Everything Instant On

Hi everyone,

I'm struggling to get Voice VLAN working reliably on an Aruba Instant On 1930 when the port is under Port Access Control (RADIUS/802.1X). I'd be grateful for a sanity check and best-practice guidance. 

Topology / components

• Switch: Aruba Instant On 1930 

• Phone: Grandstream GXP1625

• DHCP: Enable

• RADIUS: Windows NPS (Active Directory)

• Voice VLAN: Enable (PCP/CoS = 6)

• Data VLAN - Guest Vlan (PVID): Enable (untagged on the phone port)

• Ingress filtering: Enabled

• Tagged VLANs on the phone port: includes voice vlan

• LLDP/LLDP-MED: Enabled on the switch and phone

What I want

• Do everything via RADIUS (802.1X if possible), and have the phone end up in Voice VLAN on ports .

• PAP is not allowed in our environment.

• If 802.1X is the right path, I can configure PEAP (MSCHAPv2) or EAP-TLS on the phone.

Symptoms

• If I enable Voice VLAN membership on ports,  the phone loses network/DHCP during boot. Logs show LLDP-MED neighbor detected, but the phone never gets an IP in voice vlan.

• If I disable Voice VLAN on the port, the phone immediately works (either with manual VLAN on the phone or via DHCP ).

• With Port Access Control (Authenticator) enabled, the switch always sends the device to RADIUS, even when "VLAN Authentication" for vlan is set to Disabled (I assume this is by design).

What already works

• QoS mapping is set so PCP 5 → highest queue; CoS remarking value is 5.

• DHCP Snooping is enabled; uplink is trusted.

• VLAN membership on the phone port: untagged Data, tagged Voice.

Questions for the community

1. Instant On 1930 + 802.1X phones: Is it supported and expected that, after 802.1X success and NPS returning the VLAN attributes above, the phone session lands in Voice VLAN while the port continues to accept tagged vlan frames (ingress filtering enabled)? Any caveats for this model?

2. When Voice VLAN is enabled on the port, does the 1930 block tagged voice frames until LLDP-MED/OUI detection activates the voice profile? Could that explain why DHCP fails the moment I enable "Voice VLAN membership" even though Voice VLAN  is in the port's tagged list?

3. For Instant On 1930, what is the recommended sequence/interaction between Voice VLAN, LLDP-MED, and 802.1X via NPS for SIP phones (Grandstream specifically)?

   • Should we avoid Voice VLAN and rely solely on RADIUS-assigned VLAN + static port membership (untagged data + tagged voice)?

   • Or is there a supported way to keep Voice VLAN membership enabled and still let 802.1X place the phone into Voice VLAN cleanly?

4. Any reference configurations (Instant On + NPS) you can share for this exact combination would be amazing.

Thanks a lot for any pointers! If you need specific logs (LLDP, RADIUS attributes, port state) or screenshots, I can provide them.