vlanauthorization must be enabled or the VLAN tunnel attributes are ignored and the default VLAN is used.
When policy maptable response is set to both and only Tunnel ID is returned from RADIUS server, tunnel ID takes precedence and FDB is learned on Tunnel ID if policy maptable is not configured on the switch. If policy maptable is configured, then the policy profile assigned to that VLAN ID takes precedence and FDB is learned on policy profile PVID and not VLAN tunnel ID if invalid action is set to default-policy/drop.
configure policy profile 60 name test pvid 2 pvid-status enable configure policy maptable 1234 60From RADIUS VLAN tunnel ID 1234 exclusively is sent. Now FDB after successful authentication is learned on PVID 2 and not on 1234.
Hybrid Mode support eliminates the dependency of VLAN assignment based on roles. As a result, VLANs can be assigned via the tunnel-private-group-ID, as defined per RFC3580, while assigning roles via the filter-ID. This separation gives administrators more flexibility to segment their networks for efficiency beyond the role limits.