b20549e03b15656b78e5b0862854729c2851f50 privilege 15 snmp-server engineid local default management vlan 100 !interface vlan 100 name MGMT  ip address 10.0.0.108 255.255.255.0  no ip address dhcp !interface 1/1 dot1x radius-attributes vlan static  dot1x port-control auto  switchport general allowed vlan add 101-120 tagged  switchport general allowed vlan add 1 untagged !interface 1/28 switchport general allowed vlan add 101-120 tagged  switchport general allowed vlan add 100 untagged  switchport general pvid 100 !exitip default-gateway 10.0.0.1 ip ssh-client key rsa key-pair---- BEGIN SSH2 PRIVATE KEY ----Comment: RSA Private Key[REDACTED]---- END SSH2 PRIVATE KEY -------- BEGIN SSH2 PUBLIC KEY ----Comment: RSA Public Key[REDACTED]---- END SSH2 PUBLIC KEY ----.ip ssh-client key dsa key-pair---- BEGIN SSH2 PRIVATE KEY ----Comment: DSA Private Key[REDACTED]---- END SSH2 PRIVATE KEY -------- BEGIN SSH2 PUBLIC KEY ----Comment: DSA Public Key[REDACTED]---- END SSH2 PUBLIC KEY ----.crypto certificate 1 import-----BEGIN RSA PRIVATE KEY-----[REDACTED]-----END RSA PRIVATE KEY----------BEGIN RSA PUBLIC KEY-----[REDACTED]01TwIDAQAB-----END RSA PUBLIC KEY----------BEGIN CERTIFICATE-----[REDACTED]-----END CERTIFICATE-----.crypto certificate 2 import-----BEGIN RSA PRIVATE KEY-----[REDACTED]-----END RSA PRIVATE KEY----------BEGIN RSA PUBLIC KEY-----[REDACTED]-----END RSA PUBLIC KEY----------BEGIN CERTIFICATE-----[REDACTED]-----END CERTIFICATE-----.

Hi, do you have a solution for this topic, have the same problem

I am attempting to set up a 1960 switch (JL807A) to authenticate and then assign a VLAN to a wired endpoint. The authentication portion works and the RADIUS response from Clearpass is as follows:

The switch never assigns vlan 106 to the endpoint. Looking at the Access Control Client Information portion of the Port Access Control menu shows the VLAN ID as 0. I will paste my config below, but to summarize what I've configured so far:

1. Management VLAN with static IP. Uplink port is configured as untagged on this VLAN.
2. Created 20 more VLANs (including the example VLAN 106 which is being assigned in this case) and tagged them on the uplink port.
3. Enabled 802.1x Authentication and Accounting modes in Security>RADIUS Configuration as well as added the Clearpass server as a RADIUS server.
4. Enabled Admin Mode in Security>Port Access Control. Edited the Port Configuration of the port the endpoint is connected to (1/1) and set the Control Mode to Auto and enabled VLAN Assignment.
5. Tagged all VLANs except management VLAN 100 on port 1/1 and untagged to VLAN 1.

Before setting up RADIUS I made sure that my actual VLANs are working if I just untag them on the ports manually, but the goal is to have all the ports configured for automatic VLAN assignment based upon what Clearpass sends back. What am I missing here?

config-file-headerCN20KY63R9vInstantOn_1960_2.9.0.0 (53) / RHPE2.9_932_296_002SKU Description "Aruba Instant On 1960 24G 20p Class4 4p Class6 PoE 2XGT 2SFP+ 370W Switch JL807A"@!unit-type-control-start unit-type unit 1 network fa uplink te unit-type unit 2 network fa uplink te unit-type unit 3 network fa uplink te unit-type unit 4 network fa uplink te unit-type-control-end !vlan databasevlan 100-120 exitvoice vlan oui-table add 0001e3 Siemens_AG_phonevoice vlan oui-table add 00036b Cisco_phonevoice vlan oui-table add 00096e Avayavoice vlan oui-table add 000fe2 3Comvoice vlan oui-table add 0060b9 H3Cvoice vlan oui-table add 64167f Polycomvoice vlan oui-table add 805e0c Yealinkdot1x system-auth-controlpriority-queue out num-of-queues 1 hostname CN20KY63R9radius-server host 10.0.1.75 key [REDACTED]aaa accounting dot1x start-stop group radiususername admin password encrypted 7b20549e03b15656b78e5b0862854729c2851f50 privilege 15 snmp-server engineid local default management vlan 100 !interface vlan 100 name MGMT  ip address 10.0.0.108 255.255.255.0  no ip address dhcp !interface 1/1 dot1x radius-attributes vlan static  dot1x port-control auto  switchport general allowed vlan add 101-120 tagged  switchport general allowed vlan add 1 untagged !interface 1/28 switchport general allowed vlan add 101-120 tagged  switchport general allowed vlan add 100 untagged  switchport general pvid 100 !exitip default-gateway 10.0.0.1 ip ssh-client key rsa key-pair---- BEGIN SSH2 PRIVATE KEY ----Comment: RSA Private Key[REDACTED]---- END SSH2 PRIVATE KEY -------- BEGIN SSH2 PUBLIC KEY ----Comment: RSA Public Key[REDACTED]---- END SSH2 PUBLIC KEY ----.ip ssh-client key dsa key-pair---- BEGIN SSH2 PRIVATE KEY ----Comment: DSA Private Key[REDACTED]---- END SSH2 PRIVATE KEY -------- BEGIN SSH2 PUBLIC KEY ----Comment: DSA Public Key[REDACTED]---- END SSH2 PUBLIC KEY ----.crypto certificate 1 import-----BEGIN RSA PRIVATE KEY-----[REDACTED]-----END RSA PRIVATE KEY----------BEGIN RSA PUBLIC KEY-----[REDACTED]01TwIDAQAB-----END RSA PUBLIC KEY----------BEGIN CERTIFICATE-----[REDACTED]-----END CERTIFICATE-----.crypto certificate 2 import-----BEGIN RSA PRIVATE KEY-----[REDACTED]-----END RSA PRIVATE KEY----------BEGIN RSA PUBLIC KEY-----[REDACTED]-----END RSA PUBLIC KEY----------BEGIN CERTIFICATE-----[REDACTED]-----END CERTIFICATE-----.

