Kevin, We actually did the enable the dynamic vlan on the wlan profile with vlan100 without the dictionary file. The user had a group id of 101 yet it still took the vlan100  dhcp pool.  Should we also define the vlan 101together with 100 on this Wlan?    As per produce reference guide, shouldn't  the radius vlan assignment should override what ever it is on the  controller even though if it is not defined in it ? or I misunderstood it. Thanks for the clarification!

Arnold, You are correct in that the VLAN thats returned from the AAA server will override the static VLAN assigned to the WLAN. For example if the static VLAN is 20 and AAA returns VLAN 23, the user will be assigned to VLAN 23. If no VLAN is returned from AAA, the user will be mapped to VLAN 20. What I would recomend is taking a trace of the RADIUS Access Accept and verifying that you are indeed recieving the tunnel-private-group-id attribute and value. Dynamic VLAN assignments are something that have been around for some time so this is a stable feature. Quick qeuestion - I'm assuming that your using AP300s or AP650s and not Adaptive Access Points with Independent WLANs? If your using Indepdnent WLANs then I don't believe we support Dynamic VLAN assignments. Regards, Kevin Regards, Kevin

the independent wlan on AAP7131  is the culprit,  we need to upgrade to wing5.2 then. Thanks a lot

Arnold, All we require for Dynamic VLANs is the IETF standard RADIUS return attribute 'tunnel-private-group-id' and a numerical VLAN ID (1-4094). As this attrubute is standard you don't need to add a dictionary file to support it as it. The only other configuration that needs to be made is you need to enable 'Dynamic Assignment' in the WLAN. Of course the VLAN also needs to be defined on the Controller. Regards, Kevin