Do all untagged ports tag every packet in input or not?
This worked for me. Try changing the LAN interface on the VPN server side to proxy-arp.
This is to accept CAP from the same board where CAPsMAN runs.
I may be wrong, but try enabling "Proxy-Arp" on the interface that the VLAN is attached to.
If the device does not touch port 80 (http), then MAC login will not work. If opening a web browser for the device to connect is not an issue, then it is up to preference.
It seems that in the provision for cap AC, “Client to client forwarding” is set to “no”.