Issue with Dynamic VLAN Assignment with Clearpass

Hello,

I am trying to test out dynamic VLAN assignment with a Clearpass NAC solution to my MS510TX switches. I see the switches forward the EAP messages to Clearpass but unfortunately whatever attributes I send back to the switch, it refuses to accept the attributes.

First I responded with this:

Radius:IETF:Tunnel-Medium-Type: 802

Radius:IETF:Tunnel-Private-Group-Id: 25

Radius:IETF:Tunnel-Type: VLAN

The switch responded with the following logs:

08 Mar 2025 17:54:04 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

I deciced the remove the two attributes Medium-Type and Tunnel-Type. Unfortunately then I received the error below :

08 Mar 2025 18:12:26 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 18:12:26 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - tag should be 0 or greater then 31

Anyone have an idea what I am missing here?

Thank you!