VLAN-Tunnel-Attr change on reauthentication has no effect

Say the VLAN-Tunnel-Attr as previously returned by Radius is X.
We change the Radius config to return Y.
After reauthentication (via "set macauth macreauthenticate MACADDRESS") we correctly see the new VLAN-Tunnel-Attr Y using "show vlanauth session" etc.
However, the device apparently is still in the old VLAN X (it still pings).
When I disable/enable the port, the VLAN is set all right to Y, according to the current Radius setting (the device no longer pings, which is normal since here Y is an isolated VLAN).
Is it normal that I have to do a port down/up, and that reauth has no effect here?

(C3 6.61.13)

UPDATE: It seems to behave that way only when either VLAN X or Y is also set as the static PVID for that port. Why do I do that? Well, I don't want to completely rely on Radius. I want to have all connections working even if Radius is not there, except for MACs that I specifically want to "blackhole", which I would do by a Radius-Accept with a "blackhole" VLAN. (In essence, the static PVID is the default/fallback VLAN in case all else fails.)

