OK, so go to the user realm that these people are in. If you look under role mappings you can define how you pick out users. So for me I choose user attributes; I then select ou is IT. This will match all users with an ou=IT. For you, say the VLAN 10 people are sales: you would set ou is sales, then you would map that to a vlan10_user; you would then do a RADIUS return attribute for the vlan_10 user that has Tunnel-Private-Group-ID set to whatever the VLAN ID is. If the users are not in logical groups that you can pull from AD, then you can separate the roles out based on RADIUS request attributes of the NAS device. Say each set of users is on a different switch; you can do a RADIUS request attribute to match the IP of the switch. So under the user auth realm again you go under auth policy and look at the RADIUS request policy and match one you have created. Then under role mapping you would match all users for the role mapping. I do hope this helps.
A: Yes, the switch needed to be configured with both VLANs.
B: A switch port can have a default VLAN set and have the ability to join both VLAN 10 and 20.
2: The 802.1X exchange takes place via EAP packets, which is layer 2 and does not need an IP address.
3: Not understanding your question, but if you are asking how to map an AD user to an IC role, then under role mappings you can say User attribute OU, if == ITuser, map to IC role IT_staff.
4: The IC can be in the same management VLAN as the switch; the IC will tell the switch to put a user in whatever VLAN their role mapping is mapped to.
I hope this helps.
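The two posts above describe the same pipeline: a role-mapping rule matches a user on an AD attribute (ou=IT, ou=sales) or on the switch IP carried in the RADIUS request, the matched role is tied to a VLAN, and the IC hands the switch the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID return attributes. The following is an added example modelling that logic in plain Python; it is not the Infranet Controller's code or configuration and not from either poster. The rule table, the role names IT_staff and vlan10_user, the switch IPs and the VLAN numbers are assumptions. The RADIUS encoding (attribute numbers 64/65/81, Tunnel-Type VLAN=13, Tunnel-Medium-Type IEEE-802=6, tagged 3-octet integers) follows RFC 2868 and RFC 3580. It also shows the caveat the posts leave implicit: a user who matches more than one rule gets the VLAN of the first matching role, and a user who matches no VLAN-bearing role gets no VLAN attributes at all.

```python
# Constructed example: role mapping -> VLAN return attributes, as the posts
# describe for the IC. Not the IC's own code; names and IPs are assumptions.
import struct
from dataclasses import dataclass
from typing import Optional

# RADIUS attribute types and values from RFC 2868 / RFC 3580
TUNNEL_TYPE = 64              # tagged integer
TUNNEL_MEDIUM_TYPE = 65       # tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass(frozen=True)
class RoleRule:
    """One role-mapping rule: match on a user (AD) attribute, on the NAS IP
    from the RADIUS request, or on both. All given conditions must hold."""
    role: str
    user_attr: Optional[tuple] = None   # e.g. ("ou", "IT")
    nas_ip: Optional[str] = None        # e.g. "10.1.1.10"


# Hypothetical rules in evaluation order, and the role -> VLAN table
RULES = (
    RoleRule("IT_staff", user_attr=("ou", "IT")),
    RoleRule("vlan10_user", user_attr=("ou", "sales")),
    RoleRule("vlan10_user", nas_ip="10.1.1.10"),   # everyone on this switch
)
ROLE_VLAN = {"IT_staff": 20, "vlan10_user": 10}


def map_roles(user_attrs: dict, nas_ip: str, rules=RULES) -> list:
    """Return the roles whose every condition matches this request, in rule
    order. A rule with no condition never matches, so a half-written rule
    cannot silently grant a VLAN to everybody."""
    roles = []
    for rule in rules:
        if rule.user_attr is None and rule.nas_ip is None:
            continue
        if rule.user_attr and user_attrs.get(rule.user_attr[0]) != rule.user_attr[1]:
            continue
        if rule.nas_ip and nas_ip != rule.nas_ip:
            continue
        if rule.role not in roles:
            roles.append(rule.role)
    return roles


def _tagged_int(attr: int, tag: int, value: int) -> bytes:
    # Type, Length (always 6), Tag, 3-octet big-endian value (RFC 2868 3.1)
    return struct.pack(">BBB", attr, 6, tag) + value.to_bytes(3, "big")


def _tagged_str(attr: int, tag: int, value: bytes) -> bytes:
    # Type, Length, Tag, String; Length covers all fields and is one octet
    if len(value) > 250:
        raise ValueError("tagged string too long")
    return struct.pack(">BBB", attr, 3 + len(value), tag) + value


def vlan_return_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Encode the three attributes a switch expects in order to move the
    port into a VLAN (RFC 3580 3.31): Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan id as text>."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))


def authorize(user_attrs: dict, nas_ip: str) -> Optional[bytes]:
    """Return the RADIUS return attributes for the first mapped role that has
    a VLAN, or None when no role maps to one (the caller then rejects, or
    leaves the port in its default VLAN, whichever site policy says)."""
    for role in map_roles(user_attrs, nas_ip):
        if role in ROLE_VLAN:
            return vlan_return_attributes(ROLE_VLAN[role])
    return None


if __name__ == "__main__":
    # A sales user authenticating through a switch with no NAS-specific rule
    print(authorize({"ou": "sales"}, "10.1.1.20").hex())
```

Note the ordering effect: an ou=IT user plugged into switch 10.1.1.10 matches both IT_staff and vlan10_user, and because IT_staff comes first in the rule table that user lands in VLAN 20, not 10. If the intent is the opposite, the rule order (or the role's VLAN) has to change; the matching logic alone does not resolve it.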