Security

I have no idea how this is happening but this could lead to be a bigger issue in our network. Our printers are segmented on vlan 210. One of our printers was being assigned our server vlan which is 100.. even though our enforcement profile 210 was being passed. Afterwards it was assigned to our voice vlan which is 240 Anyone have any idea what could cause this to happen? This is the strangest anomaly I have seen with ClearPass to date. Pictures below.

-------------------------------------------

No anomalies are visible in the screenshots. In both cases, the Tunnel-Private-Group-ID attribute was sent with the value 210, meaning that Clearpass assigned VLAN-ID 210.
Was the VLAN on the switch possibly overridden by a device profile or aruba-user-role?

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Agreeing with this. ClearPass does not appear to be an anomaly with ClearPass. Check switch logs and 'show port-access clients' or equivalent for your switch to determine how the VLAN is being derived for this client. 

-------------------------------------------

Original Message:
Sent: Apr 11, 2026 04:42 AM
From: Lord
Subject: ClearPass assigning wrong vlan ???

No anomalies are visible in the screenshots. In both cases, the Tunnel-Private-Group-ID attribute was sent with the value 210, meaning that Clearpass assigned VLAN-ID 210.
Was the VLAN on the switch possibly overridden by a device profile or aruba-user-role?

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

We use Cisco 3850s. There was no changes to the switchport this printer was connected to. It has the clearpass config on it, I have no idea how it bounced through 2 different vlans like that. Our server vlan 100 and voice 240. Once the printer was factory reset the issue was resolved. But kind of worried about this happening again in the future. 

-------------------------------------------

Original Message:
Sent: Apr 11, 2026 04:42 AM
From: Lord
Subject: ClearPass assigning wrong vlan ???

No anomalies are visible in the screenshots. In both cases, the Tunnel-Private-Group-ID attribute was sent with the value 210, meaning that Clearpass assigned VLAN-ID 210.
Was the VLAN on the switch possibly overridden by a device profile or aruba-user-role?

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Also need to mention, the IP the printer was assigned on the 100 vlan isn't even in the DHCP scope for that vlan.. 

-------------------------------------------

I understand your concern, but according to your screenshots, ClearPass sent VLAN ID 210 to the switch. ClearPass cannot assign an IP address, the printer must have obtained it via DHCP from the access VLAN.

If the printer ends up in the wrong VLAN again in the future, check the switch configuration to see if the VLAN assigned by RADIUS is being overridden by a setting on the switch.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Apr 13, 2026 10:25 AM
From: Jscott1
Subject: ClearPass assigning wrong vlan ???

Also need to mention, the IP the printer was assigned on the 100 vlan isn't even in the DHCP scope for that vlan..