Hi, as was mentioned before, RFC 3580 does not support assignment of tagged VLANs to an authenticated client/device. In the case of an Aruba switch you can use RFC 4675. The attribute Egress-VLANID needs a proper value:
first 8 bits specify "tagging": 0x31 ...
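
The Egress-VLANID value layout as defined in RFC 4675, shown as an added example that is not part of the original post: an 8-bit tag indication (0x31 tagged, 0x32 untagged), 12 zero pad bits, and a 12-bit VLAN ID. The function names and the sample VLAN IDs are assumptions made for illustration.

```python
import struct

# Constants from RFC 4675 (Egress-VLANID is RADIUS attribute type 56).
ATTR_EGRESS_VLANID = 56
TAGGED = 0x31      # Tag Indication: frames leave the port tagged
UNTAGGED = 0x32    # Tag Indication: frames leave the port untagged


def encode_egress_vlanid(vlan_id, tagged):
    """Return the 32-bit value: 8-bit tag indication, 12-bit zero pad, 12-bit VLAN ID."""
    # Assumption: reject 0 and 4095, which IEEE 802.1Q reserves.
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value):
    """Split a 32-bit value into (vlan_id, tagged), rejecting malformed input."""
    tag, pad, vlan_id = (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF
    if not 0 <= value <= 0xFFFFFFFF or tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indication in {value:#x}")
    if pad != 0:
        raise ValueError(f"non-zero pad bits in {value:#010x}")
    return vlan_id, tag == TAGGED


def to_attribute(value):
    """Wire form of the attribute: type, length (6), 4-octet big-endian value."""
    return struct.pack("!BBI", ATTR_EGRESS_VLANID, 6, value)


if __name__ == "__main__":
    # Constructed policy: VLAN 100 tagged, VLAN 10 untagged.
    for vid, tagged in [(100, True), (10, False)]:
        v = encode_egress_vlanid(vid, tagged)
        print(f"VLAN {vid:4d} tagged={tagged!s:5}  {v:#010x}  {v}  {to_attribute(v).hex()}")
```

Decoding the value a RADIUS server actually returns is a quick way to confirm that a policy puts a port on the intended VLAN with the intended tagging before it is rolled out.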
Kerberos is tricky. If you log in to the domain, NAC can snoop the user name, but if your user maps a network drive and chooses a different username, then Kerberos will update the username in NAC, which can lead to a policy change. So I am not a fan of Kerberos i...
No, you do not have to use Kerberos.
Most probably you did not enable Computer and User authentication on your Windows IEEE 802.1X client, so you only authenticate Computer. You also need User certificates to allow user authentication.