I am attempting to set up a 1960 switch (JL807A) to authenticate and then assign a VLAN to a wired endpoint. The authentication portion works and the RADIUS response from Clearpass is as follows:

The switch never assigns vlan 106 to the endpoint. Looking at the Access Control Client Information portion of the Port Access Control menu shows the VLAN ID as 0. I will paste my config below, but to summarize what I've configured so far:

1. Management VLAN with static IP. Uplink port is configured as untagged on this VLAN.
2. Created 20 more VLANs (including the example VLAN 106 which is being assigned in this case) and tagged them on the uplink port.
3. Enabled 802.1x Authentication and Accounting modes in Security>RADIUS Configuration as well as added the Clearpass server as a RADIUS server.
4. Enabled Admin Mode in Security>Port Access Control. Edited the Port Configuration of the port the endpoint is connected to (1/1) and set the Control Mode to Auto and enabled VLAN Assignment.
5. Tagged all VLANs except management VLAN 100 on port 1/1 and untagged to VLAN 1.

Before setting up RADIUS I made sure that my actual VLANs are working if I just untag them on the ports manually, but the goal is to have all the ports configured for automatic VLAN assignment based upon what Clearpass sends back. What am I missing here?

config-file-headerCN20KY63R9vInstantOn_1960_2.9.0.0 (53) / RHPE2.9_932_296_002SKU Description "Aruba Instant On 1960 24G 20p Class4 4p Class6 PoE 2XGT 2SFP+ 370W Switch JL807A"@!unit-type-control-start unit-type unit 1 network fa uplink te unit-type unit 2 network fa uplink te unit-type unit 3 network fa uplink te unit-type unit 4 network fa uplink te unit-type-control-end !vlan databasevlan 100-120 exitvoice vlan oui-table add 0001e3 Siemens_AG_phonevoice vlan oui-table add 00036b Cisco_phonevoice vlan oui-table add 00096e Avayavoice vlan oui-table add 000fe2 3Comvoice vlan oui-table add 0060b9 H3Cvoice vlan oui-table add 64167f Polycomvoice vlan oui-table add 805e0c Yealinkdot1x system-auth-controlpriority-queue out num-of-queues 1 hostname CN20KY63R9radius-server host 10.0.1.75 key [REDACTED]aaa accounting dot1x start-stop group radiususername admin password encrypted 7b20549e03b15656b78e5b0862854729c2851f50 privilege 15 snmp-server engineid local default management vlan 100 !interface vlan 100 name MGMT  ip address 10.0.0.108 255.255.255.0  no ip address dhcp !interface 1/1 dot1x radius-attributes vlan static  dot1x port-control auto  switchport general allowed vlan add 101-120 tagged  switchport general allowed vlan add 1 untagged !interface 1/28 switchport general allowed vlan add 101-120 tagged  switchport general allowed vlan add 100 untagged  switchport general pvid 100 !exitip default-gateway 10.0.0.1 ip ssh-client key rsa key-pair---- BEGIN SSH2 PRIVATE KEY ----Comment: RSA Private Key[REDACTED]---- END SSH2 PRIVATE KEY -------- BEGIN SSH2 PUBLIC KEY ----Comment: RSA Public Key[REDACTED]---- END SSH2 PUBLIC KEY ----.ip ssh-client key dsa key-pair---- BEGIN SSH2 PRIVATE KEY ----Comment: DSA Private Key[REDACTED]---- END SSH2 PRIVATE KEY -------- BEGIN SSH2 PUBLIC KEY ----Comment: DSA Public Key[REDACTED]---- END SSH2 PUBLIC KEY ----.crypto certificate 1 import-----BEGIN RSA PRIVATE KEY-----[REDACTED]-----END RSA PRIVATE KEY----------BEGIN RSA PUBLIC KEY-----[REDACTED]01TwIDAQAB-----END RSA PUBLIC KEY----------BEGIN CERTIFICATE-----[REDACTED]-----END CERTIFICATE-----.crypto certificate 2 import-----BEGIN RSA PRIVATE KEY-----[REDACTED]-----END RSA PRIVATE KEY----------BEGIN RSA PUBLIC KEY-----[REDACTED]-----END RSA PUBLIC KEY----------BEGIN CERTIFICATE-----[REDACTED]-----END CERTIFICATE-----.

------------------------------
Chris Bruck
------------------------------