First make sure your radius server is correctly sending back all three AV pairs: Tunnel-Medium-Type: Choose 802 for the Attribute value Commonly used for 802.1X. Tunnel-Private-Group-ID: Choose String and enter the VLAN desired (ex. "500"). This string will specify the VLAN ID 500. Tunnel-Type: Choose Attribute value Commonly used for 802.1X and select Virtual LANs (VLANs) If so and changing VLAN after authentication there is a slight possibility your client is a bit stuck by not doing dhcp after authentication.  Depends on the software on the client. If for some reason you allow for traffic on a guest VLAN before authentication then you do have a change in VLAN and your client should not be able to communicate on the old VLAN after having the port change to another VLAN. So using packet capture please check if your authentication server is sending all 3 necessary AV pairs. ... View more