Switch – Regarding Dot1X dynamic VLAN assignment

Situation:

I am trying to get 802.1X working for me. I want RADIUS server to dynamically assign VLANs to ports based on RADIUS reply attribute for particular user. I have an HP E2620 switch and a FreeRADIUS server. The supplicant is a Windows 8.1 machine

I referred to this document on freeradius website.

What I've done so far:

On FreeRADIUS I created a user with such parameters:

dot1xtest    User-Password := "secret"
             Tunnel-Type = "VLAN",
             Tunnel-Medium-Type = "IEEE-802",
             Tunnel-Private-Group-ID = "100"

I also tried Tunnel-Pvt-Group-ID instead, but it doesn't work on FreeRADIUS, just barks at me (I saw this on resources for configuring on Microsoft NPS, one of these)
. Also I tried values "802", 802, 6 for tunnel medium type.

Also I tried to use actual VLAN name instead of VLAN-ID as Group ID value. Anyway its datatype is string.

I configured the HP switch to use this RADIUS server for AAA and set this up for port 10:

aaa port-access gvrp-vlans
aaa authentication port-access eap-radius
aaa port-access authenticator 10
aaa port-access authenticator 10 auth-vid 150
aaa port-access authenticator 10 unauth-vid 200
aaa port-access authenticator active

VLANs:

VLAN 100 - VLAN which I want to get after authentication.
VLAN 150 - VLAN which I get now, because my config is not working
VLAN 200 - Unauthorized VLAN which is used on auth. failure

Notes:

• Port 10 also has untagged VLAN 150 assigned to it: vlan 150 untagged 10. And I can't get rid of the static assignment

• All VLANs listed above are present in switch's VLAN database.

• Whenever I plug into this port it asks me for credentials; after I succeed with authentication it just sends me to VLAN150 and if I try to fail I get to VLAN200.

• I enabled 802.1X authentication on Windows connection just like described here.

• I tried enabling GVRP – it doesn't change anything

Diagnostic/show command output:

Static VLAN assignment for Port 10. VLAN 150 untagged

 SW # show vlans ports 10 detail

 Status and Counters - VLAN Information - for ports 10

  VLAN ID Name                             | Status     Voice Jumbo Mode
  ------- -------------------------------- + ---------- ----- ----- --------
  150     VLAN150                          | Port-based No    No    Untagged

In show logging I see this:

I 08/28/14 08:29:24 00077 ports: port 10 is now off-line
I 08/28/14 08:29:29 00435 ports: port 10 is Blocked by AAA
I 08/28/14 08:29:29 00435 ports: port 10 is Blocked by STP
I 08/28/14 08:29:29 00076 ports: port 10 is now on-line
I 08/28/14 08:29:29 00001 vlan: VLAN200 virtual LAN enabled
I 08/28/14 08:29:29 00435 ports: port 10 is Blocked by AAA
I 08/28/14 08:29:29 00002 vlan: UNUSED virtual LAN disabled
I 08/28/14 08:29:29 00435 ports: port 10 is Blocked by STP
I 08/28/14 08:29:29 00076 ports: port 10 is now on-line
I 08/28/14 08:29:29 00001 vlan: UNUSED virtual LAN enabled
I 08/28/14 08:29:47 00002 vlan: UNUSED virtual LAN disabled

show port-access authenticator output:

SW # show port-access authenticator

 Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes

       Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir
  ---- ------- ------- -------- ------ --------- ----- ------ -----
  10   1/0     0       150      No     No        No    No     both

RADIUS user test:

Linux-server # radtest dot1xtest secret localhost 0 secretkey
Sending Access-Request of id 158 to 127.0.0.1 port 1812
        User-Name = "dot1xtest"
        User-Password = "secret"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=158, length=37
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = "100"

This is what I saw in TCPdump on the RADIUS server. I was capturing outgoing UDP traffic with source port 1812. It's what my switch gets (if it does actually, not sure how to check that…)

      Tunnel Type Attribute (64), length: 6, Value: Tag[Unused]#13
        0x0000:  0000 000d
      Tunnel Medium Attribute (65), length: 6, Value: Tag[Unused]802
        0x0000:  0000 0006
      Tunnel Private Group Attribute (81), length: 5, Value: 100
        0x0000:  3130 30

Debug:

debug security radius-server
debug security port-access authenticator
debug destination buffer

After that I unplugged and plugged in the cable and did show debug buffer and here is the copy-paste of it. It's weird, nothing is said about any attributed related to VLAN.

Questions:

What am I doing wrong?

I've read in a bunch of resources that if the RADIUS assigns a VLAN ID switch uses that in the first place. Then it falls back to Authorized VLAN configured for Port-Access Authenticator if authentication succeeds. If that is not present it assigns Untagged VLAN configured on the port. Why don't I get that behavior?

I kind of start to think the attribute Tunnel-Private-Group-Id is not supported on these switches. It seems every resource refers to Tunnel-Pvt-Group-Id instead (configuring on Microsoft). Too bad I don't have Windows Server to check.

Maybe it's firmware related? Didn't try to upgrade yet, I use RA_15_06_0009.swi and there's RA_15_14_0007.swi out there already

Update

Just tried on a 3500yl-24G-PWR model and still doesn't work. So.. I'd guess, switches just don't get the config from the RADIUS server (or did I use incorrect attributes or operators?). How can I troubleshoot that?